
Heap-Overflow in GetPixelLuma() MagickCore/pixel-accessor.h #588

Closed
lcatro opened this issue Jul 19, 2017 · 5 comments

@lcatro

commented Jul 19, 2017

Crash Link: https://raw.githubusercontent.com/lcatro/My_PoC/master/ImageMagick/heap-overflow_output_cip_READ_GetPixelLuma

Trigger Command: ./magick convert heap-overflow_output_cip_READ_GetPixelLuma output.cip

Crash Detail:

fuzzing@ubuntu:~/fuzzing/ImageMagick/utilities$ ./magick convert fuzzdata_2017_7_18_10_57_5/crash/heap-buffer-overflow-READ-0x7f60f211f858_output_cip_1500414418.62 output.cip
=================================================================
==65448==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000008c00 at pc 0x7fc9ed7a1858 bp 0x7ffd0c857940 sp 0x7ffd0c857930
READ of size 4 at 0x625000008c00 thread T0
    #0 0x7fc9ed7a1857 in GetPixelLuma MagickCore/pixel-accessor.h:286
    #1 0x7fc9ed7a25bb in WriteCIPImage coders/cip.c:249
    #2 0x7fc9ed3fc22b in WriteImage MagickCore/constitute.c:1114
    #3 0x7fc9ed3fcea7 in WriteImages MagickCore/constitute.c:1333
    #4 0x7fc9ecc4c3bb in ConvertImageCommand MagickWand/convert.c:3280
    #5 0x7fc9ecd44d68 in MagickCommandGenesis MagickWand/mogrify.c:183
    #6 0x4017f1 in MagickMain utilities/magick.c:149
    #7 0x4019d2 in main utilities/magick.c:180
    #8 0x7fc9ec4b982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x401308 in _start (/home/fuzzing/fuzzing/ImageMagick/utilities/.libs/lt-magick+0x401308)

0x625000008c00 is located 0 bytes to the right of 3072-byte region [0x625000008000,0x625000008c00)
allocated by thread T0 here:
    #0 0x7fc9ee0aa076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x7fc9ed5a6d17 in AcquireAlignedMemory MagickCore/memory.c:262
    #2 0x7fc9ed397796 in OpenPixelCache MagickCore/cache.c:3558
    #3 0x7fc9ed38ffd1 in GetImagePixelCache MagickCore/cache.c:1667
    #4 0x7fc9ed39f255 in SyncImagePixelCache MagickCore/cache.c:5257
    #5 0x7fc9ed572a42 in SetImageExtent MagickCore/image.c:2554
    #6 0x7fc9ed9473a2 in ReadTXTImage coders/txt.c:451
    #7 0x7fc9ed3f90cd in ReadImage MagickCore/constitute.c:497
    #8 0x7fc9ed3fb2cc in ReadImages MagickCore/constitute.c:866
    #9 0x7fc9ecbb607d in ConvertImageCommand MagickWand/convert.c:641
    #10 0x7fc9ecd44d68 in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x4017f1 in MagickMain utilities/magick.c:149
    #12 0x4019d2 in main utilities/magick.c:180
    #13 0x7fc9ec4b982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/pixel-accessor.h:286 GetPixelLuma
==65448==ABORTING
@mikayla-grace

commented Jul 19, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

dlemstra pushed a commit that referenced this issue Jul 19, 2017

Cristy

@dlemstra dlemstra added the bug label Jul 19, 2017

@dlemstra dlemstra closed this Jul 19, 2017

@lcatro (Author)

commented Jul 26, 2017

Hello @mikayla-grace @dlemstra, this heap-overflow fix is incomplete, please reproduce with my sample file: https://raw.githubusercontent.com/lcatro/Fuzzing-ImageMagick/master/ImageMagick_crash/heap-buffer-overflow-READ-0x7f78da4c320e_output_cip_1501014029.08

fuzzing@ubuntu:~/fuzzing/ImageMagick/utilities$ ./magick convert heap-buffer-overflow-READ-0x7f78da4c320e_output_cip_1501014029.08 output.cip
=================================================================
==806==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60a000044780 at pc 0x7f7ff92c520e bp 0x7ffd7cb1dd60 sp 0x7ffd7cb1dd50
READ of size 4 at 0x60a000044780 thread T0
    #0 0x7f7ff92c520d in GetPixelLuma MagickCore/pixel-accessor.h:284
    #1 0x7f7ff92c520d in WriteCIPImage coders/cip.c:249
    #2 0x7f7ff8f92275 in WriteImage MagickCore/constitute.c:1114
    #3 0x7f7ff8f92f10 in WriteImages MagickCore/constitute.c:1333
    #4 0x7f7ff88de956 in ConvertImageCommand MagickWand/convert.c:3280
    #5 0x7f7ff89a3a6e in MagickCommandGenesis MagickWand/mogrify.c:183
    #6 0x4016d9 in MagickMain utilities/magick.c:149
    #7 0x7f7ff824a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x401348 in _start (/home/fuzzing/fuzzing/ImageMagick/utilities/.libs/lt-magick+0x401348)

0x60a000044780 is located 0 bytes to the right of 64-byte region [0x60a000044740,0x60a000044780)
allocated by thread T0 here:
    #0 0x7f7ff9b2f076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x7f7ff90d29d4 in AcquireAlignedMemory MagickCore/memory.c:262

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/pixel-accessor.h:284 GetPixelLuma
==806==ABORTING
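An added example, not code from the issue or from ImageMagick: a small triage helper that parses the two AddressSanitizer reports above and compares crash sites by bug class, access type and top frames (function and file, with line numbers dropped because they shift between builds). Run over these two reports it shows they hit the same site in GetPixelLuma via WriteCIPImage, which is what made the second report evidence of an incomplete fix rather than a new bug. The report strings are constructed excerpts of the lines quoted above.

```python
import re
from dataclasses import dataclass

# Constructed excerpts of the two reports in this issue (only the lines the parser needs).
REPORT_1 = """\
==65448==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000008c00 at pc 0x7fc9ed7a1858 bp 0x7ffd0c857940 sp 0x7ffd0c857930
READ of size 4 at 0x625000008c00 thread T0
    #0 0x7fc9ed7a1857 in GetPixelLuma MagickCore/pixel-accessor.h:286
    #1 0x7fc9ed7a25bb in WriteCIPImage coders/cip.c:249
0x625000008c00 is located 0 bytes to the right of 3072-byte region [0x625000008000,0x625000008c00)
"""
REPORT_2 = """\
==806==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60a000044780 at pc 0x7f7ff92c520e bp 0x7ffd7cb1dd60 sp 0x7ffd7cb1dd50
READ of size 4 at 0x60a000044780 thread T0
    #0 0x7f7ff92c520d in GetPixelLuma MagickCore/pixel-accessor.h:284
    #1 0x7f7ff92c520d in WriteCIPImage coders/cip.c:249
0x60a000044780 is located 0 bytes to the right of 64-byte region [0x60a000044740,0x60a000044780)
"""

_ERR = re.compile(r"ERROR: AddressSanitizer: (\S+) on address")
_ACC = re.compile(r"^(READ|WRITE) of size (\d+) at", re.M)
_FRAME = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):\d+$", re.M)
_LOC = re.compile(r"is located (\d+) bytes to the (right|left) of (\d+)-byte region")

@dataclass(frozen=True)
class AsanTriage:
    kind: str      # bug class, e.g. heap-buffer-overflow
    access: str    # READ or WRITE
    size: int      # bytes accessed
    frames: tuple  # ((function, file), ...) for the top frames, line numbers dropped
    region: int    # size of the allocation the access missed
    offset: int    # bytes past the region end (negative when before its start)

    def signature(self):
        # Crash-site identity: bug class, access type and top frames.
        return (self.kind, self.access) + self.frames

def parse_asan(report, depth=2):
    err, acc, loc = _ERR.search(report), _ACC.search(report), _LOC.search(report)
    if not (err and acc and loc):
        raise ValueError("not a recognised AddressSanitizer report")
    frames = tuple((m.group(1), m.group(2)) for m in _FRAME.finditer(report))[:depth]
    offset = int(loc.group(1)) * (-1 if loc.group(2) == "left" else 1)
    return AsanTriage(err.group(1), acc.group(1), int(acc.group(2)), frames, int(loc.group(3)), offset)

def same_site(a, b):
    # True when two reports are the same crash site, i.e. a candidate incomplete fix.
    return a.signature() == b.signature()
```

Both reports read exactly at the end of their pixel-cache region (offset 0), with region sizes 3072 and 64 bytes, so the over-read is by a fixed stride rather than by a size that scales with the buffer.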

@dlemstra dlemstra reopened this Jul 26, 2017

@mikayla-grace

commented Jul 26, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

dlemstra pushed a commit that referenced this issue Jul 26, 2017

Cristy

dlemstra pushed a commit that referenced this issue Jul 26, 2017

@bastien-roucaries

commented Jul 29, 2017

This is CVE-2017-11639


@dlemstra dlemstra closed this Aug 22, 2017
