Closed
Description
version:
$ ./magick --version
Version: ImageMagick 7.0.7-4 Q16 x86_64 2017-09-19 http://www.imagemagick.org
Copyright: © 1999-2017 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib djvu fftw fontconfig fpx freetype gvc jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff webp wmf x xml zlib
gcc (Ubuntu 4.8.5-2ubuntu1~14.04.1) 4.8.5
crash case:
crash-ImageMagic-ReadTIFFImage-heap-overflow.zip
trigger command:
./magick convert crash-ImageMagic-ReadTIFFImage-heap-overflow /dev/null
detail:
Heap buffer over-read in ReadTIFFImage (coders/tiff.c:2011)
==185299== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60420001f380 at pc 0x7d1605 bp 0x7fffffff2600 sp 0x7fffffff25f8
READ of size 4 at 0x60420001f380 thread T0
#0 0x7d1604 in ReadTIFFImage /ImageMagick/coders/tiff.c:2011
#1 0x893773 in ReadImage /ImageMagick/MagickCore/constitute.c:497
#2 0x895d59 in ReadImages /ImageMagick/MagickCore/constitute.c:866
#3 0xc2163d in ConvertImageCommand /ImageMagick/MagickWand/convert.c:641
#4 0xdb7660 in MagickCommandGenesis /ImageMagick/MagickWand/mogrify.c:183
#5 0x41065c in MagickMain /ImageMagick/utilities/magick.c:149
#6 0x4107f1 in main /ImageMagick/utilities/magick.c:180
#7 0x7ffff0244f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
#8 0x4101a8 in _start (/ImageMagick/utilities/magick+0x4101a8)
0x60420001f380 is located 0 bytes to the right of 1024-byte region [0x60420001ef80,0x60420001f380)
allocated by thread T0 here:
#0 0x7ffff4e6041a in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1541a)
#1 0x441d57 in AcquireMagickMemory /ImageMagick/MagickCore/memory.c:464
#2 0x7cffb8 in ReadTIFFImage /ImageMagick/coders/tiff.c:1755
#3 0x893773 in ReadImage /ImageMagick/MagickCore/constitute.c:497
#4 0x895d59 in ReadImages /ImageMagick/MagickCore/constitute.c:866
#5 0xc2163d in ConvertImageCommand /ImageMagick/MagickWand/convert.c:641
#6 0xdb7660 in MagickCommandGenesis /ImageMagick/MagickWand/mogrify.c:183
#7 0x41065c in MagickMain /ImageMagick/utilities/magick.c:149
#8 0x4107f1 in main /ImageMagick/utilities/magick.c:180
#9 0x7ffff0244f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
SUMMARY: AddressSanitizer: heap-buffer-overflow /ImageMagick/coders/tiff.c:2011 ReadTIFFImage
==185299== ABORTING