When identifying or converting an SVG file, ImageMagick triggers a heap buffer overflow
```
=================================================================
==28273==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000008df0 at pc 0x7f193bfe62a7 bp 0x7ffdd3a66b60 sp 0x7ffdd3a66b50
READ of size 1 at 0x603000008df0 thread T0
    #0 0x7f193bfe62a6 in GetNextToken MagickCore/token.c:258
    #1 0x7f193c1a375e in GetUserSpaceCoordinateValue coders/svg.c:331
    #2 0x7f193c1a5767 in SVGStartElement coders/svg.c:936
    #3 0x7f1937efdcd0 in xmlParseStartTag (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x45cd0)
    #4 0x7f1937f0e738 (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x56738)
    #5 0x7f1937f0f93a in xmlParseChunk (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x5793a)
    #6 0x7f193c1acb75 in ReadSVGImage coders/svg.c:3236
    #7 0x7f193bd91c4f in ReadImage MagickCore/constitute.c:497
    #8 0x7f193bfdde06 in ReadStream MagickCore/stream.c:1045
    #9 0x7f193bd9117c in PingImage MagickCore/constitute.c:226
    #10 0x7f193bd915a9 in PingImages MagickCore/constitute.c:327
    #11 0x7f193b751a2a in IdentifyImageCommand MagickWand/identify.c:319
    #12 0x7f193b7a8c7a in MagickCommandGenesis MagickWand/mogrify.c:183
    #13 0x40169a in MagickMain utilities/magick.c:149
    #14 0x4017be in main utilities/magick.c:180
    #15 0x7f193b02182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #16 0x4012c8 in _start (/home/sf/ImageMagick-7.0.6-0/build-gcc/bin/magick+0x4012c8)
```
The vulnerability is triggered when identifying an SVG image; it occurs in function GetNextToken at MagickCore/token.c:258, which is called by GetUserSpaceCoordinateValue at coders/svg.c:331.
Here is the critical code:
```c
  for ( ; *p != '\0'; p++) /* line 258 of MagickCore/token.c */
  {
    if (((isspace((int) ((unsigned char) *p)) != 0) || (*p == '=') ||
        (*p == ',') || (*p == ':') || (*p == ';')) && (*(p-1) != '\\'))
      break;
    if ((i > 0) && (*p == '<'))
      break;
    if (i < (ssize_t) (extent-1))
      token[i++]=(*p);
    if (*p == '>')
      break;
    if (*p == '(')
      for (p++; *p != '\0'; p++)
      {
        if (i < (ssize_t) (extent-1))
          token[i++]=(*p);
        if ((*p == ')') && (*(p-1) != '\\')) /* no ')' matched here */
          break;
      }
  }
```
The cause of this heap buffer overflow is that the buffer p has no matching '(' and ')' characters; the POC's buffer p here is "trix( gradielGr74.075998", which causes the heap buffer over-read to continue until the next '\0' is found. It is possible to disclose some critical data, such as heap chunk data and even other applications' private data. I am not sure whether it can be exploited to achieve code execution; maybe it is possible.
ImageMagick-7.0.6-0
build instructions:
#### Testcase: https://github.com/zyy89/pocs/blob/master/imagemagick-heap-buffer-overflow-4
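The unmatched '(' case described in the report above, as an added example that is not part of the issue or of ImageMagick's code. It is a constructed, simplified model of the scan loop: when the inner loop that looks for ')' runs into the string's NUL terminator instead, the outer loop's `p++` steps over that terminator and the scan continues into whatever follows the string in memory. The sample input places the bytes "XYZ" after the terminator to stand in for adjacent heap data; the `hardened` flag, the `p > start` guard and the function and variable names are this example's own assumptions, not an upstream fix.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the token scan loop quoted in the report
 * (MagickCore/token.c, GetNextToken). Simplified re-implementation for
 * illustration, not ImageMagick's own code. Copies one token from `start`
 * into `token` (capacity `extent`) and returns how many bytes were scanned,
 * i.e. the offset at which the scan stopped. With `hardened` set it adds a
 * check that keeps the scan from stepping over the NUL terminator.
 */
static size_t scan_token(const char *start, char *token, size_t extent,
                         int hardened)
{
  const char *p = start;
  size_t i = 0;

  for ( ; *p != '\0'; p++)
    {
      /* Stop at an unescaped separator. The `p == start ||` guard is an
         addition here: the quoted loop reads *(p-1) even on the first byte. */
      if (((isspace((unsigned char) *p) != 0) || (*p == '=') ||
           (*p == ',') || (*p == ':') || (*p == ';')) &&
          (p == start || *(p-1) != '\\'))
        break;
      if ((i > 0) && (*p == '<'))
        break;
      if (i < extent-1)
        token[i++] = *p;
      if (*p == '>')
        break;
      if (*p == '(')
        {
          /* Copy up to the matching ')'. If there is none, this inner loop
             stops ON the NUL terminator ... */
          for (p++; *p != '\0'; p++)
            {
              if (i < extent-1)
                token[i++] = *p;
              if ((*p == ')') && (*(p-1) != '\\'))
                break;
            }
          /* ... and the outer loop's p++ then steps past it and keeps reading
             whatever follows the string in memory. The hardened variant stops
             here instead (assumed fix for this example, not upstream's). */
          if (hardened && *p == '\0')
            break;
        }
    }
  token[i] = '\0';
  return (size_t) (p - start);
}

/*
 * Constructed samples. "m( a" has no closing ')'; the bytes "XYZ" after its
 * terminator stand in for whatever follows the chunk on the heap. In the
 * real crash that memory is out of bounds, which is what ASan reported.
 */
static const char sample_unmatched[] = "m( a\0XYZ";
static const char sample_matched[] = "m(a) b";

int main(void)
{
  char token[64];
  size_t n;

  n = scan_token(sample_unmatched, token, sizeof token, 0);
  printf("unhardened: scanned %zu bytes, token \"%s\"\n", n, token);
  n = scan_token(sample_unmatched, token, sizeof token, 1);
  printf("hardened:   scanned %zu bytes, token \"%s\"\n", n, token);
  n = scan_token(sample_matched, token, sizeof token, 0);
  printf("matched:    scanned %zu bytes, token \"%s\"\n", n, token);
  return 0;
}
```

For the unmatched input the unhardened scan reports 8 bytes scanned and a token of "m( aXYZ", i.e. it has read through the terminator at offset 4 and picked up the three bytes that follow it; the hardened scan stops at offset 4 with "m( a". Inputs with a matching ')' behave identically in both variants, which is the property to check when reviewing a fix: it must only change the unterminated case.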