magick: InvalidColormapIndex `buffer-overflow-SetGrayscaleImage' @ warning/image.c/SyncImage/3767.
=================================================================
==6554==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000083b8 at pc 0x7f12cab0b2a7 bp 0x7fffab5f2640 sp 0x7fffab5f2638
READ of size 8 at 0x6020000083b8 thread T0
#0 0x7f12cab0b2a6 in SetGrayscaleImage /home/henices/tests/ImageMagick/MagickCore/quantize.c:3444:37
#1 0x7f12cab066e6 in QuantizeImage /home/henices/tests/ImageMagick/MagickCore/quantize.c:2668:16
#2 0x7f12ca7688cc in SetImageType /home/henices/tests/ImageMagick/MagickCore/attribute.c:1264:14
#3 0x7f12cafeb829 in WriteSUNImage /home/henices/tests/ImageMagick/coders/sun.c:950:18
#4 0x7f12ca815f30 in WriteImage /home/henices/tests/ImageMagick/MagickCore/constitute.c:1117:14
#5 0x7f12ca816eab in WriteImages /home/henices/tests/ImageMagick/MagickCore/constitute.c:1336:13
#6 0x7f12ca158de8 in CLINoImageOperator /home/henices/tests/ImageMagick/MagickWand/operation.c:4798:14
#7 0x7f12ca15caa5 in CLIOption /home/henices/tests/ImageMagick/MagickWand/operation.c:5258:7
#8 0x7f12c9fa58ee in ProcessCommandOptions /home/henices/tests/ImageMagick/MagickWand/magick-cli.c:529:3
#9 0x7f12c9fa6648 in MagickImageCommand /home/henices/tests/ImageMagick/MagickWand/magick-cli.c:796:5
#10 0x7f12c9fec78a in MagickCommandGenesis /home/henices/tests/ImageMagick/MagickWand/mogrify.c:183:14
#11 0x50d6cc in MagickMain /home/henices/tests/ImageMagick/utilities/magick.c:149:10
#12 0x50d0d1 in main /home/henices/tests/ImageMagick/utilities/magick.c:180:10
#13 0x7f12c3ee2009 in __libc_start_main (/lib64/libc.so.6+0x21009)
#14 0x41a2d9 in _start (/usr/local/bin/magick+0x41a2d9)
0x6020000083b8 is located 0 bytes to the right of 8-byte region [0x6020000083b0,0x6020000083b8)
allocated by thread T0 here:
#0 0x4d6880 in __interceptor_malloc (/usr/local/bin/magick+0x4d6880)
#1 0x7f12caa4fa56 in AcquireMagickMemory /home/henices/tests/ImageMagick/MagickCore/memory.c:468:10
#2 0x7f12caa4fabf in AcquireQuantumMemory /home/henices/tests/ImageMagick/MagickCore/memory.c:541:10
#3 0x7f12cab0a22e in SetGrayscaleImage /home/henices/tests/ImageMagick/MagickCore/quantize.c:3322:32
#4 0x7f12cab066e6 in QuantizeImage /home/henices/tests/ImageMagick/MagickCore/quantize.c:2668:16
#5 0x7f12ca7688cc in SetImageType /home/henices/tests/ImageMagick/MagickCore/attribute.c:1264:14
#6 0x7f12cafeb829 in WriteSUNImage /home/henices/tests/ImageMagick/coders/sun.c:950:18
#7 0x7f12ca815f30 in WriteImage /home/henices/tests/ImageMagick/MagickCore/constitute.c:1117:14
#8 0x7f12ca816eab in WriteImages /home/henices/tests/ImageMagick/MagickCore/constitute.c:1336:13
#9 0x7f12ca158de8 in CLINoImageOperator /home/henices/tests/ImageMagick/MagickWand/operation.c:4798:14
#10 0x7f12ca15caa5 in CLIOption /home/henices/tests/ImageMagick/MagickWand/operation.c:5258:7
#11 0x7f12c9fa58ee in ProcessCommandOptions /home/henices/tests/ImageMagick/MagickWand/magick-cli.c:529:3
#12 0x7f12c9fa6648 in MagickImageCommand /home/henices/tests/ImageMagick/MagickWand/magick-cli.c:796:5
#13 0x7f12c9fec78a in MagickCommandGenesis /home/henices/tests/ImageMagick/MagickWand/mogrify.c:183:14
#14 0x50d6cc in MagickMain /home/henices/tests/ImageMagick/utilities/magick.c:149:10
#15 0x50d0d1 in main /home/henices/tests/ImageMagick/utilities/magick.c:180:10
#16 0x7f12c3ee2009 in __libc_start_main (/lib64/libc.so.6+0x21009)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/henices/tests/ImageMagick/MagickCore/quantize.c:3444:37 in SetGrayscaleImage
==6554==ABORTING
INFO
Version: ImageMagick 7.0.7-23 Q16 x86_64 2018-01-24 http://www.imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI
Delegates (built-in): bzlib djvu fftw fontconfig freetype gvc jbig jng jpeg lcms lqr lzma pangocairo png tiff webp wmf x xml zlib
Trigger Command: magick buffer-overflow-SetGrayscaleImage /dev/null
ASAN OUTPUT: see the AddressSanitizer report above.
Testcase:
https://github.com/henices/pocs/raw/master/buffer-overflow-SetGrayscaleImage
Credit: NSFocus Security Team <security (at) nsfocus (dot) com>