heap-buffer-overflow in MagickCore/statistic.c #1586

Closed
3 tasks done
SuhwanSong opened this issue Jun 10, 2019 · 3 comments

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

There is a heap buffer overflow vulnerability in MagickCore/statistic.c:654:41 in .omp_outlined.debug_.10

Steps to Reproduce

run cmd:
magick "-black-point-compensation" "-interlace" "none" "(" "magick:rose" "-density" "302x531" ")" "(" "magick:granite" "+repage" ")" "-antialias" "-evaluate-sequence" "Log" ""

This is the heap-buffer-overflow log from ASAN.

==27479==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000018800 at pc 0x0000006205ab bp 0x7ffd7a503310 sp 0x7ffd7a503308
WRITE of size 8 at 0x629000018800 thread T0
    #0 0x6205aa in .omp_outlined._debug__.10 MagickCore/statistic.c:654:41
    #1 0x621c5e in .omp_outlined..11 MagickCore/statistic.c:618:7
    #2 0x7f79836bd452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
    #3 0x7f79836771b6  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)
    #4 0x7f79836782b5 in __kmp_fork_call (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x372b5)
    #5 0x7f798366b7be in __kmpc_fork_call (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x2a7be)
    #6 0x61c9ca in EvaluateImages MagickCore/statistic.c:615:15
    #7 0x13fcdb9 in CLIListOperatorImages MagickWand/operation.c:4081:22
    #8 0x1406ec5 in CLIOption MagickWand/operation.c:5276:14
    #9 0x128a9db in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #10 0x128bcf2 in MagickImageCommand MagickWand/magick-cli.c:796:5
    #11 0x128e457 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #12 0x531745 in MagickMain utilities/magick.c:149:10
    #13 0x531091 in main utilities/magick.c:180:10
    #14 0x7f7983059b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #15 0x425819 in _start (install/bin/magick+0x425819)

0x629000018800 is located 0 bytes to the right of 17920-byte region [0x629000014200,0x629000018800)
allocated by thread T0 here:
    #0 0x4efb47 in __interceptor_malloc (install/bin/magick+0x4efb47)
    #1 0x5824e7 in AcquireMagickMemory MagickCore/memory.c:478:10
    #2 0x58254f in AcquireQuantumMemory MagickCore/memory.c:551:10
    #3 0x61cfee in AcquirePixelThreadSet MagickCore/statistic.c:175:33
    #4 0x61ba43 in EvaluateImages MagickCore/statistic.c:493:19
    #5 0x13fcdb9 in CLIListOperatorImages MagickWand/operation.c:4081:22
    #6 0x1406ec5 in CLIOption MagickWand/operation.c:5276:14
    #7 0x128a9db in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #8 0x128bcf2 in MagickImageCommand MagickWand/magick-cli.c:796:5
    #9 0x128e457 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #10 0x531745 in MagickMain utilities/magick.c:149:10
    #11 0x531091 in main utilities/magick.c:180:10
    #12 0x7f7983059b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/statistic.c:654:41 in .omp_outlined._debug__.10

System Configuration

  • ImageMagick version:
    Version: ImageMagick 7.0.8-50 Q16 x86_64 2019-06-10

  • Environment (Operating system, version and so on):
    Description: Ubuntu 18.04.1 LTS
    Release: 18.04
    Codename: bionic

  • Additional information: CC=clang-7 CXX=clang++-7

SuhwanSong commented Jun 16, 2019

I followed this comment, and I found this bug exists with the --disable-openmp option.

I ran the same command that I've reported in this issue and I got heap-buffer-overflow in MagickCore/statistic.c:654:41 in EvaluateImages.

Here's the ASAN log.

==6072==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000013800 at pc 0x7f15722ea9aa bp 0x7ffe9cf7b240 sp 0x7ffe9cf7b238
WRITE of size 8 at 0x629000013800 thread T0
    #0 0x7f15722ea9a9 in EvaluateImages MagickCore/statistic.c:654:41
    #1 0x7f15718ff5ac in CLIListOperatorImages MagickWand/operation.c:4081:22
    #2 0x7f157190934e in CLIOption MagickWand/operation.c:5276:14
    #3 0x7f157174aa99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #4 0x7f157174bd0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #5 0x7f1571795ba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #6 0x526f95 in MagickMain utilities/magick.c:149:10
    #7 0x5268e1 in main utilities/magick.c:180:10
    #8 0x7f156c20cb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x41b069 in _start (install/bin/magick+0x41b069)

0x629000013800 is located 0 bytes to the right of 17920-byte region [0x62900000f200,0x629000013800)
allocated by thread T0 here:
    #0 0x4e5397 in __interceptor_malloc (install/bin/magick+0x4e5397)
    #1 0x7f15721843d6 in AcquireMagickMemory MagickCore/memory.c:478:10
    #2 0x7f157218443f in AcquireQuantumMemory MagickCore/memory.c:551:10
    #3 0x7f15722eb92e in AcquirePixelThreadSet MagickCore/statistic.c:175:33
    #4 0x7f15722e9e41 in EvaluateImages MagickCore/statistic.c:493:19
    #5 0x7f15718ff5ac in CLIListOperatorImages MagickWand/operation.c:4081:22
    #6 0x7f157190934e in CLIOption MagickWand/operation.c:5276:14
    #7 0x7f157174aa99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #8 0x7f157174bd0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #9 0x7f1571795ba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #10 0x526f95 in MagickMain utilities/magick.c:149:10
    #11 0x5268e1 in main utilities/magick.c:180:10
    #12 0x7f156c20cb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/statistic.c:654:41 in EvaluateImages

The program doesn't give any exception in this case.
Version: ImageMagick 7.0.8-50 Q16 x86_64 2019-06-16 https://imagemagick.org
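As an added triage aid that is not part of this issue thread or of ImageMagick: a POSIX shell parser that pulls the decision-relevant fields out of an AddressSanitizer report such as the two posted above (bug class, access kind and width, distance past the allocation, allocation size, the first allocating frame outside the allocator wrappers, and the faulting frame from the SUMMARY line) and turns them into a one-line verdict. The report embedded in the script is an excerpt of the second log in this thread (the --disable-openmp run), trimmed to the lines the parser reads. Two things are assumptions of this example rather than facts from the page: the skip list of wrapper frames (`__interceptor_*` and MagickCore/memory.c) used to find the allocation site, and the overrun-index calculation, which is only meaningful if the overrun buffer is an array of elements as wide as the faulting access, something the report by itself does not establish.

```shell
#!/bin/sh
# Added triage helper: not part of ImageMagick or of this issue thread.
# It parses an AddressSanitizer report and extracts the fields that decide
# how serious a heap-buffer-overflow is.
#
# ASAN_LOG is a verbatim excerpt of the second report posted in the thread
# (the --disable-openmp run), trimmed to the lines this parser reads.
ASAN_LOG='==6072==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000013800 at pc 0x7f15722ea9aa bp 0x7ffe9cf7b240 sp 0x7ffe9cf7b238
WRITE of size 8 at 0x629000013800 thread T0
    #0 0x7f15722ea9a9 in EvaluateImages MagickCore/statistic.c:654:41
    #1 0x7f15718ff5ac in CLIListOperatorImages MagickWand/operation.c:4081:22
0x629000013800 is located 0 bytes to the right of 17920-byte region [0x62900000f200,0x629000013800)
allocated by thread T0 here:
    #0 0x4e5397 in __interceptor_malloc (install/bin/magick+0x4e5397)
    #1 0x7f15721843d6 in AcquireMagickMemory MagickCore/memory.c:478:10
    #2 0x7f157218443f in AcquireQuantumMemory MagickCore/memory.c:551:10
    #3 0x7f15722eb92e in AcquirePixelThreadSet MagickCore/statistic.c:175:33
SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/statistic.c:654:41 in EvaluateImages'

# Bug class from the ERROR line, e.g. heap-buffer-overflow.
asan_bug_class() {
  printf '%s\n' "$1" | awk '/^==[0-9]+==ERROR: AddressSanitizer: / { print $3; exit }'
}

# READ or WRITE: a write past a heap allocation is a memory-corruption
# primitive; a read is an information leak or a crash.
asan_access_kind() {
  printf '%s\n' "$1" | awk '/^(READ|WRITE) of size [0-9]+ at / { print $1; exit }'
}

# Width of the faulting access in bytes.
asan_access_size() {
  printf '%s\n' "$1" | awk '/^(READ|WRITE) of size [0-9]+ at / { print $4; exit }'
}

# Distance of the faulting address past the end ("right") or before the
# start ("left") of the allocation, in bytes.
asan_overflow_offset() {
  printf '%s\n' "$1" | awk '/is located [0-9]+ bytes to the (right|left) of [0-9]+-byte region/ { print $4; exit }'
}

# Size of the heap region that was overrun, in bytes.
asan_region_size() {
  printf '%s\n' "$1" | awk '/is located [0-9]+ bytes to the (right|left) of [0-9]+-byte region/ { sub(/-byte$/, "", $10); print $10; exit }'
}

# First frame of the allocation stack outside the malloc interceptor and the
# project's memory wrappers (MagickCore/memory.c). The skip list is an
# assumption of this example, tuned to the frames visible in the report.
asan_alloc_site() {
  printf '%s\n' "$1" | awk '
    in_alloc && /^ *#[0-9]+ / {
      if ($0 !~ /__interceptor_/ && $0 !~ /MagickCore\/memory\.c/) { print $4, $5; exit }
    }
    /^allocated by / { in_alloc = 1 }'
}

# "file:line:col in function" from the SUMMARY line.
asan_fault_site() {
  printf '%s\n' "$1" | awk '/^SUMMARY: AddressSanitizer: / { print $4, $5, $6; exit }'
}

# Index of the overrun element, assuming the buffer is an array whose
# element width equals the access width. The report does not establish
# that by itself; treat the result as a hint, not a fact.
asan_overrun_index() {
  idx_size=$(asan_region_size "$1")
  idx_width=$(asan_access_size "$1")
  idx_off=$(asan_overflow_offset "$1")
  case "$idx_width" in ''|0) echo "n/a"; return 1 ;; esac
  [ $((idx_size % idx_width)) -eq 0 ] || { echo "n/a"; return 1; }
  echo $(( (idx_size + idx_off) / idx_width ))
}

# One-line verdict combining bug class and access kind.
asan_triage() {
  case "$(asan_bug_class "$1")/$(asan_access_kind "$1")" in
    heap-buffer-overflow/WRITE) echo "heap write overrun" ;;
    heap-buffer-overflow/READ)  echo "heap read overrun" ;;
    *) echo "other: $(asan_bug_class "$1") $(asan_access_kind "$1")" ;;
  esac
}

# Report for the embedded sample.
printf 'class:      %s\n' "$(asan_bug_class "$ASAN_LOG")"
printf 'access:     %s of %s bytes, %s bytes past a %s-byte region\n' \
  "$(asan_access_kind "$ASAN_LOG")" "$(asan_access_size "$ASAN_LOG")" \
  "$(asan_overflow_offset "$ASAN_LOG")" "$(asan_region_size "$ASAN_LOG")"
printf 'fault:      %s\n' "$(asan_fault_site "$ASAN_LOG")"
printf 'allocated:  %s\n' "$(asan_alloc_site "$ASAN_LOG")"
printf 'element:    %s (if 8-byte elements)\n' "$(asan_overrun_index "$ASAN_LOG")"
printf 'verdict:    %s\n' "$(asan_triage "$ASAN_LOG")"
```

On the sample above the parser reports an 8-byte write 0 bytes past a 17920-byte region allocated in AcquirePixelThreadSet (MagickCore/statistic.c:175) and faulting in EvaluateImages (statistic.c:654), i.e. a write exactly one element past the end if the region is an array of 8-byte elements. Feeding it the first log in the thread gives the same allocation site but a faulting frame of `.omp_outlined._debug__.10`, which is why the reporter's --disable-openmp rerun is worth having: it collapses the outlined parallel region back into EvaluateImages so the fault maps directly onto the source line.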

urban-warrior (ImageMagick member) commented

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Jun 16, 2019
@dlemstra dlemstra added the bug label Jun 16, 2019
@dlemstra dlemstra added this to the 7.0.8-50 milestone Jun 16, 2019

nohmask commented Jul 8, 2019

This was assigned CVE-2019-13300.
