
heap-buffer-overflow in MagickCore/fourier.c #1588

Closed
SuhwanSong opened this issue Jun 11, 2019 · 7 comments

Comments

@SuhwanSong

commented Jun 11, 2019

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

There is a heap buffer overflow in MagickCore/fourier.c:314:19 in .omp_outlined.debug_.

The heap buffer overflow occurs only sometimes. To trigger this bug, please run the command several times.

Steps to Reproduce

run cmd:
magick "-seed" "0" "-black-point-compensation" "-fuzz" "238" "(" "magick:logo" "-normalize" "-cycle" "615" ")" "(" "magick:rose" "-gaussian-blur" "4" ")" "(" "magick:granite" "-convolve" "207,117,126,202,52,59,196,21,46,216,32,49,172,14,116,115,203,20,219,21,194,58,155,117,148,208,229,218,151,151,171,239,212,207,77,212,81,32,23,137,63,164,67,85,47,13,85,96,85,86,244,168,218,41,98,108,208,221,77,5,45,117,102,5,89,150,47,36,214,0,20,255,14,83,77,191,109,40,32,245,112" ")" "-strokewidth" "58" "-complex" "subtract" "-layers" "compare-overlay" ""

ASAN log for the heap-buffer-overflow:

==18953==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000020200 at pc 0x0000014f4b4e bp 0x7fa64464bc30 sp 0x7fa64464bc28
READ of size 4 at 0x619000020200 thread T2
    #0 0x14f4b4d in .omp_outlined._debug__ MagickCore/fourier.c:314:19
    #1 0x14f56cc in .omp_outlined. MagickCore/fourier.c:231:3
    #2 0x7fa64f983452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
    #3 0x7fa64f93d1b6  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)
    #4 0x7fa64f93bb20  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x34b20)
    #5 0x7fa64f97b417  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x74417)
    #6 0x7fa651fb76da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #7 0x7fa64f41f88e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)

0x619000020200 is located 0 bytes to the right of 896-byte region [0x61900001fe80,0x619000020200)
allocated by thread T2 here:
    #0 0x4f09b0 in __interceptor_posix_memalign (install/bin/magick+0x4f09b0)
    #1 0x5822fa in AcquireAlignedMemory MagickCore/memory.c:265:7
    #2 0xb24539 in AcquireCacheNexusPixels MagickCore/cache.c:4968:37
    #3 0xb0d587 in SetPixelCacheNexusPixels MagickCore/cache.c:5076:12
    #4 0xb04b7c in GetVirtualPixelCacheNexus MagickCore/cache.c:2751:10
    #5 0xb28621 in GetCacheViewVirtualPixels MagickCore/cache-view.c:664:10
    #6 0x14f2984 in .omp_outlined._debug__ MagickCore/fourier.c:249:8
    #7 0x14f56cc in .omp_outlined. MagickCore/fourier.c:231:3
    #8 0x7fa64f983452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
    #9 0x7fa64f93d1b6  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)

Thread T2 created by T0 here:
    #0 0x43fcd0 in pthread_create (install/bin/magick+0x43fcd0)
    #1 0x7fa64f979110  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x72110)

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/fourier.c:314:19 in .omp_outlined._debug__

System Configuration

  • ImageMagick version:
    Version: ImageMagick 7.0.8-50 Q16 x86_64 2019-06-10

  • Environment (Operating system, version and so on):
    Description: Ubuntu 18.04.1 LTS
    Release: 18.04
    Codename: bionic

  • Additional information: CC=clang-7 CXX=clang++-7
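The ASAN report above shows a 4-byte read landing exactly at the end of a pixel-cache allocation inside the -complex operator, when the images in the list have different geometries. The thread does not show the fourier.c source, so what follows is an added C model of that bug class and not ImageMagick's code: a two-image subtract whose loop bounds come from one image only, next to the up-front geometry check the reporter argues for. The names image_t, make_image, same_geometry, subtract_unchecked, subtract_checked and run_demo are hypothetical, and the sample images are constructed.

```c
/* Added model of the bug class reported in this issue; not ImageMagick code.
 * image_t and the function names below are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    size_t columns;   /* width in pixels */
    size_t rows;      /* height in pixels */
    float *pixels;    /* rows * columns single-channel samples, row-major */
} image_t;

/* Allocate an image whose samples all hold a constructed fill value. */
image_t *make_image(size_t columns, size_t rows, float fill)
{
    image_t *img = malloc(sizeof *img);
    if (img == NULL)
        return NULL;
    img->columns = columns;
    img->rows = rows;
    img->pixels = malloc(columns * rows * sizeof *img->pixels);
    if (img->pixels == NULL) {
        free(img);
        return NULL;
    }
    for (size_t i = 0; i < columns * rows; i++)
        img->pixels[i] = fill;
    return img;
}

void free_image(image_t *img)
{
    if (img != NULL) {
        free(img->pixels);
        free(img);
    }
}

/* Returns 1 when both images have identical geometry, 0 otherwise. */
int same_geometry(const image_t *a, const image_t *b)
{
    return a->columns == b->columns && a->rows == b->rows;
}

/* Bug-class model: every loop bound and index comes from `a`. If `b` is
 * narrower or shorter, the read of b->pixels on the last row runs past
 * the end of b's allocation, the kind of read ASAN flags above.
 * Only safe when the caller has already verified the geometry. */
void subtract_unchecked(const image_t *a, const image_t *b, image_t *out)
{
    for (size_t y = 0; y < a->rows; y++)
        for (size_t x = 0; x < a->columns; x++)
            out->pixels[y * a->columns + x] =
                a->pixels[y * a->columns + x] - b->pixels[y * b->columns + x];
}

/* Hardened form: reject mismatched geometry before touching pixel memory.
 * Returns 0 on success, -1 (with `out` untouched) on mismatch. */
int subtract_checked(const image_t *a, const image_t *b, image_t *out)
{
    if (!same_geometry(a, b) || !same_geometry(a, out))
        return -1;
    subtract_unchecked(a, b, out);   /* all bounds agree now */
    return 0;
}

/* Exercises both paths on constructed images. Returns 1 when the
 * mismatched pair is rejected untouched and the matched pair subtracts
 * correctly, 0 otherwise. */
int run_demo(void)
{
    int ok = 0;
    image_t *a = make_image(4, 2, 5.0f);        /* constructed 4x2 */
    image_t *narrow = make_image(3, 2, 1.0f);   /* constructed 3x2 */
    image_t *same = make_image(4, 2, 1.5f);     /* constructed 4x2 */
    image_t *out = make_image(4, 2, 0.0f);
    if (a && narrow && same && out) {
        int rejected = subtract_checked(a, narrow, out) == -1
                       && out->pixels[7] == 0.0f;
        int computed = subtract_checked(a, same, out) == 0
                       && out->pixels[0] == 3.5f && out->pixels[7] == 3.5f;
        ok = rejected && computed;
    }
    free_image(a);
    free_image(narrow);
    free_image(same);
    free_image(out);
    return ok;
}

int main(void)
{
    int ok = run_demo();
    printf("%s\n", ok ? "geometry check holds" : "geometry check failed");
    return ok ? 0 : 1;
}
```

Building this with `-fsanitize=address` and calling subtract_unchecked directly on the 4x2/3x2 pair reproduces the same "0 bytes to the right of" read that the report shows; the checked variant never reaches the loop for that pair.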

@fmw42


commented Jun 11, 2019

I am not sure what you are trying to do, but -complex requires FFT input. I do not see either -fft or +fft in your command line.

@SuhwanSong

Author

commented Jun 11, 2019

I am not sure what you are trying to do, but -complex requires FFT input. I do not see either -fft or +fft in your command line.

@fmw42
It's not a valid input, but I think these bugs can lead to attacks. If the arguments are invalid, I think the program should terminate at the beginning rather than go on to generate bugs such as heap overflows, use-after-free and so on.

@SuhwanSong SuhwanSong changed the title heap-buffer-overflow in MagickCore/fourier.c or heap-use-after-free in MagickCore/cache.c heap-buffer-overflow in MagickCore/fourier.c Jun 11, 2019

@SuhwanSong

Author

commented Jun 16, 2019

I followed this comment, and I found that this bug still exists with the --disable-openmp option.

I ran the same command I reported in this issue, and I got a similar log from ASAN.
There's a heap-buffer-overflow in ComplexImages MagickCore/fourier.c:314:19 without OpenMP.
(With OpenMP, it was MagickCore/fourier.c:314:19 in .omp_outlined.debug_.)

==6302==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000027b00 at pc 0x7f1eac78598b bp 0x7fff9050fd70 sp 0x7fff9050fd68
READ of size 4 at 0x62d000027b00 thread T0
    #0 0x7f1eac78598a in ComplexImages MagickCore/fourier.c:314:19
    #1 0x7f1eabfab8c1 in CLIListOperatorImages MagickWand/operation.c:3890:22
    #2 0x7f1eabfb734e in CLIOption MagickWand/operation.c:5276:14
    #3 0x7f1eabdf8a99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #4 0x7f1eabdf9d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #5 0x7f1eabe43ba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #6 0x526f95 in MagickMain utilities/magick.c:149:10
    #7 0x5268e1 in main utilities/magick.c:180:10
    #8 0x7f1ea68bab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x41b069 in _start (install/bin/magick+0x41b069)

0x62d000027b00 is located 0 bytes to the right of 38656-byte region [0x62d00001e400,0x62d000027b00)
allocated by thread T0 here:
    #0 0x4e6200 in __interceptor_posix_memalign (install/bin/magick+0x4e6200)
    #1 0x7f1eac8321f6 in AcquireAlignedMemory MagickCore/memory.c:265:7
    #2 0x7f1eac57b5ec in OpenPixelCache MagickCore/cache.c:3728:46
    #3 0x7f1eac5816de in GetImagePixelCache MagickCore/cache.c:1724:18
    #4 0x7f1eac587b99 in SyncImagePixelCache MagickCore/cache.c:5494:28
    #5 0x7f1eac7e5b71 in SetImageStorageClass MagickCore/image.c:2627:10
    #6 0x7f1eac8571b1 in MorphologyApply MagickCore/morphology.c:3928:19
    #7 0x7f1eac860f1e in MorphologyImage MagickCore/morphology.c:4210:22
    #8 0x7f1eac721abb in ConvolveImage MagickCore/effect.c:842:18
    #9 0x7f1eac724bdb in GaussianBlurImage MagickCore/effect.c:1397:14
    #10 0x7f1eabf9af4b in CLISimpleOperatorImage MagickWand/operation.c:2435:21
    #11 0x7f1eabf91c78 in CLISimpleOperatorImages MagickWand/operation.c:3685:12
    #12 0x7f1eabfb7305 in CLIOption MagickWand/operation.c:5270:16
    #13 0x7f1eabdf8a99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #14 0x7f1eabdf9d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #15 0x7f1eabe43ba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #16 0x526f95 in MagickMain utilities/magick.c:149:10
    #17 0x5268e1 in main utilities/magick.c:180:10
    #18 0x7f1ea68bab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/fourier.c:314:19 in ComplexImages

I also found a command that triggers a similar bug in the program.

run cmd:
magick "-black-point-compensation" "-antialias" "(" "magick:netscape" "-white-threshold" "204" "-preview" "JPEG" "-random-threshold" "78x27" ")" "(" "magick:granite" "-colorize" "63,65,103" ")" "(" "magick:netscape" "-tint" "39%" "-frame" "129@-1-33" "-negate" ")" "-orient" "right-bottom" "-black-point-compensation" "-complex" "subtract" "-layers" "compare-overlay" ""

Version: ImageMagick 7.0.8-50 Q16 x86_64 2019-06-16 https://imagemagick.org

@urban-warrior

Contributor

commented Jun 16, 2019

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

urban-warrior pushed a commit that referenced this issue Jun 16, 2019

Cristy

urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Jun 16, 2019

@SuhwanSong

Author

commented Jun 17, 2019

@urban-warrior
Thanks for patching,
but I found that this cmd still triggers the bug.

magick "-seed" "0" "-black-point-compensation" "-fuzz" "238" "(" "magick:logo" "-normalize" "-cycle" "615" ")" "(" "magick:rose" "-gaussian-blur" "4" ")" "(" "magick:granite" "-convolve" "207,117,126,202,52,59,196,21,46,216,32,49,172,14,116,115,203,20,219,21,194,58,155,117,148,208,229,218,151,151,171,239,212,207,77,212,81,32,23,137,63,164,67,85,47,13,85,96,85,86,244,168,218,41,98,108,208,221,77,5,45,117,102,5,89,150,47,36,214,0,20,255,14,83,77,191,109,40,32,245,112" ")" "-strokewidth" "58" "-complex" "subtract" "-layers" "compare-overlay" ""

==8895==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62400000ff00 at pc 0x7fa34ea0bddf bp 0x7fff3bc79b90 sp 0x7fff3bc79b88
READ of size 4 at 0x62400000ff00 thread T0
    #0 0x7fa34ea0bdde in ComplexImages MagickCore/fourier.c:318:19
    #1 0x7fa34e2318c1 in CLIListOperatorImages MagickWand/operation.c:3890:22
    #2 0x7fa34e23d34e in CLIOption MagickWand/operation.c:5276:14
    #3 0x7fa34e07ea99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #4 0x7fa34e07fd0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #5 0x7fa34e0c9ba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #6 0x526f95 in MagickMain utilities/magick.c:149:10
    #7 0x5268e1 in main utilities/magick.c:180:10
    #8 0x7fa348b40b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x41b069 in _start (install/bin/magick+0x41b069)

0x62400000ff00 is located 0 bytes to the right of 7680-byte region [0x62400000e100,0x62400000ff00)
allocated by thread T0 here:
    #0 0x4e6200 in __interceptor_posix_memalign (install/bin/magick+0x4e6200)
    #1 0x7fa34eab8666 in AcquireAlignedMemory MagickCore/memory.c:265:7
    #2 0x7fa34e80fd5c in AcquireCacheNexusPixels MagickCore/cache.c:4968:37
    #3 0x7fa34e7fd1c4 in SetPixelCacheNexusPixels MagickCore/cache.c:5076:12
    #4 0x7fa34e7f4b05 in GetVirtualPixelCacheNexus MagickCore/cache.c:2751:10
    #5 0x7fa34e812f36 in GetCacheViewVirtualPixels MagickCore/cache-view.c:664:10
    #6 0x7fa34ea09e5d in ComplexImages MagickCore/fourier.c:250:8
    #7 0x7fa34e2318c1 in CLIListOperatorImages MagickWand/operation.c:3890:22
    #8 0x7fa34e23d34e in CLIOption MagickWand/operation.c:5276:14
    #9 0x7fa34e07ea99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #10 0x7fa34e07fd0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #11 0x7fa34e0c9ba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #12 0x526f95 in MagickMain utilities/magick.c:149:10
    #13 0x5268e1 in main utilities/magick.c:180:10
    #14 0x7fa348b40b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/fourier.c:318:19 in ComplexImages

@urban-warrior

Contributor

commented Jun 19, 2019

We cannot reproduce the heap buffer overflow with the latest ImageMagick source from the trunk.

@dlemstra dlemstra closed this Jun 26, 2019

@nohmask


commented Jul 8, 2019

This was assigned CVE-2019-13391.

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Jul 19, 2019

ImageMagick: Update to 7.0.8-54
This update contains a number of security fixes.

2019-07-16  7.0.8-54 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.8-54, GIT revision 15916:e868e22:20190716.

2019-07-08  7.0.8-54 Cristy  <quetzlzacatenango@image...>
  * resolve division by zero (reference
    ImageMagick/ImageMagick#1629).
  * introducing MagickLevelImageColors() MagickWand method.
  * Transient problem with text placement with gravity (reference
    ImageMagick/ImageMagick#1633).
  * Support TIM2 image format (reference
    ImageMagick/ImageMagick#1571).
  * For -magnify option, specify an alternative scaling method with -define
    magnify:method=method, choose from these methods: eagle2X, eagle3X,
    eagle3XB, epb2X, fish2X, hq2X, scale2X (default), scale3X, xbr2X.

2019-07-05  7.0.8-53 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.8-53, GIT revision 15828:f5d59c0:20190705.

2019-07-05  7.0.8-53 Cristy  <quetzlzacatenango@image...>
  * Fix -fx parsing issue (reference
    https://imagemagick.org/discourse-server/viewtopic.php?f=3&t=36314).

2019-07-05  7.0.8-52 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.8-52, GIT revision 15825:ea47310:20190705.

2019-07-01  7.0.8-52 Cristy  <quetzlzacatenango@image...>
  * Eliminate buffer overflow in TranslateEvent() (reference
    ImageMagick/ImageMagick#1621).

2019-06-30  7.0.8-51 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.8-51, GIT revision 15812:51f11c4:20190630.

2019-06-24  7.0.8-51 Cristy  <quetzlzacatenango@image...>
  * Clone rather than copy X window name/icon.
  * Optimize PDF reader.

2019-06-23  7.0.8-50 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.8-50, GIT revision 15778:4a60519:20190623

2019-06-14  7.0.8-50 Dirk Lemstra <dirk@lem.....org>
  * Added support for reading all images from a HEIC image (reference
    ImageMagick/ImageMagick#1391).
  * Heap-buffer-overflow in MagickCore/fourier.c (reference
    ImageMagick/ImageMagick#1588).
  * Fixed a number of issues (reference
    https://imagemagick.org/discourse-server/viewforum.php?f=3).
  * Fixed a number of issues (reference
    https://github.com/ImageMagick/ImageMagick/issues).

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Jul 23, 2019

Pullup ticket #6007 - requested by nia
graphics/ImageMagick: security fix

Revisions pulled up:
- graphics/ImageMagick/Makefile.common                          1.191
- graphics/ImageMagick/distinfo                                 1.208

---
   Module Name:    pkgsrc
   Committed By:   nia
   Date:           Fri Jul 19 09:12:13 UTC 2019

   Modified Files:
       pkgsrc/graphics/ImageMagick: Makefile.common distinfo

   Log Message:
   ImageMagick: Update to 7.0.8-54

   This update contains a number of security fixes.

   2019-07-16  7.0.8-54 Cristy  <quetzlzacatenango@image...>
     * Release ImageMagick version 7.0.8-54, GIT revision 15916:e868e22:20190716.

   2019-07-08  7.0.8-54 Cristy  <quetzlzacatenango@image...>
     * resolve division by zero (reference
       ImageMagick/ImageMagick#1629).
     * introducing MagickLevelImageColors() MagickWand method.
     * Transient problem with text placement with gravity (reference
       ImageMagick/ImageMagick#1633).
     * Support TIM2 image format (reference
       ImageMagick/ImageMagick#1571).
     * For -magnify option, specify an alternative scaling method with -define
       magnify:method=method, choose from these methods: eagle2X, eagle3X,
       eagle3XB, epb2X, fish2X, hq2X, scale2X (default), scale3X, xbr2X.

   2019-07-05  7.0.8-53 Cristy  <quetzlzacatenango@image...>
     * Release ImageMagick version 7.0.8-53, GIT revision 15828:f5d59c0:20190705.

   2019-07-05  7.0.8-53 Cristy  <quetzlzacatenango@image...>
     * Fix -fx parsing issue (reference
       https://imagemagick.org/discourse-server/viewtopic.php?f=3&t=36314).

   2019-07-05  7.0.8-52 Cristy  <quetzlzacatenango@image...>
     * Release ImageMagick version 7.0.8-52, GIT revision 15825:ea47310:20190705.

   2019-07-01  7.0.8-52 Cristy  <quetzlzacatenango@image...>
     * Eliminate buffer overflow in TranslateEvent() (reference
       ImageMagick/ImageMagick#1621).

   2019-06-30  7.0.8-51 Cristy  <quetzlzacatenango@image...>
     * Release ImageMagick version 7.0.8-51, GIT revision 15812:51f11c4:20190630.

   2019-06-24  7.0.8-51 Cristy  <quetzlzacatenango@image...>
     * Clone rather than copy X window name/icon.
     * Optimize PDF reader.

   2019-06-23  7.0.8-50 Cristy  <quetzlzacatenango@image...>
     * Release ImageMagick version 7.0.8-50, GIT revision 15778:4a60519:20190623

   2019-06-14  7.0.8-50 Dirk Lemstra <dirk@lem.....org>
     * Added support for reading all images from a HEIC image (reference
       ImageMagick/ImageMagick#1391).
     * Heap-buffer-overflow in MagickCore/fourier.c (reference
       ImageMagick/ImageMagick#1588).
     * Fixed a number of issues (reference
       https://imagemagick.org/discourse-server/viewforum.php?f=3).
     * Fixed a number of issues (reference
       https://github.com/ImageMagick/ImageMagick/issues).