Undefined behaviors of casting double to size_t in svg, mvg and other coders (recurring bugs of CVE-2022-32546)
#6341
Comments
|
Thanks for the problem report. We can reproduce it and will have a patch to fix it in the GIT main branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://imagemagick.org/archive/beta/ by sometime tomorrow. |
7.1.1-10 - 2023-05-21
Commits
beta release e31343f
carefully crafted image files (TIM2, JPEG) no longer overflow buffer nor use heap after free (thanks to Juzhi Lu, Zhen Zhou, Likang Luo of NSFOCUS Security Team) 1061db7
cosmetic bbf3966
Tweaks to devcontainer to also make it possible to run it locally dfb0b6e
Switch to regular Ubuntu image instead. b1ea9fe
Make sure options are properly quoted to resolve the issue reported in #6338. d31c80d
Mark argument as unused. 43e2cb6
possible RCE vulnerability (ImageMagick/ImageMagick#6339) 17c4859
properly cast double to size_t (ImageMagick/ImageMagick#6341) 3d6d98d
cosmetic 8ce0403
Fixed MSYS2 build error. f9c9da1
Forgot to save file before commit. 7566fdd
Reverted the patch of ImageMagick/ImageMagick#6339. 99b72d8
add caution when enabling pipe support 1ff6dd4
eliminate compiler warning 4873197
do not initialize structures on stack 7c7d2fd
Use memset to initialize structures. 68148d5
incompatible function pointer types passing (ImageMagick/ImageMagick#6347) 2fbf938
Fixed Windows build. 3b5d986
release fa1d7e6
7.1.1-9 - 2023-05-14
Merged
Add support for Oklab #6309
Commits
beta release 0bb7454
Code cleanup of the fuzzers and silence warnings. d636ff4
update autoconf configuration file 699085f
framework for magick cache repository coder 46fe429
support digital media repository 0a439ab
check for NaN values c5762cc
alpha release of the digital media repository coder 1b82a1d
eliminate memory leak 514070c
bump minimum MagickCache version 6f00ac4
get the width of the main channel d4ac19b
Use autoreconf -fiv instead. fb1e259
support meta resource type be401fb
The libheif project switched to cmake. 6b76461
account for # channels in image 402c32d
Try to add libde265 to the linking to fix the fuzz build. 7410474
ensure blob and meta resource type can make a round trip 3797114
only clone resource image, not blob or meta 7a63f55
Revert changes. f8feb2e
Corrected linker flags. 3a1ce45
No longer use HOST_FILLORDER but force the user to specify it when they don't want LSB byte order (#6300). 937d3dd
Tiny optimization. ac48d89
Code style changes. 783a78f
log gamma 0cf104a
rename Oklab to OkLab eb44114
revert afb52e3
cosmetic d35b2ab
don't default grayscale to paletted for PNG (ImageMagick/ImageMagick#6314) ac5f29e
release 776a88d
|
CVE-2023-34151 was assigned for this issue. |
|
@urban-warrior Hello! Recently I have tested presence of CVE-2023-34151 in actual code of ImageMagick and I think that bug was not properly closed. Maybe I am wrong. Please let me know, what do yo think about it. Steps to reproduce. Take vagrant image of debian bookworm from here. (I imported image of debian bookworm locally with name Login into VM with ssh: Update VMs OS apt cache using See logs of build deps installation here. (logs of installation of this packages you can see here) Current commit in my case when I tested: Then run configure as it was defined in this issue: You can see configuration logs here. You can see make logs here. And finally try to reproduce CVE using I think, that this output shows that there is no problem with file @urban-warrior, please, let me know, what dou you think about this observation. |
|
JFYI After 5ab109d error message was little changed, but I think bug remains for mvg: |
|
After change like 5ab109d for other casts error transforms but remains: |
|
It's interesting, that now, as I understand, problem is here: ImageMagick/MagickCore/image-private.h Line 124 in 58e7ea2 I don't understand how to fix it in right way for now :( |
|
That range error happens when static inline size_t CastDoubleToUnsigned(const double x)
{
double
value;
if (IsNaN(x) != 0)
{
errno=ERANGE;
return(0);
}
value=floor(x);
if (value > ((double) MAGICK_SIZE_MAX-1))
{
errno=ERANGE;
return((size_t) MAGICK_SIZE_MAX);
}
if (value < 0.0)
{
errno=ERANGE;
return(0);
}
return((size_t) value);
} |
|
Unfortunately, problem remains after ae164b0 with mvg: It is still here: ImageMagick/MagickCore/image-private.h Line 134 in ae164b0 |
|
Using |
|
Am I doing something wrong? |
