-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Undefined behaviors of casting double
to size_t
in svg, mvg and other coders (recurring bugs of CVE-2022-32546)
#6341
Comments
Thanks for the problem report. We can reproduce it and will have a patch to fix it in the GIT main branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://imagemagick.org/archive/beta/ by sometime tomorrow. |
7.1.1-10 - 2023-05-21 Commits beta release e31343f carefully crafted image files (TIM2, JPEG) no longer overflow buffer nor use heap after free (thanks to Juzhi Lu, Zhen Zhou, Likang Luo of NSFOCUS Security Team) 1061db7 cosmetic bbf3966 Tweaks to devcontainer to also make it possible to run it locally dfb0b6e Switch to regular Ubuntu image instead. b1ea9fe Make sure options are properly quoted to resolve the issue reported in #6338. d31c80d Mark argument as unused. 43e2cb6 possible RCE vulnerability (ImageMagick/ImageMagick#6339) 17c4859 properly cast double to size_t (ImageMagick/ImageMagick#6341) 3d6d98d cosmetic 8ce0403 Fixed MSYS2 build error. f9c9da1 Forgot to save file before commit. 7566fdd Reverted the patch of ImageMagick/ImageMagick#6339. 99b72d8 add caution when enabling pipe support 1ff6dd4 eliminate compiler warning 4873197 do not initialize structures on stack 7c7d2fd Use memset to initialize structures. 68148d5 incompatible function pointer types passing (ImageMagick/ImageMagick#6347) 2fbf938 Fixed Windows build. 3b5d986 release fa1d7e6 7.1.1-9 - 2023-05-14 Merged Add support for Oklab #6309 Commits beta release 0bb7454 Code cleanup of the fuzzers and silence warnings. d636ff4 update autoconf configuration file 699085f framework for magick cache repository coder 46fe429 support digital media repository 0a439ab check for NaN values c5762cc alpha release of the digital media repository coder 1b82a1d eliminate memory leak 514070c bump minimum MagickCache version 6f00ac4 get the width of the main channel d4ac19b Use autoreconf -fiv instead. fb1e259 support meta resource type be401fb The libheif project switched to cmake. 6b76461 account for # channels in image 402c32d Try to add libde265 to the linking to fix the fuzz build. 7410474 ensure blob and meta resource type can make a round trip 3797114 only clone resource image, not blob or meta 7a63f55 Revert changes. f8feb2e Corrected linker flags. 3a1ce45 No longer use HOST_FILLORDER but force the user to specify it when they don't want LSB byte order (#6300). 937d3dd Tiny optimization. ac48d89 Code style changes. 783a78f log gamma 0cf104a rename Oklab to OkLab eb44114 revert afb52e3 cosmetic d35b2ab don't default grayscale to paletted for PNG (ImageMagick/ImageMagick#6314) ac5f29e release 776a88d
CVE-2023-34151 was assigned for this issue. |
@urban-warrior Hello! Recently I have tested presence of CVE-2023-34151 in actual code of ImageMagick and I think that bug was not properly closed. Maybe I am wrong. Please let me know, what do yo think about it. Steps to reproduce. Take vagrant image of debian bookworm from here.
(I imported image of debian bookworm locally with name
Login into VM with ssh:
Update VMs OS apt cache using
See logs of build deps installation here.
(logs of installation of this packages you can see here)
Current commit in my case when I tested:
Then run configure as it was defined in this issue:
You can see configuration logs here.
You can see make logs here.
