
heap buffer overflow in ReadOneMNGImage #542

Closed
jgj212 opened this issue Jul 5, 2017 · 5 comments

@jgj212
Contributor

jgj212 commented Jul 5, 2017

Version: ImageMagick 7.0.6-1 Q16 x86_64

$magick identify $FILE

Here is the critical code

```c
if (memcmp(type,mng_MOVE,4) == 0)  // type can be controlled as it is from file data
  {
    size_t
      first_object,
      last_object;

    /* read MOVE */

    if (length > 3)
    {
      first_object=(p[0] << 8) | p[1];  // first_object can be controlled as p[...] is from file data
      last_object=(p[2] << 8) | p[3];   // last_object can be controlled as p[...] is from file data, its value can reach 65535
      p+=4;

      for (i=(ssize_t) first_object; i <= (ssize_t) last_object; i++)
      {
        if (mng_info->exists[i] && !mng_info->frozen[i] &&
            (p-chunk) < (ssize_t) (length-8))
          {
            MngPair
              new_pair;

            MngPair
              old_pair;

            old_pair.a=mng_info->x_off[i];    // x_off is from struct _MngInfo, 'x_off[MNG_MAX_OBJECTS]', and '#define MNG_MAX_OBJECTS 256'
            old_pair.b=mng_info->y_off[i];
            new_pair=mng_read_pair(old_pair,(int) p[0],&p[1]);
            mng_info->x_off[i]=new_pair.a;
            mng_info->y_off[i]=new_pair.b;
          }
      }
    }

    chunk=(unsigned char *) RelinquishMagickMemory(chunk);
    continue;
  }
```

So a crafted file will cause an out-of-bounds operation on x_off[i], which is a vulnerability.

POC: https://github.com/jgj212/poc/blob/master/heap-mng

Credit: ADLab of Venustech
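The check the quoted snippet is missing, as an added example that is not ImageMagick's code or its eventual fix: the same big-endian decoding of first_object/last_object, followed by a range check against MNG_MAX_OBJECTS before any table is indexed. The object tables, the `apply_move`/`demo_move` helpers and the MOVE payloads are constructed for the demonstration.

```c
/* Added example (not ImageMagick's code): the MOVE object-range decoding from
 * the report, with the bounds check against MNG_MAX_OBJECTS the snippet lacks. */
#include <stddef.h>

#define MNG_MAX_OBJECTS 256  /* size of exists[]/frozen[]/x_off[]/y_off[] */

/* Decodes first/last as the report shows (big-endian 16-bit, so up to 65535) and
 * returns 1 only when [first,last] stays inside MNG_MAX_OBJECTS-entry tables. */
int mng_move_range(const unsigned char *p, size_t length,
                   size_t *first, size_t *last)
{
    if (length < 4)                  /* the original's "length > 3" guard */
        return 0;
    *first = (size_t) ((p[0] << 8) | p[1]);
    *last  = (size_t) ((p[2] << 8) | p[3]);
    /* Added check: an id of 256 or more would index past the 256-entry tables */
    if (*first >= MNG_MAX_OBJECTS || *last >= MNG_MAX_OBJECTS)
        return 0;
    return 1;
}

/* Applies a MOVE to constructed tables; returns objects updated, or -1 when rejected. */
int apply_move(const unsigned char *p, size_t length,
               const int *exists, int *x_off, int dx)
{
    size_t first, last, i;
    int updated = 0;
    if (!mng_move_range(p, length, &first, &last))
        return -1;
    for (i = first; i <= last; i++)   /* cannot step outside the arrays now */
        if (exists[i]) { x_off[i] += dx; updated++; }
    return updated;
}

/* Constructed payloads: valid range, largest valid id, one past the tables,
 * the 65535 case noted in the report, and a truncated chunk. */
const unsigned char kMoveInRange[4]   = {0x00, 0x01, 0x00, 0x03};
const unsigned char kMoveLastValid[4] = {0x00, 0xFF, 0x00, 0xFF};
const unsigned char kMoveOffByOne[4]  = {0x00, 0x00, 0x01, 0x00};
const unsigned char kMoveMaxId[4]     = {0x00, 0x00, 0xFF, 0xFF};
const unsigned char kMoveTruncated[3] = {0x00, 0x00, 0x00};

/* Runs one payload against fresh tables in which every object exists. */
int demo_move(const unsigned char *payload, size_t length)
{
    int exists[MNG_MAX_OBJECTS], x_off[MNG_MAX_OBJECTS];
    for (size_t i = 0; i < MNG_MAX_OBJECTS; i++) { exists[i] = 1; x_off[i] = 0; }
    return apply_move(payload, length, exists, x_off, 5);
}
```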

@attritionorg

Out-of-bounds READ or WRITE? Can you provide the ASAN output please?

@jgj212
Contributor Author

jgj212 commented Jul 6, 2017

@attritionorg out-of-bounds read

@mikayla-grace

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@glennrp
Contributor

glennrp commented Jul 10, 2017

The same vulnerability existed with the CLIP chunk. I've checked in a fix.
See commit d072ed6

@nohmask

nohmask commented Sep 8, 2017

This was assigned CVE-2017-12640.
