Heap Buffer Overflow #4729
Comments
Thanks for the problem report. We can reproduce it and will have a patch to fix it in the GIT main branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://imagemagick.org/download/beta/ by sometime tomorrow.

Do you guys have any trouble reproducing the vulnerability?

Why do you ask? In our reply we say "We can reproduce it and will have a patch..."

Emmm... Sorry, I misunderstood your reply as "I will reproduce it and patch...". So embarrassing.
ImageMagick version
7.1.0-20
Operating system
Linux
Operating system, version and so on
Linux ubuntu 5.4.0-73-generic #82~18.04.1-Ubuntu SMP Fri Apr 16 15:10:02 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Description
Hi, ImageMagick security team
This is ZhangJiaxing (@R0fM1a) from Codesafe Team of Legendsec at Qi'anxin Group.
I've found a heap buffer overflow vulnerability in ImageMagick 7.1.0-20 (GitHub commit ID f54aa4e, Tue Jan 18 20:00:38 2022 -0500). When someone uses magick to convert a TIFF-format image into a PICON-format file, the bug is triggered.
Please feel free to contact me.
Regards,
ZhangJiaxing
Steps to Reproduce
==46632==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a00000b540 at pc 0x7f7e88ca3257 bp 0x7fffdb9f7370 sp 0x7fffdb9f7360
READ of size 4 at 0x62a00000b540 thread T0
#0 0x7f7e88ca3256 in GetPixelAlpha MagickCore/pixel-accessor.h:59
#1 0x7f7e88ca763e in WritePICONImage coders/xpm.c:807
#2 0x7f7e885f73ef in WriteImage MagickCore/constitute.c:1221
#3 0x7f7e885f84a0 in WriteImages MagickCore/constitute.c:1442
#4 0x7f7e87e5239f in ConvertImageCommand MagickWand/convert.c:3332
#5 0x7f7e87f604cf in MagickCommandGenesis MagickWand/mogrify.c:188
#6 0x55a7a3ebefcf in MagickMain utilities/magick.c:150
#7 0x55a7a3ebf25a in main utilities/magick.c:182
#8 0x7f7e876c2bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#9 0x55a7a3ebe9e9 in _start (/home/r0fm1a/ImageMagick/utilities/.libs/magick+0x19e9)
0x62a00000b540 is located 0 bytes to the right of 21312-byte region [0x62a000006200,0x62a00000b540)
allocated by thread T0 here:
#0 0x7f7e893e3790 in posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdf790)
#1 0x7f7e887d1c99 in AcquireAlignedMemory_POSIX MagickCore/memory.c:299
#2 0x7f7e887d1ea8 in AcquireAlignedMemory MagickCore/memory.c:377
#3 0x7f7e88582e0e in OpenPixelCache MagickCore/cache.c:3746
#4 0x7f7e8857b296 in GetImagePixelCache MagickCore/cache.c:1776
#5 0x7f7e8858b2de in SyncImagePixelCache MagickCore/cache.c:5516
#6 0x7f7e88798568 in SetImageStorageClass MagickCore/image.c:2626
#7 0x7f7e885ab718 in AcquireImageColormap MagickCore/colormap.c:152
#8 0x7f7e888731cd in SetGrayscaleImage MagickCore/quantize.c:3772
#9 0x7f7e888714e7 in QuantizeImage MagickCore/quantize.c:3118
#10 0x7f7e88866f5d in CompressImageColormap MagickCore/quantize.c:1204
#11 0x7f7e88ca6f6a in WritePICONImage coders/xpm.c:755
#12 0x7f7e885f73ef in WriteImage MagickCore/constitute.c:1221
#13 0x7f7e885f84a0 in WriteImages MagickCore/constitute.c:1442
#14 0x7f7e87e5239f in ConvertImageCommand MagickWand/convert.c:3332
#15 0x7f7e87f604cf in MagickCommandGenesis MagickWand/mogrify.c:188
#16 0x55a7a3ebefcf in MagickMain utilities/magick.c:150
#17 0x55a7a3ebf25a in main utilities/magick.c:182
#18 0x7f7e876c2bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/pixel-accessor.h:59 in GetPixelAlpha
Shadow bytes around the buggy address:
0x0c547fff9650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c547fff9660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c547fff9670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c547fff9680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c547fff9690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c547fff96a0: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
0x0c547fff96b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c547fff96c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c547fff96d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c547fff96e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c547fff96f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==46632==ABORTING
Images
magick_heap_bof.zip
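The trace in this report already answers the first questions a triager asks, but reading them out of a 60-line ASan dump by hand is error-prone. The script below is an added example written for this page; it is not ImageMagick code and not the reporter's tooling. It parses the report (embedded inline, copied from the issue with the extraction noise stripped and the allocation stack cut after the WritePICONImage frame), cross-checks ASan's own arithmetic, and reports the access type and size, where the faulting address sits relative to the allocation, and the first informative frame of each stack, including the first frame under coders/ (the format-specific code). The NOISE_FUNCS and NOISE_FILES lists and the coders/ convention are this script's assumptions about which frames are uninformative, not something the report states.

```python
"""Triage an AddressSanitizer heap-buffer-overflow report (added example)."""
import re

# Report from this issue, embedded so the script runs offline. Frame lines are
# copied verbatim; the allocation stack is cut after frame #11.
ASAN_REPORT = """\
==46632==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a00000b540 at pc 0x7f7e88ca3257 bp 0x7fffdb9f7370 sp 0x7fffdb9f7360
READ of size 4 at 0x62a00000b540 thread T0
    #0 0x7f7e88ca3256 in GetPixelAlpha MagickCore/pixel-accessor.h:59
    #1 0x7f7e88ca763e in WritePICONImage coders/xpm.c:807
    #2 0x7f7e885f73ef in WriteImage MagickCore/constitute.c:1221
    #3 0x7f7e885f84a0 in WriteImages MagickCore/constitute.c:1442
    #4 0x7f7e87e5239f in ConvertImageCommand MagickWand/convert.c:3332
    #5 0x7f7e87f604cf in MagickCommandGenesis MagickWand/mogrify.c:188
    #6 0x55a7a3ebefcf in MagickMain utilities/magick.c:150
    #7 0x55a7a3ebf25a in main utilities/magick.c:182
    #8 0x7f7e876c2bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #9 0x55a7a3ebe9e9 in _start (/home/r0fm1a/ImageMagick/utilities/.libs/magick+0x19e9)
0x62a00000b540 is located 0 bytes to the right of 21312-byte region [0x62a000006200,0x62a00000b540)
allocated by thread T0 here:
    #0 0x7f7e893e3790 in posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdf790)
    #1 0x7f7e887d1c99 in AcquireAlignedMemory_POSIX MagickCore/memory.c:299
    #2 0x7f7e887d1ea8 in AcquireAlignedMemory MagickCore/memory.c:377
    #3 0x7f7e88582e0e in OpenPixelCache MagickCore/cache.c:3746
    #4 0x7f7e8857b296 in GetImagePixelCache MagickCore/cache.c:1776
    #5 0x7f7e8858b2de in SyncImagePixelCache MagickCore/cache.c:5516
    #6 0x7f7e88798568 in SetImageStorageClass MagickCore/image.c:2626
    #7 0x7f7e885ab718 in AcquireImageColormap MagickCore/colormap.c:152
    #8 0x7f7e888731cd in SetGrayscaleImage MagickCore/quantize.c:3772
    #9 0x7f7e888714e7 in QuantizeImage MagickCore/quantize.c:3118
    #10 0x7f7e88866f5d in CompressImageColormap MagickCore/quantize.c:1204
    #11 0x7f7e88ca6f6a in WritePICONImage coders/xpm.c:755
SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/pixel-accessor.h:59 in GetPixelAlpha
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(
    r"is located (?P<dist>\d+) bytes (?:to the (?P<side>left|right) of|(?P<inside>inside) of) "
    r"(?P<len>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)

# Frames that carry no triage information: allocator entry points and the C
# runtime. Treating MagickCore/memory.c as noise is an assumption made here,
# because in this trace it only wraps posix_memalign.
NOISE_FUNCS = {"posix_memalign", "malloc", "calloc", "realloc", "__libc_start_main", "_start", "main"}
NOISE_FILES = ("MagickCore/memory.c",)


def frames(text):
    return [(m.group("func"), m.group("loc")) for m in FRAME_RE.finditer(text)]


def first_interesting(frame_list, path_prefix=None):
    """First frame with source info that is not noise, optionally limited to a
    path prefix such as 'coders/' (ImageMagick's format-specific readers/writers)."""
    for func, loc in frame_list:
        if func in NOISE_FUNCS or loc.startswith("(") or loc.startswith(NOISE_FILES):
            continue
        if path_prefix is None or loc.startswith(path_prefix):
            return f"{func} {loc}"
    return None


def triage(report):
    header, access, region = HEADER_RE.search(report), ACCESS_RE.search(report), REGION_RE.search(report)
    if not (header and access and region):
        raise ValueError("not a heap-buffer-overflow report this parser understands")
    addr = int(access.group("addr"), 16)
    lo, hi = int(region.group("lo"), 16), int(region.group("hi"), 16)
    length, dist = int(region.group("len")), int(region.group("dist"))
    side = region.group("side") or region.group("inside")
    # Cross-check ASan's own numbers: bounds against length, distance against side.
    expected = {"right": addr - hi, "left": lo - addr, "inside": addr - lo}[side]
    if hi - lo != length or expected != dist:
        raise ValueError("region arithmetic in the report is inconsistent")
    head, _, tail = report.partition("allocated by")  # faulting stack | allocation stack
    fault_frames, alloc_frames = frames(head), frames(tail)
    if not fault_frames or not alloc_frames:
        raise ValueError("missing stack trace")
    op = access.group("op")
    return {
        "bug": header.group("kind"),
        "op": op,
        "size": int(access.group("size")),
        "impact": "OOB read: crash or heap disclosure" if op == "READ" else "OOB write: memory corruption",
        "region_len": length,
        "side": side,
        "distance": dist,
        "offset_in_region": addr - lo,  # equal to region_len here: first byte past the end
        "fault_frame": " ".join(fault_frames[0]),
        "fault_coder": first_interesting(fault_frames, "coders/"),
        "alloc_site": first_interesting(alloc_frames),
        "alloc_coder": first_interesting(alloc_frames, "coders/"),
    }


if __name__ == "__main__":
    for key, value in triage(ASAN_REPORT).items():
        print(f"{key:18} {value}")
```

Run as-is it reports, for this issue: a 4-byte READ landing exactly at the end (offset 21312 of a 21312-byte region) of the pixel cache that OpenPixelCache (MagickCore/cache.c:3746) allocated while WritePICONImage at coders/xpm.c:755 was compressing the colormap, performed by WritePICONImage at coders/xpm.c:807 through GetPixelAlpha. Because it is a read, the direct consequence is a crash or disclosure of adjacent heap bytes rather than memory corruption. The two coders/xpm.c lines are where to start reading, and the fact that the buffer being read was (re)allocated during the quantize step, after the writer had started, is the detail from the trace to keep in mind while doing so.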