Heap-buffer-overflow in function SampleImage() in resize.c #717

Closed
lifuhao123 opened this Issue Sep 1, 2017 · 5 comments


lifuhao123 commented Sep 1, 2017

Version: ImageMagick 7.0.6-8 Q16 x86_64

A heap buffer overflow vulnerability was found in function SampleImage() in resize.c, which allows attackers to cause a denial of service or remote code execution via a crafted file.

The bug is triggered when converting a file to PDF using ImageMagick. I used the command line
" ./magick convert 1-im2pdf out.pdf " and ASan shows:

==75137==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f6b7aafeb00 at pc 0x000000d1d99c bp 0x7ffc336f6110 sp 0x7ffc336f6108
READ of size 4 at 0x7f6b7aafeb00 thread T0
    #0 0xd1d99b in SampleImage /home/share/imagemagic/source-imagemagick/MagickCore/resize.c:3154:46
    #1 0xd24d30 in ThumbnailImage /home/share/imagemagic/source-imagemagick/MagickCore/resize.c:3703:22
    #2 0x7edef1 in WritePDFImage /home/share/imagemagic/source-imagemagick/coders/pdf.c:2269:16
    #3 0xa290ff in WriteImage /home/share/imagemagic/source-imagemagick/MagickCore/constitute.c:1114:14
    #4 0xa2a32d in WriteImages /home/share/imagemagic/source-imagemagick/MagickCore/constitute.c:1333:13
    #5 0xeb5a6a in ConvertImageCommand /home/share/imagemagic/source-imagemagick/MagickWand/convert.c:3280:11
    #6 0xfc75da in MagickCommandGenesis /home/share/imagemagic/source-imagemagick/MagickWand/mogrify.c:183:14
    #7 0x519269 in MagickMain /home/share/imagemagic/source-imagemagick/utilities/magick.c:162:10
    #8 0x519269 in main /home/share/imagemagic/source-imagemagick/utilities/magick.c:197
    #9 0x7f6b7e02782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x420f98 in _start (/home/share/imagemagic/test/magick+0x420f98)

0x7f6b7aafeb00 is located 0 bytes to the right of 12000000-byte region [0x7f6b79f8d000,0x7f6b7aafeb00)
allocated by thread T0 here:
    #0 0x4e2c60 in __interceptor_posix_memalign /home/share/libfuzzer/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:156
    #1 0x55b55c in AcquireAlignedMemory /home/share/imagemagic/source-imagemagick/MagickCore/memory.c:262:7
    #2 0x9cc740 in OpenPixelCache /home/share/imagemagic/source-imagemagick/MagickCore/cache.c:3561:46
    #3 0x9d2a03 in GetImagePixelCache /home/share/imagemagic/source-imagemagick/MagickCore/cache.c:1668:18
    #4 0x9d78a4 in SyncImagePixelCache /home/share/imagemagic/source-imagemagick/MagickCore/cache.c:5266:28
    #5 0x922705 in ReadPNGImage /home/share/imagemagic/source-imagemagick/coders/png.c:4254:9
    #6 0xa2518f in ReadImage /home/share/imagemagic/source-imagemagick/MagickCore/constitute.c:497:13
    #7 0xa2816e in ReadImages /home/share/imagemagic/source-imagemagick/MagickCore/constitute.c:866:9
    #8 0xea8112 in ConvertImageCommand /home/share/imagemagic/source-imagemagick/MagickWand/convert.c:641:18
    #9 0xfc75da in MagickCommandGenesis /home/share/imagemagic/source-imagemagick/MagickWand/mogrify.c:183:14
    #10 0x519269 in MagickMain /home/share/imagemagic/source-imagemagick/utilities/magick.c:162:10
    #11 0x519269 in main /home/share/imagemagic/source-imagemagick/utilities/magick.c:197
    #12 0x7f6b7e02782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/share/imagemagic/source-imagemagick/MagickCore/resize.c:3154:46 in SampleImage
==75137==ABORTING

The poc was at: https://github.com/lifuhao123/feijidepoc/blob/master/1-im2pdf

Note that this issue was found by lifuhao from Aliyun Security Team.
Thanks
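As an added triage helper (not code from the issue or from ImageMagick), the script below parses the AddressSanitizer report quoted above and pulls out what a defender needs to classify it: the bug class, the faulting access, the call chain from the PDF writer down to SampleImage(), the allocation site of the pixel cache, and how many bytes of the access fall outside the 12000000-byte region. The embedded report text is a constructed excerpt of the report in this issue; the field names are my own.

```python
import re

# Constructed excerpt of the AddressSanitizer report quoted in the issue above.
ASAN_REPORT = """\
==75137==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f6b7aafeb00 at pc 0x000000d1d99c bp 0x7ffc336f6110 sp 0x7ffc336f6108
READ of size 4 at 0x7f6b7aafeb00 thread T0
    #0 0xd1d99b in SampleImage /home/share/imagemagic/source-imagemagick/MagickCore/resize.c:3154:46
    #1 0xd24d30 in ThumbnailImage /home/share/imagemagic/source-imagemagick/MagickCore/resize.c:3703:22
    #2 0x7edef1 in WritePDFImage /home/share/imagemagic/source-imagemagick/coders/pdf.c:2269:16
0x7f6b7aafeb00 is located 0 bytes to the right of 12000000-byte region [0x7f6b79f8d000,0x7f6b7aafeb00)
allocated by thread T0 here:
    #0 0x4e2c60 in __interceptor_posix_memalign /home/share/libfuzzer/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:156
    #1 0x55b55c in AcquireAlignedMemory /home/share/imagemagic/source-imagemagick/MagickCore/memory.c:262:7
    #2 0x9cc740 in OpenPixelCache /home/share/imagemagic/source-imagemagick/MagickCore/cache.c:3561:46
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?$", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte "
                       r"region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")

def frames(text):
    # (function, source basename, line) for every symbolised '#N ... in func path:line' frame
    return [(m.group(1), m.group(2).rsplit("/", 1)[-1], int(m.group(3)))
            for m in FRAME_RE.finditer(text)]

def triage(report):
    """Summarise an ASan heap report: bug class, faulting access, call chain, allocation site."""
    err, acc, reg = ERROR_RE.search(report), ACCESS_RE.search(report), REGION_RE.search(report)
    if not (err and acc and reg):
        raise ValueError("not a recognised AddressSanitizer heap report")
    access_part, _, alloc_part = report.partition("allocated by")
    addr, size = int(acc.group(3), 16), int(acc.group(2))
    start, end = int(reg.group(4), 16), int(reg.group(5), 16)
    if end - start != int(reg.group(3)):
        raise ValueError("region bounds disagree with the stated region size")
    # Bytes of the access that lie outside [start, end); here the whole 4-byte read, since addr == end.
    overlap = max(0, min(addr + size, end) - max(addr, start))
    # Skip sanitizer interceptor frames so the allocation site is the project's own function.
    alloc = next(f for f in frames(alloc_part) if not f[0].startswith("__"))
    return {
        "bug": err.group(1),
        "access": f"{acc.group(1)} of {size} bytes",
        "fault_frame": frames(access_part)[0],
        "caller_chain": [f[0] for f in frames(access_part)],
        "region_bytes": end - start,
        "bytes_outside_region": size - overlap,
        "alloc_site": alloc,
    }
```

Running `triage(ASAN_REPORT)` shows the read starts exactly at the end of the pixel-cache allocation made in AcquireAlignedMemory(), so all 4 bytes read are past the buffer: an out-of-bounds read at the boundary rather than a wild pointer.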

urban-warrior pushed a commit that referenced this issue Sep 1, 2017

Contributor

urban-warrior commented Sep 1, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@dlemstra dlemstra added the bug label Sep 1, 2017

@dlemstra dlemstra closed this Sep 1, 2017

@lifuhao123 lifuhao123 changed the title from A heap-buffer-overflow in function SampleImage() in resize.c to Heap-buffer-overflow in function SampleImage() in resize.c Sep 8, 2017

nohmask commented Sep 12, 2017

This was assigned CVE-2017-14248.

carnil commented Sep 18, 2017

@urban-warrior, @dlemstra, can you confirm if this issue does not affect ImageMagick-6?

Member

dlemstra commented Sep 18, 2017

This is an IM7 only issue.

mikayla-grace commented Sep 18, 2017

Confirmed. This bug was exclusive to IMv7, not IMv6.
