Null-Point reference in WriteOnePNGImage #586

lcatro · 2017-07-18T18:31:46Z

Crash Link : https://raw.githubusercontent.com/lcatro/My_PoC/master/ImageMagick/SEGV_output_mng_WriteOnePNGImage

Trigger Command : ./magick convert SEGV_output_mng_WriteOnePNGImage output.mng

Crash Detail :

fuzzing@ubuntu:~/fuzzing/ImageMagick/utilities$ ./magick convert graphicsmagick_fuzzing/SEGV-0x000000000000_output_mng_1500402017.82 output.mng
ASAN:SIGSEGV
=================================================================
==56607==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f3ea2329122 bp 0x7ffdd59968d0 sp 0x7ffdd597f460 T0)
    #0 0x7f3ea2329121 in WriteOnePNGImage coders/png.c:8494
    #1 0x7f3ea2349eba in WriteMNGImage coders/png.c:14027
    #2 0x7f3ea1d6022b in WriteImage MagickCore/constitute.c:1114
    #3 0x7f3ea1d60ea7 in WriteImages MagickCore/constitute.c:1333
    #4 0x7f3ea15b03bb in ConvertImageCommand MagickWand/convert.c:3280
    #5 0x7f3ea16a8d68 in MagickCommandGenesis MagickWand/mogrify.c:183
    #6 0x4017f1 in MagickMain utilities/magick.c:149
    #7 0x4019d2 in main utilities/magick.c:180
    #8 0x7f3ea0e1d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x401308 in _start (/home/fuzzing/fuzzing/ImageMagick/utilities/.libs/lt-magick+0x401308)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV coders/png.c:8494 WriteOnePNGImage
==56607==ABORTING

The text was updated successfully, but these errors were encountered:

mikayla-grace · 2017-07-18T22:15:29Z

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

bastien-roucaries · 2017-07-19T16:13:57Z

Did you opened a CVE ?

lcatro · 2017-07-19T16:29:49Z

@bastien-roucaries no , is that you found too ?

bastien-roucaries · 2017-07-21T15:32:15Z

magick team could you point the commit (v7 and v6).

bastien-roucaries · 2017-07-21T15:32:40Z

cve should be opened here : https://cveform.mitre.org/

lcatro · 2017-07-21T18:10:31Z

@bastien-roucaries im found these bug in V7.0.6-1 that is the master branch code .
and i had try apply CVE but they have not give me anynews .

attritionorg · 2017-07-22T18:38:34Z

816ecab Imagine that is it and a typo on the bug number.

carnil · 2017-07-23T05:12:35Z

This issue has been assigned CVE-2017-11522

dlemstra · 2017-07-25T12:32:23Z

@attritionorg The IM7 commit is: 816ecab. There is no IM6 commit because this is an IM7 only issue.

