Description
I found that magick reads a buffer over the buffer size at the following line (ImageMagick/MagickCore/accelerate.c, lines 4327 to 4328 in 0446b21).
That line reads coefficientBuffer as much as 7*sizeof(*resizeFilterCoefficient), that is 7*8, because resizeFilterCoefficient is declared as a double type; on the other hand, the size of coefficientBuffer is 7*4 because it's a float array (ImageMagick/MagickCore/accelerate.c, lines 4279 to 4283 in 0446b21).
I can reproduce this crash only on a 32-bit machine; I'm not sure why. Also, this requires OpenCL support.
Steps to Reproduce
Compile ImageMagick with AddressSanitizer in 32-bit mode, and use this test.pict to run magick. This crash is triggered when it's zooming, so I added the -resize 200% option.
$ ./build/bin/magick convert test.pict -resize 200% output.png
=================================================================
==38459==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xffa58f4c at pc 0x08092d00 bp 0xffa58df8 sp 0xffa589d0
READ of size 56 at 0xffa58f4c thread T0
#0 0x8092cff in memcpy (/home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/build/bin/magick+0x8092cff)
#1 0xefa5ad15 (/usr/lib32/libnvidia-opencl.so.1+0xc6d15)
#2 0xefa5ae36 (/usr/lib32/libnvidia-opencl.so.1+0xc6e36)
#3 0x81f156c in CreateOpenCLBuffer /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/opencl.c:470:10
#4 0x8ad64f7 in ComputeResizeImage /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/accelerate.c:4327:27
#5 0x8ad5d16 in AccelerateResizeImage /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/accelerate.c:4458:17
#6 0x82efd01 in ResizeImage /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/resize.c:2920:16
#7 0x820c761 in RunOpenCLBenchmark /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/opencl.c:1072:18
#8 0x820c2c4 in RunDeviceBenckmark /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/opencl.c:1109:17
#9 0x8208b2a in BenchmarkOpenCLDevices /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/opencl.c:1198:7
#10 0x8200095 in AutoSelectOpenCLDevices /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/opencl.c:996:5
#11 0x81fa59c in InitializeOpenCL /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/opencl.c:2407:9
#12 0x8aa6cb1 in getOpenCLEnvironment /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/accelerate.c:224:7
#13 0x8ad5ca6 in AccelerateResizeImage /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/accelerate.c:4454:9
#14 0x82efd01 in ResizeImage /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/resize.c:2920:16
#15 0x9611ff1 in MogrifyImage /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickWand/mogrify.c:2677:27
#16 0x971c478 in MogrifyImages /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickWand/mogrify.c:8933:13
#17 0x9473027 in ConvertImageCommand /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickWand/convert.c:3273:3
#18 0x95edd7d in MagickCommandGenesis /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickWand/mogrify.c:183:14
#19 0x81766cd in MagickMain /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/utilities/magick.c:149:10
#20 0x8175d68 in main /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/utilities/magick.c:180:10
#21 0xf777c636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#22 0x8077a77 in _start (/home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/build/bin/magick+0x8077a77)
Address 0xffa58f4c is located in stack of thread T0 at offset 44 in frame
#0 0x8ad5ecf in ComputeResizeImage /home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/MagickCore/accelerate.c:4266
This frame has 1 object(s):
[16, 44) 'coefficientBuffer' (line 4282) <== Memory access at offset 44 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/tunz/working/ossfuzz/magick/ImageMagick-7.0.7-22/build/bin/magick+0x8092cff) in memcpy
==38459==ABORTING
System Configuration
ImageMagick version: 7.0.7-22 32bit
Environment (Operating system, version and so on): Ubuntu 16.04
Additional information:
Found by Choongwoo Han and Kyeongseok Yang, Naver Security Team
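As an added illustration (not the reporter's code and not ImageMagick's own), the constructed C analogue below reproduces the size arithmetic behind the report: a 7-element float staging buffer, a byte count derived from a double pointer, and a staging routine that sizes the transfer from the destination element type instead. The identifiers mirror the report but the functions are hypothetical; the sizeof arithmetic is the same on 32- and 64-bit targets even though the reporter only observed the crash on 32-bit.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed analogue of the size mismatch in the report, not ImageMagick's
   own code: the staging buffer holds floats, but the byte count for the
   OpenCL transfer was derived from the double-typed source pointer. */
#define COEFF_COUNT 7

/* Bytes the original expression asks for: 7 * sizeof(double) == 56. */
size_t requested_bytes(void) {
    double *resizeFilterCoefficient = NULL; /* only the pointee type matters */
    return COEFF_COUNT * sizeof(*resizeFilterCoefficient);
}

/* Bytes the float staging buffer actually holds: 7 * sizeof(float) == 28. */
size_t buffer_bytes(void) {
    float coefficientBuffer[COEFF_COUNT];
    return sizeof(coefficientBuffer);
}

/* Bytes read past the buffer end: ASan's "READ of size 56" on a 28-byte object. */
size_t overrun_bytes(void) {
    size_t req = requested_bytes(), have = buffer_bytes();
    return req > have ? req - have : 0;
}

/* Hardened staging: convert each double into the float buffer and size the
   transfer from the destination element type, so the byte count can never
   exceed what the buffer holds. */
size_t stage_coefficients(const double *src, float *dst, size_t count) {
    size_t i;
    for (i = 0; i < count; i++)
        dst[i] = (float)src[i];
    return count * sizeof(*dst); /* pass this, not count*sizeof(*src), to the copy */
}

/* Stages a fixed constructed coefficient set and returns element i (-1 if out of range). */
float staged_value(size_t i) {
    double src[COEFF_COUNT] = {0.0, 0.25, 0.5, 0.75, 1.0, 1.25, 1.5};
    float dst[COEFF_COUNT];
    stage_coefficients(src, dst, COEFF_COUNT);
    return i < COEFF_COUNT ? dst[i] : -1.0f;
}

int main(void) {
    printf("requested %zu bytes, buffer holds %zu, overrun %zu, safe transfer %zu\n",
           requested_bytes(), buffer_bytes(), overrun_bytes(),
           (size_t)COEFF_COUNT * sizeof(float));
    return 0;
}
```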