heap-buffer-overflow in SetGrayscaleImage #956

Closed
henices opened this issue Jan 24, 2018 · 2 comments
henices (Contributor) commented Jan 24, 2018

INFO

Version: ImageMagick 7.0.7-23 Q16 x86_64 2018-01-24 http://www.imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI
Delegates (built-in): bzlib djvu fftw fontconfig freetype gvc jbig jng jpeg lcms lqr lzma pangocairo png tiff webp wmf x xml zlib

Trigger Command: magick buffer-overflow-SetGrayscaleImage /dev/null

ASAN OUTPUT

magick: InvalidColormapIndex `buffer-overflow-SetGrayscaleImage' @ warning/image.c/SyncImage/3767.
=================================================================
==6554==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000083b8 at pc 0x7f12cab0b2a7 bp 0x7fffab5f2640 sp 0x7fffab5f2638
READ of size 8 at 0x6020000083b8 thread T0
    #0 0x7f12cab0b2a6 in SetGrayscaleImage /home/henices/tests/ImageMagick/MagickCore/quantize.c:3444:37
    #1 0x7f12cab066e6 in QuantizeImage /home/henices/tests/ImageMagick/MagickCore/quantize.c:2668:16
    #2 0x7f12ca7688cc in SetImageType /home/henices/tests/ImageMagick/MagickCore/attribute.c:1264:14
    #3 0x7f12cafeb829 in WriteSUNImage /home/henices/tests/ImageMagick/coders/sun.c:950:18
    #4 0x7f12ca815f30 in WriteImage /home/henices/tests/ImageMagick/MagickCore/constitute.c:1117:14
    #5 0x7f12ca816eab in WriteImages /home/henices/tests/ImageMagick/MagickCore/constitute.c:1336:13
    #6 0x7f12ca158de8 in CLINoImageOperator /home/henices/tests/ImageMagick/MagickWand/operation.c:4798:14
    #7 0x7f12ca15caa5 in CLIOption /home/henices/tests/ImageMagick/MagickWand/operation.c:5258:7
    #8 0x7f12c9fa58ee in ProcessCommandOptions /home/henices/tests/ImageMagick/MagickWand/magick-cli.c:529:3
    #9 0x7f12c9fa6648 in MagickImageCommand /home/henices/tests/ImageMagick/MagickWand/magick-cli.c:796:5
    #10 0x7f12c9fec78a in MagickCommandGenesis /home/henices/tests/ImageMagick/MagickWand/mogrify.c:183:14
    #11 0x50d6cc in MagickMain /home/henices/tests/ImageMagick/utilities/magick.c:149:10
    #12 0x50d0d1 in main /home/henices/tests/ImageMagick/utilities/magick.c:180:10
    #13 0x7f12c3ee2009 in __libc_start_main (/lib64/libc.so.6+0x21009)
    #14 0x41a2d9 in _start (/usr/local/bin/magick+0x41a2d9)

0x6020000083b8 is located 0 bytes to the right of 8-byte region [0x6020000083b0,0x6020000083b8)
allocated by thread T0 here:
    #0 0x4d6880 in __interceptor_malloc (/usr/local/bin/magick+0x4d6880)
    #1 0x7f12caa4fa56 in AcquireMagickMemory /home/henices/tests/ImageMagick/MagickCore/memory.c:468:10
    #2 0x7f12caa4fabf in AcquireQuantumMemory /home/henices/tests/ImageMagick/MagickCore/memory.c:541:10
    #3 0x7f12cab0a22e in SetGrayscaleImage /home/henices/tests/ImageMagick/MagickCore/quantize.c:3322:32
    #4 0x7f12cab066e6 in QuantizeImage /home/henices/tests/ImageMagick/MagickCore/quantize.c:2668:16
    #5 0x7f12ca7688cc in SetImageType /home/henices/tests/ImageMagick/MagickCore/attribute.c:1264:14
    #6 0x7f12cafeb829 in WriteSUNImage /home/henices/tests/ImageMagick/coders/sun.c:950:18
    #7 0x7f12ca815f30 in WriteImage /home/henices/tests/ImageMagick/MagickCore/constitute.c:1117:14
    #8 0x7f12ca816eab in WriteImages /home/henices/tests/ImageMagick/MagickCore/constitute.c:1336:13
    #9 0x7f12ca158de8 in CLINoImageOperator /home/henices/tests/ImageMagick/MagickWand/operation.c:4798:14
    #10 0x7f12ca15caa5 in CLIOption /home/henices/tests/ImageMagick/MagickWand/operation.c:5258:7
    #11 0x7f12c9fa58ee in ProcessCommandOptions /home/henices/tests/ImageMagick/MagickWand/magick-cli.c:529:3
    #12 0x7f12c9fa6648 in MagickImageCommand /home/henices/tests/ImageMagick/MagickWand/magick-cli.c:796:5
    #13 0x7f12c9fec78a in MagickCommandGenesis /home/henices/tests/ImageMagick/MagickWand/mogrify.c:183:14
    #14 0x50d6cc in MagickMain /home/henices/tests/ImageMagick/utilities/magick.c:149:10
    #15 0x50d0d1 in main /home/henices/tests/ImageMagick/utilities/magick.c:180:10
    #16 0x7f12c3ee2009 in __libc_start_main (/lib64/libc.so.6+0x21009)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/henices/tests/ImageMagick/MagickCore/quantize.c:3444:37 in SetGrayscaleImage
Shadow bytes around the buggy address:
  0x0c047fff9020: fa fa 00 07 fa fa 00 05 fa fa 00 05 fa fa 00 06
  0x0c047fff9030: fa fa 00 05 fa fa 00 04 fa fa 00 06 fa fa 00 00
  0x0c047fff9040: fa fa 00 03 fa fa 00 03 fa fa 00 03 fa fa 00 04
  0x0c047fff9050: fa fa 00 06 fa fa 00 06 fa fa fd fd fa fa 00 07
  0x0c047fff9060: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
=>0x0c047fff9070: fa fa fd fd fa fa 00[fa]fa fa fa fa fa fa fa fa
  0x0c047fff9080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff90a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff90b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff90c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6554==ABORTING

testcase:
https://github.com/henices/pocs/raw/master/buffer-overflow-SetGrayscaleImage

Credit: NSFocus Security Team <security (at) nsfocus (dot) com>
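The report above shows a READ of size 8 landing exactly at the end of an 8-byte heap region allocated in SetGrayscaleImage, i.e. one element past a one-entry array, after SyncImage had already warned about an invalid colormap index. The following is an added illustration of the defensive pattern such a report calls for: a colormap lookup that validates the index against the entry count before dereferencing, plus an up-front scan of pixel indices. It is hypothetical example code written for this page, not ImageMagick's code; the GrayColormap type, the function names and the sample pixel values are all constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical grayscale colormap: `colors` entries of 8-byte doubles.
 * Constructed for this illustration; not ImageMagick's colormap type. */
typedef struct {
    size_t colors;
    double *intensity;
} GrayColormap;

enum {
    LOOKUP_OK = 0,
    LOOKUP_OUT_OF_RANGE = 1,
    LOOKUP_BAD_ARGUMENT = 2
};

/* Allocate a map with `colors` entries; entry i holds a constructed
 * intensity of i/(colors-1) (0.0 for a single-entry map). */
GrayColormap *gray_colormap_new(size_t colors) {
    if (colors == 0 || colors > SIZE_MAX / sizeof(double)) return NULL;
    GrayColormap *map = malloc(sizeof *map);
    if (map == NULL) return NULL;
    map->intensity = malloc(colors * sizeof *map->intensity);
    if (map->intensity == NULL) { free(map); return NULL; }
    map->colors = colors;
    for (size_t i = 0; i < colors; i++)
        map->intensity[i] = (colors == 1) ? 0.0 : (double)i / (double)(colors - 1);
    return map;
}

void gray_colormap_free(GrayColormap *map) {
    if (map == NULL) return;
    free(map->intensity);
    free(map);
}

/* Guarded lookup: refuses any index >= colors instead of reading past
 * the allocation. For a one-entry map, index 1 is exactly the
 * "0 bytes to the right of 8-byte region" read that ASAN reports. */
int gray_lookup(const GrayColormap *map, size_t index, double *out) {
    if (map == NULL || map->intensity == NULL || out == NULL)
        return LOOKUP_BAD_ARGUMENT;
    if (index >= map->colors)
        return LOOKUP_OUT_OF_RANGE;
    *out = map->intensity[index];
    return LOOKUP_OK;
}

/* Validate a whole pixel-index buffer up front: returns the number of
 * indices that would overflow the colormap, without dereferencing any
 * of them. A caller can refuse the image when this is non-zero. */
size_t count_out_of_range(const GrayColormap *map, const size_t *pixels, size_t n) {
    size_t bad = 0;
    if (map == NULL || pixels == NULL) return n;  /* nothing is safe to index */
    for (size_t i = 0; i < n; i++)
        if (pixels[i] >= map->colors) bad++;
    return bad;
}

int main(void) {
    /* Constructed sample: one-entry colormap, pixel indices 0, 1, 0, 7. */
    GrayColormap *map = gray_colormap_new(1);
    if (map == NULL) return 1;
    const size_t pixels[] = {0, 1, 0, 7};
    printf("out-of-range indices: %zu\n", count_out_of_range(map, pixels, 4));
    double v;
    printf("index 1 -> %s\n",
           gray_lookup(map, 1, &v) == LOOKUP_OUT_OF_RANGE ? "rejected" : "read");
    gray_colormap_free(map);
    return 0;
}
```

The point of the scan is that a warning alone (like the InvalidColormapIndex warning in the report) does not stop the later read; the index check has to sit on the access path itself, and rejecting the input before quantizing is cheaper than recovering afterwards.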

urban-warrior (Contributor) commented:
Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

dlemstra added the bug label Feb 9, 2018
dlemstra closed this as completed Feb 9, 2018
nohmask commented May 21, 2018

This was assigned CVE-2018-11251.
