heap-based buffer overflow in IsPixelMonochrome (pixel-accessor.h) #272

Closed
asarubbo opened this issue Sep 14, 2016 · 15 comments

Comments

@asarubbo
A crafted image causes a heap overflow.
Reproduce with: identify $FILE
I'm attaching the testcase as a zip because of GitHub's limitation.
Tested on 7.0.3.0

==13198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000fbc0 at pc 0x7f7a28f71a91 bp 0x7fff6820aaa0 sp 0x7fff6820aa98
READ of size 10 at 0x61400000fbc0 thread T0
    #0 0x7f7a28f71a90 in IsPixelMonochrome /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/./MagickCore/pixel-accessor.h:557:24
    #1 0x7f7a28f71a90 in IdentifyImageMonochrome /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/attribute.c:758
    #2 0x7f7a28f71dc6 in IdentifyImageType /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/attribute.c:819:7
    #3 0x7f7a293216ce in IdentifyImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/identify.c:524:8
    #4 0x7f7a28924f86 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/identify.c:336:22
    #5 0x7f7a289ba26a in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/mogrify.c:183:14
    #6 0x4f1fb5 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:145:10
    #7 0x4f1fb5 in main /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:176
    #8 0x7f7a2785e61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #9 0x419138 in _init (/usr/bin/magick+0x419138)

0x61400000fbc0 is located 0 bytes to the right of 384-byte region [0x61400000fa40,0x61400000fbc0)
allocated by thread T0 here:
    #0 0x4c1105 in __interceptor_posix_memalign /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124
    #1 0x7f7a293cac65 in AcquireAlignedMemory /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/memory.c:258:7
    #2 0x7f7a28fb8e9d in AcquireCacheNexusPixels /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/cache.c:4634:33
    #3 0x7f7a28fb8e9d in SetPixelCacheNexusPixels /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/cache.c:4746
    #4 0x7f7a28fa9f9e in GetVirtualPixelsFromNexus /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/cache.c:2629:10
    #5 0x7f7a28fd2a5e in GetCacheViewVirtualPixels /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/cache-view.c:664:10
    #6 0x7f7a28f70e46 in IdentifyImageMonochrome /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/attribute.c:753:7
    #7 0x7f7a28f71dc6 in IdentifyImageType /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/attribute.c:819:7
    #8 0x7f7a293216ce in IdentifyImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/identify.c:524:8
    #9 0x7f7a28924f86 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/identify.c:336:22
    #10 0x7f7a289ba26a in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/mogrify.c:183:14
    #11 0x4f1fb5 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:145:10
    #12 0x4f1fb5 in main /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:176
    #13 0x7f7a2785e61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/./MagickCore/pixel-accessor.h:557:24 in IsPixelMonochrome
==13198==ABORTING

6.crashes.zip

@mikayla-grace

mikayla-grace commented Sep 14, 2016

Unfortunately we cannot reproduce this exception with ImageMagick 7.0.3-1. With ASAN enabled, we get:

-> identify 6.crashes
6.crashes TIFF 21x1 21x1+0+0 8-bit Grayscale Gray 319B 0.000u 0:00.000
identify: Invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectoryCheckOrder' @ warning/tiff.c/TIFFWarnings/905.
identify: Unknown field with tag 3 (0x3) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/905.
identify: Unknown field with tag 512 (0x200) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/905.
identify: IO error during reading of "Software"; tag ignored. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/905.
identify: TIFF directory is missing required "StripByteCounts" field, calculating from imagelength. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/905.

@asarubbo
Author

Unfortunately we cannot reproduce this exception with ImageMagick 7.0.3-1.

Maybe a different build (compiler, options) is able to hit the crash.
If I can provide more, just ask.

@mikayla-grace

Post the output of identify -list configure.

@asarubbo
Author

Path: /usr/lib64/ImageMagick-7.0.3//config-Q64HDRI/configure.xml

Name           Value
-------------------------------------------------------------------------------
CC             afl-clang
CFLAGS         -I/usr/include/libxml2  -I/usr/include/cairo -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/pixman-1 -I/usr/include/freetype2 -I/usr/include/libpng16  -pthread -I/usr/include/librsvg-2.0 -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/cairo -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/pixman-1 -I/usr/include/freetype2 -I/usr/include/libpng16  -I/usr/include/libpng16   -I/usr/include/pango-1.0 -I/usr/include/harfbuzz -I/usr/include/pango-1.0 -I/usr/include/cairo -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/pixman-1 -I/usr/include/freetype2 -I/usr/include/libpng16  -pthread -I/usr/include/OpenEXR   -I/usr/include/lqr-1 -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include  -I/usr/include/openjpeg-2.1   -I/usr/include/graphviz  -I/usr/include/freetype2  -I/usr/include/freetype2  -pthread      -O2 -mtune=generic -march=x86-64 -fno-stack-protector -g3 -ggdb3 -U_FORTIFY_SOURCE -fno-common -fno-omit-frame-pointer -fsanitize=address -Wall -mcpu=no-automagic -fexceptions  -DMAGICKCORE_HDRI_ENABLE=1 -DMAGICKCORE_QUANTUM_DEPTH=64
CODER_PATH     /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/coders
CONFIGURE      ./configure  '--prefix=/usr' '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--disable-dependency-tracking' '--disable-silent-rules' '--docdir=/usr/share/doc/imagemagick-7.0.3.0' '--htmldir=/usr/share/doc/imagemagick-7.0.3.0/html' '--libdir=/usr/lib64' '--disable-static' '--enable-hdri' '--disable-opencl' '--with-threads' '--with-modules' '--with-quantum-depth=64' '--with-magick-plus-plus' '--without-perl' '--with-perl-options=INSTALLDIRS=vendor' '--with-gs-font-dir=/usr/share/fonts/urw-fonts' '--with-bzlib' '--without-x' '--with-zlib' '--without-autotrace' '--with-dps' '--with-djvu' '--with-dejavu-font-dir=/usr/share/fonts/dejavu' '--with-fftw' '--without-fpx' '--with-fontconfig' '--with-freetype' '--with-gslib' '--with-gvc' '--with-jbig' '--with-jpeg' '--with-openjp2' '--with-lcms' '--with-lqr' '--with-lzma' '--with-openexr' '--with-pango' '--with-png' '--with-rsvg' '--with-tiff' '--with-webp' '--with-windows-font-dir=/usr/share/fonts/corefonts' '--with-wmf' '--with-xml' '--disable-openmp' '--with-gcc-arch=no-automagic' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CC=afl-clang' 'CFLAGS=-O2 -mtune=generic -march=x86-64 -fno-stack-protector -g3 -ggdb3 -U_FORTIFY_SOURCE -fno-common -fno-omit-frame-pointer -fsanitize=address' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu -Wl,-z,lazy -fsanitize=address' 'CXX=afl-clang++' 'CXXFLAGS=-O2 -mtune=generic -march=x86-64 -fno-stack-protector -g3 -ggdb3 -U_FORTIFY_SOURCE -fno-common -fno-omit-frame-pointer -fsanitize=address' 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig'
CONFIGURE_PATH /etc/ImageMagick-7/
COPYRIGHT      Copyright (C) 1999-2016 ImageMagick Studio LLC
CPPFLAGS       -I/usr/include/ImageMagick-7
CXX            afl-clang++
CXXFLAGS       -O2 -mtune=generic -march=x86-64 -fno-stack-protector -g3 -ggdb3 -U_FORTIFY_SOURCE -fno-common -fno-omit-frame-pointer -fsanitize=address
DEFS           -DHAVE_CONFIG_H
DELEGATES      bzlib djvu mpeg fftw fontconfig freetype gslib jbig jng jpeg lcms lqr lzma openexr openjp2 pango png ps rsvg tiff webp wmf xml zlib
DISTCHECK_CONFIG_FLAGS 'CC=afl-clang' 'CFLAGS=-O2 -mtune=generic -march=x86-64 -fno-stack-protector -g3 -ggdb3 -U_FORTIFY_SOURCE -fno-common -fno-omit-frame-pointer -fsanitize=address' 'CXX=afl-clang++' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu -Wl,-z,lazy -fsanitize=address'  --disable-deprecated  --with-quantum-depth=64  --with-jemalloc=no  --with-umem=no  --with-autotrace=no  --with-dejavu-font-dir=/usr/share/fonts/dejavu  --with-fpx=no  --with-fontpath=  --with-gs-font-dir=/usr/share/fonts/urw-fonts  --with-windows-font-dir=/usr/share/fonts/corefonts  --with-perl=no
DOCUMENTATION_PATH /usr/share/doc/ImageMagick-7
EXEC-PREFIX    /usr
EXECUTABLE_PATH /usr/bin
FEATURES       DPC HDRI Cipher Modules
FILTER_PATH    /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/filters
GIT_REVISION   11197
HOST           x86_64-pc-linux-gnu
INCLUDE_PATH   /usr/include/ImageMagick-7
LDFLAGS        -L/usr/lib64 -Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu -Wl,-z,lazy -fsanitize=address
LIB_VERSION    0x703
LIB_VERSION_NUMBER 7,0,3,0
LIBRARY_PATH   /usr/lib64/ImageMagick-7.0.3
LIBS            -llcms2  -lfreetype   -llqr-1 -lglib-2.0  -lfftw3   -lfontconfig -lfreetype      -llzma  -lbz2 -lz  -lltdl  -lm
NAME           ImageMagick
PCFLAGS        -DMAGICKCORE_HDRI_ENABLE=1 -DMAGICKCORE_QUANTUM_DEPTH=64
PREFIX         /usr
QuantumDepth   64
RELEASE_DATE   2016-09-14
SHARE_PATH     /usr/share/ImageMagick-7
SHAREARCH_PATH /usr/lib64/ImageMagick-7.0.3/config-Q64HDRI
TARGET_CPU     x86_64
TARGET_OS      linux-gnu
TARGET_VENDOR  pc
VERSION        7.0.3
WEBSITE        http://www.imagemagick.org

Path: [built-in]

Name           Value
-------------------------------------------------------------------------------
FEATURES       
NAME           ImageMagick
QuantumDepth   64

@marcograss

to confirm @asarubbo , I also hit this bug with ASAN on master

@asarubbo
Author

Thanks. Did you find it on your own, or based on the flags I posted above?

@marcograss

Uhm wait, your test case doesn't crash my instance either.

I have a different test case for a bug in that area of code, so I assumed it was the same bug.

I will open another issue; if they are the same, they can be merged into this one.

@asarubbo
Author

With a symbolized output the crash is the same.
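Deciding whether two sanitizer reports are the same bug, as the thread does here by comparing symbolized output, is easier with a build-independent key. This added example (not code from the issue or from ImageMagick) parses the report posted above into such a key; the second sample, with changed build paths and heap addresses, is constructed to stand in for the 7.0.3-4 output mentioned later in the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: the relevant lines of the AddressSanitizer report from
# this issue (header, access line, top frames, region line), trimmed.
SAMPLE_REPORT = """\
==13198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000fbc0 at pc 0x7f7a28f71a91 bp 0x7fff6820aaa0 sp 0x7fff6820aa98
READ of size 10 at 0x61400000fbc0 thread T0
    #0 0x7f7a28f71a90 in IsPixelMonochrome /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/./MagickCore/pixel-accessor.h:557:24
    #1 0x7f7a28f71a90 in IdentifyImageMonochrome /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/attribute.c:758
    #2 0x7f7a28f71dc6 in IdentifyImageType /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/attribute.c:819:7

0x61400000fbc0 is located 0 bytes to the right of 384-byte region [0x61400000fa40,0x61400000fbc0)
allocated by thread T0 here:
"""

# Constructed: the same crash as it would appear from the 7.0.3-4 build the
# reporter mentions later; build paths and heap addresses differ, nothing else.
SAMPLE_REPORT_LATER = (SAMPLE_REPORT
    .replace("imagemagick-7.0.3.0", "imagemagick-7.0.3.4")
    .replace("ImageMagick-7.0.3-0", "ImageMagick-7.0.3-4")
    .replace("0x61400000f", "0x62100001a"))

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?\s*$", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")


@dataclass(frozen=True)
class AsanCrash:
    bug_type: str
    access: str                                # "READ" or "WRITE"
    size: int                                  # bytes accessed
    offset: int                                # bytes past region end (negative: before start)
    region_size: int
    frames: Tuple[Tuple[str, str, int], ...]   # (function, short file, line), innermost first

    def dedup_key(self, depth: int = 3):
        # Build-independent identity: addresses and absolute paths are dropped, so the
        # same bug reported from two builds (or two fuzzers) collapses to one key.
        return (self.bug_type, self.access, self.size, self.frames[:depth])


def _short_path(path: str) -> str:
    # Keep the last two path components, e.g. "MagickCore/pixel-accessor.h".
    return "/".join(path.split("/")[-2:])


def parse_asan_report(text: str) -> Optional[AsanCrash]:
    header, access = HEADER_RE.search(text), ACCESS_RE.search(text)
    if header is None or access is None:
        return None                            # not an ASan access report (e.g. a plain abort)
    # Only the access stack counts; the allocation stack below it is ignored.
    frames = tuple((fn, _short_path(path), int(line))
                   for fn, path, line in FRAME_RE.findall(text.split("allocated by", 1)[0]))
    region = REGION_RE.search(text)
    if region is None:
        offset, region_size = 0, 0             # wild access with no neighbouring region
    else:
        n, side, region_size = int(region.group(1)), region.group(2), int(region.group(3))
        offset = n if side == "right" else -n
    return AsanCrash(header.group(1), access.group(1), int(access.group(2)),
                     offset, region_size, frames)


def same_crash(report_a: str, report_b: str, depth: int = 3) -> bool:
    a, b = parse_asan_report(report_a), parse_asan_report(report_b)
    return a is not None and b is not None and a.dedup_key(depth) == b.dedup_key(depth)


if __name__ == "__main__":
    print(parse_asan_report(SAMPLE_REPORT).dedup_key(), same_crash(SAMPLE_REPORT, SAMPLE_REPORT_LATER))
```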

@marcograss

OK, perfect. I guess they can close that new issue.

@attritionorg

https://blogs.gentoo.org/ago/2016/10/07/imagemagick-heap-based-buffer-overflow-in-ispixelmonochrome-pixel-accessor-h/

Public post on this issue. Not sure it adds much.

@asarubbo
Author

It doesn't. It's just my way to track the issues I found.

Anyway, this is still reproducible for me with the latest release (7.0.3-4):

AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/./MagickCore/pixel-accessor.h:557:24 in IsPixelMonochrome

@mikayla-grace

Unfortunately we cannot reproduce the problem. We're using afl-clang 3.8.0 and no exception is thrown.

@attritionorg

FYI: Looks like a CVE was assigned to this (2016-8678), even though there are issues in reproducing and confirming.

@asarubbo
Author

The issue was reproduced by @marcograss too.

@dlemstra
Member

This is a Q64 issue and we do not support Q64. We're waiting for 128-bit processors to get Q64 to work.
