
Heap-buffer-overflow of identify&convert #539

Closed
zyy89 opened this issue Jul 4, 2017 · 2 comments
zyy89 commented Jul 4, 2017

ImageMagick-7.0.6-0

  ~$ identify $FILE or convert $FILE

Build instructions:

  ~$ sudo apt-get install imagemagick libmagick++-dev
  ~$ CC="gcc" CFLAGS="-fsanitize=address" ./configure
  ~$ make;make install

When identifying or converting the SVG file, ImageMagick will cause a heap buffer overflow:

=================================================================
==28273==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000008df0 at pc 0x7f193bfe62a7 bp 0x7ffdd3a66b60 sp 0x7ffdd3a66b50
READ of size 1 at 0x603000008df0 thread T0
#0 0x7f193bfe62a6 in GetNextToken MagickCore/token.c:258
#1 0x7f193c1a375e in GetUserSpaceCoordinateValue coders/svg.c:331
#2 0x7f193c1a5767 in SVGStartElement coders/svg.c:936
#3 0x7f1937efdcd0 in xmlParseStartTag (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x45cd0)
#4 0x7f1937f0e738 (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x56738)
#5 0x7f1937f0f93a in xmlParseChunk (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x5793a)
#6 0x7f193c1acb75 in ReadSVGImage coders/svg.c:3236
#7 0x7f193bd91c4f in ReadImage MagickCore/constitute.c:497
#8 0x7f193bfdde06 in ReadStream MagickCore/stream.c:1045
#9 0x7f193bd9117c in PingImage MagickCore/constitute.c:226
#10 0x7f193bd915a9 in PingImages MagickCore/constitute.c:327
#11 0x7f193b751a2a in IdentifyImageCommand MagickWand/identify.c:319
#12 0x7f193b7a8c7a in MagickCommandGenesis MagickWand/mogrify.c:183
#13 0x40169a in MagickMain utilities/magick.c:149
#14 0x4017be in main utilities/magick.c:180
#15 0x7f193b02182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#16 0x4012c8 in _start (/home/sf/ImageMagick-7.0.6-0/build-gcc/bin/magick+0x4012c8)

The vulnerability is triggered when identifying an SVG image; it happens in function GetNextToken (MagickCore/token.c:258), which is called by GetUserSpaceCoordinateValue (coders/svg.c:331).
Here is the critical code:

        }
      for ( ; *p != '\0'; p++)    //line 258 of MagickCore/token.c
      {
        if (((isspace((int) ((unsigned char) *p)) != 0) || (*p == '=') ||
            (*p == ',') || (*p == ':') || (*p == ';')) && (*(p-1) != '\\'))
          break;
        if ((i > 0) && (*p == '<'))
          break;
        if (i < (ssize_t) (extent-1))
          token[i++]=(*p);
        if (*p == '>')
          break;
        if (*p == '(')
          for (p++; *p != '\0'; p++)
          {
            if (i < (ssize_t) (extent-1))
              token[i++]=(*p);
            if ((*p == ')') && (*(p-1) != '\\')) //no ')' matched here
              break;
          }
      }

The reason for this heap buffer overflow is that when the p buffer has no matched '(' ')' characters (the POC's buffer p here is `"trix( gradielGr74.075998"`), the loop causes a heap buffer overflow read until the next '\0' is matched. It is possible to disclose some critical data, such as heap chunk data and even other applications' private data. I am not sure whether it can be exploited to achieve code execution; maybe it is possible.

#### Testcase: https://github.com/zyy89/pocs/blob/master/imagemagick-heap-buffer-overflow-4
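A simplified re-implementation of the loop quoted above with the missing terminator check restored, added here as an example (it is neither ImageMagick's code nor the reporter's): the function and helper names are made up, the inputs are constructed, and the escape check at the start of the buffer is simplified relative to the original.

```c
#include <ctype.h>
#include <string.h>

/* Simplified re-implementation of the quoted scanning loop (not ImageMagick's
 * code): copies one token from `start` into `token` (capacity `extent` > 0)
 * and returns the bytes consumed. In the quoted loop an unmatched '(' leaves
 * the inner loop on the terminating NUL; the outer loop's p++ then steps
 * past it and reads beyond the buffer. Here the scan stops at the NUL. */
static size_t scan_token(const char *start, char *token, size_t extent)
{
  const char *p = start;
  size_t i = 0;
  for ( ; *p != '\0'; p++)
  {
    /* An unescaped separator ends the token. */
    if ((isspace((unsigned char) *p) || *p == '=' || *p == ',' ||
         *p == ':' || *p == ';') && (p == start || *(p-1) != '\\'))
      break;
    if ((i > 0) && (*p == '<'))
      break;
    if (i < extent-1)
      token[i++] = *p;
    if (*p == '>')
      break;
    if (*p == '(')
    {
      /* Copy the parenthesised arguments up to the matching ')'. */
      for (p++; *p != '\0'; p++)
      {
        if (i < extent-1)
          token[i++] = *p;
        if ((*p == ')') && (*(p-1) != '\\'))
          break;
      }
      if (*p == '\0')   /* fix: no matching ')', stop at the terminator */
        break;
    }
  }
  token[i] = '\0';
  return (size_t) (p - start);
}

/* Check helper: bytes consumed if the scanned token equals `expected`, else -1. */
static long scan_and_check(const char *input, const char *expected)
{
  char token[64];   /* constructed, fixed-size output buffer */
  size_t n = scan_token(input, token, sizeof token);
  return strcmp(token, expected) == 0 ? (long) n : -1;
}
```

With the reporter's buffer contents as input, the scan now consumes exactly the 24 bytes up to the terminator instead of running past it.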

glennrp commented Jul 4, 2017

This testcase doesn't seem to be a MNG. "file" says it's a gzip but gunzip doesn't handle it.

@mikayla-grace

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.