Changelog: 2017-09-03 6.9.9-11 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 6.9.9-11, GIT revision 11969:a12fbb873:20170903. 2017-08-28 6.9.9-11 Cristy <quetzlzacatenango@image...> * Fixed numerous memory leaks (reference https://github.com/ImageMagick/ImageMagick/issues). * Don't overwrite symbolic links when the shred policy is enabled. 2017-08-27 6.9.9-10 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 6.9.9-10, GIT revision 11936:a8112a821:20170827. 2017-08-26 6.9.9-10 Dirk Lemstra <dirk@lem.....org> * Fixed thread safety issue inside the pango and librsvg decoder (reference: dlemstra/Magick.NET#91). 2017-08-20 6.9.9-9 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 6.9.9-9, GIT revision 11915:5205bda17:20170820. 2017-08-18 6.6.9-9 Glenn Randers-Pehrson <glennrp@image...> * Fixed bug with writing tIME chunk when timezone has a negative offset (reference: ImageMagick/ImageMagick#685). 2017-08-18 6.9.9-8 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 6.9.9-8, GIT revision 11906:26078285f:20170818. 2017-08-18 6.9.9-8 Cristy <quetzlzacatenango@image...> * Fixed numerous memory leaks (reference https://github.com/ImageMagick/ImageMagick/issues). 2017-08-12 6.9.9-7 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 6.9.9-7, GIT revision 11893:8c4c56a0e:20170812 (Windows binaries out of sync). 2017-08-10 6.9.9-6 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 6.9.9-6, GIT revision 11886:af2b102db:20170810. 2017-08-10 6.9.9-6 Cristy <quetzlzacatenango@image...> * Fixed numerous memory leaks (reference https://github.com/ImageMagick/ImageMagick/issues). 2017-08-10 6.9.9-6 Glenn Randers-Pehrson <glennrp@image...> * tests/validate.c: Show the reason for failures in the test logs, if available. 2017-08-03 6.9.9-6 Glenn Randers-Pehrson <glennrp@image...> * Put UTC time in the PNG tIME chunk instead of local time (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32447). 2017-08-02 6.9.9-5 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 6.9.9-5, GIT revision 11858:7a555e53f:20170802. 2017-08-01 6.9.9-5 Cristy <quetzlzacatenango@image...> * Fixed numerous memory leaks (reference https://github.com/ImageMagick/ImageMagick/issues). 2017-07-29 6.9.9-5 Glenn Randers-Pehrson <glennrp@image...> * Properly set image->colorspace in the PNG decoder (previously it was setting image->gamma, but only setting image->colorspace for grayscale and gray-alpha images. Reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32418). * Fix improper use of NULL in the JNG decoder (CVE-2017-11750, Reference ImageMagick/ImageMagick#632). 2017-07-29 6.9.9-5 Cristy <quetzlzacatenango@image...> * Off by one error for gradient coder (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32416). 2017-07-28 6.9.9-4 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 6.9.9-4, GIT revision 11833:4e81160d6:20170728. 2017-07-25 6.9.9-4 Cristy <quetzlzacatenango@image...> * Fixed numerous memory leaks (reference https://github.com/ImageMagick/ImageMagick/issues). * coders/png.c: Initialized quantum_scanline to prevent a bad free (reference ImageMagick/ImageMagick#621). 2017-07-24 6.9.9-4 Glenn Randers-Pehrson <glennrp@image...> * Removed write_chunk_from_profile() from coders/png.c because it has not worked at least since version 6.7.6. * Removed many redundant checks before RelinquishMagickMemory(), which is safe to call with a NULL argument. * Removed vpAg chunk write support (we are now writing caNv instead). * coders/png.c: Initialized quantum_info to prevent memory leakage (reference ImageMagick/ImageMagick#582, CVE-2017-11539). * coders/png.c: fixed NULL dereference when trying to write an empty MNG (CVE-2017-11522, reference ImageMagick/ImageMagick#586). 2017-07-24 6.9.9-3 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 6.9.9-3, GIT revision 11809:2bd88257b:20170724. 2017-07-23 6.9.9-3 Cristy <quetzlzacatenango@image...> * Fixed numerous memory leaks (reference https://github.com/ImageMagick/ImageMagick/issues). 2017-07-23 6.9.9-3 Glenn Randers-Pehrson <glennrp@image...> * Fix memory leaks when reading a malformed JNG image: ImageMagick/ImageMagick#600). ImageMagick/ImageMagick#602). 2017-07-22 6.9.9-2 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 6.9.9-2, GIT revision 11786:21b23bf09:20170722. 2017-07-22 6.9.9-2 Cristy <quetzlzacatenango@image...> * composite -dissolve works again reference ImageMagick/ImageMagick#597). 2017-07-21 6.9.9-1 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 6.9.9-1, GIT revision 11782:75f7e994e:20170721. 2017-07-19 6.9.9-1 Cristy <quetzlzacatenango@image...> * Fixed numerous memory leaks (reference https://github.com/ImageMagick/ImageMagick/issues). 2017-07-15 6.9.9-1 Glenn Randers-Pehrson <glennrp@image...> * Don't write a hex-encoded Exif profile when writing the eXIf chunk. * Added caNv, eXIf, and pHYs to the list of PNG chunks to be removed by the "-strip" option. 2017-07-15 6.9.9-0 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 6.9.9-0, GIT revision 11738:8903861b2:20170715. 2017-07-13 6.9.9-0 Glenn Randers-Pehrson <glennrp@image...> * Implemented PNG eXIf chunk support. 2017-07-08 6.9.9-0 Cristy <quetzlzacatenango@image...> * Fixed numerous memory leaks (reference https://github.com/ImageMagick/ImageMagick/issues). * Don't use variable float_t / double_t, bump SO (reference ImageMagick/ImageMagick#510). * Support DNG images with libraw delegate library.

