Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap-buffer-overflow READ in GetImageDepth._omp_fn.2 MagickCore/attribute.c:491 #629

Closed
zhouat opened this issue Jul 29, 2017 · 3 comments

Comments

Projects
None yet
4 participants
@zhouat
Copy link

commented Jul 29, 2017

Poc link: https://github.com/zhouat/poc_IM/blob/master/heap-buffer-overflow-READ-0x0000006869f0_output_json_1501326140.06.fits

Trigger Command:

magick convert heap-buffer-overflow-READ 0x0000006869f0_output_json_1501326140.06.fits output.json

AddressSanitizer output:

heap-buffer-overflow READ json

=================================================================
==13039==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a000016840 at pc 0x0000006869f0 bp 0x7ffda0c438c0 sp 0x7ffda0c438b0
READ of size 4 at 0x62a000016840 thread T0
    #0 0x6869ef in GetImageDepth._omp_fn.2 MagickCore/attribute.c:491
    #1 0x7f85027a8cbe in GOMP_parallel (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0xbcbe)
    #2 0x682db8 in GetImageDepth MagickCore/attribute.c:446
    #3 0x5565bd in EncodeImageAttributes coders/json.c:919
    #4 0x55ab60 in WriteJSONImage coders/json.c:1616
    #5 0x6fdf32 in WriteImage MagickCore/constitute.c:1114
    #6 0x6feb74 in WriteImages MagickCore/constitute.c:1333
    #7 0x9ef4a5 in ConvertImageCommand MagickWand/convert.c:3280
    #8 0xa16fa0 in MagickCommandGenesis MagickWand/mogrify.c:183
    #9 0x4049c1 in MagickMain utilities/magick.c:149
    #10 0x404ba2 in main utilities/magick.c:180
    #11 0x7f8501cb882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x4044d8 in _start (/ImageMagick/utilities/magick+0x4044d8)

@zhouat zhouat changed the title Heap-buffer-overflow in GetImageDepth._omp_fn.2 MagickCore/attribute.c:491 Heap-buffer-overflow READ in GetImageDepth._omp_fn.2 MagickCore/attribute.c:491 Jul 29, 2017

@mikayla-grace

This comment has been minimized.

Copy link

commented Jul 29, 2017

Unfortunately we cannot reproduce the problem you reported. We're using ImageMagick 7.0.6-4 beta and gcc 7.1.1 with -fsanitize=address enabled:

$ magick convert heap-buffer-overflow-READ-0x0000006869f0_output_json_1501326140.06.fits output.json
$ more output.json
[{
  "image": {
    "name": "output.json",
    "baseName": "heap-buffer-overflow-READ-0x0000006869f0_output_json_1501326140
.06.fits",
    "format": "FITS",
    "formatDescription": "FITS",
    "class": "DirectClass",
...
@bastien-roucaries

This comment has been minimized.

Copy link

commented Aug 2, 2017

reservation open as CVE-2017-11753

@dlemstra

This comment has been minimized.

Copy link
Member

commented Aug 2, 2017

Fixes are 5095363 and ccc71c1. One of the fixes is for the issue reported and the other one is a similar issue at another place in the same method. This is an IM7 only issue.

@dlemstra dlemstra added the bug label Aug 7, 2017

@dlemstra dlemstra closed this Aug 7, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.