Closed
zhihua.yao@dbappsecurity.com.cn
root@ubuntu:/home/hjy/Desktop# convert heap-buffer-overflow_ReadSFWImage /de/vnull
=================================================================
==11164==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5111fd0 at pc 0x80e5ce9 bp 0xbf9aee18 sp 0xbf9aee0c
WRITE of size 1 at 0xb5111fd0 thread T0
#0 0x80e5ce8 in CopyMagickMemory MagickCore/memory.c:744
#1 0x85a30a7 in ReadSFWImage coders/sfw.c:279
#2 0x8892bf8 in ReadImage MagickCore/constitute.c:497
#3 0x8896470 in ReadImages MagickCore/constitute.c:866
#4 0x8e99eb8 in ConvertImageCommand MagickWand/convert.c:641
#5 0x8fa28f1 in MagickCommandGenesis MagickWand/mogrify.c:183
#6 0x80749e6 in MagickMain utilities/magick.c:149
#7 0x80556da in main utilities/magick.c:180
#8 0xb6df9a82 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19a82)
#9 0x80740ea (/usr/local/bin/magick+0x80740ea)
0xb5111fd0 is located 0 bytes to the right of 32-byte region [0xb5111fb0,0xb5111fd0)
allocated by thread T0 here:
#0 0xb728788a in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e88a)
#1 0x85a2df2 in ReadSFWImage coders/sfw.c:255
#2 0x8892bf8 in ReadImage MagickCore/constitute.c:497
#3 0x8896470 in ReadImages MagickCore/constitute.c:866
#4 0x8e99eb8 in ConvertImageCommand MagickWand/convert.c:641
#5 0x8fa28f1 in MagickCommandGenesis MagickWand/mogrify.c:183
#6 0x80749e6 in MagickMain utilities/magick.c:149
#7 0x80556da in main utilities/magick.c:180
#8 0xb6df9a82 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19a82)
SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/memory.c:744 CopyMagickMemory
==11164==ABORTING
root@ubuntu:/home/hjy/Desktop# magick --version
Version: ImageMagick 7.0.6-8 Q16 i686 2017-08-18 http://www.imagemagick.org
Copyright: © 1999-2017 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): jng jpeg png xml zlib
My platform is Ubuntu x86.
POC https://github.com/whiteHat001/FUZZ_POC/blob/master/heap-buffer-overflow_ReadSFWImage