Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap buffer over read in ReadTIFFImage(coders/tiff.c:2011) #765

Closed
Twi1ight opened this issue Sep 19, 2017 · 2 comments
Closed

Heap buffer over read in ReadTIFFImage(coders/tiff.c:2011) #765

Twi1ight opened this issue Sep 19, 2017 · 2 comments
Labels

Comments

@Twi1ight
Copy link

version:

$ ./magick --version
Version: ImageMagick 7.0.7-4 Q16 x86_64 2017-09-19 http://www.imagemagick.org
Copyright: © 1999-2017 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP 
Delegates (built-in): bzlib djvu fftw fontconfig fpx freetype gvc jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff webp wmf x xml zlib

gcc (Ubuntu 4.8.5-2ubuntu1~14.04.1) 4.8.5

crash case:
crash-ImageMagic-ReadTIFFImage-heap-overflow.zip

trigger command :
./magick convert crash-ImageMagic-ReadTIFFImage-heap-overflow /dev/null

detail:

Heap buffer over read in ReadTIFFImage(coders/tiff.c:2011)
==185299== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60420001f380 at pc 0x7d1605 bp 0x7fffffff2600 sp 0x7fffffff25f8
READ of size 4 at 0x60420001f380 thread T0
    #0 0x7d1604 in ReadTIFFImage /ImageMagick/coders/tiff.c:2011
    #1 0x893773 in ReadImage /ImageMagick/MagickCore/constitute.c:497
    #2 0x895d59 in ReadImages /ImageMagick/MagickCore/constitute.c:866
    #3 0xc2163d in ConvertImageCommand /ImageMagick/MagickWand/convert.c:641
    #4 0xdb7660 in MagickCommandGenesis /ImageMagick/MagickWand/mogrify.c:183
    #5 0x41065c in MagickMain /ImageMagick/utilities/magick.c:149
    #6 0x4107f1 in main /ImageMagick/utilities/magick.c:180
    #7 0x7ffff0244f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
    #8 0x4101a8 in _start (/ImageMagick/utilities/magick+0x4101a8)
0x60420001f380 is located 0 bytes to the right of 1024-byte region [0x60420001ef80,0x60420001f380)
allocated by thread T0 here:
    #0 0x7ffff4e6041a in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1541a)
    #1 0x441d57 in AcquireMagickMemory /ImageMagick/MagickCore/memory.c:464
    #2 0x7cffb8 in ReadTIFFImage /ImageMagick/coders/tiff.c:1755
    #3 0x893773 in ReadImage /ImageMagick/MagickCore/constitute.c:497
    #4 0x895d59 in ReadImages /ImageMagick/MagickCore/constitute.c:866
    #5 0xc2163d in ConvertImageCommand /ImageMagick/MagickWand/convert.c:641
    #6 0xdb7660 in MagickCommandGenesis /ImageMagick/MagickWand/mogrify.c:183
    #7 0x41065c in MagickMain /ImageMagick/utilities/magick.c:149
    #8 0x4107f1 in main /ImageMagick/utilities/magick.c:180
    #9 0x7ffff0244f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
SUMMARY: AddressSanitizer: heap-buffer-overflow /ImageMagick/coders/tiff.c:2011 ReadTIFFImage
Shadow bytes around the buggy address:
  0x0c08bfffbe20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c08bfffbe30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c08bfffbe40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c08bfffbe50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c08bfffbe60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c08bfffbe70:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c08bfffbe80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c08bfffbe90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c08bfffbea0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c08bfffbeb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c08bfffbec0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==185299== ABORTING
@mikayla-grace
Copy link

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@nohmask
Copy link

nohmask commented Sep 21, 2017

This was assigned CVE-2017-14607.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Development

No branches or pull requests

4 participants