heap-overflow in GetPixelAlpha() #561
Thanks for the report! Can you remove the # 1 and the other ones from your message next time. You are now referencing a couple of issues.

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@lcatro You could just replace every occurrence of # (number) with (number) then you won't reference the issue.
@dlemstra Get your mind.
Crash Link: https://raw.githubusercontent.com/lcatro/My_PoC/master/ImageMagick/heap-buffer-overflow-READ-0x7f58970bcdc4_output_ps_1500207243.43
Trigger Command: ./magick convert heap-buffer-overflow-READ-0x7f58970bcdc4_output_ps_1500207243.43 output.ps
Crash Information:
fuzzing@ubuntu:~/fuzzing/ImageMagick/utilities$ ./magick convert all_fuzzing_format_2017_7_16_5_13_10/crash/heap-buffer-overflow-READ-0x7f58970bcdc4_output_ps_1500207243.43 output.ps
==61378==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f06a32fedcc at pc 0x7f06aec0f9c2 bp 0x7ffcb67d5a30 sp 0x7ffcb67d5a20
READ of size 4 at 0x7f06a32fedcc thread T0
#0 0x7f06aec0f9c1 in GetPixelAlpha MagickCore/pixel-accessor.h:59
#1 0x7f06aec17ff8 in WritePSImage coders/ps.c:2046
#2 0x7f06ae7491c6 in WriteImage MagickCore/constitute.c:1114
#3 0x7f06ae749e42 in WriteImages MagickCore/constitute.c:1333
#4 0x7f06adf9c3eb in ConvertImageCommand MagickWand/convert.c:3280
#5 0x7f06ae094d98 in MagickCommandGenesis MagickWand/mogrify.c:183
#6 0x4017f1 in MagickMain utilities/magick.c:149
#7 0x4019d2 in main utilities/magick.c:180
#8 0x7f06ad80982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x401308 in _start (/home/fuzzing/fuzzing/ImageMagick/utilities/.libs/lt-magick+0x401308)
0x7f06a32fedcc is located 12 bytes to the right of 556480-byte region [0x7f06a3277000,0x7f06a32fedc0)
allocated by thread T0 here:
#0 0x7f06af3e5076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
#1 0x7f06ae8ed8de in AcquireAlignedMemory MagickCore/memory.c:262
#2 0x7f06ae6e4731 in OpenPixelCache MagickCore/cache.c:3523
#3 0x7f06ae6dd0d1 in GetImagePixelCache MagickCore/cache.c:1667
#4 0x7f06ae6ec1f0 in SyncImagePixelCache MagickCore/cache.c:5222
#5 0x7f06ae8b9609 in SetImageExtent MagickCore/image.c:2554
#6 0x7f06aec53c99 in ReadSGIImage coders/sgi.c:374
#7 0x7f06ae746068 in ReadImage MagickCore/constitute.c:497
#8 0x7f06ae748267 in ReadImages MagickCore/constitute.c:866
#9 0x7f06adf060ad in ConvertImageCommand MagickWand/convert.c:641
#10 0x7f06ae094d98 in MagickCommandGenesis MagickWand/mogrify.c:183
#11 0x4017f1 in MagickMain utilities/magick.c:149
#12 0x4019d2 in main utilities/magick.c:180
#13 0x7f06ad80982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/pixel-accessor.h:59 GetPixelAlpha
==61378==ABORTING
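A small triage helper for reports like the one above, added here as an example and not part of this issue or of ImageMagick: it pulls the fields a triager needs out of an ASan report, cross-checks the stated region size and overflow distance against the raw addresses (a mangled or edited log fails that check), and picks the first project frame from each stack. The regexes assume the ASan output layout shown in this report; the function names are mine, and the sample is this issue's report trimmed to the lines the parser reads.

```python
import re

# Constructed sample: the ASan report from this issue, trimmed to the lines the parser reads.
SAMPLE_REPORT = """\
==61378==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f06a32fedcc at pc 0x7f06aec0f9c2 bp 0x7ffcb67d5a30 sp 0x7ffcb67d5a20
READ of size 4 at 0x7f06a32fedcc thread T0
    #0 0x7f06aec0f9c1 in GetPixelAlpha MagickCore/pixel-accessor.h:59
    #1 0x7f06aec17ff8 in WritePSImage coders/ps.c:2046
0x7f06a32fedcc is located 12 bytes to the right of 556480-byte region [0x7f06a3277000,0x7f06a32fedc0)
allocated by thread T0 here:
    #0 0x7f06af3e5076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x7f06ae8ed8de in AcquireAlignedMemory MagickCore/memory.c:262
    #2 0x7f06ae6e4731 in OpenPixelCache MagickCore/cache.c:3523
"""

ERROR_RE = re.compile(r"AddressSanitizer: (\S+) on address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)")
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                       r"\[0x([0-9a-f]+),0x([0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")

def parse_asan(text: str) -> dict:
    """Pull the fields a triager needs out of one ASan report into a dict."""
    t = {"access_frames": [], "alloc_frames": []}
    frames = None
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            t["bug_type"], t["address"] = m.group(1), int(m.group(2), 16)
            frames = t["access_frames"]        # stack lines that follow describe the access
        elif m := ACCESS_RE.match(line):
            t["access"], t["size"] = m.group(1), int(m.group(2))
        elif m := REGION_RE.search(line):
            t["distance"], t["side"], t["region_size"] = int(m.group(1)), m.group(2), int(m.group(3))
            t["region"] = (int(m.group(4), 16), int(m.group(5), 16))  # [start, end)
        elif line.startswith("allocated by"):
            frames = t["alloc_frames"]         # stack lines that follow describe the allocation
        elif (m := FRAME_RE.match(line)) and frames is not None:
            frames.append((m.group(1), m.group(2)))   # (function, file:line or module+offset)
    return t

def is_consistent(t: dict) -> bool:
    """ASan's stated region size and distance must agree with the raw addresses; if they
    do not, the log was truncated or edited and should not be trusted for dedup."""
    start, end = t["region"]
    edge = end if t["side"] == "right" else start
    return end - start == t["region_size"] and abs(t["address"] - edge) == t["distance"]

def blame_frame(frames: list):
    """First frame in project code: skip ASan interceptors and shared-library frames."""
    return next((f for f in frames if not f[0].startswith("__interceptor_") and ".so" not in f[1]), None)
```

For this report the check passes (the 556480-byte region and the 12-byte distance both agree with the addresses), and the blamed frames are GetPixelAlpha for the read and AcquireAlignedMemory for the allocation.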