
heap-buffer-overflow at MagickCore/string.c:853 in DestroyStringInfo #1641

Closed
3 tasks done
007Alice opened this issue Jul 18, 2019 · 2 comments

Comments

@007Alice

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

There's a heap-buffer-overflow at MagickCore/string.c:853 in DestroyStringInfo.

Steps to Reproduce

poc
run command:
./magick convert poc /dev/null

==29840==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400000af68 at pc 0x7f9e79581fab bp 0x7fff303409f0 sp 0x7fff303409e0
READ of size 8 at 0x60400000af68 thread T0
    #0 0x7f9e79581faa in DestroyStringInfo MagickCore/string.c:853
    #1 0x7f9e7985ebaf in ReadJPEGImage coders/jpeg.c:1198
    #2 0x7f9e7929dbba in ReadImage MagickCore/constitute.c:547
    #3 0x7f9e7929fde0 in ReadImages MagickCore/constitute.c:917
    #4 0x7f9e78aab965 in ConvertImageCommand MagickWand/convert.c:617
    #5 0x7f9e78c3d9a6 in MagickCommandGenesis MagickWand/mogrify.c:185
    #6 0x4017d1 in MagickMain utilities/magick.c:149
    #7 0x4019b2 in main utilities/magick.c:180
    #8 0x7f9e783c982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x4012e8 in _start (/home/ImageMagick/utilities/.libs/lt-magick+0x4012e8)

0x60400000af68 is located 24 bytes inside of 40-byte region [0x60400000af50,0x60400000af78)
freed by thread T0 here:
    #0 0x7f9e79ed42ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x7f9e7945cfac in RelinquishMagickMemory MagickCore/memory.c:1074
    #2 0x7f9e7958216e in DestroyStringInfo MagickCore/string.c:862
    #3 0x7f9e7985b93c in ReadICCProfile coders/jpeg.c:570
    #4 0x7f9e77373954  (/usr/lib/x86_64-linux-gnu/libjpeg.so.8+0x20954)

previously allocated by thread T0 here:
    #0 0x7f9e79ed4602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7f9e7945c056 in AcquireMagickMemory MagickCore/memory.c:478
    #2 0x7f9e7957fb60 in AcquireCriticalMemory MagickCore/memory-private.h:64
    #3 0x7f9e7957ff57 in AcquireStringInfoContainer MagickCore/string.c:181
    #4 0x7f9e7958029d in BlobToStringInfo MagickCore/string.c:236
    #5 0x7f9e7985b7ec in ReadICCProfile coders/jpeg.c:549
    #6 0x7f9e77373954  (/usr/lib/x86_64-linux-gnu/libjpeg.so.8+0x20954)

SUMMARY: AddressSanitizer: heap-use-after-free MagickCore/string.c:853 DestroyStringInfo
Shadow bytes around the buggy address:
  0x0c087fff9590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff95a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff95b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff95c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff95d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff95e0: fa fa fa fa fa fa fa fa fa fa fd fd fd[fd]fd fa
  0x0c087fff95f0: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fa
  0x0c087fff9600: fa fa 00 00 00 00 00 05 fa fa 00 00 00 00 00 05
  0x0c087fff9610: fa fa 00 00 00 00 00 05 fa fa 00 00 00 00 00 05
  0x0c087fff9620: fa fa 00 00 00 00 00 05 fa fa 00 00 00 00 00 fa
  0x0c087fff9630: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==29840==ABORTING

System Configuration

  • ImageMagick version:
    Version: ImageMagick 7.0.8-54 Q16 x86_64 2019-07-18 https://imagemagick.org
    Copyright: © 1999-2019 ImageMagick Studio LLC
    License: https://imagemagick.org/script/license.php
    Features: Cipher DPC HDRI OpenMP(4.0)
    Delegates (built-in): bzlib djvu fftw fontconfig freetype gvc jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff webp wmf x xml zlib

  • Environment (Operating system, version and so on):
    Distributor ID: Ubuntu
    Description: Ubuntu 16.04.6 LTS
    Release: 16.04
    Codename: xenial

  • Additional information:
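The sanitizer report above shows one StringInfo reaching DestroyStringInfo twice: it is allocated by BlobToStringInfo at coders/jpeg.c:549, destroyed inside ReadICCProfile at jpeg.c:570, and then destroyed again from ReadJPEGImage at jpeg.c:1198, where string.c:853 reads a field of the already-freed 40-byte object. The C program below is an added illustration and is neither ImageMagick's code nor the reporter's PoC. It models a libjpeg-style marker handler that discards a partially assembled ICC profile when an APP2 chunk is malformed, and a caller that releases the profile once decoding ends, beside the hardened form that reassigns the context pointer from the destroy call's NULL return (the contract ImageMagick's DestroyStringInfo offers to its callers). The StringInfo layout, the validity rule for a chunk (sequence number 0 or greater than the chunk count), the registry-based double-destroy detector and the sample payloads are all constructed for the demo; the exact error condition in ImageMagick's ReadICCProfile is not shown on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for MagickCore's StringInfo (hypothetical layout, not
 * ImageMagick's). */
typedef struct {
    unsigned char *datum;
    size_t length;
} StringInfo;

/* Tiny registry of live objects so the demo can detect a second destroy of
 * the same object deterministically instead of reading freed memory, which
 * is the undefined behaviour AddressSanitizer flagged in the report. */
#define MAX_LIVE 16
static StringInfo *live[MAX_LIVE];
static int double_destroy_count;
static int last_profile_len;

static StringInfo *acquire_string_info(void) {
    StringInfo *s = calloc(1, sizeof *s);
    if (s == NULL) abort();
    for (int i = 0; i < MAX_LIVE; i++) if (live[i] == NULL) { live[i] = s; break; }
    return s;
}

/* Same contract as DestroyStringInfo(): returns NULL so a caller can write
 * `profile = destroy_string_info(profile)` and never keep a stale pointer. */
static StringInfo *destroy_string_info(StringInfo *s) {
    if (s == NULL) return NULL;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == s) { live[i] = NULL; free(s->datum); free(s); return NULL; }
    double_destroy_count++;   /* a real free() here would be a double free */
    return NULL;
}

typedef struct {
    StringInfo *profile;      /* owned by the decoder, grown across APP2 chunks */
    int error;
} JPEGContext;

/* APP2 ICC payload: "ICC_PROFILE\0", chunk sequence number (1-based), chunk
 * count, then profile bytes. Returns 0 on success, -1 on a malformed chunk. */
static int read_icc_chunk(JPEGContext *ctx, const unsigned char *p, size_t n, int hardened) {
    if (n < 14 || memcmp(p, "ICC_PROFILE", 12) != 0) return 0;  /* not ICC: ignore */
    unsigned seq = p[12], count = p[13];
    if (seq == 0 || seq > count) {
        /* Error path: discard the partial profile. The vulnerable variant frees
         * it but leaves ctx->profile pointing at freed memory. */
        if (hardened) ctx->profile = destroy_string_info(ctx->profile);
        else destroy_string_info(ctx->profile);
        ctx->error = 1;
        return -1;
    }
    if (ctx->profile == NULL) ctx->profile = acquire_string_info();
    StringInfo *s = ctx->profile;
    size_t data_len = n - 14;
    unsigned char *grown = realloc(s->datum, s->length + data_len);
    if (grown == NULL) abort();
    memcpy(grown + s->length, p + 14, data_len);
    s->datum = grown;
    s->length += data_len;
    return 0;
}

/* Stand-in for the caller: feeds every APP2 payload to the handler, then
 * releases whatever the context still references, as the frame at
 * jpeg.c:1198 does. Returns the profile length, or -1 if a chunk was rejected. */
static int read_jpeg_image(const unsigned char *const *chunks, const size_t *lens,
                           int nchunks, int hardened) {
    JPEGContext ctx = { NULL, 0 };
    for (int i = 0; i < nchunks; i++)
        if (read_icc_chunk(&ctx, chunks[i], lens[i], hardened) < 0) break;
    int result = ctx.error ? -1 : (ctx.profile ? (int)ctx.profile->length : 0);
    ctx.profile = destroy_string_info(ctx.profile);  /* second destroy if dangling */
    return result;
}

/* Constructed sample payloads (not the reporter's PoC): chunks 1 and 2 of 2,
 * and a bogus "chunk 3 of 2". The split literals stop the \x escapes from
 * swallowing the letters that follow. */
static const unsigned char CHUNK1[]    = "ICC_PROFILE\0\x01\x02" "ABCD";
static const unsigned char CHUNK2[]    = "ICC_PROFILE\0\x02\x02" "EFGH";
static const unsigned char CHUNK_BAD[] = "ICC_PROFILE\0\x03\x02" "EFGH";

/* Runs one scenario; returns how many times a stale StringInfo reached
 * destroy_string_info() and leaves the decode result in last_profile_len. */
static int run_case(int malformed, int hardened) {
    const unsigned char *chunks[2] = { CHUNK1, malformed ? CHUNK_BAD : CHUNK2 };
    const size_t lens[2] = { sizeof CHUNK1 - 1,
                             malformed ? sizeof CHUNK_BAD - 1 : sizeof CHUNK2 - 1 };
    double_destroy_count = 0;
    last_profile_len = read_jpeg_image(chunks, lens, 2, hardened);
    return double_destroy_count;
}

int main(void) {
    int n = run_case(0, 0);
    printf("well-formed chunks:             double destroys=%d, result=%d\n", n, last_profile_len);
    n = run_case(1, 0);
    printf("malformed chunk, vulnerable:    double destroys=%d, result=%d\n", n, last_profile_len);
    n = run_case(1, 1);
    printf("malformed chunk, hardened:      double destroys=%d, result=%d\n", n, last_profile_len);
    return 0;
}
```

The registry stands in for the sanitizer: if `destroy_string_info` simply freed its argument, the vulnerable scenario would free the same object twice, and a build with `-fsanitize=address` would report the same heap-use-after-free pattern as the issue. The hardened handler differs only in assigning the NULL that the destroy call returns back to `ctx->profile`, so the caller's final cleanup becomes a no-op rather than a second release of the same allocation.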

@urban-warrior
Contributor

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Jul 18, 2019
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Jul 20, 2019
2019-07-18  7.0.8-55 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.8-55, GIT revision 15930:ac09240:20190718.

2019-07-18  7.0.8-55 Cristy  <quetzlzacatenango@image...>
  * Heap-buffer overflow (reference
    ImageMagick/ImageMagick#1641)
  * PerlMagick test suite passes again (reference
    ImageMagick/ImageMagick#1640)
buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue Aug 9, 2019
Fixes
ImageMagick/ImageMagick#1641 (no CVE id yet)
ImageMagick/ImageMagick#1644 (no CVE id yet)

Removed patch included in version 7.0.8-54.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
woodsts pushed a commit to woodsts/buildroot that referenced this issue Sep 2, 2019
Fixes
ImageMagick/ImageMagick#1641 (no CVE id yet)
ImageMagick/ImageMagick#1644 (no CVE id yet)

Removed patch included in version 7.0.8-54.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e9811b5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
@007Alice
Author
