Prerequisites
I have verified that I am using the latest version of ImageMagick
I have searched open and closed issues to ensure it has not already been reported
Description
There is a heap buffer overflow vulnerability in the function WriteSGIImage of coders/sgi.c.
Steps to Reproduce
poc
magick convert $poc ./test.sgi
=================================================================
==41720==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f70c67db7f8 at pc 0x0000006c216f bp 0x7ffea64ddb50 sp 0x7ffea64ddb40
WRITE of size 1 at 0x7f70c67db7f8 thread T0
    #0 0x6c216e in WriteSGIImage coders/sgi.c:1051
    #1 0x849036 in WriteImage MagickCore/constitute.c:1159
    #2 0x849d5b in WriteImages MagickCore/constitute.c:1376
    #3 0xbf16d0 in ConvertImageCommand MagickWand/convert.c:3305
    #4 0xcdf180 in MagickCommandGenesis MagickWand/mogrify.c:185
    #5 0x4100a1 in MagickMain utilities/magick.c:149
    #6 0x410282 in main utilities/magick.c:180
    #7 0x7f70c10c882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x40fbb8 in _start (/home/test/temp/ImageMagick/utilities/magick+0x40fbb8)

0x7f70c67db7f8 is located 8 bytes to the left of 524288-byte region [0x7f70c67db800,0x7f70c685b800)
allocated by thread T0 here:
    #0 0x7f70c5868076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x4408c7 in AcquireAlignedMemory MagickCore/memory.c:265
    #2 0x440beb in AcquireVirtualMemory MagickCore/memory.c:621
    #3 0x6c1ead in WriteSGIImage coders/sgi.c:1030
    #4 0x849036 in WriteImage MagickCore/constitute.c:1159
    #5 0x849d5b in WriteImages MagickCore/constitute.c:1376
    #6 0xbf16d0 in ConvertImageCommand MagickWand/convert.c:3305
    #7 0xcdf180 in MagickCommandGenesis MagickWand/mogrify.c:185
    #8 0x4100a1 in MagickMain utilities/magick.c:149
    #9 0x410282 in main utilities/magick.c:180
    #10 0x7f70c10c882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/sgi.c:1051 WriteSGIImage
Shadow bytes around the buggy address:
  0x0fee98cf36a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fee98cf36b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fee98cf36c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fee98cf36d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fee98cf36e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0fee98cf36f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0fee98cf3700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee98cf3710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee98cf3720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee98cf3730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee98cf3740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==41720==ABORTING
System Configuration
Version: ImageMagick 7.0.8-43 Q16 x86_64 2019-04-29 https://imagemagick.org
Copyright: © 1999-2019 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.0)
Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff wmf x xml zlib
Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial
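The points a maintainer needs from the sanitizer output above are scattered across three places: the faulting access (a 1-byte WRITE at sgi.c:1051), the region it missed (524288 bytes, with the write landing 8 bytes before its start, so this is an under-indexed write rather than a run past the end), and the allocation site in the same function (sgi.c:1030). The following Python is an added triage example, not part of this report or of ImageMagick; it parses an AddressSanitizer heap-buffer-overflow report and pulls out those facts. The sample input is the report quoted above, trimmed to the lines the parser needs, and the names Triage, triage_asan and summarize are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the fault, region and allocation lines of the
# AddressSanitizer report quoted in this issue, copied verbatim.
ASAN_REPORT = """\
==41720==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f70c67db7f8 at pc 0x0000006c216f bp 0x7ffea64ddb50 sp 0x7ffea64ddb40
WRITE of size 1 at 0x7f70c67db7f8 thread T0
    #0 0x6c216e in WriteSGIImage coders/sgi.c:1051
    #1 0x849036 in WriteImage MagickCore/constitute.c:1159
    #2 0x849d5b in WriteImages MagickCore/constitute.c:1376
0x7f70c67db7f8 is located 8 bytes to the left of 524288-byte region [0x7f70c67db800,0x7f70c685b800)
allocated by thread T0 here:
    #0 0x7f70c5868076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x4408c7 in AcquireAlignedMemory MagickCore/memory.c:265
    #2 0x440beb in AcquireVirtualMemory MagickCore/memory.c:621
    #3 0x6c1ead in WriteSGIImage coders/sgi.c:1030
SUMMARY: AddressSanitizer: heap-buffer-overflow coders/sgi.c:1051 WriteSGIImage
"""

FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+ in (\S+) (\S+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION_RE = re.compile(
    r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
    r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")


@dataclass
class Triage:
    bug: str
    access: str                  # READ or WRITE
    size: int                    # bytes accessed
    address: int
    region_start: int
    region_end: int
    access_stack: list = field(default_factory=list)   # (function, file:line)
    alloc_stack: list = field(default_factory=list)    # interceptor frames dropped

    @property
    def region_size(self) -> int:
        return self.region_end - self.region_start

    @property
    def offset(self) -> int:
        # Negative means the access landed before the buffer (a negative or
        # wrapped index), not past its end.
        return self.address - self.region_start

    @property
    def direction(self) -> str:
        if self.offset < 0:
            return "before-region"
        if self.offset + self.size > self.region_size:
            return "past-region"
        return "inside-region"

    @property
    def fault_frame(self):
        return self.access_stack[0]

    def same_file_alloc_frame(self):
        """First allocation frame in the same source file as the faulting frame.
        When allocation and access sit in one function, the size computation at
        this line is where triage usually starts."""
        fault_file = self.fault_frame[1].rsplit(":", 1)[0]
        for func, loc in self.alloc_stack:
            if loc.rsplit(":", 1)[0] == fault_file:
                return func, loc
        return None


def _frames_after(lines, idx):
    """Collect the consecutive '#N addr in func location' frames following line idx."""
    frames = []
    for line in lines[idx + 1:]:
        m = FRAME_RE.match(line)
        if not m:
            break
        frames.append((m.group(1), m.group(2)))
    return frames


def triage_asan(report: str) -> Triage:
    lines = report.splitlines()
    head = re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", report)
    acc = ACCESS_RE.search(report, re.M) if False else re.search(ACCESS_RE.pattern, report, re.M)
    reg = REGION_RE.search(report)
    if not (head and acc and reg):
        raise ValueError("report lacks the heap-buffer-overflow lines this parser needs")
    t = Triage(bug=head.group(1), access=acc.group(1), size=int(acc.group(2)),
               address=int(acc.group(3), 16),
               region_start=int(reg.group(4), 16), region_end=int(reg.group(5), 16))
    for i, line in enumerate(lines):
        if ACCESS_RE.match(line):
            t.access_stack = _frames_after(lines, i)
        elif line.startswith("allocated by"):
            t.alloc_stack = [f for f in _frames_after(lines, i)
                             if not f[0].startswith("__interceptor_")]
    # Cross-check the parsed addresses against the distance ASan itself printed.
    printed = int(reg.group(1))
    dist = t.region_start - t.address if reg.group(2) == "left" else t.address - t.region_end
    if dist != printed or t.region_size != int(reg.group(3)):
        raise ValueError("region arithmetic does not match the report text")
    return t


def summarize(report: str) -> str:
    t = triage_asan(report)
    alloc = t.same_file_alloc_frame()
    return (f"{t.bug}: {t.access} of {t.size} byte(s) {t.direction} "
            f"(offset {t.offset:+d} into {t.region_size}-byte buffer) "
            f"at {t.fault_frame[0]} {t.fault_frame[1]}; buffer allocated at "
            f"{alloc[1] if alloc else 'unknown'}")


if __name__ == "__main__":
    print(summarize(ASAN_REPORT))
```

For this report the summary reads as a write of one byte before the region, offset -8 into a 524288-byte buffer, at WriteSGIImage coders/sgi.c:1051, with the buffer allocated at coders/sgi.c:1030. The same script applied to a right-of-region report classifies it as past-region, which is why the cross-check computes the distance differently for the two directions.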