
heap-buffer-overflow in MagickCore/composite.c:666:45 in CompositeImage #1603

Closed
3 tasks done
SuhwanSong opened this issue Jun 18, 2019 · 2 comments

Comments

@SuhwanSong

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

There's a heap-buffer-overflow in MagickCore/composite.c:666:45 in CompositeImage.
I compiled ImageMagick with --disable-openmp option.

Steps to Reproduce

run_cmd:
magick -seed 0 -sampling-factor 3.307x3.198 "(" magick:granite +repage ")" "(" magick:rose +repage ")" "(" magick:rose +repage ")" -encoding AdobeStandard -extract 285x52^-70-70 -region 75x310-64-51 -evaluate-sequence Min -layers compare-overlay tmp

and run this cmd:
magick -seed 0 "(" magick:logo -region 306%-74-69 -lat 886 ")" "(" magick:netscape -level 64 ")" "(" magick:granite -opaque rgb"("12,57,57")" -modulate 94,59,3 -frame 4%-82+23 ")" -comment "B>%C%o" -style Any -layers compare-any tmp

Here's the ASAN result.

==5479==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x626000008900 at pc 0x7f9c528f0e7d bp 0x7ffd8cc41710 sp 0x7ffd8cc41708
READ of size 4 at 0x626000008900 thread T0
    #0 0x7f9c528f0e7c in CompositeImage MagickCore/composite.c:666:45
    #1 0x7f9c52b23aa0 in CompareImagesLayers MagickCore/layer.c:792:10
    #2 0x7f9c522d035c in CLIListOperatorImages MagickWand/operation.c:4199:26
    #3 0x7f9c522d934e in CLIOption MagickWand/operation.c:5276:14
    #4 0x7f9c5211aa99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #5 0x7f9c5211bd0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #6 0x7f9c52165ba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #7 0x526f95 in MagickMain utilities/magick.c:149:10
    #8 0x5268e1 in main utilities/magick.c:180:10
    #9 0x7f9c4cbdcb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #10 0x41b069 in _start (install/bin/magick+0x41b069)

0x626000008900 is located 0 bytes to the right of 10240-byte region [0x626000006100,0x626000008900)
allocated by thread T0 here:
    #0 0x4e6200 in __interceptor_posix_memalign (install/bin/magick+0x4e6200)
    #1 0x7f9c52b54f66 in AcquireAlignedMemory MagickCore/memory.c:265:7
    #2 0x7f9c528abd5c in AcquireCacheNexusPixels MagickCore/cache.c:4968:37
    #3 0x7f9c528991c4 in SetPixelCacheNexusPixels MagickCore/cache.c:5076:12
    #4 0x7f9c52890b05 in GetVirtualPixelCacheNexus MagickCore/cache.c:2751:10
    #5 0x7f9c528aef36 in GetCacheViewVirtualPixels MagickCore/cache-view.c:664:10
    #6 0x7f9c528f0bae in CompositeImage MagickCore/composite.c:637:11
    #7 0x7f9c52b23aa0 in CompareImagesLayers MagickCore/layer.c:792:10
    #8 0x7f9c522d035c in CLIListOperatorImages MagickWand/operation.c:4199:26
    #9 0x7f9c522d934e in CLIOption MagickWand/operation.c:5276:14
    #10 0x7f9c5211aa99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #11 0x7f9c5211bd0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #12 0x7f9c52165ba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #13 0x526f95 in MagickMain utilities/magick.c:149:10
    #14 0x5268e1 in main utilities/magick.c:180:10
    #15 0x7f9c4cbdcb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/composite.c:666:45 in CompositeImage

System Configuration

  • ImageMagick version:
    Version: ImageMagick 7.0.8-50 Q16 x86_64 2019-06-18 https://imagemagick.org

  • Environment (Operating system, version and so on):
    Description: Ubuntu 18.04.1 LTS
    Release: 18.04
    Codename: bionic

  • Additional information:
    CC=clang-7 CXX=clang++-7 ./configure --disable-openmp
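As an added triage aid (not part of this issue and not ImageMagick code), the script below parses an AddressSanitizer report of the shape quoted above and extracts what a maintainer needs first: bug class, access kind and size, how far the access lands from the allocated region, the first non-interceptor frame of the faulting stack and of the allocating stack, and whether the primitive is a read or a write. The sample input is the report from this issue, trimmed to a few frames; the frame-skipping prefixes and the impact wording are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the AddressSanitizer report quoted in the issue,
# trimmed to the frames needed for triage.
SAMPLE_REPORT = """\
==5479==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x626000008900 at pc 0x7f9c528f0e7d bp 0x7ffd8cc41710 sp 0x7ffd8cc41708
READ of size 4 at 0x626000008900 thread T0
    #0 0x7f9c528f0e7c in CompositeImage MagickCore/composite.c:666:45
    #1 0x7f9c52b23aa0 in CompareImagesLayers MagickCore/layer.c:792:10
    #2 0x7f9c522d035c in CLIListOperatorImages MagickWand/operation.c:4199:26

0x626000008900 is located 0 bytes to the right of 10240-byte region [0x626000006100,0x626000008900)
allocated by thread T0 here:
    #0 0x4e6200 in __interceptor_posix_memalign (install/bin/magick+0x4e6200)
    #1 0x7f9c52b54f66 in AcquireAlignedMemory MagickCore/memory.c:265:7
    #2 0x7f9c528abd5c in AcquireCacheNexusPixels MagickCore/cache.c:4968:37

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/composite.c:666:45 in CompositeImage
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^\s*(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+)")
REGION_RE = re.compile(
    r"is located (\d+) bytes (to the right of|to the left of|inside of) "
    r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)"
)
# Assumed prefixes of sanitizer/libc interceptor frames that carry no project context.
INTERCEPTOR_PREFIXES = ("__interceptor_", "__asan_", "__sanitizer_", "__lsan_")


@dataclass
class AsanTriage:
    bug_class: str
    access_kind: str
    access_size: int
    access_addr: int
    region_start: int
    region_size: int
    distance: int      # bytes between the access and the region, as ASan reports it
    position: str      # "to the right of", "to the left of" or "inside of"
    fault_site: str    # first project frame of the faulting stack (func@file:line:col)
    alloc_site: str    # first project frame of the allocating stack

    @property
    def bytes_past_end(self):
        """How many bytes of the access lie beyond the end of the region (0 if none)."""
        region_end = self.region_start + self.region_size
        return max(0, self.access_addr + self.access_size - region_end)

    def impact(self):
        """Coarse impact class for prioritisation (assumed wording)."""
        if self.access_kind == "WRITE":
            return "out-of-bounds write: heap memory corruption"
        return "out-of-bounds read: crash or information disclosure, no direct memory corruption"


def first_user_frame(frames):
    """Return the first frame that is not a sanitizer interceptor."""
    for func, loc in frames:
        if not func.startswith(INTERCEPTOR_PREFIXES):
            return f"{func}@{loc}"
    return "unknown"


def parse_asan_report(text):
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no AddressSanitizer error header found")
    bug_class, header_addr = header.group(1), int(header.group(2), 16)

    access, current = None, None
    stacks = {"access": [], "alloc": []}
    for line in text.splitlines():
        am = ACCESS_RE.match(line)
        if am:
            access = (am.group(1), int(am.group(2)), int(am.group(3), 16))
            current = "access"
            continue
        if line.startswith("allocated by"):
            current = "alloc"
            continue
        if not line.strip():
            current = None          # a blank line ends a stack section
            continue
        fm = FRAME_RE.match(line)
        if fm and current:
            stacks[current].append((fm.group(2), fm.group(3)))

    if access is None:
        raise ValueError("no READ/WRITE line found (truncated report?)")
    kind, size, addr = access
    if addr != header_addr:
        raise ValueError("access address disagrees with header; report may be interleaved")

    region = REGION_RE.search(text)
    if region is None:
        raise ValueError("no region description found")
    start, end = int(region.group(4), 16), int(region.group(5), 16)
    size_field = int(region.group(3))
    if end - start != size_field:
        raise ValueError("region bounds do not match the stated region size")

    return AsanTriage(bug_class, kind, size, addr, start, size_field,
                      int(region.group(1)), region.group(2),
                      first_user_frame(stacks["access"]),
                      first_user_frame(stacks["alloc"]))


def summarize(t):
    return (f"{t.bug_class}: {t.access_kind} of {t.access_size} bytes, {t.distance} bytes "
            f"{t.position} a {t.region_size}-byte heap region ({t.bytes_past_end} bytes past its end); "
            f"fault at {t.fault_site}; region allocated at {t.alloc_site}; {t.impact()}")


if __name__ == "__main__":
    print(summarize(parse_asan_report(SAMPLE_REPORT)))
```

Run on the report above it reports a 4-byte READ that starts exactly at the end of a 10240-byte region allocated by AcquireAlignedMemory, i.e. a one-pixel-channel read past the end of a pixel cache buffer; the address and region-size consistency checks catch the common case where two ASan reports from parallel runs are interleaved in one log.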

@urban-warrior
Member

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@nohmask

nohmask commented Jul 8, 2019

This was assigned CVE-2019-13303.

No branches or pull requests

4 participants