
heap buffer overflow in SFWScan #670

Closed
bestshow opened this issue Aug 12, 2017 · 1 comment

@bestshow

Version: ImageMagick 7.0.6-6 Q16 x86_64

#./magick identify $FILE

When identifying an SFW file, a heap buffer overflow vulnerability was found in function ReadSFWImage in coders/sfw.c. Here is the critical code:

  header=SFWScan(buffer,buffer+count-1,(const unsigned char *) //271
    "\377\310\377\320",4);

In function SFWScan:

static unsigned char *SFWScan(const unsigned char *p,const unsigned char *q,
  const unsigned char *target,const size_t length)
{
  register ssize_t
    i;

  if ((p+length) < q)
    while (p < q)
    {
      for (i=0; i < (ssize_t) length; i++)
        if (p[i] != target[i]) // 133  heap buffer overflow
          break;
      if (i == (ssize_t) length)
        return((unsigned char *) p);
      p++;
    }
  return((unsigned char *) NULL);
}

The memory space of the heap buffer "p" is p~q (from p[0] to p[q-p-1]), but in the for-loop inside the while, "p[i]" will lead to a heap buffer overflow.

testcase: https://github.com/bestshow/p0cs/blob/master/heap_buffer_overflow_in_SFWScan
Credit: ADLab of Venustech
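
An added example, not ImageMagick's code and not part of the report above: a bounds-instrumented model of the SFWScan loop that reports the highest offset the original control flow would touch on a constructed 8-byte buffer, beside a hardened scan that only compares windows ending at or before q. The names sfwscan_original_max_offset, sfwscan_safe and the sample buffers are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed samples. `sample` carries the first three bytes of the SFW
 * marker \377\310\377\320 at its tail, so a scan starting at offset 5 matches
 * three bytes and must then look at offset 8, one past the end.
 * `sample_hit` contains the whole marker at offset 3. */
static const unsigned char sample[8]     = { 0x00,0x11,0x22,0x33,0x44,0xFF,0xC8,0xFF };
static const unsigned char sample_hit[8] = { 0x00,0x01,0x02,0xFF,0xC8,0xFF,0xD0,0x09 };
static const unsigned char marker[4]     = { 0xFF,0xC8,0xFF,0xD0 };

/* Model of the reported loop (hypothetical helper, not ImageMagick's code):
 * same control flow, but every byte access goes through an index check so it
 * never actually reads out of bounds. Returns the highest offset the original
 * loop would touch; any value >= n is an over-read past the buffer. */
static size_t sfwscan_original_max_offset(const unsigned char *buf, size_t n,
    const unsigned char *target, size_t length)
{
  size_t p = 0, q = n - 1, max_off = 0, i;
  if (p + length < q)                 /* the single up-front guard */
    while (p < q)                     /* no per-iteration check on p+length */
    {
      for (i = 0; i < length; i++)
      {
        if (p + i > max_off)
          max_off = p + i;            /* record the offset the real code reads */
        if (p + i >= n || buf[p + i] != target[i])
          break;                      /* out-of-bounds offset: stop, do not read */
      }
      if (i == length)
        return max_off;
      p++;
    }
  return max_off;
}

/* Hardened scan (hypothetical helper). q is the address of the last valid
 * byte, matching the caller's buffer+count-1. A window is compared only while
 * its last byte p+length-1 is still <= q, so no iteration can read past q. */
static const unsigned char *sfwscan_safe(const unsigned char *p,
    const unsigned char *q, const unsigned char *target, size_t length)
{
  if (p == NULL || q == NULL || q < p || length == 0)
    return NULL;
  for (size_t avail = (size_t)(q - p) + 1; avail >= length; avail--, p++)
    if (memcmp(p, target, length) == 0)
      return p;
  return NULL;
}
```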

@fgeek

fgeek commented Aug 23, 2017

Please use CVE-2017-13134 for this issue.
