
Null Pointer Dereference in GetVirtualPixels MagickCore/cache.c:3185 #746

Closed
jerryl3e opened this issue Sep 11, 2017 · 2 comments

@jerryl3e

poc1
version:
ImageMagick 7.0.7-1 Q16 x86_64
gcc 7.1

crash link:
https://raw.githubusercontent.com/jerryl3e/poc/master/im_poc_1505120100

trigger command:
./magick convert im_poc_1505120100 output.mpc
./magick convert output.mpc output.uil

detail:

root@work:/home/work/fuzzing/ImageMagick/utilities# ./magick  im_poc_1505120100  out.mpc
root@work:/home/work/fuzzing/ImageMagick/utilities# ./magick out.mpc out.aai
ASAN:SIGSEGV
=================================================================
==49786==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9150edb72b bp 0x7ffd830679e0 sp 0x7ffd83067980 T0)
    #0 0x7f9150edb72a in GetVirtualPixels MagickCore/cache.c:3185
    #1 0x7f9151203e88 in WriteAAIImage coders/aai.c:386
    #2 0x7f9150f44782 in WriteImage MagickCore/constitute.c:1114
    #3 0x7f9150f453fe in WriteImages MagickCore/constitute.c:1333
    #4 0x7f9150a4097a in CLINoImageOperator MagickWand/operation.c:4795
    #5 0x7f9150a431d8 in CLIOption MagickWand/operation.c:5255
    #6 0x7f91508e0d5f in ProcessCommandOptions MagickWand/magick-cli.c:529
    #7 0x7f91508e1f27 in MagickImageCommand MagickWand/magick-cli.c:794
    #8 0x7f915091a246 in MagickCommandGenesis MagickWand/mogrify.c:183
    #9 0x4017e1 in MagickMain utilities/magick.c:149
    #10 0x4019c2 in main utilities/magick.c:180
    #11 0x7f915014682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x4012f8 in _start (/home/work/fuzzing/ImageMagick/utilities/.libs/lt-magick+0x4012f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV MagickCore/cache.c:3185 GetVirtualPixels
==49786==ABORTING

Credit: Baidu Security Lab

@mikayla-grace

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@nohmask

nohmask commented Sep 13, 2017

This was assigned CVE-2017-14400.
