stack-buffer-overflow in SetImageProgress #907

Closed
henices opened this Issue Dec 21, 2017 · 2 comments

henices commented Dec 21, 2017

/usr/local/bin/magick -version
Version: ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21 http://www.imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib cairo djvu fftw fontconfig freetype gvc jbig jng jpeg lcms lqr lzma pangocairo png rsvg tiff webp wmf x xml zlib

Trigger Command: magick convert stack-buffer-overflow-0 /dev/null

=================================================================
==32293==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffde8684f48 at pc 0x7f9afe1f585e bp 0x7ffde8681020 sp 0x7ffde8681010
READ of size 8 at 0x7ffde8684f48 thread T0
    #0 0x7f9afe1f585d in SetImageProgress MagickCore/monitor-private.h:33
    #1 0x7f9afe1f80f3 in WebPEncodeProgress coders/webp.c:558
    #2 0x7f9afb157973  (/lib64/libwebp.so.7+0x4f973)
    #3 0x7f9afb13b487  (/lib64/libwebp.so.7+0x33487)
    #4 0x7f9afb159b66  (/lib64/libwebp.so.7+0x51b66)
    #5 0x7f9afb13bd7b  (/lib64/libwebp.so.7+0x33d7b)
    #6 0x7f9afb157e36 in WebPEncode (/lib64/libwebp.so.7+0x4fe36)
    #7 0x7f9afe1f9cbe in WriteWEBPImage coders/webp.c:769
    #8 0x7f9afdb334cc in WriteImage MagickCore/constitute.c:1114
    #9 0x7f9afdb34209 in WriteImages MagickCore/constitute.c:1333
    #10 0x7f9afd35bd6f in ConvertImageCommand MagickWand/convert.c:3280
    #11 0x7f9afd46025c in MagickCommandGenesis MagickWand/mogrify.c:183
    #12 0x401b16 in MagickMain utilities/magick.c:149
    #13 0x401d80 in main utilities/magick.c:180
    #14 0x7f9af704a009 in __libc_start_main (/lib64/libc.so.6+0x21009)
    #15 0x4015d9 in _start (/usr/local/bin/magick+0x4015d9)

Address 0x7ffde8684f48 is located in stack of thread T0 at offset 40 in frame
    #0 0x7f9afdb3298e in WriteImage MagickCore/constitute.c:975

  This frame has 4 object(s):
    [32, 40) 'lsb_first' <== Memory access at offset 40 overflows this variable
    [96, 4192) 'filename'
    [4224, 8320) 'image_filename'
    [8352, 12448) 'extension'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow MagickCore/monitor-private.h:33 in SetImageProgress
Shadow bytes around the buggy address:
  0x10003d0c8990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003d0c89a0: 00 00 00 04 f2 f2 f2 f2 00 00 00 00 00 00 00 00
  0x10003d0c89b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003d0c89c0: 00 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00
  0x10003d0c89d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10003d0c89e0: 00 00 00 00 f1 f1 f1 f1 00[f2]f2 f2 f2 f2 f2 f2
  0x10003d0c89f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003d0c8a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003d0c8a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003d0c8a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003d0c8a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32293==ABORTING

testcase: https://github.com/henices/pocs/raw/master/stack-buffer-overflow-0

Credit: zz of NSFocus Security Team <security (at) nsfocus (dot) com>
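Triaging a report like the one above usually starts with the same handful of facts: the error class, the kind and size of the access, the function that faulted, the frame whose stack slot was hit, which stack object ASan blames, and whether the bad access happened below a library boundary (here, frames #2 to #6 are inside libwebp while the stack object belongs to WriteImage at frame #8). The following parser is an added example, not code from the issue or from ImageMagick; it is run over the ASan text copied from the report above (shadow-byte dump omitted), and the regular expressions are this example's own reading of ASan's report layout rather than an official grammar.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# AddressSanitizer output copied from the issue report (shadow-byte dump omitted).
ASAN_REPORT = """\
==32293==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffde8684f48 at pc 0x7f9afe1f585e bp 0x7ffde8681020 sp 0x7ffde8681010
READ of size 8 at 0x7ffde8684f48 thread T0
    #0 0x7f9afe1f585d in SetImageProgress MagickCore/monitor-private.h:33
    #1 0x7f9afe1f80f3 in WebPEncodeProgress coders/webp.c:558
    #2 0x7f9afb157973  (/lib64/libwebp.so.7+0x4f973)
    #3 0x7f9afb13b487  (/lib64/libwebp.so.7+0x33487)
    #4 0x7f9afb159b66  (/lib64/libwebp.so.7+0x51b66)
    #5 0x7f9afb13bd7b  (/lib64/libwebp.so.7+0x33d7b)
    #6 0x7f9afb157e36 in WebPEncode (/lib64/libwebp.so.7+0x4fe36)
    #7 0x7f9afe1f9cbe in WriteWEBPImage coders/webp.c:769
    #8 0x7f9afdb334cc in WriteImage MagickCore/constitute.c:1114
    #9 0x7f9afdb34209 in WriteImages MagickCore/constitute.c:1333
    #10 0x7f9afd35bd6f in ConvertImageCommand MagickWand/convert.c:3280
    #11 0x7f9afd46025c in MagickCommandGenesis MagickWand/mogrify.c:183
    #12 0x401b16 in MagickMain utilities/magick.c:149
    #13 0x401d80 in main utilities/magick.c:180
    #14 0x7f9af704a009 in __libc_start_main (/lib64/libc.so.6+0x21009)
    #15 0x4015d9 in _start (/usr/local/bin/magick+0x4015d9)

Address 0x7ffde8684f48 is located in stack of thread T0 at offset 40 in frame
    #0 0x7f9afdb3298e in WriteImage MagickCore/constitute.c:975

  This frame has 4 object(s):
    [32, 40) 'lsb_first' <== Memory access at offset 40 overflows this variable
    [96, 4192) 'filename'
    [4224, 8320) 'image_filename'
    [8352, 12448) 'extension'
SUMMARY: AddressSanitizer: stack-buffer-overflow MagickCore/monitor-private.h:33 in SetImageProgress
"""

# Regular expressions are this example's own reading of ASan's text layout (assumption).
ERROR_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+(?:in\s+(\S+)\s+)?(.+?)\s*$")
OWNER_RE = re.compile(r"is located in stack of thread T\d+ at offset (\d+) in frame")
OBJECT_RE = re.compile(r"^\s*\[(\d+), (\d+)\) '([^']+)'(.*)$")


@dataclass
class Frame:
    index: int
    function: Optional[str]  # None when ASan could not symbolize the frame
    location: str            # "file.c:line", or "(module+offset)" without debug info

    def in_shared_object(self) -> bool:
        return self.location.startswith("(") and ".so" in self.location


@dataclass
class AsanReport:
    pid: int = 0
    error: str = ""
    access: str = ""
    size: int = 0
    stack: List[Frame] = field(default_factory=list)  # stack at the bad access
    owner: Optional[Frame] = None                     # frame whose stack slot was hit
    access_offset: int = 0                            # offset of the access in that frame
    objects: List[Tuple[int, int, str]] = field(default_factory=list)
    overflowed: Optional[str] = None                  # stack object ASan blames


def parse_asan_report(text: str) -> AsanReport:
    rep = AsanReport()
    in_access_stack = True  # frames after "is located in stack ... in frame" describe the owner
    for line in text.splitlines():
        if m := ERROR_RE.match(line):
            rep.pid, rep.error = int(m.group(1)), m.group(2)
        elif m := ACCESS_RE.match(line):
            rep.access, rep.size = m.group(1), int(m.group(2))
        elif m := OWNER_RE.search(line):
            in_access_stack, rep.access_offset = False, int(m.group(1))
        elif m := FRAME_RE.match(line):
            frame = Frame(int(m.group(1)), m.group(2), m.group(3))
            if in_access_stack:
                rep.stack.append(frame)
            elif rep.owner is None:
                rep.owner = frame
        elif m := OBJECT_RE.match(line):
            start, end, name, note = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
            rep.objects.append((start, end, name))
            if "overflows this variable" in note:
                rep.overflowed = name
    return rep


def triage(rep: AsanReport) -> Dict[str, object]:
    """What a triager reads first: the faulting function, the frame owning the
    stack slot, the blamed object, and any shared-library frames between them."""
    fault = rep.stack[0]
    owner_depth = next((f.index for f in rep.stack
                        if rep.owner and f.function == rep.owner.function), None)
    library_between = [f.index for f in rep.stack if owner_depth is not None
                       and f.index < owner_depth and f.in_shared_object()]
    obj_end = next((end for _, end, name in rep.objects if name == rep.overflowed), None)
    return {
        "error": rep.error,
        "access": f"{rep.access} of {rep.size} bytes",
        "faulting_function": fault.function,
        "faulting_location": fault.location,
        "owning_frame": rep.owner.function if rep.owner else None,
        "owning_frame_depth": owner_depth,
        "overflowed_object": rep.overflowed,
        "offset_past_object_end": None if obj_end is None else rep.access_offset - obj_end,
        "library_frames_between": library_between,
    }


if __name__ == "__main__":
    for key, value in triage(parse_asan_report(ASAN_REPORT)).items():
        print(f"{key}: {value}")
```

For this report the summary says the 8-byte read in SetImageProgress starts exactly at the end of WriteImage's lsb_first slot (offset past the object's end is 0) and that five libwebp frames sit between the faulting frame and the owning one, which is the detail to carry into the fix and into any regression test for the WEBP encoder path.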

urban-warrior pushed a commit (author: Cristy) that referenced this issue Dec 21, 2017

urban-warrior pushed a commit (author: Cristy) that referenced this issue Dec 21, 2017
urban-warrior commented Dec 21, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@dlemstra dlemstra added the bug label Dec 21, 2017

@dlemstra dlemstra closed this Dec 21, 2017

nohmask commented Dec 25, 2017

This was assigned CVE-2017-17880.

netbsd-srcmastr pushed a commit (author: he) to NetBSD/pkgsrc that referenced this issue Jan 8, 2018

Updated ImageMagick to 7.0.7.21.
2018-01-06  7.0.7-21 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.0-21, GIT revision 22168:a91afc45b:20180106.

2018-01-06  7.0.7-21 Dirk Lemstra <dirk@lem.....org>
  * Fix some enum values in the OpenCL code.

2018-01-06  7.0.7-20 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-20, GIT revision 22161:33a04d3e5:20180105.

2018-01-05  7.0.7-20 Cristy  <quetzlzacatenango@image...>
  * Fixed numerous memory leaks (reference
    https://github.com/ImageMagick/ImageMagick/issues).

2018-01-01  7.0.7-19 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-19, GIT revision 22133:977fe08bf:20180101.

2017-12-29  7.0.7-19 Cristy  <quetzlzacatenango@image...>
  * Check for webpmux library version 0.4.4 (reference
    ImageMagick/ImageMagick#896).

2017-12-26  7.0.7-18 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-18, GIT revision 22096:ad4bdeb40:20171228.

2017-12-28  7.0.7-18 Cristy  <quetzlzacatenango@image...>
  * Fix error reading from pipe under Windows (reference
    https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=33288).

2017-12-26  7.0.7-17 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-17, GIT revision 22093:9caea323b:20171227.

2017-12-26  7.0.7-17 Cristy  <quetzlzacatenango@image...>
  * Fix heap use after free error (reference
    ImageMagick/ImageMagick#918).

2017-12-24  7.0.7-16 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-16, GIT revision 22038:e55dc7626:20171225.

2017-12-18  7.0.7-16 Cristy  <quetzlzacatenango@image...>
  * Fix error reading multi-layer XCF image file.
  * Fix possible stack overflow in WEBP reader (reference
    ImageMagick/ImageMagick#907)
  * Fixed numerous memory leaks (reference
    https://github.com/ImageMagick/ImageMagick/issues).

2017-12-16  7.0.7-15 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-15, GIT revision 21924:30cb31746:20171216.

2017-12-08  7.0.7-15 Cristy  <quetzlzacatenango@image...>
  * Overall standard deviation is the average of each pixel channel (reference
    https://www.imagemagick.org/discourse-server/viewforum.php?f=3).
  * Update to the latest ImageMagick documentation.

2017-12-05  7.0.7-14 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-14, GIT revision 21855:dc73b2aba:20171205.

2017-11-30  7.0.7-14 Cristy  <quetzlzacatenango@image...>
  * Support Stereo composite operator.
  * Fix build failure with --without-modules (reference
    ImageMagick/ImageMagick#890).

2017-11-30  7.0.7-13 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-13, GIT revision 21823:72cb0fd0c:20171130.

2017-11-30  7.0.7-13 Cristy  <quetzlzacatenango@image...>
  * Fix build failure with libraw 0.14.8 (reference
    ImageMagick/ImageMagick#888).

2017-11-29  7.0.7-12 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-12, GIT revision 21814:5ef2c5a67:20171129.

2017-11-12  7.0.7-12 Cristy  <quetzlzacatenango@image...>
  * The -tint option no longer munges the alpha channel (reference
    http://www.imagemagick.org/discourse-server/viewtopic.php?f=1&t=33070).
  * Don't delete in-memory blob when reading an image (reference
    ImageMagick/ImageMagick#886).
  * Support HDRI color profile management.