|
Thank you for reporting the issue. We have successfully reproduced it and are actively working on a patch to resolve it. You can expect this patch to be merged into the main GIT branch, later today. As part of our commitment to quality, this fix will also be included in the upcoming beta releases of ImageMagick by tomorrow. Your patience and feedback are greatly appreciated. |
|
I'm sorry for anxiety, but problem remains in current master: I think, the problem with this issue is that is is in closed status. |
|
This looks like an issue in your build/runtime environment @syominsergey. When stepping through this with a debugger the return value of |
|
@dlemstra, thank you for your answer! And what environment do you use? Also I noticed, that @urban-warrior here approved that he reproduced the problem and working on it. |
|
You can simplify my vagrant configuration like this, because you don't need, as I think, to download and import vagrant image from this page manually (I need to do this because of some reasons): All other steps, I think, will be the same. Number of cpus and memory size, as I think, are also optional and depends on resources you have on your host system. |
|
We applied patches and can no longer reproduce this in our environment but for some reason this is still in issue on your environment. It's now up to you to debug the application and point out what kind of information we are missing and come up with a patch for this. I would advise you to add some |
|
@dlemstra, thank you for your answer. |
|
I might have solved your issue. At least that is what GitHub Copilot is thinking. This was one thing that I didn't use yet and it thinks that you are having issues with the precision limitations of a double. Can you try it again and check if that patch finally resolves the issue in your environment? |
|
@dlemstra, sorry, what patch do you mean? Where can I get it? |
|
I don't see any new commits, so I decided to ask where I can get patch to test. |
|
Oh, understand, maybe you mean this commit? |
|
Yes, now it looks like bug really was closed! @dlemstra, thank you! |
|
Please, let me know - will all these necessary commits be backported to https://github.com/ImageMagick/ImageMagick6 ? |
|
For now mvg bug is still in https://github.com/ImageMagick/ImageMagick6 |
|
I saw some previous commits from here were backported to https://github.com/ImageMagick/ImageMagick6, so I decided to ask about possibility to backport all necessary commits into ImageMagick6 to properly close CVE-2022-32546 in that library. |
|
We cannot reproduce the bitcoin.svg issue you posted. We get Notice, no run-time exception thrown by UBSAN. |
|
It is all ok with bitcoin.svg. |
|
All recent activity here is because of piechart.mvg. |
|
ASAN + UBSAN enabled, from No undefined behaviors are thrown. |
|
@urban-warrior, please let me know - are you checking actual main of ImageMagick6? |
|
And please let me know: are you using all of these sanitizers as described in current issue? Not only ASAN + UBSAN. I think float-cast-overflow is also important. The most important in case of current issue. |
|
I see that now exactly after ImageMagick/ImageMagick6@be15ac9 (I checked this), the problem with mvg is also fixed for ImageMagick6: @urban-warrior, thank you! |
ImageMagick version
7.1.30-0
Operating system
Linux
Operating system, version and so on
Any
Description
While reviewing historical vulnerabilities, I discovered several similar bugs just like issue #4985 which was later assigned CVE-2022-32546.
The original vulnerability relates to casting a width/height value in
doubletosize_torunsigned long, which denotes columns/rows number in pixels. The issue concerns about PCL format, and the fix (#4986 ) was about PCL only.However, with a CodeQL rule, I am able to find almost the same issues in several other readers
ReadXXXImagefunctions, like CAPTION, EMF, LABEL, MVG, PS, PS2, PS3, SVG, WMF. It was easy to construct sample mvg and svg files to trigger these bugs, as shown below.Steps to Reproduce
Prerequisite
configure ImageMagick with UBSAN. If compiled with gcc, specifically turn on
flow-cast-overflow:Trigger
Use the malformed sample files in the attached zip. The following commands demonstrates the bugs.
Images
samples.zip
Reporter
fullwaywang
The text was updated successfully, but these errors were encountered: