Heap-Overflow in GetPixelIndex() MagickCore/pixel-accessor.h #581

Closed
lcatro opened this issue Jul 18, 2017 · 3 comments

@lcatro

commented Jul 18, 2017

Crash Link: https://raw.githubusercontent.com/lcatro/My_PoC/master/ImageMagick/heap-overflow_output_picon_READ_GetPixelIndex

Trigger Command: ./magick convert heap-overflow_output_picon_READ_GetPixelIndex output.picon

Crash Detail:

fuzzing@ubuntu:~/fuzzing/ImageMagick/utilities$ ./magick convert heap-overflow_output_picon_READ_GetPixelIndex output.picon
=================================================================
==43957==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d000017a88 at pc 0x7f298fbefc28 bp 0x7fff46d63780 sp 0x7fff46d63770
READ of size 4 at 0x61d000017a88 thread T0
    #0 0x7f298fbefc27 in GetPixelIndex MagickCore/pixel-accessor.h:191
    #1 0x7f298fbf3eea in WritePICONImage coders/xpm.c:819
    #2 0x7f298f68122b in WriteImage MagickCore/constitute.c:1114
    #3 0x7f298f681ea7 in WriteImages MagickCore/constitute.c:1333
    #4 0x7f298eed13bb in ConvertImageCommand MagickWand/convert.c:3280
    #5 0x7f298efc9d68 in MagickCommandGenesis MagickWand/mogrify.c:183
    #6 0x4017f1 in MagickMain utilities/magick.c:149
    #7 0x4019d2 in main utilities/magick.c:180
    #8 0x7f298e73e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x401308 in _start (/home/fuzzing/fuzzing/ImageMagick/utilities/.libs/lt-magick+0x401308)

0x61d000017a88 is located 8 bytes to the right of 2048-byte region [0x61d000017280,0x61d000017a80)
allocated by thread T0 here:
    #0 0x7f299032e076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x7f298f82bd17 in AcquireAlignedMemory MagickCore/memory.c:262
    #2 0x7f298f61c796 in OpenPixelCache MagickCore/cache.c:3558
    #3 0x7f298f614fd1 in GetImagePixelCache MagickCore/cache.c:1667
    #4 0x7f298f624255 in SyncImagePixelCache MagickCore/cache.c:5257
    #5 0x7f298f64ba94 in SetImageGray MagickCore/colorspace.c:1182
    #6 0x7f298f8af8a5 in QuantizeImage MagickCore/quantize.c:2668
    #7 0x7f298f8a9604 in CompressImageColormap MagickCore/quantize.c:1203
    #8 0x7f298fbf3113 in WritePICONImage coders/xpm.c:701
    #9 0x7f298f68122b in WriteImage MagickCore/constitute.c:1114
    #10 0x7f298f681ea7 in WriteImages MagickCore/constitute.c:1333
    #11 0x7f298eed13bb in ConvertImageCommand MagickWand/convert.c:3280
    #12 0x7f298efc9d68 in MagickCommandGenesis MagickWand/mogrify.c:183
    #13 0x4017f1 in MagickMain utilities/magick.c:149
    #14 0x4019d2 in main utilities/magick.c:180
    #15 0x7f298e73e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/pixel-accessor.h:191 GetPixelIndex
==43957==ABORTING
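As an added example (not code from this issue or from ImageMagick), a small triage parser that reduces the AddressSanitizer report above to the fields a fuzzing pipeline keys on: bug class, access kind and size, the faulting and allocating call chains, and how far outside the region the access landed. The report excerpt is constructed from the lines quoted above; the function and field names are this example's own.

```python
import re
# Constructed excerpt of the AddressSanitizer report quoted in the issue above, cut
# down to the lines the parser consumes; addresses, sizes and frames are the report's.
ASAN_REPORT = """\
==43957==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d000017a88 at pc 0x7f298fbefc28 bp 0x7fff46d63780 sp 0x7fff46d63770
READ of size 4 at 0x61d000017a88 thread T0
    #0 0x7f298fbefc27 in GetPixelIndex MagickCore/pixel-accessor.h:191
    #1 0x7f298fbf3eea in WritePICONImage coders/xpm.c:819

0x61d000017a88 is located 8 bytes to the right of 2048-byte region [0x61d000017280,0x61d000017a80)
allocated by thread T0 here:
    #0 0x7f299032e076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x7f298f82bd17 in AcquireAlignedMemory MagickCore/memory.c:262
"""
HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+)", re.M)
REGION_RE = re.compile(
    r"is located (\d+) bytes to the (left|right) of (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")

def parse_asan(report):
    """Reduce an ASan report to the fields a crash-triage pipeline keys on."""
    head, access = HEADER_RE.search(report), ACCESS_RE.search(report)
    if not (head and access):
        raise ValueError("not an AddressSanitizer access report")
    # Frames before "allocated by" describe the faulting access; those after it, the allocation.
    cut = report.find("allocated by")
    fault_part, alloc_part = (report, "") if cut < 0 else (report[:cut], report[cut:])
    # Skip sanitizer interceptor frames so alloc_site points at the program's own code.
    alloc_frames = [f for f in FRAME_RE.findall(alloc_part) if not f[0].startswith("__interceptor")]
    info = {
        "bug": head.group(1),
        "fault_addr": int(head.group(2), 16),
        "access": access.group(1),
        "size": int(access.group(2)),
        "fault_frames": FRAME_RE.findall(fault_part),   # (function, file:line) pairs
        "alloc_site": alloc_frames[0] if alloc_frames else None,
    }
    region = REGION_RE.search(report)
    if region:
        info.update(overflow_bytes=int(region.group(1)), side=region.group(2),
                    region_size=int(region.group(3)), region_start=int(region.group(4), 16),
                    region_end=int(region.group(5), 16))
    return info

def overflow_consistent(info):
    """Sanity check: the fault address is overflow_bytes outside the region on the stated side."""
    gap = (info["fault_addr"] - info["region_end"] if info["side"] == "right"
           else info["region_start"] - info["fault_addr"])
    return gap == info["overflow_bytes"] and info["region_end"] - info["region_start"] == info["region_size"]
```

For this report the parser yields a 4-byte READ in GetPixelIndex called from WritePICONImage, 8 bytes past a 2048-byte pixel-cache buffer obtained through AcquireAlignedMemory, which is exactly the signature to deduplicate against other crashes from the same fuzzing run.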
@mikayla-grace

commented Jul 18, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

dlemstra pushed a commit that referenced this issue Jul 18, 2017

Cristy

@dlemstra dlemstra added the bug label Jul 18, 2017

@dlemstra dlemstra closed this Jul 18, 2017

@bastien-roucaries

commented Jul 26, 2017

I do not see the v6 commit. Does it affect V6? If so, could you give me the commit?

@dlemstra

Member

commented Jul 27, 2017

This is an IM7 only issue.
