
heap-overflow in WriteUILImage() #562

Closed
lcatro opened this issue Jul 16, 2017 · 3 comments

@lcatro

commented Jul 16, 2017

Crash Link: https://raw.githubusercontent.com/lcatro/My_PoC/master/ImageMagick/heap-buffer-overflow-READ-0x7fd806e82db2_output_uil_1500210468.72

Trigger Command: ./magick convert heap-buffer-overflow-READ-0x7fd806e82db2_output_uil_1500210468.72 output.uil

Crash Information:
fuzzing@ubuntu:~/fuzzing/ImageMagick/utilities$ ./magick convert all_fuzzing_format_2017_7_16_5_13_10/crash/heap-buffer-overflow-READ-0x7fd806e82db2_output_uil_1500210468.72 output.uil

==3160==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d00001cbdc at pc 0x7f505478c77d bp 0x7fff1b1513b0 sp 0x7fff1b1513a0
READ of size 1 at 0x62d00001cbdc thread T0
#0 0x7f505478c77c in WriteUILImage coders/uil.c:273
#1 0x7f50542471c6 in WriteImage MagickCore/constitute.c:1114
#2 0x7f5054247e42 in WriteImages MagickCore/constitute.c:1333
#3 0x7f5053a9a3eb in ConvertImageCommand MagickWand/convert.c:3280
#4 0x7f5053b92d98 in MagickCommandGenesis MagickWand/mogrify.c:183
#5 0x4017f1 in MagickMain utilities/magick.c:149
#6 0x4019d2 in main utilities/magick.c:180
#7 0x7f505330782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#8 0x401308 in _start (/home/fuzzing/fuzzing/ImageMagick/utilities/.libs/lt-magick+0x401308)

0x62d00001cbdc is located 0 bytes to the right of 34780-byte region [0x62d000014400,0x62d00001cbdc)
allocated by thread T0 here:
#0 0x7f5054ee2602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7f50543eb981 in AcquireMagickMemory MagickCore/memory.c:464
#2 0x7f50543eb9d5 in AcquireQuantumMemory MagickCore/memory.c:537
#3 0x7f505478c2f0 in WriteUILImage coders/uil.c:238
#4 0x7f50542471c6 in WriteImage MagickCore/constitute.c:1114
#5 0x7f5054247e42 in WriteImages MagickCore/constitute.c:1333
#6 0x7f5053a9a3eb in ConvertImageCommand MagickWand/convert.c:3280
#7 0x7f5053b92d98 in MagickCommandGenesis MagickWand/mogrify.c:183
#8 0x4017f1 in MagickMain utilities/magick.c:149
#9 0x4019d2 in main utilities/magick.c:180
#10 0x7f505330782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/uil.c:273 WriteUILImage
==3160==ABORTING

@dlemstra

Member

commented Jul 16, 2017

Thanks for the report! Can you remove the #1 and the other ones from your message next time? You are now referencing a couple of issues.

dlemstra pushed a commit that referenced this issue Jul 16, 2017

Cristy

@mikayla-grace


commented Jul 16, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@dlemstra dlemstra added the bug label Jul 16, 2017

@dlemstra dlemstra closed this Jul 16, 2017

@bastien-roucaries


commented Jul 26, 2017

This is CVE-2017-11533
