Closed
Description
Crash Link: https://raw.githubusercontent.com/lcatro/My_PoC/master/ImageMagick/heap-overflow_output_cip_READ_GetPixelLuma
Trigger Command: ./magick convert heap-overflow_output_cip_READ_GetPixelLuma output.cip
Crash Detail:
```
fuzzing@ubuntu:~/fuzzing/ImageMagick/utilities$ ./magick convert fuzzdata_2017_7_18_10_57_5/crash/heap-buffer-overflow-READ-0x7f60f211f858_output_cip_1500414418.62 output.cip
=================================================================
==65448==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000008c00 at pc 0x7fc9ed7a1858 bp 0x7ffd0c857940 sp 0x7ffd0c857930
READ of size 4 at 0x625000008c00 thread T0
    #0 0x7fc9ed7a1857 in GetPixelLuma MagickCore/pixel-accessor.h:286
    #1 0x7fc9ed7a25bb in WriteCIPImage coders/cip.c:249
    #2 0x7fc9ed3fc22b in WriteImage MagickCore/constitute.c:1114
    #3 0x7fc9ed3fcea7 in WriteImages MagickCore/constitute.c:1333
    #4 0x7fc9ecc4c3bb in ConvertImageCommand MagickWand/convert.c:3280
    #5 0x7fc9ecd44d68 in MagickCommandGenesis MagickWand/mogrify.c:183
    #6 0x4017f1 in MagickMain utilities/magick.c:149
    #7 0x4019d2 in main utilities/magick.c:180
    #8 0x7fc9ec4b982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x401308 in _start (/home/fuzzing/fuzzing/ImageMagick/utilities/.libs/lt-magick+0x401308)

0x625000008c00 is located 0 bytes to the right of 3072-byte region [0x625000008000,0x625000008c00)
allocated by thread T0 here:
    #0 0x7fc9ee0aa076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x7fc9ed5a6d17 in AcquireAlignedMemory MagickCore/memory.c:262
    #2 0x7fc9ed397796 in OpenPixelCache MagickCore/cache.c:3558
    #3 0x7fc9ed38ffd1 in GetImagePixelCache MagickCore/cache.c:1667
    #4 0x7fc9ed39f255 in SyncImagePixelCache MagickCore/cache.c:5257
    #5 0x7fc9ed572a42 in SetImageExtent MagickCore/image.c:2554
    #6 0x7fc9ed9473a2 in ReadTXTImage coders/txt.c:451
    #7 0x7fc9ed3f90cd in ReadImage MagickCore/constitute.c:497
    #8 0x7fc9ed3fb2cc in ReadImages MagickCore/constitute.c:866
    #9 0x7fc9ecbb607d in ConvertImageCommand MagickWand/convert.c:641
    #10 0x7fc9ecd44d68 in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x4017f1 in MagickMain utilities/magick.c:149
    #12 0x4019d2 in main utilities/magick.c:180
    #13 0x7fc9ec4b982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/pixel-accessor.h:286 GetPixelLuma
Shadow bytes around the buggy address:
  0x0c4a7fff9130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff9140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff9150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff9160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff9170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff9180:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff9190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff91a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff91b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff91c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff91d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==65448==ABORTING
```