memory corruption - out-of-bounds write #350

Closed
Miladbr opened this issue Jan 10, 2017 · 2 comments
Miladbr commented Jan 10, 2017

Valgrind output:

$ valgrind /home/milad/ImageMagick/utilities/magick 5.psd /dev/null
==2056== Memcheck, a memory error detector
==2056== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==2056== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==2056== Command: /home/milad/ImageMagick/utilities/magick 5.psd /dev/null
==2056== 
magick: CompressionNotSupported '26368' @ warning/psd.c/ReadPSDChannel/1349.
magick: CompressionNotSupported '29952' @ warning/psd.c/ReadPSDChannel/1349.
==2056== Invalid write of size 1
==2056==    at 0x5CFA4A: PSDPackbitsEncodeImage (psd.c:2402)
==2056==    by 0x5CFA4A: WritePSDChannel (psd.c:2552)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056==    by 0x918452: MagickImageCommand (magick-cli.c:791)
==2056==    by 0x919255: MagickCommandGenesis (mogrify.c:183)
==2056==    by 0x40410E: MagickMain (magick.c:149)
==2056==    by 0x40410E: main (magick.c:180)
==2056==  Address 0x5cfdbba is 0 bytes after a block of size 10 alloc'd
==2056==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2056==    by 0x432945: AcquireMagickMemory (memory.c:460)
==2056==    by 0x432945: AcquireQuantumMemory (memory.c:533)
==2056==    by 0x5CD4AA: AcquireCompactPixels (psd.c:2600)
==2056==    by 0x5CD4AA: WritePSDChannels (psd.c:2637)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056==    by 0x918452: MagickImageCommand (magick-cli.c:791)
==2056==    by 0x919255: MagickCommandGenesis (mogrify.c:183)
==2056==    by 0x40410E: MagickMain (magick.c:149)
==2056==    by 0x40410E: main (magick.c:180)
==2056== 
==2056== Invalid write of size 1
==2056==    at 0x5CFA51: PSDPackbitsEncodeImage (psd.c:2403)
==2056==    by 0x5CFA51: WritePSDChannel (psd.c:2552)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056==    by 0x918452: MagickImageCommand (magick-cli.c:791)
==2056==    by 0x919255: MagickCommandGenesis (mogrify.c:183)
==2056==    by 0x40410E: MagickMain (magick.c:149)
==2056==    by 0x40410E: main (magick.c:180)
==2056==  Address 0x5cfdbbb is 1 bytes after a block of size 10 alloc'd
==2056==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2056==    by 0x432945: AcquireMagickMemory (memory.c:460)
==2056==    by 0x432945: AcquireQuantumMemory (memory.c:533)
==2056==    by 0x5CD4AA: AcquireCompactPixels (psd.c:2600)
==2056==    by 0x5CD4AA: WritePSDChannels (psd.c:2637)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056==    by 0x918452: MagickImageCommand (magick-cli.c:791)
==2056==    by 0x919255: MagickCommandGenesis (mogrify.c:183)
==2056==    by 0x40410E: MagickMain (magick.c:149)
==2056==    by 0x40410E: main (magick.c:180)
==2056== 
==2056== Invalid write of size 1
==2056==    at 0x5CFA82: PSDPackbitsEncodeImage (psd.c:2428)
==2056==    by 0x5CFA82: WritePSDChannel (psd.c:2552)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056==    by 0x918452: MagickImageCommand (magick-cli.c:791)
==2056==    by 0x919255: MagickCommandGenesis (mogrify.c:183)
==2056==    by 0x40410E: MagickMain (magick.c:149)
==2056==    by 0x40410E: main (magick.c:180)
==2056==  Address 0x5cfdccc is 20 bytes after a block of size 8 alloc'd
==2056==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2056==    by 0x432945: AcquireMagickMemory (memory.c:460)
==2056==    by 0x432945: AcquireQuantumMemory (memory.c:533)
==2056==    by 0x7A6397: AcquireQuantumPixels (quantum.c:171)
==2056==    by 0x7A6397: SetQuantumDepth (quantum.c:693)
==2056==    by 0x7A5937: AcquireQuantumInfo (quantum.c:125)
==2056==    by 0x5CEBA4: WritePSDChannel (psd.c:2514)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056== 
==2056== Invalid read of size 1
==2056==    at 0x4C35030: __GI_mempcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2056==    by 0x55FB241: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1319)
==2056==    by 0x55F07BA: fwrite (iofwrite.c:39)
==2056==    by 0x6591A5: WriteBlob (blob.c:4445)
==2056==    by 0x5CFB1B: WritePSDChannel (psd.c:2554)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056==  Address 0x5cfdccc is 20 bytes after a block of size 8 alloc'd
==2056==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2056==    by 0x432945: AcquireMagickMemory (memory.c:460)
==2056==    by 0x432945: AcquireQuantumMemory (memory.c:533)
==2056==    by 0x7A6397: AcquireQuantumPixels (quantum.c:171)
==2056==    by 0x7A6397: SetQuantumDepth (quantum.c:693)
==2056==    by 0x7A5937: AcquireQuantumInfo (quantum.c:125)
==2056==    by 0x5CEBA4: WritePSDChannel (psd.c:2514)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056== 
==2056== Invalid read of size 1
==2056==    at 0x4C35040: __GI_mempcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2056==    by 0x55FB241: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1319)
==2056==    by 0x55F07BA: fwrite (iofwrite.c:39)
==2056==    by 0x6591A5: WriteBlob (blob.c:4445)
==2056==    by 0x5CFB1B: WritePSDChannel (psd.c:2554)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056==  Address 0x5cfdcca is 18 bytes after a block of size 8 alloc'd
==2056==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2056==    by 0x432945: AcquireMagickMemory (memory.c:460)
==2056==    by 0x432945: AcquireQuantumMemory (memory.c:533)
==2056==    by 0x7A6397: AcquireQuantumPixels (quantum.c:171)
==2056==    by 0x7A6397: SetQuantumDepth (quantum.c:693)
==2056==    by 0x7A5937: AcquireQuantumInfo (quantum.c:125)
==2056==    by 0x5CEBA4: WritePSDChannel (psd.c:2514)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056== 
==2056== Invalid read of size 1
==2056==    at 0x4C35030: __GI_mempcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2056==    by 0x55FD6CD: _IO_default_xsputn (genops.c:438)
==2056==    by 0x55FB2C6: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1352)
==2056==    by 0x55F07BA: fwrite (iofwrite.c:39)
==2056==    by 0x6591A5: WriteBlob (blob.c:4445)
==2056==    by 0x5CFB1B: WritePSDChannel (psd.c:2554)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==  Address 0x5cfdccc is 20 bytes after a block of size 8 alloc'd
==2056==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2056==    by 0x432945: AcquireMagickMemory (memory.c:460)
==2056==    by 0x432945: AcquireQuantumMemory (memory.c:533)
==2056==    by 0x7A6397: AcquireQuantumPixels (quantum.c:171)
==2056==    by 0x7A6397: SetQuantumDepth (quantum.c:693)
==2056==    by 0x7A5937: AcquireQuantumInfo (quantum.c:125)
==2056==    by 0x5CEBA4: WritePSDChannel (psd.c:2514)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056== 
==2056== Invalid read of size 1
==2056==    at 0x4C35040: __GI_mempcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2056==    by 0x55FD6CD: _IO_default_xsputn (genops.c:438)
==2056==    by 0x55FB2C6: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1352)
==2056==    by 0x55F07BA: fwrite (iofwrite.c:39)
==2056==    by 0x6591A5: WriteBlob (blob.c:4445)
==2056==    by 0x5CFB1B: WritePSDChannel (psd.c:2554)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==  Address 0x5cfdcca is 18 bytes after a block of size 8 alloc'd
==2056==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2056==    by 0x432945: AcquireMagickMemory (memory.c:460)
==2056==    by 0x432945: AcquireQuantumMemory (memory.c:533)
==2056==    by 0x7A6397: AcquireQuantumPixels (quantum.c:171)
==2056==    by 0x7A6397: SetQuantumDepth (quantum.c:693)
==2056==    by 0x7A5937: AcquireQuantumInfo (quantum.c:125)
==2056==    by 0x5CEBA4: WritePSDChannel (psd.c:2514)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056== 
==2056== Invalid read of size 1
==2056==    at 0x7A6A0C: DestroyQuantumPixels (quantum.c:267)
==2056==    by 0x7A6794: DestroyQuantumInfo (quantum.c:219)
==2056==    by 0x5CFC60: WritePSDChannel (psd.c:2586)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056==    by 0x5C9903: WritePSDImage (psd.c:3359)
==2056==    by 0x6A55CF: WriteImage (constitute.c:1101)
==2056==    by 0x6A643C: WriteImages (constitute.c:1320)
==2056==    by 0x9D9FA9: CLINoImageOperator (operation.c:4778)
==2056==    by 0x9DBE02: CLIOption (operation.c:5238)
==2056==    by 0x917836: ProcessCommandOptions (magick-cli.c:526)
==2056==    by 0x918452: MagickImageCommand (magick-cli.c:791)
==2056==    by 0x919255: MagickCommandGenesis (mogrify.c:183)
==2056==  Address 0xff82ff82ff86018d is not stack'd, malloc'd or (recently) free'd
==2056== 
==2056== 
==2056== Process terminating with default action of signal 6 (SIGABRT)
==2056==    at 0x55B7428: raise (raise.c:54)
==2056==    by 0x55B9029: abort (abort.c:89)
==2056==    by 0x43255F: MagickSignalHandler (magick.c:1314)
==2056==    by 0x537638F: ??? (in /lib/x86_64-linux-gnu/libpthread-2.23.so)
==2056==    by 0x55B7427: raise (raise.c:54)
==2056==    by 0x55B9029: abort (abort.c:89)
==2056==    by 0x4325A5: MagickSignalHandler (magick.c:1330)
==2056==    by 0x537638F: ??? (in /lib/x86_64-linux-gnu/libpthread-2.23.so)
==2056==    by 0x7A6A0B: DestroyQuantumPixels (quantum.c:267)
==2056==    by 0x7A6794: DestroyQuantumInfo (quantum.c:219)
==2056==    by 0x5CFC60: WritePSDChannel (psd.c:2586)
==2056==    by 0x5CDC05: WritePSDChannels (psd.c:2683)
==2056== 
==2056== HEAP SUMMARY:
==2056==     in use at exit: 821,915 bytes in 1,530 blocks
==2056==   total heap usage: 5,072 allocs, 3,542 frees, 1,733,410 bytes allocated
==2056== 
==2056== LEAK SUMMARY:
==2056==    definitely lost: 0 bytes in 0 blocks
==2056==    indirectly lost: 0 bytes in 0 blocks
==2056==      possibly lost: 0 bytes in 0 blocks
==2056==    still reachable: 821,915 bytes in 1,530 blocks
==2056==         suppressed: 0 bytes in 0 blocks
==2056== Rerun with --leak-check=full to see details of leaked memory
==2056== 
==2056== For counts of detected and suppressed errors, rerun with: -v
==2056== ERROR SUMMARY: 1603 errors from 8 contexts (suppressed: 0 from 0)
[1]    2056 abort      valgrind /home/milad/ImageMagick/utilities/magick 5.psd /dev/null

PoC:

https://github.com/Miladbr/public-poc/blob/master/imagemagick/5.psd
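The trace above reads as an encoder-side heap overflow: the first two "Invalid write of size 1" hits land 0 and 1 bytes past a 10-byte block that AcquireCompactPixels allocated for the PackBits output, and the later invalid reads in WriteBlob plus the bogus pointer in DestroyQuantumPixels (0xff82ff82ff86018d) are what you would expect once the overrun has trampled neighbouring heap data. The page does not state the root cause or the fix, so the following is not ImageMagick's code. It is an added, stand-alone C example of the sizing rule any PackBits writer has to respect: incompressible input grows by one header byte per 128 input bytes, so an output buffer sized from the input length alone is short by exactly the kind of margin the trace shows. The encoder refuses to write past its buffer instead of trusting the caller's size; the decoder is only there to round-trip the result. The function names and the sample rows are constructed for this example and are not taken from the PoC file.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Worst-case PackBits output for n input bytes: incompressible data becomes
 * literal runs of at most 128 bytes, each costing one header byte, so the
 * encoder may need n + ceil(n/128) bytes. An input-sized buffer lacks that. */
size_t packbits_max_encoded(size_t n)
{
    return n + (n + 127) / 128;
}
/* Bounds-checked PackBits encoder. Returns the encoded length, or (size_t)-1
 * if out_len is too small; it never writes past out + out_len. */
size_t packbits_encode(const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_len)
{
    size_t i = 0, o = 0;
    while (i < in_len) {
        /* Repeated-byte run: header byte is -(run-1), then the byte itself. */
        size_t run = 1;
        while (i + run < in_len && run < 128 && in[i + run] == in[i])
            run++;
        if (run >= 2) {
            if (o + 2 > out_len)
                return (size_t)-1;
            out[o++] = (uint8_t)(257 - run);       /* -(run-1) mod 256 */
            out[o++] = in[i];
            i += run;
            continue;
        }
        /* Literal run: header is len-1, then up to 128 raw bytes; it ends where
         * a repeated-byte run of length >= 2 begins. */
        size_t start = i, lit = 0;
        while (i < in_len && lit < 128) {
            if (i + 1 < in_len && in[i] == in[i + 1])
                break;
            i++, lit++;
        }
        if (o + 1 + lit > out_len)
            return (size_t)-1;
        out[o++] = (uint8_t)(lit - 1);
        memcpy(out + o, in + start, lit);
        o += lit;
    }
    return o;
}
/* Matching bounds-checked decoder, used to verify round trips. */
size_t packbits_decode(const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_len)
{
    size_t i = 0, o = 0;
    while (i < in_len) {
        int h = in[i++];
        if (h >= 128)
            h -= 256;                               /* header is a signed byte */
        if (h >= 0) {                               /* literal: h+1 raw bytes */
            size_t n = (size_t)h + 1;
            if (i + n > in_len || o + n > out_len)
                return (size_t)-1;
            memcpy(out + o, in + i, n);
            i += n, o += n;
        } else if (h != -128) {                     /* run: next byte 1-h times */
            size_t n = (size_t)(1 - h);
            if (i >= in_len || o + n > out_len)
                return (size_t)-1;
            memset(out + o, in[i++], n);
            o += n;
        }                                           /* -128 is a no-op header */
    }
    return o;
}
/* Encode `in` into a buffer of exactly out_len bytes, round-trip the result,
 * and return the encoded length, or (size_t)-1 if the encoder refused. */
size_t encode_into(const uint8_t *in, size_t in_len, size_t out_len)
{
    uint8_t *out = malloc(out_len + 1), *back = malloc(in_len + 1);
    size_t n = (size_t)-1;
    if (out && back) {
        n = packbits_encode(in, in_len, out, out_len);
        if (n != (size_t)-1 && (packbits_decode(out, n, back, in_len) != in_len
                                || memcmp(back, in, in_len) != 0))
            abort();                                /* round trip must hold */
    }
    free(out), free(back);
    return n;
}
/* Constructed sample rows (not taken from the PoC file). */
static const uint8_t kIncompressible[10] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9};
static const uint8_t kMixed[7] = {1, 1, 1, 2, 3, 4, 4};
size_t encode_incompressible(size_t out_len) { return encode_into(kIncompressible, 10, out_len); }
size_t encode_mixed(size_t out_len) { return encode_into(kMixed, 7, out_len); }

int main(void)
{
    /* Ten incompressible bytes need 11 bytes of output: an input-sized buffer
     * is refused here, where an unchecked encoder writes 1 byte past it. */
    printf("input-sized buffer: %ld\n", (long)encode_incompressible(10));
    printf("worst-case buffer:  %ld\n", (long)encode_incompressible(packbits_max_encoded(10)));
    return 0;
}
```

Compile with `cc -Wall` and run: the input-sized buffer case prints -1 (refused), the worst-case buffer case prints 11. When fuzzing an encoder like this one, run it under Valgrind or ASan as the reporter did; a one-byte write past a heap block is silent without an instrumented allocator and typically only surfaces later as the kind of wild pointer and SIGABRT seen at the end of the trace.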

@mikayla-grace

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

carnil commented Jan 27, 2017

This is CVE-2017-5509

@dlemstra dlemstra added the bug label Jan 28, 2017