use of uninitialized data in ImageMagick/coders/mat.c:407 #362
Comments
Complete valgrind output:
Thanks for alerting us to uninitialized data. In some cases, in the interest of performance, we accept that some data may be uninitialized without any ill effects or security issues. However, in this case performance is not an issue so we initialized the buffer and valgrind no longer complains.

Yes this fixes the symptom, thank you. I don't understand the MAT image format much, but I'm still wondering why the code is trying to calculate min/max values for undefined (or now after your fix: zero) data in the first place. That's why I was thinking there's some more serious bug behind this.
Fixes a use of uninitialized data issue in MAT image format that may have security impact: ImageMagick/ImageMagick#362
[Peter: extend commit message, mention (potential) security impact]
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Fixes a use of uninitialized data issue in MAT image format that may have security impact: ImageMagick/ImageMagick#362
[Peter: extend commit message, mention (potential) security impact]
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e5f505e)
2017-02-04  7.0.4-7 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.4-7, GIT revision 19513:5783e57:20170204.

2017-01-28  7.0.4-7 Cristy  <quetzlzacatenango@image...>
  * Sanitize comments that include braces for the MIFF image format (reference ImageMagick/ImageMagick#368).

2017-01-27  7.0.4-7 Glenn Randers-Pehrson  <glennrp@image...>
  * coders/png.c: Added support for a proposed new PNG chunk (zxIf, read-only) that is currently being discussed on the png-mng-misc at lists.sourceforge.net mailing list. Enable exIf and zxIf with CPPFLAGS="-DexIf_SUPPORTED -DxzIf_SUPPORTED". If exIf is enabled, only the uncompressed exIF chunk will be written and the hex-encoded zTXt chunk containing the raw Exif profile won't be written.

2017-01-27  7.0.4-6 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.4-6, GIT revision 19442:4747de9:20170127.

2017-01-27  7.0.4-6 Cristy  <quetzlzacatenango@image...>
  * Uninitialized data in MAT image format (reference ImageMagick/ImageMagick#362).
  * Properly auto-fit caption (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30887).
  * Correction to composite Over operator (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31282).
  * Respect gravity option (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31284).

2017-01-22  7.0.4-6 Glenn Randers-Pehrson  <glennrp@image...>
  * Renamed read_vpag_chunk_callback() function to png_user_chunk_callback() in coders/png.c
  * Implemented a private PNG caNv (canvas) chunk for remembering the original dimensions and offsets when an image is cropped. Previously we used the oFFs and vpAg chunks for this purpose, but this had potential conflicts with other applications that also use the oFFs chunk.
  * coders/png.c: Added support for a proposed new PNG chunk (exIf read-write, eXIf read-only) that is currently being discussed on the png-mng-misc at lists.sourceforge.net mailing list.

2017-01-22  7.0.4-6 Dirk Lemstra  <dirk@lem.....org>
  * Replaced CoderSeekableStreamFlag with CoderDecoderSeekableStreamFlag and CoderEncoderSeekableStreamFlag.

…on 6.9.7

2017-02-04  6.9.7-7 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 6.9.7-7, GIT revision 11338:cc980d1:20170204.

2017-01-28  6.9.7-7 Cristy  <quetzlzacatenango@image...>
  * Sanitize comments that include braces for the MIFF image format (reference ImageMagick/ImageMagick#368).

2017-01-27  6.9.7-6 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 6.9.7-6, GIT revision 11327:6b2f052:20170127.

2017-01-27  6.9.7-6 Cristy  <quetzlzacatenango@image...>
  * Uninitialized data in MAT image format (reference ImageMagick/ImageMagick#362).

2017-01-22  6.9.7-6 Glenn Randers-Pehrson  <glennrp@image...>
Please use CVE-2017-13143 for this issue.
In issue #131 an out of bounds read involving the mat image format has been fixed.
After the fixing commits the buffer bImgBuff is large enough to deal with the PoC file that led to issue #131. However, after the fix the coder still accesses uninitialized data which might pose a security issue or at least a bug. The first undefined access happens within coders/mat.c:1196 in a call to calcMinMax(). The back part of the buffer bImgBuff is now large enough but does seemingly not contain any sensible data.

I've tested this using the current ImageMagick master branch git revision 4a44cbd.
Undefined access is detected by valgrind using this command line:
libtool --mode=execute valgrind ./utilities/magick $POC_FILE /dev/null
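The thread touches two distinct behaviours: the maintainers' fix zero-initialises the buffer so valgrind stops reporting the read, and the reporter then asks why min/max is being computed over data (now zeros) that the file never supplied. The following C program is an added illustration of that difference and is not code from ImageMagick; MatBlock, read_samples, scan_zeroed, scan_checked and the sample bytes are constructed for the example and do not mirror the real mat.c or calcMinMax() implementation. It models a coder that sizes a buffer from a header field, performs a possibly short read, and then scans the buffer for the minimum and maximum sample value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Range of 8-bit samples found in one decoded block. */
typedef struct {
    int valid;          /* 1 when the range was computed over bytes the file supplied */
    unsigned char min;
    unsigned char max;
} SampleRange;

/* Constructed stand-in for a MAT-style block: the header announces `declared`
 * samples, but only `present` bytes actually follow it in the file. */
typedef struct {
    size_t declared;
    const unsigned char *data;
    size_t present;
} MatBlock;

/* Copy whatever the file provides into buf (at most `declared` bytes) and
 * return the byte count, so a short read is visible to the caller. */
static size_t read_samples(const MatBlock *blk, unsigned char *buf) {
    size_t n = blk->present < blk->declared ? blk->present : blk->declared;
    memcpy(buf, blk->data, n);
    return n;
}

/* Pattern 1, the shape of the upstream fix: zero the buffer first, then scan
 * all `declared` samples. Valgrind no longer sees an uninitialised read, but
 * after a short read the padding zeros take part in the min/max calculation. */
SampleRange scan_zeroed(const MatBlock *blk) {
    SampleRange r = { 0, 255, 0 };
    if (blk->declared == 0) return r;
    unsigned char *buf = calloc(blk->declared, 1);   /* zero-initialised */
    if (buf == NULL) return r;
    (void)read_samples(blk, buf);                    /* short read is not checked */
    for (size_t i = 0; i < blk->declared; i++) {
        if (buf[i] < r.min) r.min = buf[i];
        if (buf[i] > r.max) r.max = buf[i];
    }
    r.valid = 1;
    free(buf);
    return r;
}

/* Pattern 2: check the read length and refuse a truncated block, so the range
 * is only ever computed over bytes that actually came from the file. */
SampleRange scan_checked(const MatBlock *blk) {
    SampleRange r = { 0, 255, 0 };
    if (blk->declared == 0) return r;
    unsigned char *buf = malloc(blk->declared);
    if (buf == NULL) return r;
    size_t got = read_samples(blk, buf);
    if (got < blk->declared) {                       /* truncated: leave the rest untouched */
        free(buf);
        return r;
    }
    for (size_t i = 0; i < got; i++) {
        if (buf[i] < r.min) r.min = buf[i];
        if (buf[i] > r.max) r.max = buf[i];
    }
    r.valid = 1;
    free(buf);
    return r;
}

/* Constructed sample data: four bytes present, the header claims eight. */
static const unsigned char kSamples[] = { 10, 200, 50, 30 };
const MatBlock kTruncated = { 8, kSamples, 4 };
const MatBlock kComplete  = { 4, kSamples, 4 };

int main(void) {
    SampleRange z = scan_zeroed(&kTruncated);
    SampleRange c = scan_checked(&kTruncated);
    printf("zeroed : valid=%d min=%u max=%u\n", z.valid, z.min, z.max); /* valid=1 min=0 max=200 */
    printf("checked: valid=%d\n", c.valid);                             /* valid=0 */
    return 0;
}
```

On the truncated block scan_zeroed reports min=0, a value that exists only because of the padding, while scan_checked rejects the block. The second pattern is the one that turns a short read into a recoverable error instead of a silently wrong statistic, and it is also the property a regression test can assert on once valgrind is quiet.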