heap-buffer-overflow in MagickCore/fourier.c:305:45 in ComplexImages #1597

Closed
3 tasks done
SuhwanSong opened this issue Jun 17, 2019 · 2 comments
@SuhwanSong

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

There's a heap-buffer-overflow in MagickCore/fourier.c:305:45 in ComplexImages.

Steps to Reproduce

run_cmd:

```sh
magick -seed 0 -treedepth 71 "(" magick:logo +repage ")" "(" magick:granite -white-threshold 0% -cycle 256 -lat 815 ")" -bordercolor rgb"("101,151,20")" -blue-primary 638,241 -print "0O." -complex multiply tmp
```

The second one can also trigger it.
cmd:

```sh
magick -seed 0 "(" magick:logo +repage ")" "(" magick:logo +repage ")" -render -size 2872 -complex multiply -quiet tmp
```

Here's the ASAN result.

```
==16842==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e000000a80 at pc 0x7fea5bb0c52f bp 0x7fff5c11c590 sp 0x7fff5c11c588
READ of size 4 at 0x61e000000a80 thread T0
    #0 0x7fea5bb0c52e in ComplexImages MagickCore/fourier.c:305:45
    #1 0x7fea5b3328c1 in CLIListOperatorImages MagickWand/operation.c:3890:22
    #2 0x7fea5b33e34e in CLIOption MagickWand/operation.c:5276:14
    #3 0x7fea5b17fa99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #4 0x7fea5b180d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #5 0x7fea5b1caba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #6 0x526f95 in MagickMain utilities/magick.c:149:10
    #7 0x5268e1 in main utilities/magick.c:180:10
    #8 0x7fea55c41b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x41b069 in _start (install/bin/magick+0x41b069)

0x61e000000a80 is located 0 bytes to the right of 2560-byte region [0x61e000000080,0x61e000000a80)
allocated by thread T0 here:
    #0 0x4e6200 in __interceptor_posix_memalign (install/bin/magick+0x4e6200)
    #1 0x7fea5bbb9666 in AcquireAlignedMemory MagickCore/memory.c:265:7
    #2 0x7fea5b910d5c in AcquireCacheNexusPixels MagickCore/cache.c:4968:37
    #3 0x7fea5b8fe1c4 in SetPixelCacheNexusPixels MagickCore/cache.c:5076:12
    #4 0x7fea5b8f5b05 in GetVirtualPixelCacheNexus MagickCore/cache.c:2751:10
    #5 0x7fea5b913f36 in GetCacheViewVirtualPixels MagickCore/cache-view.c:664:10
    #6 0x7fea5bb0ae5d in ComplexImages MagickCore/fourier.c:250:8
    #7 0x7fea5b3328c1 in CLIListOperatorImages MagickWand/operation.c:3890:22
    #8 0x7fea5b33e34e in CLIOption MagickWand/operation.c:5276:14
    #9 0x7fea5b17fa99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #10 0x7fea5b180d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #11 0x7fea5b1caba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #12 0x526f95 in MagickMain utilities/magick.c:149:10
    #13 0x5268e1 in main utilities/magick.c:180:10
    #14 0x7fea55c41b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/fourier.c:305:45 in ComplexImages
```

Here's the ASAN result for the second cmd.

```
==16863==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f2a0831b800 at pc 0x7f2a1747e649 bp 0x7ffd7c094350 sp 0x7ffd7c094348
WRITE of size 4 at 0x7f2a0831b800 thread T0
    #0 0x7f2a1747e648 in ComplexImages MagickCore/fourier.c:305:18
    #1 0x7f2a16ca48c1 in CLIListOperatorImages MagickWand/operation.c:3890:22
    #2 0x7f2a16cb034e in CLIOption MagickWand/operation.c:5276:14
    #3 0x7f2a16af1a99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #4 0x7f2a16af2d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #5 0x7f2a16b3cba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #6 0x526f95 in MagickMain utilities/magick.c:149:10
    #7 0x5268e1 in main utilities/magick.c:180:10
    #8 0x7f2a115b3b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x41b069 in _start (install/bin/magick+0x41b069)

0x7f2a0831b800 is located 0 bytes to the right of 3686400-byte region [0x7f2a07f97800,0x7f2a0831b800)
allocated by thread T0 here:
    #0 0x4e6200 in __interceptor_posix_memalign (install/bin/magick+0x4e6200)
    #1 0x7f2a1752b666 in AcquireAlignedMemory MagickCore/memory.c:265:7
    #2 0x7f2a172746ac in OpenPixelCache MagickCore/cache.c:3728:46
    #3 0x7f2a1727a991 in GetImagePixelCache MagickCore/cache.c:1754:18
    #4 0x7f2a17280c59 in SyncImagePixelCache MagickCore/cache.c:5494:28
    #5 0x7f2a174defc1 in SetImageStorageClass MagickCore/image.c:2627:10
    #6 0x7f2a1747c4f7 in ComplexImages MagickCore/fourier.c:185:7
    #7 0x7f2a16ca48c1 in CLIListOperatorImages MagickWand/operation.c:3890:22
    #8 0x7f2a16cb034e in CLIOption MagickWand/operation.c:5276:14
    #9 0x7f2a16af1a99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #10 0x7f2a16af2d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #11 0x7f2a16b3cba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #12 0x526f95 in MagickMain utilities/magick.c:149:10
    #13 0x5268e1 in main utilities/magick.c:180:10
    #14 0x7f2a115b3b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/fourier.c:305:18 in ComplexImages
```

Thanks.

System Configuration

  • ImageMagick version:
    Version: ImageMagick 7.0.8-50 Q16 x86_64 2019-06-17 https://imagemagick.org

  • Environment (Operating system, version and so on):
    Description: Ubuntu 18.04.1 LTS
    Release: 18.04
    Codename: bionic

  • Additional information:
    CC=clang-7 CXX=clang++-7 ./configure --disable-openmp
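Both traces above report an access 0 bytes past the end of a pixel buffer inside a pairwise pixel loop, the signature of loop bounds taken from one operand while another, smaller buffer is indexed with them. The following is an added illustrative model in C, not ImageMagick's code and not the fix the maintainers shipped; the `Img` type and the `complex_multiply_*`, `same_geometry` and `demo` names are invented here. It puts the unchecked loop beside a hardened form that rejects mismatched geometries before any pixel is touched.

```c
#include <stddef.h>

/* Illustrative model only, not ImageMagick's code: a one-channel image whose
   samples live in a row-major buffer of columns*rows floats. */
typedef struct { size_t columns, rows; float *pixels; } Img;
/* Bug class the ASAN traces point at: loop bounds taken from the first
   operand alone, so a smaller operand or output is indexed past the end of
   its allocation. Only safe when every buffer has ar's geometry. */
static void complex_multiply_unchecked(const Img *ar, const Img *ai,
                                       const Img *br, const Img *bi,
                                       Img *cr, Img *ci)
{
    for (size_t i = 0; i < ar->rows * ar->columns; i++) {
        cr->pixels[i] = ar->pixels[i]*br->pixels[i] - ai->pixels[i]*bi->pixels[i];
        ci->pixels[i] = ar->pixels[i]*bi->pixels[i] + ai->pixels[i]*br->pixels[i];
    }
}

/* Hardened form: establish the invariant before touching any pixel. Returns 0
   on success, -1 if any of the six images differs in geometry from ar. */
static int same_geometry(const Img *a, const Img *b)
{
    return a->columns == b->columns && a->rows == b->rows;
}

static int complex_multiply_checked(const Img *ar, const Img *ai,
                                    const Img *br, const Img *bi,
                                    Img *cr, Img *ci)
{
    if (!same_geometry(ar, ai) || !same_geometry(ar, br) ||
        !same_geometry(ar, bi) || !same_geometry(ar, cr) ||
        !same_geometry(ar, ci))
        return -1;
    complex_multiply_unchecked(ar, ai, br, bi, cr, ci);
    return 0;
}

/* Constructed inputs: every pixel of A is 1+2i and of B is 3+4i on a 2x2
   grid, so A*B must be -5+10i everywhere. With b_side=1, B is a 1x1 image
   and the checked path refuses instead of reading past B's single sample. */
static float g_cr[4], g_ci[4];
static int demo(size_t b_side, float *re, float *im)
{
    float ar[4] = {1,1,1,1}, ai[4] = {2,2,2,2}, br[4] = {3,3,3,3}, bi[4] = {4,4,4,4};
    Img Ar = {2,2,ar}, Ai = {2,2,ai}, Br = {b_side,b_side,br}, Bi = {b_side,b_side,bi};
    Img Cr = {2,2,g_cr}, Ci = {2,2,g_ci};
    int rc = complex_multiply_checked(&Ar, &Ai, &Br, &Bi, &Cr, &Ci);
    *re = g_cr[3]; *im = g_ci[3];
    return rc;
}
```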

@urban-warrior
Contributor

urban-warrior commented Jun 17, 2019

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@nohmask

nohmask commented Jul 8, 2019

This was assigned CVE-2019-13302.