2017-09-11 7.0.7-2 Glenn Randers-Pehrson <glennrp@image...> * Use signed integer arithmetic to caluculate timezone corrections (reference ImageMagick/ImageMagick#685). 2017-09-09 7.0.7-1 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 7.0.7-1, GIT revision 21065:ab2194121:20170909. 2017-09-09 7.0.7-1 Cristy <quetzlzacatenango@image...> * Fixed numerous memory leaks (reference https://github.com/ImageMagick/ImageMagick/issues). 2017-09-05 7.0.7-1 Dirk Lemstra <dirk@lem.....org> * Added -define tiff:write-layers=true to add support for writing layered tiff files. 2017-09-03 7.0.7-0 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 7.0.7-0, GIT revision 20996:2f8ac2203:20170903. 2017-08-28 7.0.7-0 Cristy <quetzlzacatenango@image...> * Fixed numerous memory leaks (reference https://github.com/ImageMagick/ImageMagick/issues). * Don't overwrite symbolic links when the shred policy is enabled. 2017-08-27 7.0.6-10 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 7.0.6-10, GIT revision 20920:9940c367a:20170827. 2017-08-27 7.0.6-10 Cristy <quetzlzacatenango@image...> * Support -metric ssim, structual similarity index. 2017-08-26 7.0.6-10 Dirk Lemstra <dirk@lem.....org> * Fixed thread safety issue inside the pango and librsvg decoder (reference: dlemstra/Magick.NET#91). 2017-08-20 7.0.6-9 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 7.0.6-9, GIT revision 20860:3f307d8ad:20170820. 2017-08-18 7.0.6-9 Glenn Randers-Pehrson <glennrp@image...> * Fixed bug with writing tIME chunk when timezone has a negative offset (reference: ImageMagick/ImageMagick#685) 2017-08-18 7.0.6-8 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 7.0.6-8, GIT revision 20838:e2eb79427:20170818. 2017-08-14 7.0.6-7 Cristy <quetzlzacatenango@image...> * Fixed numerous memory leaks (reference https://github.com/ImageMagick/ImageMagick/issues). * Support CubicSpline resize filter. Define the lobes with the -define filter:lobes={2,3,4} (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=2&t=32506). * Prevent assertion failure when creating PDF thumbnail (reference ImageMagick/ImageMagick#674). 2017-08-12 7.0.6-7 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 7.0.6-7, GIT revision 20799:0db4d8a16:20170812. 2017-08-12 7.0.6-7 Cristy <quetzlzacatenango@image...> * Improve EPS aliasing (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32497). 2017-08-11 7.0.6-7 Dirk Lemstra <dirk@lem.....org> * Added a new option called 'dds:fast-mipmaps' (reference ImageMagick/ImageMagick#558) * The mipmaps of a dds image can now be created from a list of images with -define dds:mipmaps=fromlist (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=2&t=30236). 2017-08-10 7.0.6-6 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 7.0.6-6, GIT revision 20775:061d0fa25:20170810. 2017-08-10 7.0.6-6 Cristy <quetzlzacatenango@image...> * Fixed numerous memory leaks (reference https://github.com/ImageMagick/ImageMagick/issues). 2017-08-10 7.0.6-6 Glenn Randers-Pehrson <glennrp@image...> * tests/validate.c: Show the reason for failures in the test logs, if available. 2017-08-03 7.0.6-6 Glenn Randers-Pehrson <glennrp@image...> * Put UTC time in the PNG tIME chunk instead of local time (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32447). 2017-08-02 7.0.6-5 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 7.0.6-5, GIT revision 20715:26b28d50a:20170802. 2017-08-01 7.0.6-5 Cristy <quetzlzacatenango@image...> * Fixed numerous memory leaks (reference https://github.com/ImageMagick/ImageMagick/issues). 2017-07-29 7.0.6-5 Glenn Randers-Pehrson <glennrp@image...> * Properly set image->colorspace in the PNG decoder (previously it was setting image->gamma, but only setting image->colorspace for grayscale and gray-alpha images. Reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32418). * Fix improper use of NULL in the JNG decoder (CVE-2017-11750, Reference ImageMagick/ImageMagick#632). * Added "-define png:ignore-crc" option to PNG decoder. When you know your image has no CRC or ADLER32 errors, this can speed up decoding. It is also helpful in debugging bug reports from "fuzzers". 2017-07-29 7.0.6-5 Cristy <quetzlzacatenango@image...> * Off by one error for gradient coder (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32416), ImageMagick/ImageMagick#612). 2017-07-28 7.0.6-4 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 7.0.6-4, GIT revision 20657:4e81160d6:20170728. 2017-07-24 7.0.6-4 Cristy <quetzlzacatenango@image...> * YUV coder no longer renders streaks (reference ImageMagick/ImageMagick#612). * Fixed numerous memory leaks (reference https://github.com/ImageMagick/ImageMagick/issues) including ImageMagick/ImageMagick#618 (CVE-2017-12676). * coders/png.c: Initialized quantum_scanline and quantum_info to prevent a bad free (reference ImageMagick/ImageMagick#621). 2017-07-25 7.0.6-4 Glenn Randers-Pehrson <glennrp@image...> * Removed write_chunk_from_profile() from coders/png.c because it has not worked at least since version 6.7.6. * Removed many redundant checks before RelinquishMagickMemory(), which is safe to call with a NULL argument. * Added experimental PNG orNT chunk, to store image->orientation. * Removed vpAg chunk write support (we are now writing caNv instead). 2017-07-24 7.0.6-3 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 7.0.6-3, GIT revision 20598:cc9c43b44:20170724. 2017-07-23 7.0.6-3 Cristy <quetzlzacatenango@image...> * Fixed numerous memory leaks (reference https://github.com/ImageMagick/ImageMagick/issues). 2017-07-23 7.0.6-3 Glenn Randers-Pehrson <glennrp@image...> * Fix memory leaks when reading a malformed JNG image: ImageMagick/ImageMagick#600 (CVE-2017-13141), ImageMagick/ImageMagick#602 (CVE-2017-12565). 2017-07-21 7.0.6-2 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 7.0.6-2, GIT revision 20549:62fcf3d96:20170721. 2017-07-19 7.0.6-2 Cristy <quetzlzacatenango@image...> * Fixed numerous memory leaks (reference https://github.com/ImageMagick/ImageMagick/issues). * The -monochrome option no longer returns a blank canvas (reference ImageMagick/ImageMagick#594). * coders/png.c: fixed memory leak of quantum_info (CVE-2017-11539, reference ImageMagick/ImageMagick#582 * coders/png.c: fixed NULL dereference when trying to write an empty MNG (CVE-2017-11522, reference ImageMagick/ImageMagick#586). 2017-07-15 7.0.6-2 Glenn Randers-Pehrson <glennrp@image...> * Added caNv, eXIf, and pHYs to the list of PNG chunks to be removed by the "-strip" option. 2017-07-15 7.0.6-1 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 7.0.6-1, GIT revision 20447:c2a315e10:20170715. 2017-07-13 7.0.6-1 Glenn Randers-Pehrson <glennrp@image...> * Implemented PNG eXIf chunk support. 2017-07-08 7.0.6-1 Cristy <quetzlzacatenango@image...> * Support new -auto-threshold option. OTSU and Triangle methods are currently supported. Look for the Kapur method in the next release. * Fixed numerous memory leaks (reference https://github.com/ImageMagick/ImageMagick/issues). * Don't use variable float_t / double_t, bump SO (reference ImageMagick/ImageMagick#510). * Support DNG images with libraw delegate library. 2017-07-02 7.0.6-1 Glenn Randers-Pehrson <glennrp@image...> * Reject PNG file that is too small (under 60 bytes) to contain a valid image. * Reject JPEG file that is too small (under 107 bytes) to contain a valid image. * Reject JNG file that is too small (under 147 bytes) to contain a valid image. 2017-06-22 7.0.6-1 Glenn Randers-Pehrson <glennrp@image...> * Stop a memory leak in read_user_chunk_callback() (reference ImageMagick/ImageMagick#517, CVE 2017-11310).

