out-of-bounds read in coders/sun.c:582:57 #375

Closed
moshekaplan opened this issue Feb 8, 2017 · 1 comment
moshekaplan commented Feb 8, 2017

This bug was found while fuzzing ImageMagick with afl-fuzz.

Tested on ImageMagick git commit 5f8642c.

Command: magick bug1 /dev/null

bug1.zip

==7610==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3803bfe at pc 0x084d6361 bp 0xbfe62888 sp 0xbfe6287c
READ of size 1 at 0xb3803bfe thread T0
    #0 0x84d6360 in ReadSUNImage /home/user/Desktop/ImageMagick/coders/sun.c:582:57
    #1 0x8610dc8 in ReadImage /home/user/Desktop/ImageMagick/MagickCore/constitute.c:497:13
    #2 0x861487e in ReadImages /home/user/Desktop/ImageMagick/MagickCore/constitute.c:857:9
    #3 0x8c5b7ae in CLINoImageOperator /home/user/Desktop/ImageMagick/MagickWand/operation.c:4743:22
    #4 0x8c5f20f in CLIOption /home/user/Desktop/ImageMagick/MagickWand/operation.c:5238:7
    #5 0x8b18295 in ProcessCommandOptions /home/user/Desktop/ImageMagick/MagickWand/magick-cli.c:421:13
    #6 0x8b19c9e in MagickImageCommand /home/user/Desktop/ImageMagick/MagickWand/magick-cli.c:791:5
    #7 0x8b1b7b4 in MagickCommandGenesis /home/user/Desktop/ImageMagick/MagickWand/mogrify.c:183:14
    #8 0x815dfda in MagickMain /home/user/Desktop/ImageMagick/utilities/magick.c:149:10
    #9 0x815dfda in main /home/user/Desktop/ImageMagick/utilities/magick.c:180
    #10 0xb7538275 in __libc_start_main /build/glibc-7cnzrD/glibc-2.24/csu/../csu/libc-start.c:291
    #11 0x8076db7 in _start (/home/user/Desktop/ImageMagick/utilities/magick+0x8076db7)

0xb3803bfe is located 0 bytes to the right of 174-byte region [0xb3803b50,0xb3803bfe)
allocated by thread T0 here:
    #0 0x81286e4 in malloc (/home/user/Desktop/ImageMagick/utilities/magick+0x81286e4)
    #1 0x81aac6e in AcquireMagickMemory /home/user/Desktop/ImageMagick/MagickCore/memory.c:460:10
    #2 0x81aac6e in AcquireQuantumMemory /home/user/Desktop/ImageMagick/MagickCore/memory.c:533
    #3 0x8610dc8 in ReadImage /home/user/Desktop/ImageMagick/MagickCore/constitute.c:497:13
    #4 0x861487e in ReadImages /home/user/Desktop/ImageMagick/MagickCore/constitute.c:857:9
    #5 0x8c5b7ae in CLINoImageOperator /home/user/Desktop/ImageMagick/MagickWand/operation.c:4743:22
    #6 0x8c5f20f in CLIOption /home/user/Desktop/ImageMagick/MagickWand/operation.c:5238:7
    #7 0x8b18295 in ProcessCommandOptions /home/user/Desktop/ImageMagick/MagickWand/magick-cli.c:421:13

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/Desktop/ImageMagick/coders/sun.c:582:57 in ReadSUNImage
==7610==ABORTING
Aborted
@moshekaplan moshekaplan changed the title out-of-bounds read in coders/sun.c:536:64 out-of-bounds read in coders/sun.c:582:57 Feb 8, 2017
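When a fuzzing campaign produces many reports like the one above, the useful triage fields are the error class, the access type and size, the faulting stack, and where the access lands relative to the allocation. The following is an added example (not code from this issue or from ImageMagick) that parses those fields out of an excerpt of the ASan report above; for this report it derives that the 1-byte read sits exactly one past the end of the 174-byte buffer.

```python
import re

# Excerpt of the AddressSanitizer report from the issue above (only the lines the parser needs).
SAMPLE_REPORT = """\
==7610==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3803bfe at pc 0x084d6361 bp 0xbfe62888 sp 0xbfe6287c
READ of size 1 at 0xb3803bfe thread T0
    #0 0x84d6360 in ReadSUNImage /home/user/Desktop/ImageMagick/coders/sun.c:582:57
    #1 0x8610dc8 in ReadImage /home/user/Desktop/ImageMagick/MagickCore/constitute.c:497:13
    #2 0x861487e in ReadImages /home/user/Desktop/ImageMagick/MagickCore/constitute.c:857:9

0xb3803bfe is located 0 bytes to the right of 174-byte region [0xb3803b50,0xb3803bfe)
allocated by thread T0 here:
    #0 0x81286e4 in malloc (/home/user/Desktop/ImageMagick/utilities/magick+0x81286e4)
    #1 0x81aac6e in AcquireMagickMemory /home/user/Desktop/ImageMagick/MagickCore/memory.c:460:10
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
REGION_RE = re.compile(r"(?P<size>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")

def parse_asan_report(text):
    """Pull the fields a fuzzing triage pipeline keys on out of one ASan report."""
    err = ERROR_RE.search(text)
    acc = ACCESS_RE.search(text)
    if not (err and acc):
        raise ValueError("not an AddressSanitizer access error report")
    # Frames before the "allocated by" section are the faulting stack; the allocation stack follows.
    fault_part = text.split("allocated by", 1)[0]
    frames = [(m.group("func"), m.group("loc")) for m in FRAME_RE.finditer(fault_part)]
    info = {
        "kind": err.group("kind"),
        "op": acc.group("op"),
        "size": int(acc.group("size")),
        "frames": frames,
        "top_frame": frames[0] if frames else None,
        # De-dup key: error class plus top three function names, so reruns differing only in addresses collapse.
        "signature": ":".join([err.group("kind")] + [f for f, _ in frames[:3]]),
    }
    region = REGION_RE.search(text)
    if region:
        lo = int(region.group("lo"), 16)
        info["region_size"] = int(region.group("size"))
        # Faulting address relative to the allocation start; offset == region_size is a one-past-the-end access.
        info["offset"] = int(acc.group("addr"), 16) - lo
        info["past_end"] = info["offset"] >= info["region_size"]
    return info
```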
@mikayla-grace

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.
