Memory corruption via a PSB file #348

Closed
Miladbr opened this issue Jan 7, 2017 · 2 comments
Miladbr commented Jan 7, 2017

$ /home/milad/ImageMagick/utilities/magick 18.psb /dev/null         
[1]    13850 segmentation fault (core dumped)  /home/milad/ImageMagick/utilities/magick  /dev/null

Valgrind output:

$ valgrind /home/milad/ImageMagick/utilities/magick 18.psb /dev/null
==13731== Memcheck, a memory error detector
==13731== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==13731== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==13731== Command: /home/milad/ImageMagick/utilities/magick 18.psb /dev/null
==13731== 
==13731== Invalid write of size 1
==13731==    at 0xCD97C0: PopQuantumPixel (quantum-export.c:196)
==13731==    by 0xCD97C0: ExportRedQuantum (quantum-export.c:3069)
==13731==    by 0xCD97C0: ExportQuantumPixels (quantum-export.c:4045)
==13731==    by 0x81F40D: WritePSDChannel (psd.c:2545)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731==    by 0x419D10: MagickMain (magick.c:149)
==13731==    by 0x57B882F: (below main) (libc-start.c:291)
==13731==  Address 0x6b77e4f is 0 bytes after a block of size 511 alloc'd
==13731==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13731==    by 0xC94D0C: AcquireQuantumPixels (quantum.c:175)
==13731==    by 0xC94D0C: SetQuantumDepth (quantum.c:693)
==13731==    by 0xC9571A: AcquireQuantumInfo (quantum.c:125)
==13731==    by 0x81F2E0: WritePSDChannel (psd.c:2514)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731== 
==13731== Invalid read of size 1
==13731==    at 0xCD9660: PopQuantumPixel (quantum-export.c:198)
==13731==    by 0xCD9660: ExportRedQuantum (quantum-export.c:3069)
==13731==    by 0xCD9660: ExportQuantumPixels (quantum-export.c:4045)
==13731==    by 0x81F40D: WritePSDChannel (psd.c:2545)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731==    by 0x419D10: MagickMain (magick.c:149)
==13731==    by 0x57B882F: (below main) (libc-start.c:291)
==13731==  Address 0x6b77e4f is 0 bytes after a block of size 511 alloc'd
==13731==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13731==    by 0xC94D0C: AcquireQuantumPixels (quantum.c:175)
==13731==    by 0xC94D0C: SetQuantumDepth (quantum.c:693)
==13731==    by 0xC9571A: AcquireQuantumInfo (quantum.c:125)
==13731==    by 0x81F2E0: WritePSDChannel (psd.c:2514)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731== 
==13731== Invalid write of size 8
==13731==    at 0x81FFE2: WritePSDChannel (psd.c:2549)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731==    by 0x419D10: MagickMain (magick.c:149)
==13731==    by 0x57B882F: (below main) (libc-start.c:291)
==13731==  Address 0x6b77e48 is 504 bytes inside a block of size 511 alloc'd
==13731==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13731==    by 0xC94D0C: AcquireQuantumPixels (quantum.c:175)
==13731==    by 0xC94D0C: SetQuantumDepth (quantum.c:693)
==13731==    by 0xC9571A: AcquireQuantumInfo (quantum.c:125)
==13731==    by 0x81F2E0: WritePSDChannel (psd.c:2514)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731== 
==13731== Invalid read of size 16
==13731==    at 0x81FFF1: WritePSDChannel (psd.c:2549)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731==    by 0x419D10: MagickMain (magick.c:149)
==13731==    by 0x57B882F: (below main) (libc-start.c:291)
==13731==  Address 0x6b77e50 is 1 bytes after a block of size 511 alloc'd
==13731==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13731==    by 0xC94D0C: AcquireQuantumPixels (quantum.c:175)
==13731==    by 0xC94D0C: SetQuantumDepth (quantum.c:693)
==13731==    by 0xC9571A: AcquireQuantumInfo (quantum.c:125)
==13731==    by 0x81F2E0: WritePSDChannel (psd.c:2514)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731== 
==13731== Invalid write of size 8
==13731==    at 0x81FFF8: WritePSDChannel (psd.c:2549)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731==    by 0x419D10: MagickMain (magick.c:149)
==13731==    by 0x57B882F: (below main) (libc-start.c:291)
==13731==  Address 0x6b77e50 is 1 bytes after a block of size 511 alloc'd
==13731==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13731==    by 0xC94D0C: AcquireQuantumPixels (quantum.c:175)
==13731==    by 0xC94D0C: SetQuantumDepth (quantum.c:693)
==13731==    by 0xC9571A: AcquireQuantumInfo (quantum.c:125)
==13731==    by 0x81F2E0: WritePSDChannel (psd.c:2514)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731== 
==13731== Invalid read of size 16
==13731==    at 0x81FF59: WritePSDChannel (psd.c:2549)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731==    by 0x419D10: MagickMain (magick.c:149)
==13731==    by 0x57B882F: (below main) (libc-start.c:291)
==13731==  Address 0x6b77e60 is 17 bytes after a block of size 511 alloc'd
==13731==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13731==    by 0xC94D0C: AcquireQuantumPixels (quantum.c:175)
==13731==    by 0xC94D0C: SetQuantumDepth (quantum.c:693)
==13731==    by 0xC9571A: AcquireQuantumInfo (quantum.c:125)
==13731==    by 0x81F2E0: WritePSDChannel (psd.c:2514)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731== 
==13731== Invalid write of size 8
==13731==    at 0x81FF5F: WritePSDChannel (psd.c:2549)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731==    by 0x419D10: MagickMain (magick.c:149)
==13731==    by 0x57B882F: (below main) (libc-start.c:291)
==13731==  Address 0x6b77e60 is 17 bytes after a block of size 511 alloc'd
==13731==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13731==    by 0xC94D0C: AcquireQuantumPixels (quantum.c:175)
==13731==    by 0xC94D0C: SetQuantumDepth (quantum.c:693)
==13731==    by 0xC9571A: AcquireQuantumInfo (quantum.c:125)
==13731==    by 0x81F2E0: WritePSDChannel (psd.c:2514)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731== 

valgrind: m_mallocfree.c:303 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
valgrind: Heap block lo/hi size mismatch: lo = 576, hi = 0.
This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata.  If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away.  Please try that before reporting this as a bug.


host stacktrace:
==13731==    at 0x38083F48: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13731==    by 0x38084064: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13731==    by 0x380841F1: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13731==    by 0x38091A9C: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13731==    by 0x3807D673: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13731==    by 0x3807BF03: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13731==    by 0x380800DA: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13731==    by 0x3807B49A: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13731==    by 0x80459A1A5: ???

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable (lwpid 13731)
==13731==    at 0x81FF6D: WritePSDChannel (psd.c:2549)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731==    by 0x419D10: MagickMain (magick.c:149)
==13731==    by 0x57B882F: (below main) (libc-start.c:291)

Thread 2: status = VgTs_Yielding (lwpid 13732)
==13731==    at 0x4E4BCE9: ??? (in /usr/lib/x86_64-linux-gnu/libgomp.so.1.0.0)
==13731==    by 0x4E49449: ??? (in /usr/lib/x86_64-linux-gnu/libgomp.so.1.0.0)
==13731==    by 0x55826B9: start_thread (pthread_create.c:333)
==13731==    by 0x589E82C: clone (clone.S:109)

PoC: https://github.com/Miladbr/public-poc/blob/master/imagemagick/18.psb
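The Valgrind report above describes a heap overrun: a 511-byte quantum pixel block allocated in AcquireQuantumPixels is written at offset 511 by PopQuantumPixel and then read and written beyond that by WritePSDChannel, until the heap metadata is corrupted and Valgrind itself aborts. The defensive pattern that prevents this class of bug is to derive the buffer size the exporter needs from the same parameters the caller used to allocate, and to refuse the export when they disagree. The following is an added example written for this page, not ImageMagick's code and not the fix that was committed; packed_row_bytes and pack_row are hypothetical names, the bit-packing layout is MSB-first by assumption, and the sample data is constructed.

```c
/* Added illustration (not ImageMagick code): a packed-sample row exporter
 * that computes the bytes it will write before writing any of them, and
 * fails cleanly when the destination buffer is too small. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes needed to hold `count` samples of `depth` bits each, packed
 * MSB-first and rounded up to whole bytes. Returns 0 for unsupported
 * depths, a zero count, or a size that would overflow size_t. */
size_t packed_row_bytes(size_t count, unsigned depth)
{
    if (count == 0 || depth == 0 || depth > 16)
        return 0;
    if (count > (SIZE_MAX - 7) / depth)          /* count * depth + 7 would wrap */
        return 0;
    return (count * depth + 7) / 8;
}

/* Pack `count` samples into `out`. The total is checked against `out_len`
 * up front, so a caller that allocated too little (511 bytes for 4096
 * one-bit samples, say) gets an error instead of a heap overrun.
 * Returns the number of bytes written, or 0 if the buffer is too small. */
size_t pack_row(const uint16_t *samples, size_t count, unsigned depth,
                uint8_t *out, size_t out_len)
{
    size_t need = packed_row_bytes(count, depth);
    if (need == 0 || need > out_len)
        return 0;
    memset(out, 0, need);
    uint32_t mask = (1u << depth) - 1u;
    size_t bitpos = 0;
    for (size_t i = 0; i < count; i++) {
        uint32_t v = samples[i] & mask;
        for (unsigned b = depth; b-- > 0; ) {    /* most significant bit first */
            if ((v >> b) & 1u)
                out[bitpos / 8] |= (uint8_t)(0x80u >> (bitpos % 8));
            bitpos++;
        }
    }
    return need;
}

/* Stand-alone demo: a 511-byte buffer (the block size in the Valgrind
 * report) cannot hold 4096 one-bit samples, which need 512 bytes. */
int main(void)
{
    static uint16_t samples[4096];               /* constructed sample row */
    uint8_t buf[511];
    for (size_t i = 0; i < 4096; i++)
        samples[i] = (uint16_t)(i & 1u);
    size_t n = pack_row(samples, 4096, 1, buf, sizeof buf);
    printf("need %zu bytes, have %zu: %s\n",
           packed_row_bytes(4096, 1), sizeof buf,
           n == 0 ? "export refused" : "exported");
    return 0;
}
```

The point of the size check is that it uses the exact arithmetic the allocator should have used, so an allocation computed from a different (or attacker-influenced) width or depth is caught at the boundary rather than one byte past it; an ASan or Valgrind run of the demo reports nothing, whereas removing the `need > out_len` test reproduces the "0 bytes after a block of size 511" finding from the report.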

@mikayla-grace

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

carnil commented Jan 27, 2017

This is CVE-2017-5510

dlemstra added the bug label Jan 27, 2017