And finally try to reproduce CVE using
I think, that this output shows that there is no problem with file @urban-warrior, please, let me know, what dou you think about this observation. |
JFYI After 5ab109d error message was little changed, but I think bug remains for mvg:
|
After change like 5ab109d for other casts error transforms but remains:
|
It's interesting, that now, as I understand, problem is here: ImageMagick/MagickCore/image-private.h Line 124 in 58e7ea2
I don't understand how to fix it in right way for now :( |
That range error happens when static inline size_t CastDoubleToUnsigned(const double x)
{
double
value;
if (IsNaN(x) != 0)
{
errno=ERANGE;
return(0);
}
value=floor(x);
if (value > ((double) MAGICK_SIZE_MAX-1))
{
errno=ERANGE;
return((size_t) MAGICK_SIZE_MAX);
}
if (value < 0.0)
{
errno=ERANGE;
return(0);
}
return((size_t) value);
} |
Unfortunately, problem remains after ae164b0 with mvg:
It is still here: ImageMagick/MagickCore/image-private.h Line 134 in ae164b0
|
Using
|
Am I doing something wrong? |
Thank you for reporting the issue. We have successfully reproduced it and are actively working on a patch to resolve it. You can expect this patch to be merged into the main GIT branch, later today. As part of our commitment to quality, this fix will also be included in the upcoming beta releases of ImageMagick by tomorrow. Your patience and feedback are greatly appreciated. |
I'm sorry for anxiety, but problem remains in current master:
I think, the problem with this issue is that is is in closed status. |
This looks like an issue in your build/runtime environment @syominsergey. When stepping through this with a debugger the return value of |
@dlemstra, thank you for your answer! And what environment do you use? Also I noticed, that @urban-warrior here approved that he reproduced the problem and working on it. |
You can simplify my vagrant configuration like this, because you don't need, as I think, to download and import vagrant image from this page manually (I need to do this because of some reasons):
All other steps, I think, will be the same. Number of cpus and memory size, as I think, are also optional and depends on resources you have on your host system. |
We applied patches and can no longer reproduce this in our environment but for some reason this is still in issue on your environment. It's now up to you to debug the application and point out what kind of information we are missing and come up with a patch for this. I would advise you to add some |
@dlemstra, thank you for your answer. |
I might have solved your issue. At least that is what GitHub Copilot is thinking. This was one thing that I didn't use yet and it thinks that you are having issues with the precision limitations of a double. Can you try it again and check if that patch finally resolves the issue in your environment? |
@dlemstra, sorry, what patch do you mean? Where can I get it? |
Oh, understand, maybe you mean this commit? |
Yes, now it looks like bug really was closed!
@dlemstra, thank you! |
Please, let me know - will all these necessary commits be backported to https://github.com/ImageMagick/ImageMagick6 ? |
For now mvg bug is still in https://github.com/ImageMagick/ImageMagick6
|
I saw some previous commits from here were backported to https://github.com/ImageMagick/ImageMagick6, so I decided to ask about possibility to backport all necessary commits into ImageMagick6 to properly close CVE-2022-32546 in that library. |
We cannot reproduce the bitcoin.svg issue you posted. We get
Notice, no run-time exception thrown by UBSAN. |
It is all ok with bitcoin.svg. |
All recent activity here is because of piechart.mvg. |
ASAN + UBSAN enabled, from
No undefined behaviors are thrown. |
@urban-warrior, please let me know - are you checking actual main of ImageMagick6? |
And please let me know: are you using all of these sanitizers as described in current issue?
Not only ASAN + UBSAN. I think float-cast-overflow is also important. The most important in case of current issue. |
I see that now exactly after ImageMagick/ImageMagick6@be15ac9 (I checked this), the problem with mvg is also fixed for ImageMagick6:
@urban-warrior, thank you! |
ImageMagick version
7.1.30-0
Operating system
Linux
Operating system, version and so on
Any
Description
While reviewing historical vulnerabilities, I discovered several similar bugs just like issue #4985 which was later assigned CVE-2022-32546.
The original vulnerability relates to casting a width/height value in
double
tosize_t
orunsigned long
, which denotes columns/rows number in pixels. The issue concerns about PCL format, and the fix (#4986 ) was about PCL only.However, with a CodeQL rule, I am able to find almost the same issues in several other readers
ReadXXXImage
functions, like CAPTION, EMF, LABEL, MVG, PS, PS2, PS3, SVG, WMF. It was easy to construct sample mvg and svg files to trigger these bugs, as shown below.Steps to Reproduce
Prerequisite
configure ImageMagick with UBSAN. If compiled with gcc, specifically turn on
flow-cast-overflow
:Trigger
Use the malformed sample files in the attached zip. The following commands demonstrates the bugs.
Images
samples.zip
Reporter
fullwaywang
The text was updated successfully, but these errors were encountered: