
heap buffer overflow in SFWScan #670

Closed
@bestshow

Description

Version: ImageMagick 7.0.6-6 Q16 x86_64

#./magick identify $FILE

When identifying an SFW file, a heap buffer overflow vulnerability was found in function ReadSFWImage in coders/sfw.c. Here is the critical code:

  header=SFWScan(buffer,buffer+count-1,(const unsigned char *) //271
    "\377\310\377\320",4);

In function SFWScan:

static unsigned char *SFWScan(const unsigned char *p,const unsigned char *q,
  const unsigned char *target,const size_t length)
{
  register ssize_t
    i;

  if ((p+length) < q)   // bounds guard is evaluated only once, before the loop
    while (p < q)       // p keeps advancing as long as p < q, even when fewer than length bytes remain
    {
      for (i=0; i < (ssize_t) length; i++)
        if (p[i] != target[i]) // 133  heap buffer overflow
          break;
      if (i == (ssize_t) length)
        return((unsigned char *) p);
      p++;
    }
  return((unsigned char *) NULL);
}

The memory space of the heap buffer "p" is p~q (from p[0] to p[q-p-1]), but in the for-loop inside the while loop, "p[i]" will lead to a heap buffer overflow.

testcase: https://github.com/bestshow/p0cs/blob/master/heap_buffer_overflow_in_SFWScan
Credit: ADLab of Venustech
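A bounded rewrite of the scan loop and a dereference-free calculation of how far the original loop can read, added here as an illustration; this is neither the reporter's test case nor ImageMagick's own fix. It assumes q points one past the last valid byte (the range the report describes as p[0]..p[q-p-1]); the names sfw_scan_safe and sfw_scan_orig_last_read and the sample bytes are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hardened scan written for this report (not ImageMagick's own patch).
 * Assumption: q points one past the last valid byte, so [p, q) is the only
 * memory the scan may touch. The original SFWScan tested (p+length) < q once,
 * then kept advancing p while p < q and reading p[0..length-1], so its final
 * iterations read up to length-1 bytes past q. Here the remaining window is
 * re-checked before every compare, so no read can leave [p, q). */
static const unsigned char *sfw_scan_safe(const unsigned char *p,
  const unsigned char *q, const unsigned char *target, size_t length)
{
  if (p == NULL || q == NULL || q < p || length == 0)
    return NULL;
  while ((size_t)(q - p) >= length)   /* a full marker still fits before q */
  {
    if (memcmp(p, target, length) == 0)
      return p;
    p++;
  }
  return NULL;
}

/* Worst-case offset of the last byte the original loop dereferences when
 * called as SFWScan(buffer, buffer+count-1, target, length), computed without
 * touching memory. The last valid offset is count-1, so a result >= count is
 * an over-read. Returns -1 when the one-time guard rejects the call. */
static long sfw_scan_orig_last_read(size_t count, size_t length)
{
  if (length == 0 || length + 1 >= count)   /* (p+length) < q fails */
    return -1;
  /* while (p < q) visits i = 0..count-2 and each visit may read p[length-1] */
  return (long)((count - 2) + (length - 1));
}

/* Constructed sample data, not taken from the reporter's test case. */
static const unsigned char kSfwMarker[4] = { 0xff, 0xc8, 0xff, 0xd0 };
static const unsigned char kSample[8] = { 0x00, 0x01, 0xff, 0xc8, 0xff, 0xd0, 0x02, 0x03 };
static const unsigned char kTruncated[6] = { 0x00, 0x01, 0x02, 0xff, 0xc8, 0xff };

int main(void)
{
  const unsigned char *hit = sfw_scan_safe(kSample, kSample + 8, kSfwMarker, 4);
  printf("marker at offset %ld\n", hit ? (long)(hit - kSample) : -1L);
  printf("truncated marker at tail: %s\n",
    sfw_scan_safe(kTruncated, kTruncated + 6, kSfwMarker, 4) ? "hit" : "no hit");
  printf("original loop on 10-byte buffer: last read offset %ld, valid max 9\n",
    sfw_scan_orig_last_read(10, 4));
  return 0;
}
```

The truncated sample ends with the first three marker bytes, which is exactly the input shape that drives the original loop past the end of the buffer; the bounded version stops once fewer than four bytes remain.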
