Skip to content

heap-buffer-overflow in Magick_png_read_raw_profile #872

Closed
@henices

Description

@henices

$ convert -version
Version: ImageMagick 7.0.7-12 Q16 x86_64 2017-11-21 http://www.imagemagick.org
Copyright: © 1999-2017 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib fontconfig freetype jng jpeg pangocairo png x xml zlib

commit: 6645a12 compile at ubuntu 14.04 x86_64

Trigger Command: convert Magick_png_read_raw_profile-heap-overflow /dev/null

==25042== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60060001dd58 at pc 0x7f27e3c6f8a7 bp 0x7fff78c5f4c0 sp 0x7fff78c5f4b8
READ of size 1 at 0x60060001dd58 thread T0
    #0 0x7f27e3c6f8a6 in Magick_png_read_raw_profile /home/henices/ImageMagick/coders/png.c:1804
    #1 0x7f27e3c7982f in ReadOnePNGImage /home/henices/ImageMagick/coders/png.c:3855
    #2 0x7f27e3c7ac76 in ReadPNGImage /home/henices/ImageMagick/coders/png.c:4236
    #3 0x7f27e361f721 in ReadImage /home/henices/ImageMagick/MagickCore/constitute.c:497
    #4 0x7f27e3621d87 in ReadImages /home/henices/ImageMagick/MagickCore/constitute.c:866
    #5 0x7f27e2e3b79b in ConvertImageCommand /home/henices/ImageMagick/MagickWand/convert.c:641
    #6 0x7f27e2fdea10 in MagickCommandGenesis /home/henices/ImageMagick/MagickWand/mogrify.c:183
    #7 0x40164c in MagickMain /home/henices/ImageMagick/utilities/magick.c:149
    #8 0x4017e1 in main /home/henices/ImageMagick/utilities/magick.c:180
    #9 0x7f27e2761f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
    #10 0x401198 in _start (/usr/local/bin/magick+0x401198)
0x60060001dd58 is located 0 bytes to the right of 24-byte region [0x60060001dd40,0x60060001dd58)
allocated by thread T0 here:
    #0 0x7f27e42ba41a in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1541a)
    #1 0x7f27e3800279 in AcquireMagickMemory /home/henices/ImageMagick/MagickCore/memory.c:464
    #2 0x7f27e3c6f389 in Magick_png_malloc /home/henices/ImageMagick/coders/png.c:1756
    #3 0x7f27e1ec5fff in png_malloc (/lib/x86_64-linux-gnu/libpng12.so.0+0x1afff)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/henices/ImageMagick/coders/png.c:1804 Magick_png_read_raw_profile
Shadow bytes around the buggy address:
  0x0c013fffbb50: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c013fffbb60: 00 00 00 02 fa fa 00 00 03 fa fa fa 00 00 00 00
  0x0c013fffbb70: fa fa 00 00 04 fa fa fa 00 00 00 00 fa fa 00 00
  0x0c013fffbb80: 03 fa fa fa 00 00 00 00 fa fa 00 00 06 fa fa fa
  0x0c013fffbb90: 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00 00 00
=>0x0c013fffbba0: fa fa 00 00 00 01 fa fa 00 00 00[fa]fa fa fd fd
  0x0c013fffbbb0: fd fd fa fa fd fd fd fa fa fa 00 00 00 00 fa fa
  0x0c013fffbbc0: 00 00 06 fa fa fa 00 00 00 00 fa fa 00 00 06 fa
  0x0c013fffbbd0: fa fa 00 00 00 00 fa fa 00 00 05 fa fa fa 00 00
  0x0c013fffbbe0: 00 00 fa fa 00 00 04 fa fa fa 00 00 00 00 fa fa
  0x0c013fffbbf0: 00 00 00 07 fa fa 00 00 00 03 fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==25042== ABORTING

testcase:
https://github.com/henices/pocs/raw/master/Magick_png_read_raw_profile-heap-overflow

Credit: NSFocus Security Team <security (at) nsfocus (dot) com>

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions