Closed
Description
$ convert -version
Version: ImageMagick 7.0.7-12 Q16 x86_64 2017-11-21 http://www.imagemagick.org
Copyright: © 1999-2017 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib fontconfig freetype jng jpeg pangocairo png x xml zlib
commit: 6645a12 compile at ubuntu 14.04 x86_64
Trigger Command: convert Magick_png_read_raw_profile-heap-overflow /dev/null
==25042== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60060001dd58 at pc 0x7f27e3c6f8a7 bp 0x7fff78c5f4c0 sp 0x7fff78c5f4b8
READ of size 1 at 0x60060001dd58 thread T0
#0 0x7f27e3c6f8a6 in Magick_png_read_raw_profile /home/henices/ImageMagick/coders/png.c:1804
#1 0x7f27e3c7982f in ReadOnePNGImage /home/henices/ImageMagick/coders/png.c:3855
#2 0x7f27e3c7ac76 in ReadPNGImage /home/henices/ImageMagick/coders/png.c:4236
#3 0x7f27e361f721 in ReadImage /home/henices/ImageMagick/MagickCore/constitute.c:497
#4 0x7f27e3621d87 in ReadImages /home/henices/ImageMagick/MagickCore/constitute.c:866
#5 0x7f27e2e3b79b in ConvertImageCommand /home/henices/ImageMagick/MagickWand/convert.c:641
#6 0x7f27e2fdea10 in MagickCommandGenesis /home/henices/ImageMagick/MagickWand/mogrify.c:183
#7 0x40164c in MagickMain /home/henices/ImageMagick/utilities/magick.c:149
#8 0x4017e1 in main /home/henices/ImageMagick/utilities/magick.c:180
#9 0x7f27e2761f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
#10 0x401198 in _start (/usr/local/bin/magick+0x401198)
0x60060001dd58 is located 0 bytes to the right of 24-byte region [0x60060001dd40,0x60060001dd58)
allocated by thread T0 here:
#0 0x7f27e42ba41a in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1541a)
#1 0x7f27e3800279 in AcquireMagickMemory /home/henices/ImageMagick/MagickCore/memory.c:464
#2 0x7f27e3c6f389 in Magick_png_malloc /home/henices/ImageMagick/coders/png.c:1756
#3 0x7f27e1ec5fff in png_malloc (/lib/x86_64-linux-gnu/libpng12.so.0+0x1afff)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/henices/ImageMagick/coders/png.c:1804 Magick_png_read_raw_profile
Shadow bytes around the buggy address:
0x0c013fffbb50: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x0c013fffbb60: 00 00 00 02 fa fa 00 00 03 fa fa fa 00 00 00 00
0x0c013fffbb70: fa fa 00 00 04 fa fa fa 00 00 00 00 fa fa 00 00
0x0c013fffbb80: 03 fa fa fa 00 00 00 00 fa fa 00 00 06 fa fa fa
0x0c013fffbb90: 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00 00 00
=>0x0c013fffbba0: fa fa 00 00 00 01 fa fa 00 00 00[fa]fa fa fd fd
0x0c013fffbbb0: fd fd fa fa fd fd fd fa fa fa 00 00 00 00 fa fa
0x0c013fffbbc0: 00 00 06 fa fa fa 00 00 00 00 fa fa 00 00 06 fa
0x0c013fffbbd0: fa fa 00 00 00 00 fa fa 00 00 05 fa fa fa 00 00
0x0c013fffbbe0: 00 00 fa fa 00 00 04 fa fa fa 00 00 00 00 fa fa
0x0c013fffbbf0: 00 00 00 07 fa fa 00 00 00 03 fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==25042== ABORTING
testcase:
https://github.com/henices/pocs/raw/master/Magick_png_read_raw_profile-heap-overflow
Credit: NSFocus Security Team <security (at) nsfocus (dot) com>