Heap buffer overflow in ReadSFWImage #682

Closed
@whiteHat001

Description

zhihua.yao@dbappsecurity.com.cn

root@ubuntu:/home/hjy/Desktop# convert heap-buffer-overflow_ReadSFWImage /de/vnull
=================================================================
==11164==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5111fd0 at pc 0x80e5ce9 bp 0xbf9aee18 sp 0xbf9aee0c
WRITE of size 1 at 0xb5111fd0 thread T0
    #0 0x80e5ce8 in CopyMagickMemory MagickCore/memory.c:744
    #1 0x85a30a7 in ReadSFWImage coders/sfw.c:279
    #2 0x8892bf8 in ReadImage MagickCore/constitute.c:497
    #3 0x8896470 in ReadImages MagickCore/constitute.c:866
    #4 0x8e99eb8 in ConvertImageCommand MagickWand/convert.c:641
    #5 0x8fa28f1 in MagickCommandGenesis MagickWand/mogrify.c:183
    #6 0x80749e6 in MagickMain utilities/magick.c:149
    #7 0x80556da in main utilities/magick.c:180
    #8 0xb6df9a82 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #9 0x80740ea (/usr/local/bin/magick+0x80740ea)

0xb5111fd0 is located 0 bytes to the right of 32-byte region [0xb5111fb0,0xb5111fd0)
allocated by thread T0 here:
    #0 0xb728788a in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e88a)
    #1 0x85a2df2 in ReadSFWImage coders/sfw.c:255
    #2 0x8892bf8 in ReadImage MagickCore/constitute.c:497
    #3 0x8896470 in ReadImages MagickCore/constitute.c:866
    #4 0x8e99eb8 in ConvertImageCommand MagickWand/convert.c:641
    #5 0x8fa28f1 in MagickCommandGenesis MagickWand/mogrify.c:183
    #6 0x80749e6 in MagickMain utilities/magick.c:149
    #7 0x80556da in main utilities/magick.c:180
    #8 0xb6df9a82 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19a82)

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/memory.c:744 CopyMagickMemory
Shadow bytes around the buggy address:
  0x36a223a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a223b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a223c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a223d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a223e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36a223f0: fa fa fa fa fa fa 00 00 00 00[fa]fa fd fd fd fd
  0x36a22400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a22410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a22420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a22430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a22440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==11164==ABORTING
root@ubuntu:/home/hjy/Desktop# magick --version
Version: ImageMagick 7.0.6-8 Q16 i686 2017-08-18 http://www.imagemagick.org
Copyright: © 1999-2017 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP 
Delegates (built-in): jng jpeg png xml zlib

My platform is Ubuntu x86.

POC: https://github.com/whiteHat001/FUZZ_POC/blob/master/heap-buffer-overflow_ReadSFWImage