Quoting CVE-related issues from https://github.com/ImageMagick/ImageMagick/blob/master/ChangeLog 2017-07-29 7.0.6-5 Glenn Randers-Pehrson <glennrp@image...> * Fix improper use of NULL in the JNG decoder (CVE-2017-11750, Reference ImageMagick/ImageMagick#632). 2017-07-24 7.0.6-4 Cristy <quetzlzacatenango@image...> * Fixed numerous memory leaks (reference https://github.com/ImageMagick/ImageMagick/issues) including ImageMagick/ImageMagick#618 (CVE-2017-12676). 2017-07-23 7.0.6-3 Glenn Randers-Pehrson <glennrp@image...> * Fix memory leaks when reading a malformed JNG image: ImageMagick/ImageMagick#600 (CVE-2017-13141), ImageMagick/ImageMagick#602 (CVE-2017-12565). 2017-07-19 7.0.6-2 Cristy <quetzlzacatenango@image...> * coders/png.c: fixed memory leak of quantum_info (CVE-2017-11539, reference ImageMagick/ImageMagick#582 * coders/png.c: fixed NULL dereference when trying to write an empty MNG (CVE-2017-11522, reference ImageMagick/ImageMagick#586). 2017-06-22 7.0.6-1 Glenn Randers-Pehrson <glennrp@image...> * Stop a memory leak in read_user_chunk_callback() (reference ImageMagick/ImageMagick#517, CVE 2017-11310). Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

