Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-buffer-overflow in sixel_decode #927

Closed
littleputa opened this issue Jan 4, 2018 · 4 comments
Closed

heap-buffer-overflow in sixel_decode #927

littleputa opened this issue Jan 4, 2018 · 4 comments
Labels

Comments

@littleputa
Copy link

ubuntu@ubuntu:~/fuzz_py$ magick -version
Version: ImageMagick 7.0.7-17 Q16 x86_64 2017-12-26 http://www.imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): fontconfig freetype png x zlib

poc.zip

ubuntu@ubuntu:~/fuzz_py$ magick montage poc.sixel /dev/null

==108451==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000007500 at pc 0x7fcb10a33585 bp 0x7ffde25a2fd0 sp 0x7ffde25a2fc8
READ of size 1 at 0x621000007500 thread T0
#0 0x7fcb10a33584 in sixel_decode /home/ubuntu/ImageMagick/coders/sixel.c:289:12
#1 0x7fcb10a3455e in ReadSIXELImage /home/ubuntu/ImageMagick/coders/sixel.c:1027:7
#2 0x7fcb103a9af1 in ReadImage /home/ubuntu/ImageMagick/MagickCore/constitute.c:497:13
#3 0x7fcb103ac2f4 in ReadImages /home/ubuntu/ImageMagick/MagickCore/constitute.c:866:9
#4 0x7fcb0fcbe3c7 in MontageImageCommand /home/ubuntu/ImageMagick/MagickWand/montage.c:410:20
#5 0x7fcb0fc452d2 in MagickCommandGenesis /home/ubuntu/ImageMagick/MagickWand/mogrify.c:183:14
#6 0x4e4ce7 in MagickMain /home/ubuntu/ImageMagick/utilities/magick.c:149:10
#7 0x4e4ce7 in main /home/ubuntu/ImageMagick/utilities/magick.c:180
#8 0x7fcb0d7c5f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
#9 0x41a10b in _start (/usr/local/bin/magick+0x41a10b)

0x621000007500 is located 0 bytes to the right of 4096-byte region [0x621000006500,0x621000007500)
allocated by thread T0 here:
#0 0x4b9ad3 in malloc (/usr/local/bin/magick+0x4b9ad3)
#1 0x7fcb10a3429d in ReadSIXELImage /home/ubuntu/ImageMagick/coders/sixel.c:1002:25
#2 0x7fcb103a9af1 in ReadImage /home/ubuntu/ImageMagick/MagickCore/constitute.c:497:13
#3 0x7fcb103ac2f4 in ReadImages /home/ubuntu/ImageMagick/MagickCore/constitute.c:866:9
#4 0x7fcb0fcbe3c7 in MontageImageCommand /home/ubuntu/ImageMagick/MagickWand/montage.c:410:20
#5 0x7fcb0fc452d2 in MagickCommandGenesis /home/ubuntu/ImageMagick/MagickWand/mogrify.c:183:14
#6 0x4e4ce7 in MagickMain /home/ubuntu/ImageMagick/utilities/magick.c:149:10
#7 0x4e4ce7 in main /home/ubuntu/ImageMagick/utilities/magick.c:180
#8 0x7fcb0d7c5f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/ImageMagick/coders/sixel.c:289:12 in sixel_decode
Shadow bytes around the buggy address:
0x0c427fff8e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff8ea0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==108451==ABORTING

@littleputa littleputa reopened this Jan 4, 2018
@dlemstra
Copy link
Member

dlemstra commented Jan 4, 2018

@littleputa Could you put the trace in a code block next time so you don't reference all those issues?

@urban-warrior
Copy link
Contributor

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@littleputa
Copy link
Author

credit: nsfocus security team.

@littleputa
Copy link
Author

CVE-2018-5248

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Development

No branches or pull requests

3 participants