heap-buffer-overflow in Magick_png_read_raw_profile #872

Closed
henices opened this Issue Nov 21, 2017 · 5 comments


henices commented Nov 21, 2017

$ convert -version
Version: ImageMagick 7.0.7-12 Q16 x86_64 2017-11-21 http://www.imagemagick.org
Copyright: © 1999-2017 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib fontconfig freetype jng jpeg pangocairo png x xml zlib

commit: 6645a12, compiled on Ubuntu 14.04 x86_64

Trigger Command: convert Magick_png_read_raw_profile-heap-overflow /dev/null

==25042== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60060001dd58 at pc 0x7f27e3c6f8a7 bp 0x7fff78c5f4c0 sp 0x7fff78c5f4b8
READ of size 1 at 0x60060001dd58 thread T0
    #0 0x7f27e3c6f8a6 in Magick_png_read_raw_profile /home/henices/ImageMagick/coders/png.c:1804
    #1 0x7f27e3c7982f in ReadOnePNGImage /home/henices/ImageMagick/coders/png.c:3855
    #2 0x7f27e3c7ac76 in ReadPNGImage /home/henices/ImageMagick/coders/png.c:4236
    #3 0x7f27e361f721 in ReadImage /home/henices/ImageMagick/MagickCore/constitute.c:497
    #4 0x7f27e3621d87 in ReadImages /home/henices/ImageMagick/MagickCore/constitute.c:866
    #5 0x7f27e2e3b79b in ConvertImageCommand /home/henices/ImageMagick/MagickWand/convert.c:641
    #6 0x7f27e2fdea10 in MagickCommandGenesis /home/henices/ImageMagick/MagickWand/mogrify.c:183
    #7 0x40164c in MagickMain /home/henices/ImageMagick/utilities/magick.c:149
    #8 0x4017e1 in main /home/henices/ImageMagick/utilities/magick.c:180
    #9 0x7f27e2761f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
    #10 0x401198 in _start (/usr/local/bin/magick+0x401198)
0x60060001dd58 is located 0 bytes to the right of 24-byte region [0x60060001dd40,0x60060001dd58)
allocated by thread T0 here:
    #0 0x7f27e42ba41a in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1541a)
    #1 0x7f27e3800279 in AcquireMagickMemory /home/henices/ImageMagick/MagickCore/memory.c:464
    #2 0x7f27e3c6f389 in Magick_png_malloc /home/henices/ImageMagick/coders/png.c:1756
    #3 0x7f27e1ec5fff in png_malloc (/lib/x86_64-linux-gnu/libpng12.so.0+0x1afff)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/henices/ImageMagick/coders/png.c:1804 Magick_png_read_raw_profile
==25042== ABORTING

testcase:
https://github.com/henices/pocs/raw/master/Magick_png_read_raw_profile-heap-overflow

Credit: NSFocus Security Team <security (at) nsfocus (dot) com>
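As an added triage example (not part of this issue or of ImageMagick's code), a small parser that pulls the fields a defender needs out of the AddressSanitizer report above, using a constructed excerpt of that report as sample input, and labels the access as a one-byte read starting exactly at the end of the 24-byte heap region. The regex names, the ALLOCATOR_FUNCS set and the classify() labels are my own.

```python
import re

# Constructed excerpt of the AddressSanitizer report posted in this issue,
# trimmed to the lines the triage needs (sample input, not a new reproduction).
ASAN_REPORT = """\
==25042== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60060001dd58 at pc 0x7f27e3c6f8a7 bp 0x7fff78c5f4c0 sp 0x7fff78c5f4b8
READ of size 1 at 0x60060001dd58 thread T0
    #0 0x7f27e3c6f8a6 in Magick_png_read_raw_profile /home/henices/ImageMagick/coders/png.c:1804
    #1 0x7f27e3c7982f in ReadOnePNGImage /home/henices/ImageMagick/coders/png.c:3855
0x60060001dd58 is located 0 bytes to the right of 24-byte region [0x60060001dd40,0x60060001dd58)
allocated by thread T0 here:
    #0 0x7f27e42ba41a in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1541a)
    #1 0x7f27e3800279 in AcquireMagickMemory /home/henices/ImageMagick/MagickCore/memory.c:464
    #2 0x7f27e3c6f389 in Magick_png_malloc /home/henices/ImageMagick/coders/png.c:1756
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)", re.M)
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes to the (?P<side>left|right) of (?P<rsize>\d+)-byte region")
ALLOCATOR_FUNCS = {"malloc", "calloc", "realloc"}  # hypothetical set of runtime frames to skip

def parse_asan_report(text):
    """Extract the fields a triager needs: error kind, access, region geometry, fault and allocation sites."""
    err, acc, reg = ERROR_RE.search(text), ACCESS_RE.search(text), REGION_RE.search(text)
    if not (err and acc and reg):
        raise ValueError("not a recognised ASan heap-buffer-overflow report")
    # Frames before 'allocated by' belong to the faulting access, frames after it to the allocation.
    head, _, alloc = text.partition("allocated by")
    access_frames = [(m.group("func"), m.group("loc")) for m in FRAME_RE.finditer(head)]
    alloc_frames = [(m.group("func"), m.group("loc")) for m in FRAME_RE.finditer(alloc)]
    # The first allocation frame outside the allocator itself is where the program asked for the buffer.
    alloc_site = next((f for f in alloc_frames if f[0] not in ALLOCATOR_FUNCS), None)
    return {
        "kind": err.group("kind"), "op": acc.group("op"), "size": int(acc.group("size")),
        "side": reg.group("side"), "overflow_bytes": int(reg.group("off")),
        "region_size": int(reg.group("rsize")),
        "fault_frame": access_frames[0] if access_frames else None,
        "alloc_site": alloc_site,
    }

def classify(info):
    """Label the bug class; a 1-byte read starting exactly at the region end is an off-by-one read."""
    if info["kind"] != "heap-buffer-overflow":
        return "other"
    if info["side"] == "right" and info["overflow_bytes"] == 0 and info["size"] == 1:
        return "off-by-one-" + info["op"].lower()
    return "out-of-bounds-" + info["op"].lower()
```

The fault frame tells you which source line to audit, and the allocation site tells you which buffer's size computation to compare it against.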

urban-warrior commented Nov 21, 2017

Unfortunately we cannot reproduce the problem. With the latest ImageMagick release from the master branch, we get:

$ convert Magick_png_read_raw_profile-heap-overflow /dev/null
convert: gAMA: gamma value out of range `Magick_png_read_raw_profile-heap-overflow' @ warning/png.c/MagickPNGWarningHandler/1744.
convert: zTXt: invalid distance too far back `Magick_png_read_raw_profile-heap-overflow' @ warning/png.c/MagickPNGWarningHandler/1744.
henices commented Nov 21, 2017

I got the same output on Fedora 26, but on Ubuntu it crashes. On Ubuntu 14.04 the convert command uses libpng12; on Fedora the convert command uses libpng16. What's your Linux distribution?

@henices henices closed this Nov 21, 2017

henices commented Nov 22, 2017

I found the root cause: when I use libpng16 on Ubuntu, this crash goes away.
Using libpng12 on Ubuntu, we get an ASan heap-buffer-overflow report.

@henices henices reopened this Nov 22, 2017

urban-warrior pushed a commit that referenced this issue Nov 22, 2017

Cristy

urban-warrior commented Nov 22, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@henices henices closed this Nov 23, 2017

@dlemstra dlemstra added the bug label Nov 23, 2017

nohmask commented Dec 11, 2017

This was assigned CVE-2017-17504.
