heap-use-after-free in magick at dcm.c RelinquishDCMMemory #4446
Comments
Thanks for reporting this. This will be resolved in the next release of ImageMagick.

How can I compile this in ASAN mode?

You can use the "-fsanitize=address" option to enable it.

CVE Assigned:
ImageMagick version
7.1.0-14
Operating system
Linux
Operating system, version and so on
OS: Ubuntu 18.04.6 LTS
Version: ImageMagick 7.1.0-14 Q16-HDRI x86_64 2021-10-28 https://imagemagick.org
Copyright: (C) 1999-2021 ImageMagick Studio
Delegates (built-in): fontconfig freetype jng jpeg lzma pangocairo png x xml zlib
Compiler: gcc (4.2)
Description
Hello,
We are currently working on a fuzz testing feature, and we found a heap-use-after-free in magick.
Steps to Reproduce
Build it:
./configure --disable-shared && make && make install
Run it:
./magick convert -adjoin -alpha copy -antialias -append -auto-gamma -auto-level -auto-orient poc /dev/null
Output:
free(): double free detected in tcache 2
When I compile in ASAN mode:
./magick convert -adjoin -alpha copy -antialias -append -auto-gamma -auto-level -auto-orient poc /dev/null
=================================================================
==11927==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000000580 at pc 0x000000f0f98c bp 0x7ffe3d8a7fd0 sp 0x7ffe3d8a7fc8
READ of size 8 at 0x60f000000580 thread T0
#0 0xf0f98b in RelinquishDCMMemory /root/fuzz/target/imagemagick/ImageMagick/coders/dcm.c:3039:20
#1 0xf08eb8 in ReadDCMImage /root/fuzz/target/imagemagick/ImageMagick/coders/dcm.c:4002:11
#2 0x65b638 in ReadImage /root/fuzz/target/imagemagick/ImageMagick/MagickCore/constitute.c:563:15
#3 0x6602d3 in ReadImages /root/fuzz/target/imagemagick/ImageMagick/MagickCore/constitute.c:955:9
#4 0x15bd745 in ConvertImageCommand /root/fuzz/target/imagemagick/ImageMagick/MagickWand/convert.c:611:18
#5 0x177d150 in MagickCommandGenesis /root/fuzz/target/imagemagick/ImageMagick/MagickWand/mogrify.c:188:14
#6 0x5f9924 in MagickMain /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:150:10
#7 0x5f9924 in main /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:182:10
#8 0x7f35dfd66bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
#9 0x549e99 in _start (/root/fuzz/target/imagemagick/ImageMagick/install/bin/magick+0x549e99)
0x60f000000580 is located 144 bytes inside of 168-byte region [0x60f0000004f0,0x60f000000598)
freed by thread T0 here:
#0 0x5c4af2 in free (/root/fuzz/target/imagemagick/ImageMagick/install/bin/magick+0x5c4af2)
#1 0xf0f82c in RelinquishMagickMemory /root/fuzz/target/imagemagick/ImageMagick/MagickCore/memory.c:1167:3
#2 0xf0f82c in RelinquishDCMMemory /root/fuzz/target/imagemagick/ImageMagick/coders/dcm.c:3043:35
#3 0xf08e0b in ReadDCMImage /root/fuzz/target/imagemagick/ImageMagick/coders/dcm.c:3999:9
#4 0x65b638 in ReadImage /root/fuzz/target/imagemagick/ImageMagick/MagickCore/constitute.c:563:15
#5 0x6602d3 in ReadImages /root/fuzz/target/imagemagick/ImageMagick/MagickCore/constitute.c:955:9
#6 0x15bd745 in ConvertImageCommand /root/fuzz/target/imagemagick/ImageMagick/MagickWand/convert.c:611:18
#7 0x177d150 in MagickCommandGenesis /root/fuzz/target/imagemagick/ImageMagick/MagickWand/mogrify.c:188:14
#8 0x5f9924 in MagickMain /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:150:10
#9 0x5f9924 in main /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:182:10
#10 0x7f35dfd66bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
previously allocated by thread T0 here:
#0 0x5c4d5d in malloc (/root/fuzz/target/imagemagick/ImageMagick/install/bin/magick+0x5c4d5d)
#1 0xefb803 in AcquireMagickMemory /root/fuzz/target/imagemagick/ImageMagick/MagickCore/memory.c:558:10
#2 0xefb803 in ReadDCMImage /root/fuzz/target/imagemagick/ImageMagick/coders/dcm.c:3142:33
#3 0x65b638 in ReadImage /root/fuzz/target/imagemagick/ImageMagick/MagickCore/constitute.c:563:15
#4 0x6602d3 in ReadImages /root/fuzz/target/imagemagick/ImageMagick/MagickCore/constitute.c:955:9
#5 0x15bd745 in ConvertImageCommand /root/fuzz/target/imagemagick/ImageMagick/MagickWand/convert.c:611:18
#6 0x177d150 in MagickCommandGenesis /root/fuzz/target/imagemagick/ImageMagick/MagickWand/mogrify.c:188:14
#7 0x5f9924 in MagickMain /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:150:10
#8 0x5f9924 in main /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:182:10
#9 0x7f35dfd66bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-use-after-free /root/fuzz/target/imagemagick/ImageMagick/coders/dcm.c:3039:20 in RelinquishDCMMemory
Shadow bytes around the buggy address:
==11927==ABORTING
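The trace shows the info block allocated at dcm.c:3142 being freed inside RelinquishDCMMemory (dcm.c:3043, reached from ReadDCMImage line 3999) and then read again by a second RelinquishDCMMemory call (dcm.c:3039, from line 4002), so the second cleanup dereferences an already-freed struct. The C below is an added example, not ImageMagick's code: a hypothetical info block and release routine demonstrating the return-NULL release convention that makes a repeated cleanup a no-op; the struct, names and sizes are constructed.

```c
#include <stdlib.h>

/* Hypothetical stand-in for the DCM reader's per-image info block. The ASan
   report says the real block is 168 bytes; its layout is not on the page,
   so this struct is a constructed placeholder. */
typedef struct {
    unsigned char *scale;    /* hypothetical heap-owned member */
    size_t length;
} DcmInfoBlock;

static int free_calls;       /* how many times the block itself was freed */

static DcmInfoBlock *acquire_info(size_t length)
{
    DcmInfoBlock *info = calloc(1, sizeof(*info));
    if (info == NULL)
        return NULL;
    info->scale = calloc(length, 1);
    info->length = length;
    return info;
}

/* Release routine written so that calling it twice on the same variable is
   harmless: free the owned member, then the block, and return NULL so the
   caller writes `info = release_info(info);`. A NULL argument is a no-op,
   and nothing reads `info` after free(info). */
static DcmInfoBlock *release_info(DcmInfoBlock *info)
{
    if (info == NULL)
        return NULL;
    free(info->scale);
    free(info);
    free_calls++;
    return NULL;
}

/* Mirrors the two cleanup sites in the trace: an error path that releases
   the block, then the normal exit that releases it again. Returns how many
   real frees of the block happened; with the return-NULL convention it is
   always exactly one. */
static int read_with_two_cleanups(int fail)
{
    free_calls = 0;
    DcmInfoBlock *info = acquire_info(16);
    if (info == NULL)
        return -1;
    if (fail)
        info = release_info(info);  /* error path: release and drop pointer */
    info = release_info(info);      /* normal exit: no-op if already released */
    return free_calls;
}
```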
Images
poc.zip