Version: ImageMagick 7.0.6-6 Q16 x86_64
#./magick identify $FILE
When identifying an SFW file, a heap buffer overflow vulnerability was found in function ReadSFWImage in coders/sfw.c. Here is the critical code:

```c
header=SFWScan(buffer,buffer+count-1,(const unsigned char *) "\377\310\377\320",4);   // line 271
```
In function SFWScan:

```c
static unsigned char *SFWScan(const unsigned char *p,const unsigned char *q,
  const unsigned char *target,const size_t length)
{
  register ssize_t
    i;

  if ((p+length) < q)
    while (p < q)
    {
      for (i=0; i < (ssize_t) length; i++)
        if (p[i] != target[i])   // line 133: heap buffer overflow
          break;
      if (i == (ssize_t) length)
        return((unsigned char *) p);
      p++;
    }
  return((unsigned char *) NULL);
}
```
The memory space of the heap buffer "p" is p~q (from p[0] to p[q-p-1]), but in the for-loop inside the while-loop, "p[i]" will lead to a heap buffer overflow.
testcase: https://github.com/bestshow/p0cs/blob/master/heap_buffer_overflow_in_SFWScan

Credit: ADLab of Venustech
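The over-read described in the report, reproduced as an added example (this is not code from the issue or from ImageMagick): the posted SFWScan loop is run side by side with a hardened variant written for this example, which is not ImageMagick's own patch. The input is a constructed byte array, not a real SFW file; the scanner is handed only its first BODY_LEN bytes as [p, q), while the bytes that complete the marker sit just past q inside the same array, so the original loop's read beyond q shows up as a "match" that starts inside the buffer and ends outside it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* The 4-byte marker ReadSFWImage searches for, "\377\310\377\320" in the
 * report, written out in hex. */
static const unsigned char SFW_TARGET[4] = { 0xFF, 0xC8, 0xFF, 0xD0 };

typedef const unsigned char *(*scan_fn)(const unsigned char *p,
    const unsigned char *q, const unsigned char *target, size_t length);

/* Search loop as posted in the report. The only bounds check is the
 * one-time test (p+length) < q; the while loop then advances p up to q-1
 * and the inner loop reads p[0..length-1], i.e. up to length-1 bytes past q. */
static const unsigned char *sfw_scan_original(const unsigned char *p,
    const unsigned char *q, const unsigned char *target, size_t length)
{
  ssize_t i;

  if ((p+length) < q)
    while (p < q)
    {
      for (i=0; i < (ssize_t) length; i++)
        if (p[i] != target[i])      /* p+i may already be beyond q */
          break;
      if (i == (ssize_t) length)
        return p;
      p++;
    }
  return NULL;
}

/* Hardened form, written for this example (not ImageMagick's own patch):
 * a candidate start s is only compared when s+length <= q, so every byte
 * read lies inside [p, q). */
static const unsigned char *sfw_scan_hardened(const unsigned char *p,
    const unsigned char *q, const unsigned char *target, size_t length)
{
  const unsigned char *last;

  if (q < p || (size_t) (q-p) < length)
    return NULL;
  last = q-length;                  /* last start with length bytes before q */
  for ( ; p <= last; p++)
    if (memcmp(p, target, length) == 0)
      return p;
  return NULL;
}

/* Constructed input, not a real SFW file. The logical buffer handed to the
 * scanner is the first BODY_LEN bytes and ends halfway through the marker.
 * The GUARD bytes sit after the logical end but inside the same array, so
 * the original loop's over-read is observable without undefined behaviour. */
#define BODY_LEN 8
#define GUARD_LEN 4
static const unsigned char truncated[BODY_LEN + GUARD_LEN] = {
  0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0xFF, 0xC8,   /* logical buffer [p, q) */
  0xFF, 0xD0, 0xAA, 0xBB                            /* beyond q */
};

/* Second constructed buffer in which the marker lies fully inside [p, q). */
static const unsigned char complete[6] = { 0x01, 0xFF, 0xC8, 0xFF, 0xD0, 0x02 };

/* Runs one scanner over buf[0..len) and returns the match offset, or -1. */
static long scan_offset(scan_fn scan, const unsigned char *buf, size_t len)
{
  const unsigned char *hit = scan(buf, buf+len, SFW_TARGET, sizeof SFW_TARGET);
  return hit == NULL ? -1 : (long) (hit-buf);
}

long original_on_truncated(void) { return scan_offset(sfw_scan_original, truncated, BODY_LEN); }
long hardened_on_truncated(void) { return scan_offset(sfw_scan_hardened, truncated, BODY_LEN); }
long original_on_complete(void)  { return scan_offset(sfw_scan_original, complete, sizeof complete); }
long hardened_on_complete(void)  { return scan_offset(sfw_scan_hardened, complete, sizeof complete); }

int main(void)
{
  /* Original reports a match at offset 6 that extends two bytes past q;
   * the hardened scan reports no match. Both find the complete marker at 1. */
  printf("truncated: original=%ld hardened=%ld\n",
         original_on_truncated(), hardened_on_truncated());
  printf("complete:  original=%ld hardened=%ld\n",
         original_on_complete(), hardened_on_complete());
  return 0;
}
```

Note that ReadSFWImage passes buffer+count-1 as q, whereas this example uses the half-open [p, q) convention the report's own description of the valid range implies; in either convention the original inner loop can index past q, and the fix is the same: only compare a window that fits before q.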
Fixed buffer overflow reported in #670
5304ae1
1b234b4
Please use CVE-2017-13134 for this issue.