heap-buffer-overflow at MagickCore/pixel-accessor.h:116:10 in GetPixelChannel #1610

SuhwanSong opened this issue Jun 21, 2019 · 6 comments

@SuhwanSong

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

There's a heap-buffer-overflow at MagickCore/pixel-accessor.h:116:10 in GetPixelChannel.

Steps to Reproduce

run_cmd:
magick -seed 0 "(" magick:netscape -monochrome ")" "(" magick:netscape +repage ")" -geometry 433%-80-57 -adjoin -evaluate-sequence Median tmp

Here's the ASAN log.

==30168==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7febb7ba1400 at pc 0x7febc5808632 bp 0x7ffd269baff0 sp 0x7ffd269bafe8
READ of size 4 at 0x7febb7ba1400 thread T0
    #0 0x7febc5808631 in GetPixelChannel ./MagickCore/pixel-accessor.h:116:10
    #1 0x7febc5805ff6 in EvaluateImages MagickCore/statistic.c:587:33
    #2 0x7febc4e1a5bf in CLIListOperatorImages MagickWand/operation.c:4084:22
    #3 0x7febc4e2435e in CLIOption MagickWand/operation.c:5279:14
    #4 0x7febc4c65a99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #5 0x7febc4c66d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #6 0x7febc4cb0ba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #7 0x526f95 in MagickMain utilities/magick.c:149:10
    #8 0x5268e1 in main utilities/magick.c:180:10
    #9 0x7febbf727b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #10 0x41b069 in _start (install/bin/magick+0x41b069)

0x7febb7ba1400 is located 0 bytes to the right of 248832-byte region [0x7febb7b64800,0x7febb7ba1400)
allocated by thread T0 here:
    #0 0x4e6200 in __interceptor_posix_memalign (install/bin/magick+0x4e6200)
    #1 0x7febc569fed6 in AcquireAlignedMemory MagickCore/memory.c:265:7
    #2 0x7febc53e861c in OpenPixelCache MagickCore/cache.c:3728:46
    #3 0x7febc53ee901 in GetImagePixelCache MagickCore/cache.c:1754:18
    #4 0x7febc53f4bc9 in SyncImagePixelCache MagickCore/cache.c:5488:28
    #5 0x7febc5653831 in SetImageStorageClass MagickCore/image.c:2627:10
    #6 0x7febc54187e2 in AcquireImageColormap MagickCore/colormap.c:144:10
    #7 0x7febc575d137 in AssignImageColors MagickCore/quantize.c:514:7
    #8 0x7febc5753f38 in QuantizeImage MagickCore/quantize.c:2724:14
    #9 0x7febc53ae56c in SetImageType MagickCore/attribute.c:1495:14
    #10 0x7febc4e0cace in CLISimpleOperatorImage MagickWand/operation.c:2792:18
    #11 0x7febc4dfec78 in CLISimpleOperatorImages MagickWand/operation.c:3685:12
    #12 0x7febc4e24315 in CLIOption MagickWand/operation.c:5273:16
    #13 0x7febc4c65a99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #14 0x7febc4c66d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #15 0x7febc4cb0ba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #16 0x526f95 in MagickMain utilities/magick.c:149:10
    #17 0x5268e1 in main utilities/magick.c:180:10
    #18 0x7febbf727b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow ./MagickCore/pixel-accessor.h:116:10 in GetPixelChannel

System Configuration

  • ImageMagick version:
    Version: ImageMagick 7.0.8-50 Q16 x86_64 2019-06-21 https://imagemagick.org

  • Environment (Operating system, version and so on):
    Description: Ubuntu 18.04.1 LTS
    Release: 18.04
    Codename: bionic

  • Additional information:
    CC=clang-7 CXX=clang++-7 ./configure --disable-openmp
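The trace above shows EvaluateImages reading one element past the end of a pixel cache while evaluating a sequence. As an added illustration that is not ImageMagick's code (the Image, GetSample and SequenceMedian names are hypothetical), the simplified sequence-median below shows the geometry check that keeps such a loop inside every image's buffer, and refuses a sequence whose images differ in size or channel count rather than indexing past the smaller one.

```c
/* Added example, not ImageMagick's code: a minimal "median across a sequence"
 * in the spirit of -evaluate-sequence Median. The up-front geometry check is the
 * point: driving image i with image 0's geometry runs past a smaller buffer. */
#include <stddef.h>
#include <stdlib.h>
typedef struct { size_t columns, rows, channels; unsigned short *pixels; } Image;

/* Hypothetical unchecked accessor: the caller owns the in-bounds invariant. */
static unsigned short GetSample(const Image *im, size_t x, size_t y, size_t c) {
  return im->pixels[(y * im->columns + x) * im->channels + c];
}
static int CompareSample(const void *a, const void *b) {
  return (int)*(const unsigned short *)a - (int)*(const unsigned short *)b;
}
/* Returns 0 on success, -1 for an empty or geometrically non-uniform sequence. */
int SequenceMedian(const Image *seq, size_t n, Image *out) {
  if (n == 0) return -1;
  for (size_t i = 1; i < n; i++)
    if (seq[i].columns != seq[0].columns || seq[i].rows != seq[0].rows ||
        seq[i].channels != seq[0].channels)
      return -1;  /* refuse mismatched input instead of overflowing */
  *out = seq[0];
  size_t samples = out->rows * out->columns * out->channels;
  out->pixels = malloc(samples * sizeof *out->pixels);
  unsigned short *stack = malloc(n * sizeof *stack);
  if (out->pixels == NULL || stack == NULL) { free(out->pixels); free(stack); return -1; }
  for (size_t y = 0; y < out->rows; y++)
    for (size_t x = 0; x < out->columns; x++)
      for (size_t c = 0; c < out->channels; c++) {
        for (size_t i = 0; i < n; i++) stack[i] = GetSample(&seq[i], x, y, c);
        qsort(stack, n, sizeof *stack, CompareSample);
        out->pixels[(y * out->columns + x) * out->channels + c] = stack[n / 2];
      }
  free(stack);
  return 0;
}

/* Constructed samples: three uniform 2x1 images (median at pixel 0 is 20), and
 * a pair whose second image is wider, as a -geometry step can produce. */
int DemoUniformMedian(void) {
  unsigned short p0[] = {10, 5}, p1[] = {30, 6}, p2[] = {20, 7};
  Image seq[3] = {{2, 1, 1, p0}, {2, 1, 1, p1}, {2, 1, 1, p2}}, out;
  if (SequenceMedian(seq, 3, &out) != 0) return -1;
  int v = out.pixels[0]; free(out.pixels); return v;
}
int DemoMismatchRejected(void) {
  unsigned short p0[] = {1, 2}, p1[] = {3, 4, 5, 6};
  Image seq[2] = {{2, 1, 1, p0}, {4, 1, 1, p1}}, out;
  return SequenceMedian(seq, 2, &out);
}
```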

@urban-warrior
Contributor

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@nohmask

nohmask commented Jul 8, 2019

This was assigned CVE-2019-13299.

@Kirill200889

Hi, I noticed that the fixing commit isn't included in the releases, only in master. Are all versions still vulnerable if I download the files from GitHub?

@urban-warrior
Contributor

The patch is in the current release. Download the latest release, run your POC, if it fails, let us know.

@Kirill200889

I can't understand something.
This issue was fixed by 8187d2d
and issue 1611 was fixed by d4fc44b.
These two commits together cancel each other out at "MagickCore/pixel-accessor.h",
so does that mean this issue 1610 was never fixed?

@urban-warrior
Contributor

The POC is no longer triggered suggesting our patch mitigated the vulnerability and the issue is fixed. Can you still reproduce the problem in the latest releases of ImageMagick?
