heap-buffer-overflow in ReadOneMNGImage #906

Closed
henices opened this Issue Dec 21, 2017 · 2 comments

henices commented Dec 21, 2017

/usr/local/bin/magick -version
Version: ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21 http://www.imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib cairo djvu fftw fontconfig freetype gvc jbig jng jpeg lcms lqr lzma pangocairo png rsvg tiff webp wmf x xml zlib

Trigger Command: magick convert heap-buffer-overflow-ReadOneMNGImage /dev/null

=================================================================
==2281==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000789a at pc 0x7ff33d424550 bp 0x7ffd1a613bf0 sp 0x7ffd1a613be0
READ of size 1 at 0x60200000789a thread T0
    #0 0x7ff33d42454f in ReadOneMNGImage coders/png.c:5885
    #1 0x7ff33d43193b in ReadMNGImage coders/png.c:7694
    #2 0x7ff33cdad58a in ReadImage MagickCore/constitute.c:497
    #3 0x7ff33cdb0453 in ReadImages MagickCore/constitute.c:866
    #4 0x7ff33c5639bf in ConvertImageCommand MagickWand/convert.c:641
    #5 0x7ff33c6de25c in MagickCommandGenesis MagickWand/mogrify.c:183
    #6 0x401b16 in MagickMain utilities/magick.c:149
    #7 0x401d80 in main utilities/magick.c:180
    #8 0x7ff3362c8009 in __libc_start_main (/lib64/libc.so.6+0x21009)
    #9 0x4015d9 in _start (/usr/local/bin/magick+0x4015d9)

0x60200000789a is located 0 bytes to the right of 10-byte region [0x602000007890,0x60200000789a)
allocated by thread T0 here:
    #0 0x7ff33dba8850 in malloc (/lib64/libasan.so.4+0xde850)
    #1 0x7ff33cf809dc in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x7ff33cf80a30 in AcquireQuantumMemory MagickCore/memory.c:537
    #3 0x7ff33d4211c0 in ReadOneMNGImage coders/png.c:5421
    #4 0x7ff33d43193b in ReadMNGImage coders/png.c:7694
    #5 0x7ff33cdad58a in ReadImage MagickCore/constitute.c:497
    #6 0x7ff33cdb0453 in ReadImages MagickCore/constitute.c:866
    #7 0x7ff33c5639bf in ConvertImageCommand MagickWand/convert.c:641
    #8 0x7ff33c6de25c in MagickCommandGenesis MagickWand/mogrify.c:183
    #9 0x401b16 in MagickMain utilities/magick.c:149
    #10 0x401d80 in main utilities/magick.c:180
    #11 0x7ff3362c8009 in __libc_start_main (/lib64/libc.so.6+0x21009)

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/png.c:5885 in ReadOneMNGImage
Shadow bytes around the buggy address:
  0x0c047fff8ec0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8ed0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8ee0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8ef0: fa fa fd fd fa fa 00 00 fa fa fd fd fa fa 00 01
  0x0c047fff8f00: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c047fff8f10: fa fa 00[02]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2281==ABORTING

testcase: https://github.com/henices/pocs/raw/master/heap-buffer-overflow-ReadOneMNGImage

Credit: zz of NSFocus Security Team <security (at) nsfocus (dot) com>

urban-warrior pushed a commit that referenced this issue Dec 21, 2017

Cristy


urban-warrior commented Dec 21, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@dlemstra dlemstra added the bug label Dec 21, 2017

@dlemstra dlemstra closed this Dec 21, 2017


nohmask commented Dec 25, 2017

This was assigned CVE-2017-17879.
