
heap-overflow in GetPixelAlpha() #561

Closed
lcatro opened this issue Jul 16, 2017 · 6 comments

@lcatro

commented Jul 16, 2017

Crash Link : https://raw.githubusercontent.com/lcatro/My_PoC/master/ImageMagick/heap-buffer-overflow-READ-0x7f58970bcdc4_output_ps_1500207243.43

Trigger Command : ./magick convert heap-buffer-overflow-READ-0x7f58970bcdc4_output_ps_1500207243.43 output.ps

Crash Information :
fuzzing@ubuntu:~/fuzzing/ImageMagick/utilities$ ./magick convert all_fuzzing_format_2017_7_16_5_13_10/crash/heap-buffer-overflow-READ-0x7f58970bcdc4_output_ps_1500207243.43 output.ps

==61378==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f06a32fedcc at pc 0x7f06aec0f9c2 bp 0x7ffcb67d5a30 sp 0x7ffcb67d5a20
READ of size 4 at 0x7f06a32fedcc thread T0
#0 0x7f06aec0f9c1 in GetPixelAlpha MagickCore/pixel-accessor.h:59
#1 0x7f06aec17ff8 in WritePSImage coders/ps.c:2046
#2 0x7f06ae7491c6 in WriteImage MagickCore/constitute.c:1114
#3 0x7f06ae749e42 in WriteImages MagickCore/constitute.c:1333
#4 0x7f06adf9c3eb in ConvertImageCommand MagickWand/convert.c:3280
#5 0x7f06ae094d98 in MagickCommandGenesis MagickWand/mogrify.c:183
#6 0x4017f1 in MagickMain utilities/magick.c:149
#7 0x4019d2 in main utilities/magick.c:180
#8 0x7f06ad80982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x401308 in _start (/home/fuzzing/fuzzing/ImageMagick/utilities/.libs/lt-magick+0x401308)

0x7f06a32fedcc is located 12 bytes to the right of 556480-byte region [0x7f06a3277000,0x7f06a32fedc0)
allocated by thread T0 here:
#0 0x7f06af3e5076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
#1 0x7f06ae8ed8de in AcquireAlignedMemory MagickCore/memory.c:262
#2 0x7f06ae6e4731 in OpenPixelCache MagickCore/cache.c:3523
#3 0x7f06ae6dd0d1 in GetImagePixelCache MagickCore/cache.c:1667
#4 0x7f06ae6ec1f0 in SyncImagePixelCache MagickCore/cache.c:5222
#5 0x7f06ae8b9609 in SetImageExtent MagickCore/image.c:2554
#6 0x7f06aec53c99 in ReadSGIImage coders/sgi.c:374
#7 0x7f06ae746068 in ReadImage MagickCore/constitute.c:497
#8 0x7f06ae748267 in ReadImages MagickCore/constitute.c:866
#9 0x7f06adf060ad in ConvertImageCommand MagickWand/convert.c:641
#10 0x7f06ae094d98 in MagickCommandGenesis MagickWand/mogrify.c:183
#11 0x4017f1 in MagickMain utilities/magick.c:149
#12 0x4019d2 in main utilities/magick.c:180
#13 0x7f06ad80982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/pixel-accessor.h:59 GetPixelAlpha
Shadow bytes around the buggy address:
0x0fe154657d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe154657d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe154657d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe154657d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe154657da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe154657db0: 00 00 00 00 00 00 00 00 fa[fa]fa fa fa fa fa fa
0x0fe154657dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe154657dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe154657de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe154657df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe154657e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==61378==ABORTING
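What a practitioner does with a report like the one above, before opening the ImageMagick source, is triage it. The following is an added example, not code from this issue or from ImageMagick: a small Python parser that pulls the access kind and width, the faulting frame, the allocating and accessing coders and the distance from the heap region out of an AddressSanitizer heap-buffer-overflow report, cross-checks the stated 12-byte offset against the raw region addresses, and buckets the finding (here a 4-byte over-read past the end of the 556480-byte pixel cache region, allocated under ReadSGIImage and read under WritePSImage). The helper names and the priority rule are this example's own conventions, and the sample report is a trimmed copy of the one posted above.

```python
"""ASan heap-buffer-overflow triage: an added example, not ImageMagick code.
Parses the report above into the fields a fuzzing triager wants, cross-checks
the stated distance against the raw addresses and assigns a coarse priority.
Helper names and the priority rule are this example's own conventions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
FRAME_RE = re.compile(r"^#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte "
                       r"region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")

@dataclass
class Frame:
    function: str
    location: str           # "file:line", or "(object+offset)" without symbols

@dataclass
class AsanReport:
    error: str = ""
    address: int = 0        # faulting address
    access: str = ""        # READ or WRITE
    size: int = 0           # access width in bytes
    distance: int = 0       # bytes outside the region
    side: str = ""          # "left" or "right" of the region
    region_size: int = 0
    region_start: int = 0
    region_end: int = 0
    access_stack: List[Frame] = field(default_factory=list)  # where the bad access happened
    alloc_stack: List[Frame] = field(default_factory=list)   # where the region was allocated

def parse_asan_report(text: str) -> AsanReport:
    rep = AsanReport()
    stack = rep.access_stack  # frames before "allocated by" describe the access
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("SUMMARY:"):
            break             # only the shadow-byte dump follows
        if "allocated by thread" in line:
            stack = rep.alloc_stack
        elif (m := ERROR_RE.search(line)):
            rep.error, rep.address = m.group(1), int(m.group(2), 16)
        elif (m := ACCESS_RE.match(line)):
            rep.access, rep.size = m.group(1), int(m.group(2))
        elif (m := REGION_RE.search(line)):
            rep.distance, rep.side, rep.region_size = int(m.group(1)), m.group(2), int(m.group(3))
            rep.region_start, rep.region_end = int(m.group(4), 16), int(m.group(5), 16)
        elif (m := FRAME_RE.match(line)):
            stack.append(Frame(m.group(1), m.group(2)))
    return rep

def first_user_frame(frames: List[Frame]) -> Optional[Frame]:
    # Skip ASan's own interceptor frames such as __interceptor_posix_memalign.
    return next((f for f in frames if not f.function.startswith("__interceptor_")), None)

def coder_frame(frames: List[Frame]) -> Optional[Frame]:
    # First frame under coders/, i.e. the ImageMagick format plugin on this path.
    return next((f for f in frames if f.location.startswith("coders/")), None)

def addresses_consistent(rep: AsanReport) -> bool:
    """The stated offset and region size must agree with the raw addresses."""
    if rep.region_end - rep.region_start != rep.region_size:
        return False
    if rep.side == "right":
        return rep.address - rep.region_end == rep.distance
    return rep.region_start - rep.address == rep.distance

def triage(text: str) -> dict:
    rep = parse_asan_report(text)
    fault = first_user_frame(rep.access_stack)
    reader, writer = coder_frame(rep.alloc_stack), coder_frame(rep.access_stack)
    return {
        "bug_class": rep.error,
        "access": f"{rep.access} of {rep.size} bytes, {rep.distance} bytes to the "
                  f"{rep.side} of a {rep.region_size}-byte region",
        "faulting_frame": f"{fault.function} at {fault.location}" if fault else None,
        "allocating_coder": reader.function if reader else None,
        "accessing_coder": writer.function if writer else None,
        "addresses_consistent": addresses_consistent(rep),
        # An out-of-bounds write is a corruption primitive; a short over-read is a
        # crash or info leak. Bucket on that before anyone reads the code.
        "priority": "high" if rep.access == "WRITE" else "medium",
    }

# Copied from the report in the issue above, trimmed to the frames the summary uses.
SAMPLE_REPORT = """\
==61378==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f06a32fedcc at pc 0x7f06aec0f9c2 bp 0x7ffcb67d5a30 sp 0x7ffcb67d5a20
READ of size 4 at 0x7f06a32fedcc thread T0
    #0 0x7f06aec0f9c1 in GetPixelAlpha MagickCore/pixel-accessor.h:59
    #1 0x7f06aec17ff8 in WritePSImage coders/ps.c:2046
    #2 0x7f06ae7491c6 in WriteImage MagickCore/constitute.c:1114

0x7f06a32fedcc is located 12 bytes to the right of 556480-byte region [0x7f06a3277000,0x7f06a32fedc0)
allocated by thread T0 here:
    #0 0x7f06af3e5076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x7f06ae8ed8de in AcquireAlignedMemory MagickCore/memory.c:262
    #5 0x7f06ae8b9609 in SetImageExtent MagickCore/image.c:2554
    #6 0x7f06aec53c99 in ReadSGIImage coders/sgi.c:374

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/pixel-accessor.h:59 GetPixelAlpha
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key:>20}: {value}")
```

Run as a script it prints the summary for the report above. The addresses_consistent check is worth keeping in any triage pipeline: when the stated offset does not agree with the region bounds the report was usually truncated or edited in transit, and the frame markers in this very thread show how easily a pasted report gets altered.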

@dlemstra (Member)

commented Jul 16, 2017

Thanks for the report! Can you remove the # 1 and the other ones from your message next time? You are now referencing a couple of issues.

@lcatro (Author)

commented Jul 16, 2017

@dlemstra Hello dlemstra, is #1 stack trace information?

@mikayla-grace

commented Jul 16, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@dlemstra (Member)

commented Jul 16, 2017

@lcatro You could just replace every occurrence of # (number) with (number) then you won't reference the issue.

dlemstra pushed a commit that referenced this issue Jul 16, 2017

Cristy

dlemstra pushed a commit that referenced this issue Jul 16, 2017

Cristy
@lcatro (Author)

commented Jul 16, 2017

@dlemstra Get your mind.

@dlemstra dlemstra added the bug label Jul 16, 2017

@dlemstra dlemstra closed this Jul 16, 2017

@bastien-roucaries

commented Jul 26, 2017
