heap-based buffer overflow in IsPixelMonochrome (pixel-accessor.h) #272

Closed
asarubbo opened this issue Sep 14, 2016 · 15 comments

Comments

Projects
None yet
5 participants
@asarubbo
commented Sep 14, 2016

A crafted image causes a heap overflow.
Reproduce with: identify $FILE
I'm attaching the testcase as a zip because of GitHub's limitation.
Tested on 7.0.3.0

==13198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000fbc0 at pc 0x7f7a28f71a91 bp 0x7fff6820aaa0 sp 0x7fff6820aa98
READ of size 10 at 0x61400000fbc0 thread T0
    #0 0x7f7a28f71a90 in IsPixelMonochrome /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/./MagickCore/pixel-accessor.h:557:24
    #1 0x7f7a28f71a90 in IdentifyImageMonochrome /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/attribute.c:758
    #2 0x7f7a28f71dc6 in IdentifyImageType /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/attribute.c:819:7
    #3 0x7f7a293216ce in IdentifyImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/identify.c:524:8
    #4 0x7f7a28924f86 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/identify.c:336:22
    #5 0x7f7a289ba26a in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/mogrify.c:183:14
    #6 0x4f1fb5 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:145:10
    #7 0x4f1fb5 in main /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:176
    #8 0x7f7a2785e61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #9 0x419138 in _init (/usr/bin/magick+0x419138)

0x61400000fbc0 is located 0 bytes to the right of 384-byte region [0x61400000fa40,0x61400000fbc0)
allocated by thread T0 here:
    #0 0x4c1105 in __interceptor_posix_memalign /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124
    #1 0x7f7a293cac65 in AcquireAlignedMemory /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/memory.c:258:7
    #2 0x7f7a28fb8e9d in AcquireCacheNexusPixels /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/cache.c:4634:33
    #3 0x7f7a28fb8e9d in SetPixelCacheNexusPixels /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/cache.c:4746
    #4 0x7f7a28fa9f9e in GetVirtualPixelsFromNexus /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/cache.c:2629:10
    #5 0x7f7a28fd2a5e in GetCacheViewVirtualPixels /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/cache-view.c:664:10
    #6 0x7f7a28f70e46 in IdentifyImageMonochrome /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/attribute.c:753:7
    #7 0x7f7a28f71dc6 in IdentifyImageType /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/attribute.c:819:7
    #8 0x7f7a293216ce in IdentifyImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/identify.c:524:8
    #9 0x7f7a28924f86 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/identify.c:336:22
    #10 0x7f7a289ba26a in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/mogrify.c:183:14
    #11 0x4f1fb5 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:145:10
    #12 0x4f1fb5 in main /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:176
    #13 0x7f7a2785e61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/./MagickCore/pixel-accessor.h:557:24 in IsPixelMonochrome
==13198==ABORTING

6.crashes.zip
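A triage helper added here as an example; it is not part of this issue or of ImageMagick. It parses an ASan report into a build-independent crash signature (error kind, access type, top frames as basename:line) so that two reporters can tell whether differently built binaries hit the same bug, and it derives how far the faulting access runs past the allocation. SAMPLE_REPORT is a constructed excerpt modelled on the trace above with the build paths shortened.

```python
"""Bucket AddressSanitizer reports by a signature that ignores build paths and addresses."""
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the ASan output in this issue (paths shortened).
SAMPLE_REPORT = """\
==13198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000fbc0 at pc 0x7f7a28f71a91 bp 0x7fff6820aaa0 sp 0x7fff6820aa98
READ of size 10 at 0x61400000fbc0 thread T0
    #0 0x7f7a28f71a90 in IsPixelMonochrome /tmp/src/./MagickCore/pixel-accessor.h:557:24
    #1 0x7f7a28f71a90 in IdentifyImageMonochrome /tmp/src/MagickCore/attribute.c:758
    #2 0x7f7a28f71dc6 in IdentifyImageType /tmp/src/MagickCore/attribute.c:819:7
    #3 0x7f7a293216ce in IdentifyImage /tmp/src/MagickCore/identify.c:524:8

0x61400000fbc0 is located 0 bytes to the right of 384-byte region [0x61400000fa40,0x61400000fbc0)
allocated by thread T0 here:
    #0 0x4c1105 in __interceptor_posix_memalign asan_malloc_linux.cc:124
    #1 0x7f7a293cac65 in AcquireAlignedMemory /tmp/src/MagickCore/memory.c:258:7
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (.*)$")
REGION_RE = re.compile(r"is located (\d+) bytes (to the right of|to the left of|inside of) (\d+)-byte region")
LOC_RE = re.compile(r"(?:.*/)?([^/:\s]+):(\d+)(?::\d+)?$")


@dataclass
class AsanReport:
    kind: str = "unknown"        # e.g. heap-buffer-overflow
    access: str = ""             # READ or WRITE
    size: int = 0                # bytes touched by the faulting access
    region_size: int = 0         # size of the allocation ASan matched
    region_offset: int = 0       # distance from the region edge
    region_side: str = ""        # "to the right of", "to the left of", "inside of"
    access_stack: list = field(default_factory=list)  # (function, "file:line")
    alloc_stack: list = field(default_factory=list)


def _normalize(location: str) -> str:
    """Reduce a frame location to basename:line so build trees and columns compare equal."""
    m = LOC_RE.search(location)
    return f"{m.group(1)}:{m.group(2)}" if m else "?"


def parse_asan(text: str) -> AsanReport:
    rep = AsanReport()
    target = rep.access_stack      # frames before the "is located" line belong to the access
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            rep.kind = m.group(1)
        elif m := ACCESS_RE.match(line):
            rep.access, rep.size = m.group(1), int(m.group(2))
        elif m := REGION_RE.search(line):
            rep.region_offset, rep.region_side = int(m.group(1)), m.group(2)
            rep.region_size = int(m.group(3))
            target = rep.alloc_stack   # frames after this line describe the allocation
        elif m := FRAME_RE.match(line):
            target.append((m.group(1), _normalize(m.group(2))))
    return rep


def signature(rep: AsanReport, depth: int = 3) -> str:
    """Crash bucket key: error kind, access type and the top `depth` symbolized frames."""
    frames = [f"{fn}@{loc}" for fn, loc in rep.access_stack[:depth]]
    return "|".join([rep.kind, rep.access, *frames])


def overrun_bytes(rep: AsanReport) -> int:
    """Bytes the access reaches past the end of the region (0 unless it overflows to the right)."""
    if rep.region_side != "to the right of":
        return 0
    return rep.region_offset + rep.size
```

For the trace in this issue the access starts 0 bytes past the 384-byte region and is 10 bytes wide, so overrun_bytes reports a 10-byte read beyond the allocation; a report from a different build tree yields the same signature because addresses and path prefixes are discarded.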

@mikayla-grace


commented Sep 14, 2016

Unfortunately we cannot reproduce this exception with ImageMagick 7.0.3-1. With ASAN enabled, we get:

-> identify 6.crashes
6.crashes TIFF 21x1 21x1+0+0 8-bit Grayscale Gray 319B 0.000u 0:00.000
identify: Invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectoryCheckOrder' @ warning/tiff.c/TIFFWarnings/905.
identify: Unknown field with tag 3 (0x3) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/905.
identify: Unknown field with tag 512 (0x200) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/905.
identify: IO error during reading of "Software"; tag ignored. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/905.
identify: TIFF directory is missing required "StripByteCounts" field, calculating from imagelength. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/905.
@asarubbo

Author

commented Sep 15, 2016

Unfortunately we cannot reproduce this exception with ImageMagick 7.0.3-1.

Maybe a different build (compiler, options) is able to hit the crash.
If I can provide more, just ask.

@mikayla-grace


commented Sep 16, 2016

Post the output of identify -list configure.

@asarubbo

Author

commented Sep 16, 2016

Path: /usr/lib64/ImageMagick-7.0.3//config-Q64HDRI/configure.xml

Name           Value
-------------------------------------------------------------------------------
CC             afl-clang
CFLAGS         -I/usr/include/libxml2  -I/usr/include/cairo -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/pixman-1 -I/usr/include/freetype2 -I/usr/include/libpng16  -pthread -I/usr/include/librsvg-2.0 -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/cairo -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/pixman-1 -I/usr/include/freetype2 -I/usr/include/libpng16  -I/usr/include/libpng16   -I/usr/include/pango-1.0 -I/usr/include/harfbuzz -I/usr/include/pango-1.0 -I/usr/include/cairo -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/pixman-1 -I/usr/include/freetype2 -I/usr/include/libpng16  -pthread -I/usr/include/OpenEXR   -I/usr/include/lqr-1 -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include  -I/usr/include/openjpeg-2.1   -I/usr/include/graphviz  -I/usr/include/freetype2  -I/usr/include/freetype2  -pthread      -O2 -mtune=generic -march=x86-64 -fno-stack-protector -g3 -ggdb3 -U_FORTIFY_SOURCE -fno-common -fno-omit-frame-pointer -fsanitize=address -Wall -mcpu=no-automagic -fexceptions  -DMAGICKCORE_HDRI_ENABLE=1 -DMAGICKCORE_QUANTUM_DEPTH=64
CODER_PATH     /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/coders
CONFIGURE      ./configure  '--prefix=/usr' '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--disable-dependency-tracking' '--disable-silent-rules' '--docdir=/usr/share/doc/imagemagick-7.0.3.0' '--htmldir=/usr/share/doc/imagemagick-7.0.3.0/html' '--libdir=/usr/lib64' '--disable-static' '--enable-hdri' '--disable-opencl' '--with-threads' '--with-modules' '--with-quantum-depth=64' '--with-magick-plus-plus' '--without-perl' '--with-perl-options=INSTALLDIRS=vendor' '--with-gs-font-dir=/usr/share/fonts/urw-fonts' '--with-bzlib' '--without-x' '--with-zlib' '--without-autotrace' '--with-dps' '--with-djvu' '--with-dejavu-font-dir=/usr/share/fonts/dejavu' '--with-fftw' '--without-fpx' '--with-fontconfig' '--with-freetype' '--with-gslib' '--with-gvc' '--with-jbig' '--with-jpeg' '--with-openjp2' '--with-lcms' '--with-lqr' '--with-lzma' '--with-openexr' '--with-pango' '--with-png' '--with-rsvg' '--with-tiff' '--with-webp' '--with-windows-font-dir=/usr/share/fonts/corefonts' '--with-wmf' '--with-xml' '--disable-openmp' '--with-gcc-arch=no-automagic' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CC=afl-clang' 'CFLAGS=-O2 -mtune=generic -march=x86-64 -fno-stack-protector -g3 -ggdb3 -U_FORTIFY_SOURCE -fno-common -fno-omit-frame-pointer -fsanitize=address' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu -Wl,-z,lazy -fsanitize=address' 'CXX=afl-clang++' 'CXXFLAGS=-O2 -mtune=generic -march=x86-64 -fno-stack-protector -g3 -ggdb3 -U_FORTIFY_SOURCE -fno-common -fno-omit-frame-pointer -fsanitize=address' 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig'
CONFIGURE_PATH /etc/ImageMagick-7/
COPYRIGHT      Copyright (C) 1999-2016 ImageMagick Studio LLC
CPPFLAGS       -I/usr/include/ImageMagick-7
CXX            afl-clang++
CXXFLAGS       -O2 -mtune=generic -march=x86-64 -fno-stack-protector -g3 -ggdb3 -U_FORTIFY_SOURCE -fno-common -fno-omit-frame-pointer -fsanitize=address
DEFS           -DHAVE_CONFIG_H
DELEGATES      bzlib djvu mpeg fftw fontconfig freetype gslib jbig jng jpeg lcms lqr lzma openexr openjp2 pango png ps rsvg tiff webp wmf xml zlib
DISTCHECK_CONFIG_FLAGS 'CC=afl-clang' 'CFLAGS=-O2 -mtune=generic -march=x86-64 -fno-stack-protector -g3 -ggdb3 -U_FORTIFY_SOURCE -fno-common -fno-omit-frame-pointer -fsanitize=address' 'CXX=afl-clang++' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu -Wl,-z,lazy -fsanitize=address'  --disable-deprecated  --with-quantum-depth=64  --with-jemalloc=no  --with-umem=no  --with-autotrace=no  --with-dejavu-font-dir=/usr/share/fonts/dejavu  --with-fpx=no  --with-fontpath=  --with-gs-font-dir=/usr/share/fonts/urw-fonts  --with-windows-font-dir=/usr/share/fonts/corefonts  --with-perl=no
DOCUMENTATION_PATH /usr/share/doc/ImageMagick-7
EXEC-PREFIX    /usr
EXECUTABLE_PATH /usr/bin
FEATURES       DPC HDRI Cipher Modules
FILTER_PATH    /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/filters
GIT_REVISION   11197
HOST           x86_64-pc-linux-gnu
INCLUDE_PATH   /usr/include/ImageMagick-7
LDFLAGS        -L/usr/lib64 -Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu -Wl,-z,lazy -fsanitize=address
LIB_VERSION    0x703
LIB_VERSION_NUMBER 7,0,3,0
LIBRARY_PATH   /usr/lib64/ImageMagick-7.0.3
LIBS            -llcms2  -lfreetype   -llqr-1 -lglib-2.0  -lfftw3   -lfontconfig -lfreetype      -llzma  -lbz2 -lz  -lltdl  -lm
NAME           ImageMagick
PCFLAGS        -DMAGICKCORE_HDRI_ENABLE=1 -DMAGICKCORE_QUANTUM_DEPTH=64
PREFIX         /usr
QuantumDepth   64
RELEASE_DATE   2016-09-14
SHARE_PATH     /usr/share/ImageMagick-7
SHAREARCH_PATH /usr/lib64/ImageMagick-7.0.3/config-Q64HDRI
TARGET_CPU     x86_64
TARGET_OS      linux-gnu
TARGET_VENDOR  pc
VERSION        7.0.3
WEBSITE        http://www.imagemagick.org

Path: [built-in]

Name           Value
-------------------------------------------------------------------------------
FEATURES       
NAME           ImageMagick
QuantumDepth   64
@marcograss


commented Sep 30, 2016

To confirm, @asarubbo, I also hit this bug with ASAN on master.

@asarubbo

Author

commented Sep 30, 2016

Thanks. Did you find it on your own, or based on the flags I posted above?

@marcograss


commented Sep 30, 2016

Uhm, wait: your test case doesn't crash my instance either.

I have a different test case for a bug in that area of code, so I assumed it was the same bug.

I will open another issue; if they are the same, they can be merged into this one.

@asarubbo

Author

commented Sep 30, 2016

With a symbolized output the crash is the same.

@marcograss


commented Sep 30, 2016

OK, perfect. I guess they can close that new issue.

@attritionorg

@asarubbo

Author

commented Oct 11, 2016

https://blogs.gentoo.org/ago/2016/10/07/imagemagick-heap-based-buffer-overflow-in-ispixelmonochrome-pixel-accessor-h/

Public post on this issue. Not sure it adds much.

It doesn't. It's just my way to track issues I found.

Anyway, this is still reproducible for me with the latest release (7.0.3-4):

AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/./MagickCore/pixel-accessor.h:557:24 in IsPixelMonochrome
@mikayla-grace


commented Oct 16, 2016

Unfortunately we cannot reproduce the problem. We're using afl-clang 3.8.0 and no exception is thrown.

@attritionorg


commented Oct 18, 2016

FYI: Looks like a CVE was assigned to this (2016-8678), even though there are issues in reproducing and confirming.

@asarubbo

Author

commented Oct 18, 2016

The issue was reproduced by @marcograss too.

@dlemstra

Member

commented Nov 22, 2016

This is a Q64 issue and we do not support Q64. We're waiting for 128-bit processors to get Q64 to work.

@dlemstra dlemstra closed this Nov 22, 2016
