imagemagick identify&convert heap-buffer-overflow #538
Comments
Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

Does it affect v6?

Yes.

Did you have a commit for v6?

Ping?

Will want to be pinged for the correct fix (glenn's one). Thank you nevertheless.

Final fix for IM7 is commit 6a4f9c1

And for v6? Do we need to apply the previous commit?

I believe v6 was not vulnerable to this particular problem. It was fixed in V6 around version 6.9.5-3.

glenn, instead of if (change_clipping && ((p-chunk) < (ssize_t) (length-16))), v6 has if (change_clipping && ((p-chunk) < (ssize_t) (length-17))). Is it normal?

It should be 16.

I fixed the 17 -> 16 thing. It wasn't a security problem but could have caused certain FRAM chunks to be rejected incorrectly. See commit 1fdc09d.

@glennrp: could you help identify the commit in v6, around 6.9.5-3 which fixes this issue?

@glennrp: thank you!
ImageMagick-7.0.6-0
build instructions:
When identifying or converting an MNG file, ImageMagick causes a heap buffer overflow.
The vulnerability is triggered when identifying an MNG image; it happens in the function mng_get_long (coders/png.c:1636), which is called from line 5741 of coders/png.c.
Here is the critical code of mng_get_long and its call code:
It is a heap buffer overflow, caused by a read operation without an overflow check.
The p buffer is a pointer into chunk; its buffer data and length are read from the input file.
With suitable length and repeat values, it is possible to disclose critical data, such as heap chunk data and even other applications' private data.
Testcase: https://github.com/zyy89/pocs/blob/master/imagemagick-heap-buffer-overflow-1
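The report above describes an unchecked 4-byte read from a chunk whose length comes from the file, and the thread's fix guards the 16-byte clipping box with a comparison of (p-chunk) against length-16. The following is an added example written for this page, not ImageMagick's code and not the excerpt the report refers to: the function names read_be32_checked, clipping_box_fits and parse_clipping_box are hypothetical, and kSampleChunk is a constructed 20-byte payload rather than data from any real MNG file. It shows the defensive shape of the fix: every multi-byte read checks the remaining length first, the clipping-box branch is only entered when 16 bytes remain, and the size_t arithmetic is written so it cannot wrap when the chunk is shorter than 16 bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample (not from a real file): a 20-byte chunk payload
   holding five big-endian 32-bit values 1..5. */
static const unsigned char kSampleChunk[20] = {
    0x00, 0x00, 0x00, 0x01,  0x00, 0x00, 0x00, 0x02,
    0x00, 0x00, 0x00, 0x03,  0x00, 0x00, 0x00, 0x04,
    0x00, 0x00, 0x00, 0x05
};
static const size_t kSampleChunkLength = sizeof kSampleChunk;

/* Hypothetical bounds-checked replacement for an unchecked 4-byte
   big-endian read (not ImageMagick's code). Reads p[0..3] only when that
   range lies inside chunk[0..length). Returns 1 and stores the value on
   success, 0 when the read would run past the end of the chunk. */
static int read_be32_checked(const unsigned char *chunk, size_t length,
                             const unsigned char *p, uint32_t *out)
{
    if (p < chunk)
        return 0;
    size_t offset = (size_t)(p - chunk);
    if (offset > length || length - offset < 4)
        return 0;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return 1;
}

/* Guard in the shape of the one quoted in the thread: a 16-byte clipping
   box (four 4-byte values) may only be parsed when at least 16 bytes
   remain at offset start. Written as "length - start >= 16" after checking
   start <= length, so the subtraction can never wrap on short chunks. */
static int clipping_box_fits(size_t length, size_t start)
{
    return start <= length && length - start >= 16;
}

/* Parse up to four 4-byte values (left, right, top, bottom) starting at
   offset start. Returns how many were read; fewer than 4 means the chunk
   is truncated and the caller must reject it instead of reading on. */
static int parse_clipping_box(const unsigned char *chunk, size_t length,
                              size_t start, uint32_t box[4])
{
    int n = 0;
    if (start > length)
        return 0;
    const unsigned char *p = chunk + start;
    for (; n < 4; n++) {
        if (!read_be32_checked(chunk, length, p, &box[n]))
            break;
        p += 4;
    }
    return n;
}

int main(void)
{
    uint32_t box[4];
    size_t starts[] = {4, 8};  /* 4: box fits exactly; 8: only 12 bytes left */
    for (size_t i = 0; i < 2; i++) {
        size_t start = starts[i];
        int fits = clipping_box_fits(kSampleChunkLength, start);
        int got = parse_clipping_box(kSampleChunk, kSampleChunkLength, start, box);
        printf("start=%zu fits=%d values_read=%d", start, fits, got);
        for (int j = 0; j < got; j++)
            printf(" %u", box[j]);
        printf("\n");
    }
    return 0;
}
```

With start=4 the guard passes and all four values are read; with start=8 the guard fails and the parser stops after three values instead of reading past the 20-byte buffer, which is the behaviour a fuzzer under ASan would otherwise flag as the heap-buffer-overflow in the report.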