
memory corruption - Out of bound write #350

Closed
Miladbr opened this issue Jan 10, 2017 · 2 comments

@Miladbr commented Jan 10, 2017

Valgrind output:

$ valgrind /home/milad/ImageMagick/utilities/magick 5.psd /dev/null
==2056== Memcheck, a memory error detector
==2056== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==2056== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==2056== Command: /home/milad/ImageMagick/utilities/magick 5.psd /dev/null
==2056== 
magick: CompressionNotSupported '26368' @ warning/psd.c/ReadPSDChannel/1349.
magick: CompressionNotSupported '29952' @ warning/psd.c/ReadPSDChannel/1349.
==2056== Invalid write of size 1
==2056==    at 0x5CFA4A: PSDPackbitsEncodeImage (psd.c:2402)
==2056==    by 0x5CFA4A: WritePSDChannel (psd.c:2552)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056==    by 0x918452: MagickImageCommand (magick-cli.c:791)
==2056==    by 0x919255: MagickCommandGenesis (mogrify.c:183)
==2056==    by 0x40410E: MagickMain (magick.c:149)
==2056==    by 0x40410E: main (magick.c:180)
==2056==  Address 0x5cfdbba is 0 bytes after a block of size 10 alloc'd
==2056==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2056==    by 0x432945: AcquireMagickMemory (memory.c:460)
==2056==    by 0x432945: AcquireQuantumMemory (memory.c:533)
==2056==    by 0x5CD4AA: AcquireCompactPixels (psd.c:2600)
==2056==    by 0x5CD4AA: WritePSDChannels (psd.c:2637)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056==    by 0x918452: MagickImageCommand (magick-cli.c:791)
==2056==    by 0x919255: MagickCommandGenesis (mogrify.c:183)
==2056==    by 0x40410E: MagickMain (magick.c:149)
==2056==    by 0x40410E: main (magick.c:180)
==2056== 
==2056== Invalid write of size 1
==2056==    at 0x5CFA51: PSDPackbitsEncodeImage (psd.c:2403)
==2056==    by 0x5CFA51: WritePSDChannel (psd.c:2552)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056==    by 0x918452: MagickImageCommand (magick-cli.c:791)
==2056==    by 0x919255: MagickCommandGenesis (mogrify.c:183)
==2056==    by 0x40410E: MagickMain (magick.c:149)
==2056==    by 0x40410E: main (magick.c:180)
==2056==  Address 0x5cfdbbb is 1 bytes after a block of size 10 alloc'd
==2056==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2056==    by 0x432945: AcquireMagickMemory (memory.c:460)
==2056==    by 0x432945: AcquireQuantumMemory (memory.c:533)
==2056==    by 0x5CD4AA: AcquireCompactPixels (psd.c:2600)
==2056==    by 0x5CD4AA: WritePSDChannels (psd.c:2637)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056==    by 0x918452: MagickImageCommand (magick-cli.c:791)
==2056==    by 0x919255: MagickCommandGenesis (mogrify.c:183)
==2056==    by 0x40410E: MagickMain (magick.c:149)
==2056==    by 0x40410E: main (magick.c:180)
==2056== 
==2056== Invalid write of size 1
==2056==    at 0x5CFA82: PSDPackbitsEncodeImage (psd.c:2428)
==2056==    by 0x5CFA82: WritePSDChannel (psd.c:2552)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056==    by 0x918452: MagickImageCommand (magick-cli.c:791)
==2056==    by 0x919255: MagickCommandGenesis (mogrify.c:183)
==2056==    by 0x40410E: MagickMain (magick.c:149)
==2056==    by 0x40410E: main (magick.c:180)
==2056==  Address 0x5cfdccc is 20 bytes after a block of size 8 alloc'd
==2056==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2056==    by 0x432945: AcquireMagickMemory (memory.c:460)
==2056==    by 0x432945: AcquireQuantumMemory (memory.c:533)
==2056==    by 0x7A6397: AcquireQuantumPixels (quantum.c:171)
==2056==    by 0x7A6397: SetQuantumDepth (quantum.c:693)
==2056==    by 0x7A5937: AcquireQuantumInfo (quantum.c:125)
==2056==    by 0x5CEBA4: WritePSDChannel (psd.c:2514)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056== 
==2056== Invalid read of size 1
==2056==    at 0x4C35030: __GI_mempcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2056==    by 0x55FB241: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1319)
==2056==    by 0x55F07BA: fwrite (iofwrite.c:39)
==2056==    by 0x6591A5: WriteBlob (blob.c:4445)
==2056==    by 0x5CFB1B: WritePSDChannel (psd.c:2554)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056==  Address 0x5cfdccc is 20 bytes after a block of size 8 alloc'd
==2056==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2056==    by 0x432945: AcquireMagickMemory (memory.c:460)
==2056==    by 0x432945: AcquireQuantumMemory (memory.c:533)
==2056==    by 0x7A6397: AcquireQuantumPixels (quantum.c:171)
==2056==    by 0x7A6397: SetQuantumDepth (quantum.c:693)
==2056==    by 0x7A5937: AcquireQuantumInfo (quantum.c:125)
==2056==    by 0x5CEBA4: WritePSDChannel (psd.c:2514)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056== 
==2056== Invalid read of size 1
==2056==    at 0x4C35040: __GI_mempcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2056==    by 0x55FB241: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1319)
==2056==    by 0x55F07BA: fwrite (iofwrite.c:39)
==2056==    by 0x6591A5: WriteBlob (blob.c:4445)
==2056==    by 0x5CFB1B: WritePSDChannel (psd.c:2554)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056==  Address 0x5cfdcca is 18 bytes after a block of size 8 alloc'd
==2056==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2056==    by 0x432945: AcquireMagickMemory (memory.c:460)
==2056==    by 0x432945: AcquireQuantumMemory (memory.c:533)
==2056==    by 0x7A6397: AcquireQuantumPixels (quantum.c:171)
==2056==    by 0x7A6397: SetQuantumDepth (quantum.c:693)
==2056==    by 0x7A5937: AcquireQuantumInfo (quantum.c:125)
==2056==    by 0x5CEBA4: WritePSDChannel (psd.c:2514)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056== 
==2056== Invalid read of size 1
==2056==    at 0x4C35030: __GI_mempcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2056==    by 0x55FD6CD: _IO_default_xsputn (genops.c:438)
==2056==    by 0x55FB2C6: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1352)
==2056==    by 0x55F07BA: fwrite (iofwrite.c:39)
==2056==    by 0x6591A5: WriteBlob (blob.c:4445)
==2056==    by 0x5CFB1B: WritePSDChannel (psd.c:2554)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==  Address 0x5cfdccc is 20 bytes after a block of size 8 alloc'd
==2056==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2056==    by 0x432945: AcquireMagickMemory (memory.c:460)
==2056==    by 0x432945: AcquireQuantumMemory (memory.c:533)
==2056==    by 0x7A6397: AcquireQuantumPixels (quantum.c:171)
==2056==    by 0x7A6397: SetQuantumDepth (quantum.c:693)
==2056==    by 0x7A5937: AcquireQuantumInfo (quantum.c:125)
==2056==    by 0x5CEBA4: WritePSDChannel (psd.c:2514)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056== 
==2056== Invalid read of size 1
==2056==    at 0x4C35040: __GI_mempcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2056==    by 0x55FD6CD: _IO_default_xsputn (genops.c:438)
==2056==    by 0x55FB2C6: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1352)
==2056==    by 0x55F07BA: fwrite (iofwrite.c:39)
==2056==    by 0x6591A5: WriteBlob (blob.c:4445)
==2056==    by 0x5CFB1B: WritePSDChannel (psd.c:2554)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==  Address 0x5cfdcca is 18 bytes after a block of size 8 alloc'd
==2056==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2056==    by 0x432945: AcquireMagickMemory (memory.c:460)
==2056==    by 0x432945: AcquireQuantumMemory (memory.c:533)
==2056==    by 0x7A6397: AcquireQuantumPixels (quantum.c:171)
==2056==    by 0x7A6397: SetQuantumDepth (quantum.c:693)
==2056==    by 0x7A5937: AcquireQuantumInfo (quantum.c:125)
==2056==    by 0x5CEBA4: WritePSDChannel (psd.c:2514)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056== 
==2056== Invalid read of size 1
==2056==    at 0x7A6A0C: DestroyQuantumPixels (quantum.c:267)
==2056==    by 0x7A6794: DestroyQuantumInfo (quantum.c:219)
==2056==    by 0x5CFC60: WritePSDChannel (psd.c:2586)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056==    by 0x918452: MagickImageCommand (magick-cli.c:791)
==2056==    by 0x919255: MagickCommandGenesis (mogrify.c:183)
==2056==  Address 0xff82ff82ff86018d is not stack'd, malloc'd or (recently) free'd
==2056== 
==2056== 
==2056== Process terminating with default action of signal 6 (SIGABRT)
==2056==    at 0x55B7428: raise (raise.c:54)
==2056==    by 0x55B9029: abort (abort.c:89)
==2056==    by 0x43255F: MagickSignalHandler (magick.c:1314)
==2056==    by 0x537638F: ??? (in /lib/x86_64-linux-gnu/libpthread-2.23.so)
==2056==    by 0x55B7427: raise (raise.c:54)
==2056==    by 0x55B9029: abort (abort.c:89)
==2056==    by 0x4325A5: MagickSignalHandler (magick.c:1330)
==2056==    by 0x537638F: ??? (in /lib/x86_64-linux-gnu/libpthread-2.23.so)
==2056==    by 0x7A6A0B: DestroyQuantumPixels (quantum.c:267)
==2056==    by 0x7A6794: DestroyQuantumInfo (quantum.c:219)
==2056==    by 0x5CFC60: WritePSDChannel (psd.c:2586)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056== 
==2056== HEAP SUMMARY:
==2056==     in use at exit: 821,915 bytes in 1,530 blocks
==2056==   total heap usage: 5,072 allocs, 3,542 frees, 1,733,410 bytes allocated
==2056== 
==2056== LEAK SUMMARY:
==2056==    definitely lost: 0 bytes in 0 blocks
==2056==    indirectly lost: 0 bytes in 0 blocks
==2056==      possibly lost: 0 bytes in 0 blocks
==2056==    still reachable: 821,915 bytes in 1,530 blocks
==2056==         suppressed: 0 bytes in 0 blocks
==2056== Rerun with --leak-check=full to see details of leaked memory
==2056== 
==2056== For counts of detected and suppressed errors, rerun with: -v
==2056== ERROR SUMMARY: 1603 errors from 8 contexts (suppressed: 0 from 0)
[1]    2056 abort      valgrind /home/milad/ImageMagick/utilities/magick 5.psd /dev/null

PoC:

https://github.com/Miladbr/public-poc/blob/master/imagemagick/5.psd
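The trace above reports one-byte writes in PSDPackbitsEncodeImage landing 0 and 1 bytes past a 10-byte block returned by AcquireCompactPixels, that is, the run-length encoder's output buffer is smaller than what the encoder emits. The issue does not say how that buffer size is computed, so what follows is an added example and not ImageMagick's code: a standalone PackBits encoder and decoder (all function names, the PACKBITS_ERR sentinel and the SAMPLE_ROW input are my own constructions) that sizes the output from the format's worst case, n + ceil(n/128) bytes, and checks capacity before every write, so an undersized buffer yields an error return instead of a heap overflow.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PACKBITS_ERR ((size_t)-1)   /* hypothetical error sentinel */

/* Worst-case PackBits output for n input bytes: a stream with no repeats is
   emitted as literal runs of at most 128 bytes, each with a one-byte header,
   so the bound is n + ceil(n / 128). */
size_t packbits_max_output(size_t n)
{
    return n + (n + 127) / 128;
}

/* Encode in[0..n) into out (capacity out_cap). Returns bytes written, or
   PACKBITS_ERR if the output would not fit. Capacity is checked before every
   write, so the function never writes past out + out_cap however the caller
   sized the buffer. */
size_t packbits_encode(const uint8_t *in, size_t n, uint8_t *out, size_t out_cap)
{
    size_t i = 0, o = 0;
    while (i < n) {
        /* Length of the run of identical bytes starting at i (at most 128). */
        size_t run = 1;
        while (i + run < n && run < 128 && in[i + run] == in[i])
            run++;
        if (run >= 2) {
            if (o + 2 > out_cap)
                return PACKBITS_ERR;
            out[o++] = (uint8_t)(257 - run);  /* header -(run-1) in two's complement */
            out[o++] = in[i];
            i += run;
            continue;
        }
        /* Literal run: extend until a repeat begins or 128 bytes are taken. */
        size_t lit = 1;
        while (i + lit < n && lit < 128) {
            if (i + lit + 1 < n && in[i + lit] == in[i + lit + 1])
                break;
            lit++;
        }
        if (o + 1 + lit > out_cap)
            return PACKBITS_ERR;
        out[o++] = (uint8_t)(lit - 1);        /* header lit-1 (0..127) */
        memcpy(out + o, in + i, lit);
        o += lit;
        i += lit;
    }
    return o;
}

/* Decode with the same discipline: input and output bounds are checked
   before each copy, so a truncated or hostile stream cannot overrun either. */
size_t packbits_decode(const uint8_t *in, size_t n, uint8_t *out, size_t out_cap)
{
    size_t i = 0, o = 0, len;
    while (i < n) {
        int h = in[i++];
        if (h > 127)
            h -= 256;                          /* header byte is signed */
        if (h == -128)
            continue;                          /* no-op header */
        if (h >= 0) {                          /* literal: next h+1 bytes */
            len = (size_t)h + 1;
            if (i + len > n || o + len > out_cap)
                return PACKBITS_ERR;
            memcpy(out + o, in + i, len);
            i += len;
        } else {                               /* run: next byte repeated 1-h times */
            len = (size_t)(1 - h);
            if (i >= n || o + len > out_cap)
                return PACKBITS_ERR;
            memset(out + o, in[i], len);
            i++;
        }
        o += len;
    }
    return o;
}

/* Constructed sample row (not taken from the PoC file): a 4-byte run, then 3 literals. */
static const uint8_t SAMPLE_ROW[] = { 'A', 'A', 'A', 'A', 'B', 'C', 'D' };

/* A one-byte row needs two output bytes (header + literal); encoding it into a
   one-byte buffer is refused rather than overrun. */
size_t encode_one_byte_row(size_t cap)
{
    uint8_t row[1] = { 0x41 }, out[4] = { 0 };
    if (cap > sizeof out)
        cap = sizeof out;
    return packbits_encode(row, 1, out, cap);
}

/* Encoded size of SAMPLE_ROW: 2 bytes for the run plus 1 + 3 for the literals. */
size_t sample_encoded_len(void)
{
    uint8_t enc[16];
    return packbits_encode(SAMPLE_ROW, sizeof SAMPLE_ROW, enc, sizeof enc);
}

/* Encode into a buffer sized by packbits_max_output, decode, and compare. */
int roundtrip_ok(const uint8_t *in, size_t n)
{
    uint8_t enc[512], dec[512];
    if (n > sizeof dec || packbits_max_output(n) > sizeof enc)
        return 0;
    size_t e = packbits_encode(in, n, enc, packbits_max_output(n));
    if (e == PACKBITS_ERR)
        return 0;
    size_t d = packbits_decode(enc, e, dec, sizeof dec);
    return d == n && memcmp(in, dec, n) == 0;
}

/* Encoded length of n distinct bytes (n <= 256), the worst case, which lands
   exactly on packbits_max_output(n). */
size_t encode_distinct_row(size_t n)
{
    uint8_t row[256], enc[256 + 2];
    if (n > sizeof row)
        return PACKBITS_ERR;
    for (size_t k = 0; k < n; k++)
        row[k] = (uint8_t)k;
    return packbits_encode(row, n, enc, sizeof enc);
}

int main(void)
{
    printf("1-byte row into 1-byte buffer: %s\n",
           encode_one_byte_row(1) == PACKBITS_ERR ? "refused" : "written");
    printf("sample row round trip: %s\n",
           roundtrip_ok(SAMPLE_ROW, sizeof SAMPLE_ROW) ? "ok" : "FAIL");
    printf("129 distinct bytes encode to %zu (bound %zu)\n",
           encode_distinct_row(129), packbits_max_output(129));
    return 0;
}
```

Compile with `cc -std=c99 -Wall example.c`. The single-pixel case is the point: a one-byte row already needs two output bytes, which is exactly the boundary a fixed or under-computed allocation misses, and the encoder's capacity check turns that into a clean error. Running the real encoder on the reporter's file under Valgrind or AddressSanitizer, as done above, stays the way to catch such overruns in the actual code.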
@mikayla-grace commented Jan 10, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

dlemstra pushed a commit (author: Cristy) that referenced this issue Jan 10, 2017

dlemstra pushed a commit (author: Cristy) that referenced this issue Jan 10, 2017
@carnil commented Jan 27, 2017

This is CVE-2017-5509

@dlemstra dlemstra added the bug label Jan 28, 2017

@dlemstra dlemstra closed this Jan 28, 2017
