
stack-buffer-overflow at coders/pnm.c:1762 in WritePNMImage #1614

Closed
SuhwanSong opened this issue Jun 21, 2019 · 4 comments

@SuhwanSong
Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

There's a stack buffer overflow at coders/pnm.c:1762 in WritePNMImage.

Steps to Reproduce

run_cmd:
magick -seed 0 -render "(" magick:rose -sample 846x913^+16+22 -white-threshold 112 ")" -compress None -adjoin tmp

Here's the ASAN log.

=================================================================
==9828==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcc293daa0 at pc 0x7f71ad7e3477 bp 0x7ffcc293a0f0 sp 0x7ffcc293a0e8
WRITE of size 1 at 0x7ffcc293daa0 thread T0
    #0 0x7f71ad7e3476 in WritePNMImage coders/pnm.c:1762:21
    #1 0x7f71ad07c065 in WriteImage MagickCore/constitute.c:1159:16
    #2 0x7f71ad07cf8c in WriteImages MagickCore/constitute.c:1376:13
    #3 0x7f71aca4050d in CLINoImageOperator MagickWand/operation.c:4796:14
    #4 0x7f71aca441cc in CLIOption MagickWand/operation.c:5258:7
    #5 0x7f71ac885f6d in ProcessCommandOptions MagickWand/magick-cli.c:529:3
    #6 0x7f71ac886d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #7 0x7f71ac8d0ba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #8 0x526f95 in MagickMain utilities/magick.c:149:10
    #9 0x5268e1 in main utilities/magick.c:180:10
    #10 0x7f71a7347b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #11 0x41b069 in _start (install/bin/magick+0x41b069)

Address 0x7ffcc293daa0 is located in stack of thread T0 at offset 14752 in frame
    #0 0x7f71ad7e1daf in WritePNMImage coders/pnm.c:1522

  This frame has 6 object(s):
    [32, 4128) 'buffer' (line 1523)
    [4256, 8352) 'magick' (line 1523)
    [8480, 12576) 'type117' (line 1675)
    [12704, 14752) 'pixels' (line 1736) <== Memory access at offset 14752 overflows this variable
    [14880, 16928) 'pixels255' (line 1788)
    [17056, 19104) 'pixels381' (line 1857)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow coders/pnm.c:1762:21 in WritePNMImage

System Configuration

  • ImageMagick version:
    Version: ImageMagick 7.0.8-50 Q16 x86_64 2019-06-21 https://imagemagick.org

  • Environment (Operating system, version and so on):
    Description: Ubuntu 18.04.1 LTS
    Release: 18.04
    Codename: bionic

  • Additional information:
    CC=clang-7 CXX=clang++-7 ./configure --disable-openmp

urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Jun 22, 2019
@urban-warrior (Member)

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@dlemstra dlemstra added the bug label Jun 22, 2019
@dlemstra dlemstra added this to the 7.0.8-50 milestone Jun 22, 2019
@nohmask

nohmask commented Jul 8, 2019

This was assigned CVE-2019-13304.

@hlef

hlef commented Aug 9, 2019

FYI, there are still quite a few similar one-byte stack-buffer-overflows in this file, e.g.

We are not guaranteed to have enough space in the buffer before writing these \n.

Those are minor issues, no need to request CVE identifiers.

Should I open a separate bug report?
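
The failure mode described in the two reports above (a formatted pixel row filling a fixed-size stack buffer exactly, after which an unconditional `\n` lands one byte past its end) is easiest to see in a small model. The following C program is an added example, not ImageMagick's code and not the patch the maintainers shipped; `PixelWriter`, `Sink`, `pw_append` and the `demo_*` helpers are hypothetical names, and the 2048-byte buffer size is taken from the `pixels` frame object in the ASAN report. `unchecked_overrun` computes, without performing any out-of-bounds write, how many bytes the unchecked pattern would place past the buffer; `pw_append` shows the room check a bounds-safe writer applies before every token, including the trailing newline.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical ASCII PGM row writer (illustration, not ImageMagick code). */

#define PIXEL_BUF 2048          /* same size as the 'pixels' frame object in the ASAN report */

typedef struct { char *out; size_t cap; size_t len; } Sink;

/* Deliver text to the output; the sink truncates rather than overruns. */
static void sink_write(Sink *s, const char *p, size_t n)
{
    if (s->len + n > s->cap)
        n = s->cap - s->len;
    memcpy(s->out + s->len, p, n);
    s->len += n;
}

typedef struct { char buf[PIXEL_BUF]; size_t used; Sink *sink; } PixelWriter;

static void pw_flush(PixelWriter *w)
{
    sink_write(w->sink, w->buf, w->used);
    w->used = 0;
}

/* The safe pattern: check the remaining room before every append, the
   trailing '\n' included, and flush first when the token would not fit. */
static void pw_append(PixelWriter *w, const char *p, size_t n)
{
    if (w->used + n > sizeof w->buf)
        pw_flush(w);
    memcpy(w->buf + w->used, p, n);
    w->used += n;
}

/* Write one row of 8-bit gray samples as "v v v ... \n". */
static void write_gray_row(PixelWriter *w, const unsigned char *px, size_t count)
{
    char tok[8];
    for (size_t i = 0; i < count; i++) {
        int n = snprintf(tok, sizeof tok, "%u ", px[i]);
        pw_append(w, tok, (size_t)n);
    }
    pw_append(w, "\n", 1);      /* the byte an unchecked writer would place past the end */
    pw_flush(w);
}

/* Models the unchecked pattern without performing it: how many bytes would
   land past a PIXEL_BUF buffer if the row plus '\n' were formatted into it
   with no room check. 0 means no overflow. */
static size_t unchecked_overrun(const unsigned char *px, size_t count)
{
    size_t need = 1;            /* the unconditional '\n' */
    for (size_t i = 0; i < count; i++)
        need += (size_t)snprintf(NULL, 0, "%u ", px[i]);
    return need > PIXEL_BUF ? need - PIXEL_BUF : 0;
}

/* Constructed sample data: a row of `count` samples all equal to `value`. */
static unsigned char g_row[4096];
static char g_out[8192];
static size_t g_out_len;

static size_t make_row(unsigned char value, size_t count)
{
    if (count > sizeof g_row) count = sizeof g_row;
    memset(g_row, value, count);
    return count;
}

/* Bytes an unchecked writer would overrun by, for the constructed row. */
size_t demo_unchecked(unsigned char value, size_t count)
{
    count = make_row(value, count);
    return unchecked_overrun(g_row, count);
}

/* Bytes delivered to the sink by the bounds-checked writer for the same row. */
size_t demo_checked(unsigned char value, size_t count)
{
    Sink s = { g_out, sizeof g_out, 0 };
    PixelWriter w;
    w.used = 0; w.sink = &s;
    count = make_row(value, count);
    write_gray_row(&w, g_row, count);
    g_out_len = s.len;
    return s.len;
}

/* Byte i of the last checked-writer output, or -1 past the end. */
int demo_output_byte(size_t i) { return i < g_out_len ? g_out[i] : -1; }

int main(void)
{
    /* 512 samples of 255 format to exactly 2048 bytes ("255 " x 512),
       so the newline is the one byte that does not fit. */
    printf("unchecked overrun (255 x 512): %zu byte(s)\n", demo_unchecked(255, 512));
    printf("checked writer emitted %zu bytes\n", demo_checked(255, 512));
    return 0;
}
```

The row of 512 samples valued 255 is the boundary case: the tokens fill the 2048-byte buffer exactly, the modelled unchecked write reports a 1-byte overrun, and the checked writer flushes before placing the newline, delivering all 2049 bytes with nothing written out of bounds. The same room check applies to every other place a fixed buffer receives a separator or terminator after variable-length formatted output.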

urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Aug 10, 2019
@urban-warrior (Member)

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.
