
Heap buffer overflow in WritePCXImage #733

Closed
0ahu opened this issue Sep 6, 2017 · 2 comments

0ahu commented Sep 6, 2017

Version: ImageMagick 7.0.6-8 Q16 x86_64

A heap buffer overflow vulnerability was found in function WritePCXImage in coders/pcx.c, which allows attackers to cause a denial of service or remote code execution via a crafted file.

./magick convert 4-im2pcx out.pcx

AddressSanitizer: heap-buffer-overflow on address 0x631000010f40 at pc 0x0000007dbd4c bp 0x7fffa9b7d8d0 sp 0x7fffa9b7d8c8
WRITE of size 1 at 0x631000010f40 thread T0
    #0 0x7dbd4b in WritePCXImage /home/share/imagemagic/source-imagemagick/coders/pcx.c:1094:19
    #1 0xa290ff in WriteImage /home/share/imagemagic/source-imagemagick/MagickCore/constitute.c:1114:14
    #2 0xa2a32d in WriteImages /home/share/imagemagic/source-imagemagick/MagickCore/constitute.c:1333:13
    #3 0xeb5a6a in ConvertImageCommand /home/share/imagemagic/source-imagemagick/MagickWand/convert.c:3280:11
    #4 0xfc75da in MagickCommandGenesis /home/share/imagemagic/source-imagemagick/MagickWand/mogrify.c:183:14
    #5 0x519269 in MagickMain /home/share/imagemagic/source-imagemagick/utilities/magick.c:162:10
    #6 0x519269 in main /home/share/imagemagic/source-imagemagick/utilities/magick.c:197
    #7 0x7fa32695882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x420f98 in _start (/home/share/pocs/magick+0x420f98)

0x631000010f40 is located 0 bytes to the right of 65344-byte region [0x631000001000,0x631000010f40)
allocated by thread T0 here:
    #0 0x4e2c60 in __interceptor_posix_memalign /home/share/libfuzzer/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:156
    #1 0x55c01a in AcquireAlignedMemory /home/share/imagemagic/source-imagemagick/MagickCore/memory.c:262:7
    #2 0x55c01a in AcquireVirtualMemory /home/share/imagemagic/source-imagemagick/MagickCore/memory.c:635
    #3 0x7d9411 in WritePCXImage /home/share/imagemagic/source-imagemagick/coders/pcx.c:1008:16
    #4 0xa290ff in WriteImage /home/share/imagemagic/source-imagemagick/MagickCore/constitute.c:1114:14
    #5 0xa2a32d in WriteImages /home/share/imagemagic/source-imagemagick/MagickCore/constitute.c:1333:13
    #6 0xeb5a6a in ConvertImageCommand /home/share/imagemagic/source-imagemagick/MagickWand/convert.c:3280:11
    #7 0xfc75da in MagickCommandGenesis /home/share/imagemagic/source-imagemagick/MagickWand/mogrify.c:183:14
    #8 0x519269 in MagickMain /home/share/imagemagic/source-imagemagick/utilities/magick.c:162:10
    #9 0x519269 in main /home/share/imagemagic/source-imagemagick/utilities/magick.c:197
    #10 0x7fa32695882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/share/imagemagic/source-imagemagick/coders/pcx.c:1094:19 in WritePCXImage

testcase: https://github.com/lifuhao123/feijidepoc/blob/master/4-im2pcx
Note that this issue was found by lifuhao from Aliyun Security Team.
Thanks
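The report above carries everything needed for a first triage: the access type and size, the faulting frame, the bounds of the region ASan matched, and the allocation stack that sized it. The helper below is an added example for this issue, not ImageMagick code or part of the report; it parses that text (the sample is the report quoted above, trimmed to the top of each stack), checks that the region bounds, size and distance agree, computes how many bytes of the access land outside the buffer, and pairs the crash frame with the allocation frame in the same source file, which is where the buffer size was decided. The frame-matching heuristic and the function names are this example's own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the AddressSanitizer report from this issue, with the frames
# below WriteImage dropped because the triage only needs the top of each stack.
SAMPLE_REPORT = """\
AddressSanitizer: heap-buffer-overflow on address 0x631000010f40 at pc 0x0000007dbd4c bp 0x7fffa9b7d8d0 sp 0x7fffa9b7d8c8
WRITE of size 1 at 0x631000010f40 thread T0
    #0 0x7dbd4b in WritePCXImage /home/share/imagemagic/source-imagemagick/coders/pcx.c:1094:19
    #1 0xa290ff in WriteImage /home/share/imagemagic/source-imagemagick/MagickCore/constitute.c:1114:14

0x631000010f40 is located 0 bytes to the right of 65344-byte region [0x631000001000,0x631000010f40)
allocated by thread T0 here:
    #0 0x4e2c60 in __interceptor_posix_memalign /home/share/libfuzzer/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:156
    #1 0x55c01a in AcquireAlignedMemory /home/share/imagemagic/source-imagemagick/MagickCore/memory.c:262:7
    #2 0x55c01a in AcquireVirtualMemory /home/share/imagemagic/source-imagemagick/MagickCore/memory.c:635
    #3 0x7d9411 in WritePCXImage /home/share/imagemagic/source-imagemagick/coders/pcx.c:1008:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/share/imagemagic/source-imagemagick/coders/pcx.c:1094:19 in WritePCXImage
"""

HEADER = re.compile(r"AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
FRAME = re.compile(r"^[ \t]*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
REGION = re.compile(
    r"(?P<addr>0x[0-9a-f]+) is located (?P<dist>\d+) bytes to the (?P<side>left|right) "
    r"of (?P<size>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)"
)


@dataclass
class Triage:
    kind: str                          # e.g. heap-buffer-overflow
    op: str                            # READ or WRITE
    size: int                          # bytes accessed
    addr: int                          # faulting address
    region: tuple[int, int]            # [lo, hi) of the allocation ASan matched
    region_size: int
    dist: int                          # bytes between the bad address and the region edge
    side: str                          # "left" (underflow) or "right" (overflow)
    access_stack: list[tuple[str, str]]
    alloc_stack: list[tuple[str, str]]


def _frames(block: str) -> list[tuple[str, str]]:
    return [(m["func"], m["loc"]) for m in FRAME.finditer(block)]


def _section(text: str, start: int) -> str:
    """Text from `start` up to the next blank line: one ASan stack block."""
    return text[start:].split("\n\n", 1)[0]


def parse_report(text: str) -> Triage:
    head, access, region = HEADER.search(text), ACCESS.search(text), REGION.search(text)
    if not (head and access and region):
        raise ValueError("not a recognised ASan heap-buffer report")
    alloc_at = text.index("allocated by", region.end())
    return Triage(
        kind=head["kind"], op=access["op"], size=int(access["size"]),
        addr=int(access["addr"], 16),
        region=(int(region["lo"], 16), int(region["hi"], 16)),
        region_size=int(region["size"]), dist=int(region["dist"]), side=region["side"],
        access_stack=_frames(_section(text, access.end())),
        alloc_stack=_frames(_section(text, alloc_at)),
    )


def crash_frame(t: Triage) -> tuple[str, str]:
    """First frame outside the sanitizer runtime: where the bad access happened."""
    for func, loc in t.access_stack:
        if not func.startswith("__interceptor_") and "compiler-rt" not in loc:
            return func, loc
    raise ValueError("no project frame in the access stack")


def alloc_site(t: Triage) -> tuple[str, str] | None:
    """Heuristic (this example's assumption): the allocation frame in the same source
    file as the crash is the call that sized the overrun buffer. None if no such frame."""
    crash_file = crash_frame(t)[1].rsplit(":", 2)[0]
    for func, loc in t.alloc_stack:
        if loc.rsplit(":", 2)[0] == crash_file:
            return func, loc
    return None


def region_is_consistent(t: Triage) -> bool:
    """Sanity check: region bounds, stated size, distance and bad address must agree."""
    lo, hi = t.region
    edge = hi + t.dist if t.side == "right" else lo - t.dist
    return hi - lo == t.region_size and t.addr == edge


def bytes_outside(t: Triage) -> int:
    """Number of bytes of the access that fall outside the region."""
    lo, hi = t.region
    if t.side == "right":
        return t.addr + t.size - hi
    return min(lo, t.addr + t.size) - t.addr


def summarize(t: Triage) -> str:
    cf, af = crash_frame(t), alloc_site(t)
    where = f"{af[0]} at {af[1]}" if af else "a frame outside the crashing file"
    return (f"{t.kind}: {t.op} of {t.size} byte(s), {bytes_outside(t)} past the {t.side} "
            f"edge of a {t.region_size}-byte buffer; access in {cf[0]} at {cf[1]}, "
            f"buffer allocated via {where}")


if __name__ == "__main__":
    triage = parse_report(SAMPLE_REPORT)
    assert region_is_consistent(triage)
    print(summarize(triage))
```

Run on the sample, the summary pairs the one-byte write at pcx.c:1094 with the allocation at pcx.c:1008, so the reviewer of the fix knows to compare the size computed at the allocation with the index used at the write. Feeding a report whose region line disagrees with its own bounds makes `region_is_consistent` return False, which usually means the text was mangled in transit rather than a real ASan finding.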

@mikayla-grace

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

fgeek commented Sep 9, 2017
