-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
heap-buffer-overflow in magick at quantum-private.h PushShortPixel #4974
Comments
urban-warrior
pushed a commit
to ImageMagick/ImageMagick6
that referenced
this issue
Mar 23, 2022
urban-warrior
pushed a commit
that referenced
this issue
Mar 23, 2022
Thanks for the problem report. We can reproduce it and will have a patch to fix it in the GIT main branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://imagemagick.org/download/beta/ by sometime tomorrow. |
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this issue
Apr 20, 2022
## [7.1.0-29](ImageMagick/ImageMagick@7.1.0-28...7.1.0-29) - 2022-03-27 ### Merged - Remove unused EXPLICIT_TEMPLATE_INSTANTIATION [`#4982`](ImageMagick/ImageMagick#4982) - Fixes #4985: 4e+26 is outside the range of representable values of type 'unsigned long' at coders/pcl.c:299 [`#4986`](ImageMagick/ImageMagick#4986) ### Fixed - Fixes #4985: 4e+26 is outside the range of representable values of type 'unsigned long' at coders/pcl.c:299 (#4986) [`#4985`](ImageMagick/ImageMagick#4985) ### Commits - ImageMagick/ImageMagick#4936 [`83b114f`](ImageMagick/ImageMagick@83b114f) - latest changelog [`d1d344b`](ImageMagick/ImageMagick@d1d344b) - ... [`280e7e6`](ImageMagick/ImageMagick@280e7e6) - enforce one `id` per MIFF image [`966a769`](ImageMagick/ImageMagick@966a769) - ImageMagick/ImageMagick#4987 [`25309b9`](ImageMagick/ImageMagick@25309b9) - over allocate quantum pixel buffer [`219d19f`](ImageMagick/ImageMagick@219d19f) - ImageMagick/ImageMagick#4972 [`ffc2aaa`](ImageMagick/ImageMagick@ffc2aaa) - ImageMagick/ImageMagick#4936 [`000557d`](ImageMagick/ImageMagick@000557d) - set quantum extent [`c909df1`](ImageMagick/ImageMagick@c909df1) - revert [`96162eb`](ImageMagick/ImageMagick@96162eb) - revert [`cb65691`](ImageMagick/ImageMagick@cb65691) - revert [`ab39cc4`](ImageMagick/ImageMagick@ab39cc4) - cosmetic [`2c35b9a`](ImageMagick/ImageMagick@2c35b9a) - cosmetic [`e36bd84`](ImageMagick/ImageMagick@e36bd84) - no suitable delegate utility for CGM or FIG formats [`004fc5d`](ImageMagick/ImageMagick@004fc5d) - speculative allocation since we don't yet know the quantum type [`bd77531`](ImageMagick/ImageMagick@bd77531) - latest changes [`2bfd2be`](ImageMagick/ImageMagick@2bfd2be) - account for case where gray image is imported as RGBA [`22cfaf3`](ImageMagick/ImageMagick@22cfaf3) - reset id [`a4736b4`](ImageMagick/ImageMagick@a4736b4) - pending release [`a6551b2`](ImageMagick/ImageMagick@a6551b2) - pending release [`8be1086`](ImageMagick/ImageMagick@8be1086) - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45887 [`96ae906`](ImageMagick/ImageMagick@96ae906) - ImageMagick/ImageMagick#4975 [`44cb819`](ImageMagick/ImageMagick@44cb819) - ImageMagick/ImageMagick#4974 [`c871830`](ImageMagick/ImageMagick@c871830) - ImageMagick/ImageMagick#4988 [`ca3654e`](ImageMagick/ImageMagick@ca3654e) - release [`4c0b7d2`](ImageMagick/ImageMagick@4c0b7d2) - reset id [`83de35d`](ImageMagick/ImageMagick@83de35d)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
ImageMagick version
7.1.0-28
Operating system
Linux
Operating system, version and so on
OS: Ubuntu 20.04.3 LTS
Version: ImageMagick 7.1.0-28 Q16-HDRI x86_64 2022-03-04 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI
Delegates (built-in): bzlib fontconfig freetype jbig jng jpeg lzma pangocairo png tiff x xml zlib
Compiler: gcc (4.2)
Description
Hello,
We found a heap overflow vulnerability in magick
Steps to Reproduce
build it
CC=afl-clang-lto CXX=afl-clang-lto++ CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --disable-shared --prefix="/root/fuzz/target/imagemagick/ImageMagick/install"
AFL_USE_ASAN=1 make -j24 && make install -j24
run it
./magick convert poc /dev/null
output
=================================================================
==1195823==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000181c at pc 0x000000cd5328 bp 0x7ffdacd61fa0 sp 0x7ffdacd61f98
READ of size 1 at 0x61900000181c thread T0
#0 0xcd5327 in PushShortPixel /root/fuzz/target/image_magick/ImageMagick/./MagickCore/quantum-private.h
#1 0xcd5327 in ImportRGBAQuantum /root/fuzz/target/image_magick/ImageMagick/MagickCore/quantum-import.c:4232:15
#2 0xcd5327 in ImportQuantumPixels /root/fuzz/target/image_magick/ImageMagick/MagickCore/quantum-import.c:4780:7
#3 0x13e73f2 in ReadTIFFImage /root/fuzz/target/imagemagick/ImageMagick/coders/tiff.c:2052:24
#4 0x6f9981 in ReadImage /root/fuzz/target/image_magick/ImageMagick/MagickCore/constitute.c:728:15
#5 0x6fe991 in ReadImages /root/fuzz/target/image_magick/ImageMagick/MagickCore/constitute.c:1075:9
#6 0x157caa5 in ConvertImageCommand /root/fuzz/target/imagemagick/ImageMagick/MagickWand/convert.c:614:18
#7 0x17191fd in MagickCommandGenesis /root/fuzz/target/imagemagick/ImageMagick/MagickWand/mogrify.c:188:14
#8 0x580b89 in MagickMain /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:150:10
#9 0x580b89 in main /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:182:10
#10 0x7f499b68b0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
#11 0x4ce36d in _start (/root/fuzz/target/imagemagick/ImageMagick/install/bin/magick+0x4ce36d)
0x61900000181c is located 10 bytes to the right of 914-byte region [0x619000001480,0x619000001812)
allocated by thread T0 here:
#0 0x54ab1d in malloc (/root/fuzz/target/imagemagick/ImageMagick/install/bin/magick+0x54ab1d)
#1 0x13e6faf in ReadTIFFImage /root/fuzz/target/imagemagick/ImageMagick/coders/tiff.c:1996:39
#2 0x6f9981 in ReadImage /root/fuzz/target/image_magick/ImageMagick/MagickCore/constitute.c:728:15
#3 0x6fe991 in ReadImages /root/fuzz/target/image_magick/ImageMagick/MagickCore/constitute.c:1075:9
#4 0x157caa5 in ConvertImageCommand /root/fuzz/target/imagemagick/ImageMagick/MagickWand/convert.c:614:18
#5 0x17191fd in MagickCommandGenesis /root/fuzz/target/imagemagick/ImageMagick/MagickWand/mogrify.c:188:14
#6 0x580b89 in MagickMain /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:150:10
#7 0x580b89 in main /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:182:10
#8 0x7f499b68b0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/fuzz/target/image_magick/ImageMagick/./MagickCore/quantum-private.h in PushShortPixel
Shadow bytes around the buggy address:
0x0c327fff82b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff82c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff82d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff82e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff82f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8300: 00 00 02[fa]fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1195823==ABORTING
Images
poc.zip
The text was updated successfully, but these errors were encountered: