
ImageMagick heap-buffer-overflow on ps.c #1644

Closed
3 tasks done
Yan-1-20 opened this issue Jul 22, 2019 · 3 comments
Yan-1-20 commented Jul 22, 2019

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

This vulnerability is triggered when parsing a ps file with the convert command.
./utilities/magick convert ./poc /dev/null

poc

Steps to Reproduce

ASan log:

./utilities/magick convert ~/poc /dev/null

==46666==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6210000c1908 at pc 0x55d814737544 bp 0x7fff64d82790 sp 0x7fff64d82780
WRITE of size 1 at 0x6210000c1908 thread T0
#0 0x55d814737543 in ReadPSInfo coders/ps.c:432
#1 0x55d814738699 in ReadPSImage coders/ps.c:616
#2 0x55d8148a9dbf in ReadImage MagickCore/constitute.c:547
#3 0x55d8148abfdf in ReadImages MagickCore/constitute.c:917
#4 0x55d814bcb342 in ConvertImageCommand MagickWand/convert.c:617
#5 0x55d814d02d44 in MagickCommandGenesis MagickWand/mogrify.c:185
#6 0x55d8144ef013 in MagickMain utilities/magick.c:149
#7 0x55d8144ef1fc in main utilities/magick.c:180
#8 0x7f1052476b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#9 0x55d8144eeae9 in _start (/home/afl/ImageMagick/utilities/magick+0x1c0ae9)

0x6210000c1908 is located 0 bytes to the right of 4104-byte region [0x6210000c0900,0x6210000c1908)
allocated by thread T0 here:
#0 0x7f1053f62612 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98612)
#1 0x55d81452075f in AcquireMagickMemory MagickCore/memory.c:478
#2 0x55d8145207b3 in AcquireQuantumMemory MagickCore/memory.c:551
#3 0x55d8145a1383 in AcquireStringInfo MagickCore/string.c:195
#4 0x55d814737477 in ReadPSInfo coders/ps.c:425
#5 0x55d814738699 in ReadPSImage coders/ps.c:616
#6 0x55d8148a9dbf in ReadImage MagickCore/constitute.c:547
#7 0x55d8148abfdf in ReadImages MagickCore/constitute.c:917
#8 0x55d814bcb342 in ConvertImageCommand MagickWand/convert.c:617
#9 0x55d814d02d44 in MagickCommandGenesis MagickWand/mogrify.c:185
#10 0x55d8144ef013 in MagickMain utilities/magick.c:149
#11 0x55d8144ef1fc in main utilities/magick.c:180
#12 0x7f1052476b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/ps.c:432 ReadPSInfo
Shadow bytes around the buggy address:
0x0c42800102d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c42800102e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c42800102f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4280010300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4280010310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4280010320: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4280010330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4280010340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4280010350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4280010360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4280010370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==46666==ABORTING

System Configuration

  • ImageMagick version: ImageMagick 7.0.8-57 Q16 x86_64 2019-07-22

  • Environment (Operating system, version and so on):
    Description: Ubuntu 18.04.1 LTS
    Release: 18.04

  • Additional information:
    ./configure CFLAGS="-fsanitize=address -g" --disable-dependency-tracking --disable-shared

credit: ADLab of Venus.
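The ASan report above pins the fault to a one-byte write landing 0 bytes past the end of a 4104-byte heap region, i.e. a byte-at-a-time copy whose write index is never compared with the destination's capacity. The following C snippet is an added illustration of that defect class and its hardened form; it is not ImageMagick's code, and the buffer size (chosen to match the 4104-byte region in the report), the function names and the constructed inputs are assumptions made for the example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed to mirror the 4104-byte region in the ASan report; not a real
   ImageMagick constant. */
#define INFO_CAPACITY 4104

/* Vulnerable pattern (hypothetical, shown for contrast and never called by
   the driver below): the loop stops on the delimiter or the end of input,
   but never on the destination capacity, so a line one byte longer than the
   buffer produces exactly the "WRITE of size 1 ... 0 bytes to the right of
   the region" that ASan reports. */
size_t copy_line_unchecked(char *dst, const char *src, size_t src_len)
{
    size_t n = 0;
    while (n < src_len && src[n] != '\n') {
        dst[n] = src[n];   /* no bound on n: overflows when n == capacity */
        n++;
    }
    return n;
}

/* Hardened pattern: the write index is compared with the destination
   capacity before every store. Returns the number of bytes copied, or
   (size_t)-1 when the line does not fit, so the caller can reject the
   input instead of silently writing past the buffer. */
size_t copy_line_checked(char *dst, size_t cap, const char *src, size_t src_len)
{
    size_t n = 0;
    while (n < src_len && src[n] != '\n') {
        if (n >= cap)
            return (size_t)-1;   /* refuse the oversized line */
        dst[n] = src[n];
        n++;
    }
    return n;
}

/* Constructed driver: builds a newline-terminated line of line_len 'A' bytes
   and feeds it through the checked copy into a heap buffer of INFO_CAPACITY
   bytes, as the reported reader did. Returns the copy result. */
size_t parse_line_of_length(size_t line_len)
{
    char *dst = malloc(INFO_CAPACITY);
    char *src = malloc(line_len + 1);
    size_t result = (size_t)-1;

    if (dst != NULL && src != NULL) {
        memset(src, 'A', line_len);
        src[line_len] = '\n';
        result = copy_line_checked(dst, INFO_CAPACITY, src, line_len + 1);
    }
    free(src);
    free(dst);
    return result;
}
```

A line of exactly 4104 bytes fits and is copied in full; a line of 4105 bytes is rejected by the capacity check, which is the single comparison the vulnerable pattern lacks.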

@urban-warrior (Member)

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Jul 22, 2019
@Yan-1-20 (Author)

Thanks, please apply for a CVE number for this issue.

@urban-warrior (Member)

We're a small open-source development team. We count on our users to apply for CVE #'s so we can concentrate on development issues.

buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue Aug 9, 2019
Fixes
ImageMagick/ImageMagick#1641 (no CVE id yet)
ImageMagick/ImageMagick#1644 (no CVE id yet)

Removed patch included in version 7.0.8-54.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Aug 25, 2019
2019-08-10  7.0.8-60 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.8-60, GIT revision 16020:52ff205:20190810.

2019-08-07  7.0.8-60 Cristy  <quetzlzacatenango@image...>
  * Enable reading EXR image file from stdin.

2019-08-04  7.0.8-59 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.8-59, GIT revision 15986:c3de0e7:20190804.

2019-08-01  7.0.8-59 Cristy  <quetzlzacatenango@image...>
  * Module is a reserved keyword for C++ 20 (reference
    ImageMagick/ImageMagick#1650).

2019-07-29  7.0.8-58 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.8-58, GIT revision 15962:cf00632:20190729.

2019-07-27  7.0.8-58 Cristy  <quetzlzacatenango@image...>
  * Improve GetNextToken() performance.

2019-07-26  7.0.8-57 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.8-57, GIT revision 15948:8fba4a3:20190726.

2019-07-22  7.0.8-57 Cristy  <quetzlzacatenango@image...>
  * Heap-buffer-overflow in Postscript coder (reference
    ImageMagick/ImageMagick#1644).
  * The -alpha shape option nondeterministic under OpenMP (reference
    https://imagemagick.org/discourse-server/viewtopic.php?f=3&t=36396).
  * Correction to the ModulusAdd and ModulusSubtract composite op (reference
    https://imagemagick.org/discourse-server/viewtopic.php?f=2&t=36413).

2019-07-20  7.0.8-56 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.8-56, GIT revision 15936:2ac4147:20190720.

2019-07-20  7.0.8-56 Cristy  <quetzlzacatenango@image...>
  * Unexpected -alpha shape results (reference
    https://imagemagick.org/discourse-server/viewtopic.php?f=3&t=36396).
  * Converting from PDF to PBM inverts the image (reference
    ImageMagick/ImageMagick#1643).
woodsts pushed a commit to woodsts/buildroot that referenced this issue Sep 2, 2019
Fixes
ImageMagick/ImageMagick#1641 (no CVE id yet)
ImageMagick/ImageMagick#1644 (no CVE id yet)

Removed patch included in version 7.0.8-54.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e9811b5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>