Heap buffer overflow in WritePCXImage #733

Closed
@0ahu

Description

Version: ImageMagick 7.0.6-8 Q16 x86_64

A heap buffer overflow vulnerability was found in function WritePCXImage in coders/pcx.c, which allows attackers to cause a denial of service or remote code execution via a crafted file.

./magick convert 4-im2pcx out.pcx

AddressSanitizer: heap-buffer-overflow on address 0x631000010f40 at pc 0x0000007dbd4c bp 0x7fffa9b7d8d0 sp 0x7fffa9b7d8c8
WRITE of size 1 at 0x631000010f40 thread T0
    #0 0x7dbd4b in WritePCXImage /home/share/imagemagic/source-imagemagick/coders/pcx.c:1094:19
    #1 0xa290ff in WriteImage /home/share/imagemagic/source-imagemagick/MagickCore/constitute.c:1114:14
    #2 0xa2a32d in WriteImages /home/share/imagemagic/source-imagemagick/MagickCore/constitute.c:1333:13
    #3 0xeb5a6a in ConvertImageCommand /home/share/imagemagic/source-imagemagick/MagickWand/convert.c:3280:11
    #4 0xfc75da in MagickCommandGenesis /home/share/imagemagic/source-imagemagick/MagickWand/mogrify.c:183:14
    #5 0x519269 in MagickMain /home/share/imagemagic/source-imagemagick/utilities/magick.c:162:10
    #6 0x519269 in main /home/share/imagemagic/source-imagemagick/utilities/magick.c:197
    #7 0x7fa32695882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x420f98 in _start (/home/share/pocs/magick+0x420f98)

0x631000010f40 is located 0 bytes to the right of 65344-byte region [0x631000001000,0x631000010f40)
allocated by thread T0 here:
    #0 0x4e2c60 in __interceptor_posix_memalign /home/share/libfuzzer/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:156
    #1 0x55c01a in AcquireAlignedMemory /home/share/imagemagic/source-imagemagick/MagickCore/memory.c:262:7
    #2 0x55c01a in AcquireVirtualMemory /home/share/imagemagic/source-imagemagick/MagickCore/memory.c:635
    #3 0x7d9411 in WritePCXImage /home/share/imagemagic/source-imagemagick/coders/pcx.c:1008:16
    #4 0xa290ff in WriteImage /home/share/imagemagic/source-imagemagick/MagickCore/constitute.c:1114:14
    #5 0xa2a32d in WriteImages /home/share/imagemagic/source-imagemagick/MagickCore/constitute.c:1333:13
    #6 0xeb5a6a in ConvertImageCommand /home/share/imagemagic/source-imagemagick/MagickWand/convert.c:3280:11
    #7 0xfc75da in MagickCommandGenesis /home/share/imagemagic/source-imagemagick/MagickWand/mogrify.c:183:14
    #8 0x519269 in MagickMain /home/share/imagemagic/source-imagemagick/utilities/magick.c:162:10
    #9 0x519269 in main /home/share/imagemagic/source-imagemagick/utilities/magick.c:197
    #10 0x7fa32695882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/share/imagemagic/source-imagemagick/coders/pcx.c:1094:19 in WritePCXImage

testcase: https://github.com/lifuhao123/feijidepoc/blob/master/4-im2pcx
Note that this issue was found by lifuhao from Aliyun Security Team.
Thanks
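The following is an added illustration of the bug class this report exercises (an encoder storing one more byte than its fixed heap buffer holds); it is example code, not code from ImageMagick's coders/pcx.c or from the reporter. It implements a hypothetical PCX run-length encoder whose every store is capacity-checked. PCX RLE wraps any byte at or above 0xC0 in a two-byte run marker, so an incompressible scanline encodes to up to twice its raw length; an output buffer sized from the raw scanline and written without a bound check overruns by exactly the kind of 1-byte store ASan flags above. Whether that is the actual mechanism at pcx.c:1094 is not established by the report. The function names pcx_rle_encode, pcx_rle_decode, pcx_rle_max_encoded and the constructed test scanline are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical PCX run-length encoder/decoder (example code, not ImageMagick's).
 * PCX RLE: a run of 1..63 identical bytes is emitted as (0xC0 | count) followed
 * by the byte value. A single byte below 0xC0 may be emitted literally, but any
 * byte >= 0xC0 must be wrapped in a run marker so a decoder does not read it as
 * a count. Hence the encoded scanline can be up to twice as long as the raw one.
 */

/* Upper bound on the encoded size of in_len raw bytes: two output bytes per input byte. */
size_t pcx_rle_max_encoded(size_t in_len)
{
    return 2 * in_len;
}

/*
 * Encode one scanline into out[0..out_cap). Every store is preceded by a
 * capacity check; returns bytes written, or -1 if the encoded line would not
 * fit. A writer that sized out from the raw scanline length and skipped this
 * check would store past the end of the allocation on incompressible input,
 * which ASan reports as a heap-buffer-overflow WRITE of size 1 at the region end.
 */
long pcx_rle_encode(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t i = 0, o = 0;

    while (i < in_len) {
        uint8_t b = in[i];
        size_t run = 1;

        /* Extend the run while the byte repeats, capped at the 6-bit count field. */
        while (run < 63 && i + run < in_len && in[i + run] == b)
            run++;

        if (run == 1 && b < 0xC0) {
            if (o + 1 > out_cap)
                return -1;
            out[o++] = b;                        /* literal byte */
        } else {
            if (o + 2 > out_cap)
                return -1;
            out[o++] = (uint8_t)(0xC0 | run);    /* run marker + count */
            out[o++] = b;                        /* run value */
        }
        i += run;
    }
    return (long)o;
}

/* Decode for round-trip checking. Returns bytes produced, or -1 on truncated input or overflow. */
long pcx_rle_decode(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t i = 0, o = 0;

    while (i < in_len) {
        uint8_t b = in[i++];
        size_t run = 1;

        if ((b & 0xC0) == 0xC0) {
            run = b & 0x3F;
            if (i >= in_len)
                return -1;                       /* count with no value byte */
            b = in[i++];
        }
        if (o + run > out_cap)
            return -1;                           /* would overrun the caller's buffer */
        memset(out + o, b, run);
        o += run;
    }
    return (long)o;
}

/*
 * Constructed worst-case scanline: alternating 0xC0/0xC1, so no runs form and
 * every byte needs a two-byte marker. Returns 1 if the bounded encoder refuses
 * a buffer sized by the raw length, succeeds with the 2x bound, and the
 * encoded data round-trips; 0 otherwise.
 */
int demo_undersized_buffer_is_refused(void)
{
    uint8_t line[8], out[16], back[8];
    long n;

    for (size_t k = 0; k < sizeof line; k++)
        line[k] = (k & 1) ? 0xC1 : 0xC0;

    if (pcx_rle_encode(line, sizeof line, out, sizeof line) != -1)
        return 0;   /* raw-length buffer must be rejected, not overflowed */

    n = pcx_rle_encode(line, sizeof line, out, pcx_rle_max_encoded(sizeof line));
    if (n != 16)
        return 0;
    if (pcx_rle_decode(out, (size_t)n, back, sizeof back) != (long)sizeof back)
        return 0;
    return memcmp(line, back, sizeof line) == 0;
}

int main(void)
{
    printf("undersized buffer refused, round-trip ok: %s\n",
           demo_undersized_buffer_is_refused() ? "yes" : "no");
    return 0;
}
```

The practical takeaway for reviewing any RLE writer: the output allocation must be derived from the encoder's worst-case expansion (here pcx_rle_max_encoded), or the encoder must carry the capacity and refuse to store past it; relying on the raw scanline length alone leaves a 1-byte-at-a-time overrun on adversarial pixel data.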
