
heap-buffer-overflow in MagickCore/fourier.c:299:18 in ComplexImage #1595

Closed
3 tasks done
SuhwanSong opened this issue Jun 17, 2019 · 3 comments

@SuhwanSong

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

There's a heap-buffer-overflow in MagickCore/fourier.c:299:18 in ComplexImage, and I compiled the latest version with the --disable-openmp option.

Steps to Reproduce

Run this command:
magick -seed 0 -mattecolor rgb"("225,230,14")" -debug Configure "(" magick:wizard +repage ")" "(" magick:netscape +repage ")" -fuzz 82 -caption "j$Y%Be" -blue-primary 727,475 -crop 405%-43-16 -crop 832x886>+11-13 -complex magnitude-phase tmp

and also this command:
magick -seed 0 "(" magick:netscape +repage ")" "(" magick:wizard -resample 24x44 -resample 47x83 ")" "(" magick:netscape -charcoal 4 -random-threshold 42x71 -shade 81x21 ")" -complex magnitude-phase tmp112

Here's the ASAN result.

==9231==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd97efce800 at pc 0x7fd98dbdd221 bp 0x7ffff99e9790 sp 0x7ffff99e9788
WRITE of size 4 at 0x7fd97efce800 thread T0
    #0 0x7fd98dbdd220 in ComplexImages MagickCore/fourier.c:299:18
    #1 0x7fd98d4038c1 in CLIListOperatorImages MagickWand/operation.c:3890:22
    #2 0x7fd98d40f34e in CLIOption MagickWand/operation.c:5276:14
    #3 0x7fd98d250a99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #4 0x7fd98d251d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #5 0x7fd98d29bba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #6 0x526f95 in MagickMain utilities/magick.c:149:10
    #7 0x5268e1 in main utilities/magick.c:180:10
    #8 0x7fd987d12b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x41b069 in _start (install/bin/magick+0x41b069)

0x7fd97efce800 is located 0 bytes to the right of 3686400-byte region [0x7fd97ec4a800,0x7fd97efce800)
allocated by thread T0 here:
    #0 0x4e6200 in __interceptor_posix_memalign (install/bin/magick+0x4e6200)
    #1 0x7fd98dc8a666 in AcquireAlignedMemory MagickCore/memory.c:265:7
    #2 0x7fd98d9d36ac in OpenPixelCache MagickCore/cache.c:3728:46
    #3 0x7fd98d9d9991 in GetImagePixelCache MagickCore/cache.c:1754:18
    #4 0x7fd98d9dfc59 in SyncImagePixelCache MagickCore/cache.c:5494:28
    #5 0x7fd98dc3dfc1 in SetImageStorageClass MagickCore/image.c:2627:10
    #6 0x7fd98dbdb4f7 in ComplexImages MagickCore/fourier.c:185:7
    #7 0x7fd98d4038c1 in CLIListOperatorImages MagickWand/operation.c:3890:22
    #8 0x7fd98d40f34e in CLIOption MagickWand/operation.c:5276:14
    #9 0x7fd98d250a99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #10 0x7fd98d251d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #11 0x7fd98d29bba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #12 0x526f95 in MagickMain utilities/magick.c:149:10
    #13 0x5268e1 in main utilities/magick.c:180:10
    #14 0x7fd987d12b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/fourier.c:299:18 in ComplexImages

System Configuration

  • ImageMagick version:
    Version: ImageMagick 7.0.8-50 Q16 x86_64 2019-06-17 https://imagemagick.org

  • Environment (Operating system, version and so on):
    Description: Ubuntu 18.04.1 LTS
    Release: 18.04
    Codename: bionic

  • Additional information:
    CC=clang-7 CXX=clang++-7 ./configure --disable-openmp

@urban-warrior
Member

urban-warrior commented Jun 17, 2019

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@dlemstra dlemstra added the bug label Jun 26, 2019
@dlemstra dlemstra added this to the 7.0.8-50 milestone Jun 26, 2019
@nohmask

nohmask commented Jul 8, 2019

This was assigned CVE-2019-13308.

@hlef

hlef commented Aug 13, 2019

I wonder... in ImageMagick/ImageMagick6@19651f3 why is this change

-          if (images->matte != MagickFalse)
+          if (Cr_image->matte != MagickFalse)
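Review bot: the hunk changes only which image's matte flag gates the alpha write, from the list head `images` to `Cr_image`, and as posted it carries no `@@` header or context lines, so a reader cannot see which operator case encloses it; when citing the commit, include the enclosing hunk. The destination's own flag is the right subject for a guard that decides whether an alpha value is written into that destination, so if the other operator cases named in the question still test `images->matte`, they deserve the same review, and the commit message should state the rationale for applying the change to one case only.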

only applied to SubtractComplexOperator and not to other operators such as RealImaginaryComplexOperator or MultiplyComplexOperator? Is this intentional?
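The ASAN output above places the 4-byte write 0 bytes past a 3686400-byte pixel cache, a size consistent with 640x480 pixels of three 4-byte channels, i.e. a destination with no alpha slot receiving a fourth-channel write, and hlef's diff moves the alpha gate from the input list head (`images`) to the destination (`Cr_image`). The C model below is added here and is not ImageMagick's code (the `Image` struct, `AcquireImage`, `StoreChannel` and `ComplexOperator` are constructed stand-ins); it counts, rather than performs, the misdirected writes each gating choice produces.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed model of an ImageMagick-style image (not the real structs):
   the pixel cache is sized from the image's OWN channel count, 3 without
   alpha and 4 with, as OpenPixelCache did for Cr_image in the report. */
typedef struct {
  size_t columns, rows, channels, length; /* length = floats allocated */
  bool   matte;                           /* alpha channel present */
  float *pixels;
} Image;
typedef struct { size_t clobbered, oob; } WriteStats;

static Image *AcquireImage(size_t columns, size_t rows, bool matte) {
  Image *image = calloc(1, sizeof *image);
  if (image == NULL) return NULL;
  image->columns = columns; image->rows = rows; image->matte = matte;
  image->channels = matte ? 4 : 3;
  image->length = columns * rows * image->channels;
  image->pixels = calloc(image->length, sizeof *image->pixels);
  if (image->pixels == NULL) { free(image); return NULL; }
  return image;
}

/* Stores channel c of pixel (x,y). Rather than writing blindly it records
   whether the slot belongs to a neighbouring pixel (silent corruption) or
   lies past the end of the cache (the heap-buffer-overflow ASAN reported). */
static void StoreChannel(Image *image, size_t x, size_t y, size_t c,
                         float value, WriteStats *stats) {
  size_t offset = (y * image->columns + x) * image->channels + c;
  if (offset >= image->length) { stats->oob++; return; }
  if (c >= image->channels) stats->clobbered++;
  image->pixels[offset] = value;
}

/* Complex-style loop over the destination Cr_image. gate_on_source decides
   the alpha write by images->matte (input list head, the pre-fix logic);
   otherwise by Cr_image->matte, as in the commit hlef cites. */
static WriteStats ComplexOperator(const Image *images, Image *Cr_image,
                                  bool gate_on_source) {
  WriteStats stats = {0, 0};
  bool write_alpha = gate_on_source ? images->matte : Cr_image->matte;
  for (size_t y = 0; y < Cr_image->rows; y++)
    for (size_t x = 0; x < Cr_image->columns; x++) {
      for (size_t c = 0; c < 3; c++) StoreChannel(Cr_image, x, y, c, 0.5f, &stats);
      if (write_alpha) StoreChannel(Cr_image, x, y, 3, 1.0f, &stats);
    }
  return stats;
}
```

With a 640x480 alpha-carrying source and an alpha-less destination, the source-gated loop misdirects every pixel's fourth channel into its neighbour and the final one lands exactly at the end of the cache, matching the "0 bytes to the right" in the report; gating on the destination produces no misdirected writes.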
