Prerequisites
I have verified that I am using the latest version of ImageMagick
I have searched open and closed issues to ensure it has not already been reported
Description
There is a heap buffer overflow vulnerability in function WriteSGIImage of coders/sgi.c.
Steps to Reproduce
poc
magick convert $poc ./test.sgi
=================================================================
==41720==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f70c67db7f8 at pc 0x0000006c216f bp 0x7ffea64ddb50 sp 0x7ffea64ddb40
WRITE of size 1 at 0x7f70c67db7f8 thread T0
#0 0x6c216e in WriteSGIImage coders/sgi.c:1051
#1 0x849036 in WriteImage MagickCore/constitute.c:1159
#2 0x849d5b in WriteImages MagickCore/constitute.c:1376
#3 0xbf16d0 in ConvertImageCommand MagickWand/convert.c:3305
#4 0xcdf180 in MagickCommandGenesis MagickWand/mogrify.c:185
#5 0x4100a1 in MagickMain utilities/magick.c:149
#6 0x410282 in main utilities/magick.c:180
#7 0x7f70c10c882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#8 0x40fbb8 in _start (/home/test/temp/ImageMagick/utilities/magick+0x40fbb8)
0x7f70c67db7f8 is located 8 bytes to the left of 524288-byte region [0x7f70c67db800,0x7f70c685b800)
allocated by thread T0 here:
#0 0x7f70c5868076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
#1 0x4408c7 in AcquireAlignedMemory MagickCore/memory.c:265
#2 0x440beb in AcquireVirtualMemory MagickCore/memory.c:621
#3 0x6c1ead in WriteSGIImage coders/sgi.c:1030
#4 0x849036 in WriteImage MagickCore/constitute.c:1159
#5 0x849d5b in WriteImages MagickCore/constitute.c:1376
#6 0xbf16d0 in ConvertImageCommand MagickWand/convert.c:3305
#7 0xcdf180 in MagickCommandGenesis MagickWand/mogrify.c:185
#8 0x4100a1 in MagickMain utilities/magick.c:149
#9 0x410282 in main utilities/magick.c:180
#10 0x7f70c10c882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow coders/sgi.c:1051 WriteSGIImage
Shadow bytes around the buggy address:
0x0fee98cf36a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fee98cf36b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fee98cf36c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fee98cf36d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fee98cf36e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0fee98cf36f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0fee98cf3700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fee98cf3710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fee98cf3720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fee98cf3730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fee98cf3740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==41720==ABORTING
System Configuration
Version: ImageMagick 7.0.8-43 Q16 x86_64 2019-04-29 https://imagemagick.org
Copyright: © 1999-2019 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.0)
Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff wmf x xml zlib
Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial
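The sanitizer output above already carries what a triager needs: the faulting access (a 1-byte WRITE), the region it missed (8 bytes before the start of a 524288-byte buffer), and the fact that the buffer was allocated at sgi.c:1030 and written at sgi.c:1051 inside the same function. The Python below is an added example, not part of this issue or of ImageMagick: it parses the AddressSanitizer text quoted above into those fields, normalises the "to the left / to the right / inside" phrasing into one signed offset, and cross-checks that offset against the raw addresses. A second, constructed report exercises the "to the right" case; every name and path in it (copy_row, example.c) is made up.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Excerpt of the AddressSanitizer report quoted in this issue (stack frames trimmed).
SAMPLE_REPORT = """\
==41720==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f70c67db7f8 at pc 0x0000006c216f bp 0x7ffea64ddb50 sp 0x7ffea64ddb40
WRITE of size 1 at 0x7f70c67db7f8 thread T0
    #0 0x6c216e in WriteSGIImage coders/sgi.c:1051
    #1 0x849036 in WriteImage MagickCore/constitute.c:1159
0x7f70c67db7f8 is located 8 bytes to the left of 524288-byte region [0x7f70c67db800,0x7f70c685b800)
allocated by thread T0 here:
    #0 0x7f70c5868076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x4408c7 in AcquireAlignedMemory MagickCore/memory.c:265
    #2 0x440beb in AcquireVirtualMemory MagickCore/memory.c:621
    #3 0x6c1ead in WriteSGIImage coders/sgi.c:1030
SUMMARY: AddressSanitizer: heap-buffer-overflow coders/sgi.c:1051 WriteSGIImage
"""

# Constructed report (function names and paths are made up) for the "to the right" case.
CONSTRUCTED_OVERFLOW = """\
==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018 at pc 0x400b1a bp 0x7ffc1 sp 0x7ffc0
READ of size 4 at 0x602000000018 thread T0
    #0 0x400b19 in copy_row example.c:42
0x602000000018 is located 0 bytes to the right of 8-byte region [0x602000000010,0x602000000018)
allocated by thread T0 here:
    #0 0x400a80 in main example.c:30
SUMMARY: AddressSanitizer: heap-buffer-overflow example.c:42 copy_row
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: ([\w-]+) on address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+")
LOCATION_RE = re.compile(r"^0x[0-9a-fA-F]+ is located (\d+) bytes (to the left|to the right|inside) of "
                         r"(\d+)-byte region \[0x([0-9a-fA-F]+),0x[0-9a-fA-F]+\)")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+)")


@dataclass
class AsanFinding:
    bug_type: str
    address: int
    access: str = ""                  # READ or WRITE
    size: int = 0                     # bytes accessed
    region_size: Optional[int] = None
    region_start: Optional[int] = None
    offset: Optional[int] = None      # faulting address relative to the region start
    access_frames: List[Tuple[str, str]] = field(default_factory=list)   # (function, location)
    alloc_frames: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def direction(self) -> str:
        """'underflow' before the region, 'overflow' at or past its end."""
        if self.offset is None or self.region_size is None:
            return "unknown"
        if self.offset < 0:
            return "underflow"
        return "overflow" if self.offset >= self.region_size else "inside"


def parse_asan_report(text: str) -> AsanFinding:
    finding, section = None, None     # section: which stack trace the next frames belong to
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            finding = AsanFinding(bug_type=m.group(1), address=int(m.group(2), 16))
            continue
        if finding is None:
            continue                  # noise before the ERROR header
        if line.startswith("SUMMARY:"):
            break                     # only the shadow-byte dump follows
        if m := ACCESS_RE.match(line):
            finding.access, finding.size, section = m.group(1), int(m.group(2)), "access"
        elif m := LOCATION_RE.match(line):
            distance, where, finding.region_size = int(m.group(1)), m.group(2), int(m.group(3))
            finding.region_start = int(m.group(4), 16)
            # Normalise the three phrasings to one signed offset from the region start.
            finding.offset = {"to the left": -distance, "inside": distance,
                              "to the right": finding.region_size + distance}[where]
            section = None
        elif "allocated by" in line:  # also matches "previously allocated by" in UAF reports
            section = "alloc"
        elif (m := FRAME_RE.match(line)) and section is not None:
            getattr(finding, section + "_frames").append((m.group(1), m.group(2)))
    if finding is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return finding


def triage(finding: AsanFinding) -> dict:
    """What a triager checks first: fault site, allocation site, and whether the
    textual offset agrees with the raw addresses."""
    access_site = finding.access_frames[0] if finding.access_frames else None
    # Allocation frame inside the faulting function itself (sgi.c:1030 vs sgi.c:1051 here).
    same_function = next((f for f in finding.alloc_frames
                          if access_site and f[0] == access_site[0]), None)
    consistent = None
    if finding.region_start is not None and finding.offset is not None:
        consistent = finding.address - finding.region_start == finding.offset
    return {"bug": finding.bug_type, "direction": finding.direction,
            "access": (finding.access, finding.size, finding.offset),
            "access_site": access_site, "alloc_site_in_same_function": same_function,
            "address_matches_offset": consistent}


if __name__ == "__main__":
    for report in (SAMPLE_REPORT, CONSTRUCTED_OVERFLOW):
        print(triage(parse_asan_report(report)))
```

Feed `parse_asan_report` the full report text; everything after the SUMMARY line (the shadow-byte dump) is ignored on purpose, since the region line already states the offset exactly. For the report in this issue the result is direction "underflow" with offset -8, the access site at coders/sgi.c:1051 and the allocation in the same function at coders/sgi.c:1030.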