Description
ubuntu@ubuntu:~/fuzz_py$ magick -version
Version: ImageMagick 7.0.7-17 Q16 x86_64 2017-12-26 http://www.imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): fontconfig freetype png x zlib
ubuntu@ubuntu:~/fuzz_py$ magick montage poc.sixel /dev/null
==108451==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000007500 at pc 0x7fcb10a33585 bp 0x7ffde25a2fd0 sp 0x7ffde25a2fc8
READ of size 1 at 0x621000007500 thread T0
#0 0x7fcb10a33584 in sixel_decode /home/ubuntu/ImageMagick/coders/sixel.c:289:12
#1 0x7fcb10a3455e in ReadSIXELImage /home/ubuntu/ImageMagick/coders/sixel.c:1027:7
#2 0x7fcb103a9af1 in ReadImage /home/ubuntu/ImageMagick/MagickCore/constitute.c:497:13
#3 0x7fcb103ac2f4 in ReadImages /home/ubuntu/ImageMagick/MagickCore/constitute.c:866:9
#4 0x7fcb0fcbe3c7 in MontageImageCommand /home/ubuntu/ImageMagick/MagickWand/montage.c:410:20
#5 0x7fcb0fc452d2 in MagickCommandGenesis /home/ubuntu/ImageMagick/MagickWand/mogrify.c:183:14
#6 0x4e4ce7 in MagickMain /home/ubuntu/ImageMagick/utilities/magick.c:149:10
#7 0x4e4ce7 in main /home/ubuntu/ImageMagick/utilities/magick.c:180
#8 0x7fcb0d7c5f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
#9 0x41a10b in _start (/usr/local/bin/magick+0x41a10b)
0x621000007500 is located 0 bytes to the right of 4096-byte region [0x621000006500,0x621000007500)
allocated by thread T0 here:
#0 0x4b9ad3 in malloc (/usr/local/bin/magick+0x4b9ad3)
#1 0x7fcb10a3429d in ReadSIXELImage /home/ubuntu/ImageMagick/coders/sixel.c:1002:25
#2 0x7fcb103a9af1 in ReadImage /home/ubuntu/ImageMagick/MagickCore/constitute.c:497:13
#3 0x7fcb103ac2f4 in ReadImages /home/ubuntu/ImageMagick/MagickCore/constitute.c:866:9
#4 0x7fcb0fcbe3c7 in MontageImageCommand /home/ubuntu/ImageMagick/MagickWand/montage.c:410:20
#5 0x7fcb0fc452d2 in MagickCommandGenesis /home/ubuntu/ImageMagick/MagickWand/mogrify.c:183:14
#6 0x4e4ce7 in MagickMain /home/ubuntu/ImageMagick/utilities/magick.c:149:10
#7 0x4e4ce7 in main /home/ubuntu/ImageMagick/utilities/magick.c:180
#8 0x7fcb0d7c5f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/ImageMagick/coders/sixel.c:289:12 in sixel_decode
Shadow bytes around the buggy address:
0x0c427fff8e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff8ea0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==108451==ABORTING