Quoting CVE-related issues from https://github.com/ImageMagick/ImageMagick/blob/master/ChangeLog 2017-07-29 7.0.6-5 Glenn Randers-Pehrson <glennrp@image...> * Fix improper use of NULL in the JNG decoder (CVE-2017-11750, Reference ImageMagick/ImageMagick#632). 2017-07-24 7.0.6-4 Cristy <quetzlzacatenango@image...> * Fixed numerous memory leaks (reference https://github.com/ImageMagick/ImageMagick/issues) including ImageMagick/ImageMagick#618 (CVE-2017-12676). 2017-07-23 7.0.6-3 Glenn Randers-Pehrson <glennrp@image...> * Fix memory leaks when reading a malformed JNG image: ImageMagick/ImageMagick#600 (CVE-2017-13141), ImageMagick/ImageMagick#602 (CVE-2017-12565). 2017-07-19 7.0.6-2 Cristy <quetzlzacatenango@image...> * coders/png.c: fixed memory leak of quantum_info (CVE-2017-11539, reference ImageMagick/ImageMagick#582 * coders/png.c: fixed NULL dereference when trying to write an empty MNG (CVE-2017-11522, reference ImageMagick/ImageMagick#586). 2017-06-22 7.0.6-1 Glenn Randers-Pehrson <glennrp@image...> * Stop a memory leak in read_user_chunk_callback() (reference ImageMagick/ImageMagick#517, CVE 2017-11310). Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> (cherry picked from commit 1cf1b98) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

dlemstra closed this as completed Jul 25, 2017

dlemstra added the bug label Jul 25, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Null-Point reference in WriteOnePNGImage #586

Null-Point reference in WriteOnePNGImage #586

lcatro commented Jul 18, 2017

mikayla-grace commented Jul 18, 2017

bastien-roucaries commented Jul 19, 2017

lcatro commented Jul 19, 2017

bastien-roucaries commented Jul 21, 2017

bastien-roucaries commented Jul 21, 2017

lcatro commented Jul 21, 2017

attritionorg commented Jul 22, 2017

carnil commented Jul 23, 2017

dlemstra commented Jul 25, 2017

Null-Point reference in WriteOnePNGImage #586

Null-Point reference in WriteOnePNGImage #586

Comments

lcatro commented Jul 18, 2017

mikayla-grace commented Jul 18, 2017

bastien-roucaries commented Jul 19, 2017

lcatro commented Jul 19, 2017

bastien-roucaries commented Jul 21, 2017

bastien-roucaries commented Jul 21, 2017

lcatro commented Jul 21, 2017

attritionorg commented Jul 22, 2017

carnil commented Jul 23, 2017

dlemstra commented Jul 25, 2017