Heap buffer overflow in WritePCXImage #733

Closed
lifuhao123 opened this issue Sep 6, 2017 · 2 comments

@lifuhao123

commented Sep 6, 2017

Version: ImageMagick 7.0.6-8 Q16 x86_64

A heap buffer overflow vulnerability was found in function WritePCXImage in coders/pcx.c, which allows attackers to cause a denial of service or remote code execution via a crafted file.

./magick convert 4-im2pcx out.pcx

AddressSanitizer: heap-buffer-overflow on address 0x631000010f40 at pc 0x0000007dbd4c bp 0x7fffa9b7d8d0 sp 0x7fffa9b7d8c8
WRITE of size 1 at 0x631000010f40 thread T0
    #0 0x7dbd4b in WritePCXImage /home/share/imagemagic/source-imagemagick/coders/pcx.c:1094:19
    #1 0xa290ff in WriteImage /home/share/imagemagic/source-imagemagick/MagickCore/constitute.c:1114:14
    #2 0xa2a32d in WriteImages /home/share/imagemagic/source-imagemagick/MagickCore/constitute.c:1333:13
    #3 0xeb5a6a in ConvertImageCommand /home/share/imagemagic/source-imagemagick/MagickWand/convert.c:3280:11
    #4 0xfc75da in MagickCommandGenesis /home/share/imagemagic/source-imagemagick/MagickWand/mogrify.c:183:14
    #5 0x519269 in MagickMain /home/share/imagemagic/source-imagemagick/utilities/magick.c:162:10
    #6 0x519269 in main /home/share/imagemagic/source-imagemagick/utilities/magick.c:197
    #7 0x7fa32695882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x420f98 in _start (/home/share/pocs/magick+0x420f98)

0x631000010f40 is located 0 bytes to the right of 65344-byte region [0x631000001000,0x631000010f40)
allocated by thread T0 here:
    #0 0x4e2c60 in __interceptor_posix_memalign /home/share/libfuzzer/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:156
    #1 0x55c01a in AcquireAlignedMemory /home/share/imagemagic/source-imagemagick/MagickCore/memory.c:262:7
    #2 0x55c01a in AcquireVirtualMemory /home/share/imagemagic/source-imagemagick/MagickCore/memory.c:635
    #3 0x7d9411 in WritePCXImage /home/share/imagemagic/source-imagemagick/coders/pcx.c:1008:16
    #4 0xa290ff in WriteImage /home/share/imagemagic/source-imagemagick/MagickCore/constitute.c:1114:14
    #5 0xa2a32d in WriteImages /home/share/imagemagic/source-imagemagick/MagickCore/constitute.c:1333:13
    #6 0xeb5a6a in ConvertImageCommand /home/share/imagemagic/source-imagemagick/MagickWand/convert.c:3280:11
    #7 0xfc75da in MagickCommandGenesis /home/share/imagemagic/source-imagemagick/MagickWand/mogrify.c:183:14
    #8 0x519269 in MagickMain /home/share/imagemagic/source-imagemagick/utilities/magick.c:162:10
    #9 0x519269 in main /home/share/imagemagic/source-imagemagick/utilities/magick.c:197
    #10 0x7fa32695882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/share/imagemagic/source-imagemagick/coders/pcx.c:1094:19 in WritePCXImage

testcase: https://github.com/lifuhao123/feijidepoc/blob/master/4-im2pcx
Note that this issue was found by lifuhao from Aliyun Security Team.
Thanks
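A small triage helper, added here as an example and not part of this issue or of ImageMagick: it parses an ASan heap-buffer-overflow report like the one above (the embedded sample is that report's key lines, trimmed), cross-checks the reported region bounds against the faulting address, and pairs the faulting frame (pcx.c:1094) with the allocation in the same file (pcx.c:1008), which is what a defender confirms first when classifying a write as an off-by-one past the end of a buffer.

```python
import re

# Constructed sample: the key lines of the ASan report from this issue (trace trimmed).
SAMPLE_REPORT = """\
AddressSanitizer: heap-buffer-overflow on address 0x631000010f40 at pc 0x0000007dbd4c
WRITE of size 1 at 0x631000010f40 thread T0
    #0 0x7dbd4b in WritePCXImage /home/share/imagemagic/source-imagemagick/coders/pcx.c:1094:19
0x631000010f40 is located 0 bytes to the right of 65344-byte region [0x631000001000,0x631000010f40)
allocated by thread T0 here:
    #0 0x4e2c60 in __interceptor_posix_memalign asan_malloc_linux.cc:156
    #3 0x7d9411 in WritePCXImage /home/share/imagemagic/source-imagemagick/coders/pcx.c:1008:16
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte "
                       r"region \[0x([0-9a-f]+),0x([0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\w+) (\S+)", re.M)


def triage_asan(report):
    """Summarise an ASan heap-buffer-overflow report; return None for anything else."""
    if "heap-buffer-overflow" not in report:
        return None
    access, region = ACCESS_RE.search(report), REGION_RE.search(report)
    if not (access and region):
        return None
    kind, size, addr = access.group(1), int(access.group(2)), int(access.group(3), 16)
    offset, side, region_size = int(region.group(1)), region.group(2), int(region.group(3))
    lo, hi = int(region.group(4), 16), int(region.group(5), 16)
    # Cross-check the report against itself: [lo,hi) must span the stated size and
    # the faulting address must sit exactly `offset` bytes outside that range.
    expected = hi + offset if side == "right" else lo - offset
    consistent = hi - lo == region_size and addr == expected
    # Frame #0 of the access trace is the faulting site; in the allocation trace the
    # allocating site is the first frame from the same source file (skips allocator frames).
    access_part, _, alloc_part = report.partition("allocated by thread")
    frames = FRAME_RE.findall(access_part)
    fault_fn, fault_site = frames[0] if frames else ("?", "?")

    def basename(site):
        return site.rsplit("/", 1)[-1].split(":")[0]
    alloc_site = next((s for _, s in FRAME_RE.findall(alloc_part)
                       if basename(s) == basename(fault_site)), None)
    return {"kind": kind, "size": size, "side": side, "offset": offset,
            "region_size": region_size, "consistent": consistent,
            "overrun_bytes": addr + size - hi if side == "right" else None,
            "off_by_one": side == "right" and offset == 0 and size == 1,
            "fault_fn": fault_fn, "fault_site": fault_site, "alloc_site": alloc_site}
```

Calling `triage_asan(SAMPLE_REPORT)` returns the summary dict; pass it the full text of an ASan run to triage other reports the same way.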

@mikayla-grace


commented Sep 6, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

urban-warrior pushed a commit that referenced this issue Sep 6, 2017

Cristy

urban-warrior pushed a commit that referenced this issue Sep 6, 2017

Cristy

@dlemstra dlemstra added the bug label Sep 6, 2017

@dlemstra dlemstra closed this Sep 6, 2017
