
heap-buffer-overflow at MagickCore/pixel-accessor.h:804:56 in SetPixelViaPixelInfo #1611

Closed
SuhwanSong opened this issue Jun 21, 2019 · 2 comments


SuhwanSong commented Jun 21, 2019

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

There's a heap-buffer-overflow at MagickCore/pixel-accessor.h:804:56 in SetPixelViaPixelInfo.

Steps to Reproduce

run_cmd:
magick -seed 0 "(" magick:netscape -random-threshold 66x4 -resize 72%+20-45 ")" "(" magick:netscape -shear 40 -enhance ")" tmp

Here's the ASAN log.

=================================================================
==6928==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7faaff40fa80 at pc 0x7fab0dddcb45 bp 0x7fff3e3ee2b0 sp 0x7fff3e3ee2a8
WRITE of size 4 at 0x7faaff40fa80 thread T0
    #0 0x7fab0dddcb44 in SetPixelViaPixelInfo ./MagickCore/pixel-accessor.h:804:56
    #1 0x7fab0ddf1234 in EnhanceImage MagickCore/enhance.c:1976:7
    #2 0x7fab0d63a171 in CLISimpleOperatorImage MagickWand/operation.c:2284:21
    #3 0x7fab0d632c78 in CLISimpleOperatorImages MagickWand/operation.c:3685:12
    #4 0x7fab0d658315 in CLIOption MagickWand/operation.c:5273:16
    #5 0x7fab0d499a99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #6 0x7fab0d49ad0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #7 0x7fab0d4e4ba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #8 0x526f95 in MagickMain utilities/magick.c:149:10
    #9 0x5268e1 in main utilities/magick.c:180:10
    #10 0x7fab07f5bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #11 0x41b069 in _start (install/bin/magick+0x41b069)

0x7faaff40fa80 is located 0 bytes to the right of 905856-byte region [0x7faaff332800,0x7faaff40fa80)
allocated by thread T0 here:
    #0 0x4e6200 in __interceptor_posix_memalign (install/bin/magick+0x4e6200)
    #1 0x7fab0ded3ed6 in AcquireAlignedMemory MagickCore/memory.c:265:7
    #2 0x7fab0dc1c61c in OpenPixelCache MagickCore/cache.c:3728:46
    #3 0x7fab0dc22901 in GetImagePixelCache MagickCore/cache.c:1754:18
    #4 0x7fab0dc28bc9 in SyncImagePixelCache MagickCore/cache.c:5488:28
    #5 0x7fab0de87831 in SetImageStorageClass MagickCore/image.c:2627:10
    #6 0x7fab0dde375f in EnhanceImage MagickCore/enhance.c:1891:7
    #7 0x7fab0d63a171 in CLISimpleOperatorImage MagickWand/operation.c:2284:21
    #8 0x7fab0d632c78 in CLISimpleOperatorImages MagickWand/operation.c:3685:12
    #9 0x7fab0d658315 in CLIOption MagickWand/operation.c:5273:16
    #10 0x7fab0d499a99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #11 0x7fab0d49ad0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #12 0x7fab0d4e4ba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #13 0x526f95 in MagickMain utilities/magick.c:149:10
    #14 0x5268e1 in main utilities/magick.c:180:10
    #15 0x7fab07f5bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow ./MagickCore/pixel-accessor.h:804:56 in SetPixelViaPixelInfo

System Configuration

  • ImageMagick version:
    Version: ImageMagick 7.0.8-50 Q16 x86_64 2019-06-21 https://imagemagick.org

  • Environment (Operating system, version and so on):
    Description: Ubuntu 18.04.1 LTS
    Release: 18.04
    Codename: bionic

  • Additional information:
    CC=clang-7 CXX=clang++-7 ./configure --disable-openmp
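The ASAN report above carries everything a triager needs (bug class, access width, faulting frame, the heap region and where it was allocated), but it is easy to misread by eye. The following is an added example, not code from the issue or from ImageMagick: a small Python parser that extracts those fields and derives two facts the raw text only implies, namely that the region's bounds agree with its stated size (so the report was not truncated when pasted) and how far the 4-byte write actually reaches past the end of the 905856-byte region. The sample input is the report from this issue trimmed to three frames per stack; the rule that skips `__interceptor_`/`__asan_` frames to find the first project frame is an assumption of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the ASAN report quoted in this issue, trimmed to three frames
# per stack. Addresses, sizes and symbols are exactly as printed in the issue.
SAMPLE_REPORT = """\
==6928==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7faaff40fa80 at pc 0x7fab0dddcb45 bp 0x7fff3e3ee2b0 sp 0x7fff3e3ee2a8
WRITE of size 4 at 0x7faaff40fa80 thread T0
    #0 0x7fab0dddcb44 in SetPixelViaPixelInfo ./MagickCore/pixel-accessor.h:804:56
    #1 0x7fab0ddf1234 in EnhanceImage MagickCore/enhance.c:1976:7
    #2 0x7fab0d63a171 in CLISimpleOperatorImage MagickWand/operation.c:2284:21

0x7faaff40fa80 is located 0 bytes to the right of 905856-byte region [0x7faaff332800,0x7faaff40fa80)
allocated by thread T0 here:
    #0 0x4e6200 in __interceptor_posix_memalign (install/bin/magick+0x4e6200)
    #1 0x7fab0ded3ed6 in AcquireAlignedMemory MagickCore/memory.c:265:7
    #2 0x7fab0dc1c61c in OpenPixelCache MagickCore/cache.c:3728:46

SUMMARY: AddressSanitizer: heap-buffer-overflow ./MagickCore/pixel-accessor.h:804:56 in SetPixelViaPixelInfo
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread T\d+")
FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)")
REGION = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                    r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
ALLOC_BY = re.compile(r"^allocated by thread T\d+ here:")


@dataclass
class Frame:
    index: int
    func: str
    location: str  # file:line:col, or (binary+offset) when not symbolized


@dataclass
class AsanReport:
    bug_type: str = ""
    address: int = 0
    access: str = ""      # READ or WRITE
    size: int = 0         # width of the faulting access, in bytes
    fault_frames: List[Frame] = field(default_factory=list)
    alloc_frames: List[Frame] = field(default_factory=list)
    offset: int = 0       # distance from the address to the region edge
    side: str = ""        # "right" = past the end, "left" = before the start
    region_size: int = 0
    region_start: int = 0
    region_end: int = 0


def parse_asan_report(text: str) -> AsanReport:
    """Single pass over the report; `stack` selects which frame list is being filled."""
    r = AsanReport()
    stack: Optional[List[Frame]] = None
    for line in text.splitlines():
        if m := HEADER.search(line):
            r.bug_type, r.address = m.group(1), int(m.group(2), 16)
        elif m := ACCESS.match(line):
            r.access, r.size = m.group(1), int(m.group(2))
            stack = r.fault_frames      # frames that follow are the faulting stack
        elif m := REGION.search(line):
            r.offset, r.side, r.region_size = int(m.group(1)), m.group(2), int(m.group(3))
            r.region_start, r.region_end = int(m.group(4), 16), int(m.group(5), 16)
            stack = None
        elif ALLOC_BY.match(line):
            stack = r.alloc_frames      # frames that follow are the allocation stack
        elif (m := FRAME.match(line)) and stack is not None:
            stack.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return r


def region_consistent(r: AsanReport) -> bool:
    """Bounds must match the stated size; otherwise the pasted report was mangled."""
    return r.region_end - r.region_start == r.region_size


def overrun_extent(r: AsanReport) -> int:
    """Bytes of memory touched outside the region. "0 bytes to the right" only
    describes the start of the access; a 4-byte write there clobbers 4 bytes
    of whatever follows the allocation."""
    if r.side == "right":
        return r.address + r.size - r.region_end
    return r.region_start - r.address


def first_project_frame(frames: List[Frame]) -> Optional[Frame]:
    """Assumption: the first frame that is not an ASAN interceptor is project code."""
    return next((f for f in frames if not f.func.startswith(("__interceptor_", "__asan_"))), None)


def summarize(r: AsanReport) -> str:
    """One-line triage summary of the kind recorded in a tracking ticket."""
    fault = r.fault_frames[0]
    caller = r.fault_frames[1].func if len(r.fault_frames) > 1 else "?"
    alloc = first_project_frame(r.alloc_frames)
    where = f"{alloc.func} ({alloc.location})" if alloc else "unknown"
    return (f"{r.bug_type}: {r.access} of {r.size} bytes {r.offset} bytes to the {r.side} of a "
            f"{r.region_size}-byte heap region, reaching {overrun_extent(r)} bytes outside it; "
            f"fault in {fault.func} ({fault.location}) called from {caller}; region allocated by {where}")
```

Running `print(summarize(parse_asan_report(SAMPLE_REPORT)))` yields the single line a triager would file: a 4-byte write starting exactly at the end of the pixel cache allocation, faulting in SetPixelViaPixelInfo on behalf of EnhanceImage, with the buffer coming from AcquireAlignedMemory. The consistency check matters in practice because ASAN reports copied from terminals are often truncated or line-wrapped, which silently changes the region arithmetic.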

@urban-warrior
Contributor

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@dlemstra dlemstra added the bug label Jun 22, 2019
@dlemstra dlemstra added this to the 7.0.8-50 milestone Jun 22, 2019

nohmask commented Jul 8, 2019

This was assigned CVE-2019-13298.
