
Memory corruption via a PSB file #348

Closed
Miladbr opened this issue Jan 7, 2017 · 2 comments

Comments

@Miladbr

commented Jan 7, 2017

$ /home/milad/ImageMagick/utilities/magick 18.psb /dev/null         
[1]    13850 segmentation fault (core dumped)  /home/milad/ImageMagick/utilities/magick  /dev/null

Valgrind output:

$ valgrind /home/milad/ImageMagick/utilities/magick 18.psb /dev/null
==13731== Memcheck, a memory error detector
==13731== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==13731== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==13731== Command: /home/milad/ImageMagick/utilities/magick 18.psb /dev/null
==13731== 
==13731== Invalid write of size 1
==13731==    at 0xCD97C0: PopQuantumPixel (quantum-export.c:196)
==13731==    by 0xCD97C0: ExportRedQuantum (quantum-export.c:3069)
==13731==    by 0xCD97C0: ExportQuantumPixels (quantum-export.c:4045)
==13731==    by 0x81F40D: WritePSDChannel (psd.c:2545)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731==    by 0x419D10: MagickMain (magick.c:149)
==13731==    by 0x57B882F: (below main) (libc-start.c:291)
==13731==  Address 0x6b77e4f is 0 bytes after a block of size 511 alloc'd
==13731==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13731==    by 0xC94D0C: AcquireQuantumPixels (quantum.c:175)
==13731==    by 0xC94D0C: SetQuantumDepth (quantum.c:693)
==13731==    by 0xC9571A: AcquireQuantumInfo (quantum.c:125)
==13731==    by 0x81F2E0: WritePSDChannel (psd.c:2514)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731== 
==13731== Invalid read of size 1
==13731==    at 0xCD9660: PopQuantumPixel (quantum-export.c:198)
==13731==    by 0xCD9660: ExportRedQuantum (quantum-export.c:3069)
==13731==    by 0xCD9660: ExportQuantumPixels (quantum-export.c:4045)
==13731==    by 0x81F40D: WritePSDChannel (psd.c:2545)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731==    by 0x419D10: MagickMain (magick.c:149)
==13731==    by 0x57B882F: (below main) (libc-start.c:291)
==13731==  Address 0x6b77e4f is 0 bytes after a block of size 511 alloc'd
==13731==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13731==    by 0xC94D0C: AcquireQuantumPixels (quantum.c:175)
==13731==    by 0xC94D0C: SetQuantumDepth (quantum.c:693)
==13731==    by 0xC9571A: AcquireQuantumInfo (quantum.c:125)
==13731==    by 0x81F2E0: WritePSDChannel (psd.c:2514)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731== 
==13731== Invalid write of size 8
==13731==    at 0x81FFE2: WritePSDChannel (psd.c:2549)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731==    by 0x419D10: MagickMain (magick.c:149)
==13731==    by 0x57B882F: (below main) (libc-start.c:291)
==13731==  Address 0x6b77e48 is 504 bytes inside a block of size 511 alloc'd
==13731==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13731==    by 0xC94D0C: AcquireQuantumPixels (quantum.c:175)
==13731==    by 0xC94D0C: SetQuantumDepth (quantum.c:693)
==13731==    by 0xC9571A: AcquireQuantumInfo (quantum.c:125)
==13731==    by 0x81F2E0: WritePSDChannel (psd.c:2514)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731== 
==13731== Invalid read of size 16
==13731==    at 0x81FFF1: WritePSDChannel (psd.c:2549)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731==    by 0x419D10: MagickMain (magick.c:149)
==13731==    by 0x57B882F: (below main) (libc-start.c:291)
==13731==  Address 0x6b77e50 is 1 bytes after a block of size 511 alloc'd
==13731==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13731==    by 0xC94D0C: AcquireQuantumPixels (quantum.c:175)
==13731==    by 0xC94D0C: SetQuantumDepth (quantum.c:693)
==13731==    by 0xC9571A: AcquireQuantumInfo (quantum.c:125)
==13731==    by 0x81F2E0: WritePSDChannel (psd.c:2514)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731== 
==13731== Invalid write of size 8
==13731==    at 0x81FFF8: WritePSDChannel (psd.c:2549)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731==    by 0x419D10: MagickMain (magick.c:149)
==13731==    by 0x57B882F: (below main) (libc-start.c:291)
==13731==  Address 0x6b77e50 is 1 bytes after a block of size 511 alloc'd
==13731==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13731==    by 0xC94D0C: AcquireQuantumPixels (quantum.c:175)
==13731==    by 0xC94D0C: SetQuantumDepth (quantum.c:693)
==13731==    by 0xC9571A: AcquireQuantumInfo (quantum.c:125)
==13731==    by 0x81F2E0: WritePSDChannel (psd.c:2514)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731== 
==13731== Invalid read of size 16
==13731==    at 0x81FF59: WritePSDChannel (psd.c:2549)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731==    by 0x419D10: MagickMain (magick.c:149)
==13731==    by 0x57B882F: (below main) (libc-start.c:291)
==13731==  Address 0x6b77e60 is 17 bytes after a block of size 511 alloc'd
==13731==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13731==    by 0xC94D0C: AcquireQuantumPixels (quantum.c:175)
==13731==    by 0xC94D0C: SetQuantumDepth (quantum.c:693)
==13731==    by 0xC9571A: AcquireQuantumInfo (quantum.c:125)
==13731==    by 0x81F2E0: WritePSDChannel (psd.c:2514)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731== 
==13731== Invalid write of size 8
==13731==    at 0x81FF5F: WritePSDChannel (psd.c:2549)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731==    by 0x419D10: MagickMain (magick.c:149)
==13731==    by 0x57B882F: (below main) (libc-start.c:291)
==13731==  Address 0x6b77e60 is 17 bytes after a block of size 511 alloc'd
==13731==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13731==    by 0xC94D0C: AcquireQuantumPixels (quantum.c:175)
==13731==    by 0xC94D0C: SetQuantumDepth (quantum.c:693)
==13731==    by 0xC9571A: AcquireQuantumInfo (quantum.c:125)
==13731==    by 0x81F2E0: WritePSDChannel (psd.c:2514)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731== 

valgrind: m_mallocfree.c:303 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
valgrind: Heap block lo/hi size mismatch: lo = 576, hi = 0.
This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata.  If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away.  Please try that before reporting this as a bug.


host stacktrace:
==13731==    at 0x38083F48: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13731==    by 0x38084064: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13731==    by 0x380841F1: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13731==    by 0x38091A9C: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13731==    by 0x3807D673: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13731==    by 0x3807BF03: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13731==    by 0x380800DA: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13731==    by 0x3807B49A: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13731==    by 0x80459A1A5: ???

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable (lwpid 13731)
==13731==    at 0x81FF6D: WritePSDChannel (psd.c:2549)
==13731==    by 0x82E6B8: WritePSDChannels (psd.c:2683)
==13731==    by 0x82E6B8: WritePSDImage (psd.c:3359)
==13731==    by 0xA148B7: WriteImage (constitute.c:1101)
==13731==    by 0xA16605: WriteImages (constitute.c:1320)
==13731==    by 0x11043F3: CLINoImageOperator (operation.c:4778)
==13731==    by 0x1107338: CLIOption (operation.c:5238)
==13731==    by 0xF86894: ProcessCommandOptions (magick-cli.c:526)
==13731==    by 0xF87FC2: MagickImageCommand (magick-cli.c:791)
==13731==    by 0xF90DE9: MagickCommandGenesis (mogrify.c:183)
==13731==    by 0x419D10: MagickMain (magick.c:149)
==13731==    by 0x57B882F: (below main) (libc-start.c:291)

Thread 2: status = VgTs_Yielding (lwpid 13732)
==13731==    at 0x4E4BCE9: ??? (in /usr/lib/x86_64-linux-gnu/libgomp.so.1.0.0)
==13731==    by 0x4E49449: ??? (in /usr/lib/x86_64-linux-gnu/libgomp.so.1.0.0)
==13731==    by 0x55826B9: start_thread (pthread_create.c:333)
==13731==    by 0x589E82C: clone (clone.S:109)

PoC: https://github.com/Miladbr/public-poc/blob/master/imagemagick/18.psb
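Memcheck records like the ones above can be triaged mechanically. The following is an added example, not part of this report or of ImageMagick: it parses "Invalid read/write" records, separates the faulting stack from the allocation site, and computes how far each access runs past the end of its heap block. The sample text is constructed from a trimmed subset of the lines in the report.

```python
import re

# Constructed sample: three records trimmed from the Memcheck log in the report above.
SAMPLE = """\
==13731== Invalid write of size 1
==13731==    at 0xCD97C0: PopQuantumPixel (quantum-export.c:196)
==13731==  Address 0x6b77e4f is 0 bytes after a block of size 511 alloc'd
==13731==    by 0xC94D0C: AcquireQuantumPixels (quantum.c:175)
==13731== Invalid write of size 8
==13731==    at 0x81FFE2: WritePSDChannel (psd.c:2549)
==13731==  Address 0x6b77e48 is 504 bytes inside a block of size 511 alloc'd
==13731==    by 0xC94D0C: AcquireQuantumPixels (quantum.c:175)
==13731== Invalid read of size 16
==13731==    at 0x81FF59: WritePSDChannel (psd.c:2549)
==13731==  Address 0x6b77e60 is 17 bytes after a block of size 511 alloc'd
==13731==    by 0xC94D0C: AcquireQuantumPixels (quantum.c:175)
"""

HEADER = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+)$")
ADDR = re.compile(r"^==\d+==  Address 0x[0-9a-f]+ is (\d+) bytes (after|before|inside) "
                  r"a block of size (\d+) alloc'd$")

def parse_memcheck(text):
    """Group 'Invalid read/write' records; frames after the Address line are the allocation site."""
    records = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            records.append({"kind": m[1], "size": int(m[2]), "frames": [],
                            "alloc_frames": [], "relation": None})
        elif records and (m := ADDR.match(line)):
            records[-1].update(offset=int(m[1]), relation=m[2], block_size=int(m[3]))
        elif records and (m := FRAME.match(line)):
            key = "alloc_frames" if records[-1]["relation"] else "frames"
            records[-1][key].append(m[1])
    return records

def overrun_bytes(rec):
    """Bytes of the access lying past the end of the block (0 if none)."""
    if rec["relation"] == "after":
        return rec["offset"] + rec["size"]
    if rec["relation"] == "inside":
        return max(0, rec["offset"] + rec["size"] - rec["block_size"])
    return 0  # "before": an underflow, not the pattern in this report

def writes_past_end(records):
    """Writes past the block end: these corrupt heap metadata (Valgrind's lo/hi size assertion)."""
    return [(r["frames"][0], overrun_bytes(r)) for r in records
            if r["kind"] == "write" and overrun_bytes(r) > 0]
```

The writes flagged by `writes_past_end` are the ones to fix first: the allocation-site frames tell you which buffer is undersized, and the faulting frames tell you which loop walks off its end.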

@mikayla-grace


commented Jan 8, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

dlemstra pushed a commit that referenced this issue Jan 8, 2017

Cristy

dlemstra pushed a commit that referenced this issue Jan 8, 2017

Cristy
@carnil


commented Jan 27, 2017

This is CVE-2017-5510

@dlemstra dlemstra added the bug label Jan 27, 2017

@dlemstra dlemstra closed this Jan 27, 2017
