heap buffer overflow in ReadOneMNGImage #542

Closed
@jgj212

Description

Version: ImageMagick 7.0.6-1 Q16 x86_64

$magick identify $FILE

Here is the critical code:

        if (memcmp(type,mng_MOVE,4) == 0)  //type can be controlled as it is from file data
          {
            size_t
              first_object,
              last_object;

            /* read MOVE */

            if (length > 3)
            {
              first_object=(p[0] << 8) | p[1];  //first_object can be controlled as p[...] is from file data
              last_object=(p[2] << 8) | p[3];   //last_object can be controlled as p[...] is from file data, its value can reach 65535
              p+=4;

              for (i=(ssize_t) first_object; i <= (ssize_t) last_object; i++)
              {
                if (mng_info->exists[i] && !mng_info->frozen[i] &&
                    (p-chunk) < (ssize_t) (length-8))
                  {
                    MngPair
                      new_pair;

                    MngPair
                      old_pair;

                    old_pair.a=mng_info->x_off[i];    //x_off is from struct _MngInfo, 'x_off[MNG_MAX_OBJECTS]', and '#define MNG_MAX_OBJECTS 256'
                    old_pair.b=mng_info->y_off[i];
                    new_pair=mng_read_pair(old_pair,(int) p[0],&p[1]);
                    mng_info->x_off[i]=new_pair.a;
                    mng_info->y_off[i]=new_pair.b;
                  }
              }
            }

            chunk=(unsigned char *) RelinquishMagickMemory(chunk);
            continue;
          }

So a crafted file will cause an x_off[i] out-of-bounds operation vulnerability.

POC: https://github.com/jgj212/poc/blob/master/heap-mng

Credit: ADLab of Venustech
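Added example (neither ImageMagick's code nor the reporter's): a hardened version of the MOVE handler that bounds both object ids against MNG_MAX_OBJECTS before they are used as array indices, which is the check the snippet above lacks. It assumes the MNG MOVE payload layout (two 16-bit object ids, a delta type byte, two signed 32-bit coordinates) and uses a cut-down MngState struct as a stand-in for MngInfo.

```c
#include <stddef.h>
#include <stdint.h>
#define MNG_MAX_OBJECTS 256  /* same bound as ImageMagick's x_off/y_off arrays */

/* Stand-in for the MngInfo fields the MOVE handler touches (added
   illustration, not ImageMagick's own struct). */
typedef struct {
    unsigned char exists[MNG_MAX_OBJECTS];
    unsigned char frozen[MNG_MAX_OBJECTS];
    int32_t x_off[MNG_MAX_OBJECTS];
    int32_t y_off[MNG_MAX_OBJECTS];
} MngState;

static int32_t read_be32(const unsigned char *p)
{
    return (int32_t) (((uint32_t) p[0] << 24) | ((uint32_t) p[1] << 16) |
                      ((uint32_t) p[2] << 8) | (uint32_t) p[3]);
}

/* Apply the payload of a MOVE chunk: two 16-bit object ids, then a delta
   type byte and a 32-bit x/y pair. Returns the number of objects moved, or
   -1 when the chunk is rejected. The fix relative to the reported code is the
   explicit bound of last_object against MNG_MAX_OBJECTS before indexing. */
int mng_apply_move(MngState *st, const unsigned char *p, size_t length)
{
    size_t first_object, last_object, i;
    int moved = 0;
    if (length < 4 + 1 + 8)          /* ids + delta type + x + y */
        return -1;
    first_object = ((size_t) p[0] << 8) | p[1];
    last_object  = ((size_t) p[2] << 8) | p[3];
    /* Both ids come straight from the file and can reach 65535; the arrays
       only hold MNG_MAX_OBJECTS entries, so reject anything out of range. */
    if (first_object > last_object || last_object >= MNG_MAX_OBJECTS)
        return -1;
    p += 4;
    for (i = first_object; i <= last_object; i++) {
        if (!st->exists[i] || st->frozen[i])
            continue;
        if (p[0] == 0) {             /* delta type 0: absolute position */
            st->x_off[i] = read_be32(&p[1]);
            st->y_off[i] = read_be32(&p[5]);
        } else {                     /* otherwise: relative to current position */
            st->x_off[i] += read_be32(&p[1]);
            st->y_off[i] += read_be32(&p[5]);
        }
        moved++;
    }
    return moved;
}
```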
