Closed
Description
/usr/local/bin/magick -version
Version: ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21 http://www.imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib cairo djvu fftw fontconfig freetype gvc jbig jng jpeg lcms lqr lzma pangocairo png rsvg tiff webp wmf x xml zlib
Trigger Command: magick convert heap-buffer-overflow-ReadOneMNGImage /dev/null
=================================================================
==2281==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000789a at pc 0x7ff33d424550 bp 0x7ffd1a613bf0 sp 0x7ffd1a613be0
READ of size 1 at 0x60200000789a thread T0
#0 0x7ff33d42454f in ReadOneMNGImage coders/png.c:5885
#1 0x7ff33d43193b in ReadMNGImage coders/png.c:7694
#2 0x7ff33cdad58a in ReadImage MagickCore/constitute.c:497
#3 0x7ff33cdb0453 in ReadImages MagickCore/constitute.c:866
#4 0x7ff33c5639bf in ConvertImageCommand MagickWand/convert.c:641
#5 0x7ff33c6de25c in MagickCommandGenesis MagickWand/mogrify.c:183
#6 0x401b16 in MagickMain utilities/magick.c:149
#7 0x401d80 in main utilities/magick.c:180
#8 0x7ff3362c8009 in __libc_start_main (/lib64/libc.so.6+0x21009)
#9 0x4015d9 in _start (/usr/local/bin/magick+0x4015d9)
0x60200000789a is located 0 bytes to the right of 10-byte region [0x602000007890,0x60200000789a)
allocated by thread T0 here:
#0 0x7ff33dba8850 in malloc (/lib64/libasan.so.4+0xde850)
#1 0x7ff33cf809dc in AcquireMagickMemory MagickCore/memory.c:464
#2 0x7ff33cf80a30 in AcquireQuantumMemory MagickCore/memory.c:537
#3 0x7ff33d4211c0 in ReadOneMNGImage coders/png.c:5421
#4 0x7ff33d43193b in ReadMNGImage coders/png.c:7694
#5 0x7ff33cdad58a in ReadImage MagickCore/constitute.c:497
#6 0x7ff33cdb0453 in ReadImages MagickCore/constitute.c:866
#7 0x7ff33c5639bf in ConvertImageCommand MagickWand/convert.c:641
#8 0x7ff33c6de25c in MagickCommandGenesis MagickWand/mogrify.c:183
#9 0x401b16 in MagickMain utilities/magick.c:149
#10 0x401d80 in main utilities/magick.c:180
#11 0x7ff3362c8009 in __libc_start_main (/lib64/libc.so.6+0x21009)
SUMMARY: AddressSanitizer: heap-buffer-overflow coders/png.c:5885 in ReadOneMNGImage
==2281==ABORTING
testcase: https://github.com/henices/pocs/raw/master/heap-buffer-overflow-ReadOneMNGImage
Credit: zz of NSFocus Security Team <security (at) nsfocus (dot) com>