stack-buffer-underflow #973

Closed
3 tasks done
SmileBugs opened this issue Feb 7, 2018 · 17 comments

Comments

@SmileBugs

SmileBugs commented Feb 7, 2018

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

```
Version: ImageMagick 7.0.7-22 Q16 i686 2018-02-07 http://www.imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI Modules OpenMP
Delegates (built-in): bzlib cairo djvu fftw flif fontconfig fpx freetype jbig jng jp2 jpeg lcms ltdl openexr pangocairo png raw rsvg tiff webp wmf x xml zlib
```

libfpx: ftp://ftp.imagemagick.org/pub/ImageMagick/delegates/libfpx-1.3.1-10.tar.gz

ASAN OUTPUT

```
root@v22017125319057172:/opt/lib_fuzz/test# convert not_kitty.bmp not_kitty.FPX
=================================================================
==4302==ERROR: AddressSanitizer: stack-buffer-underflow on address 0xbfab3a78 at pc 0xaff403b8 bp 0xbfab39f8 sp 0xbfab39e8
READ of size 16 at 0xbfab3a78 thread T0
    #0 0xaff403b7 in OLEProperty::operator=(tagFILETIME const&) /opt/lib/libfpx-1.3.1-10/ole/oleprop.cpp:260
    #1 0xafdece4b in PFileFlashPixView::InitSummaryInfoPropertySet() /opt/lib/libfpx-1.3.1-10/fpx/f_fpxvw.cpp:1199
    #2 0xafdef6f9 in PFileFlashPixView::Init() /opt/lib/libfpx-1.3.1-10/fpx/f_fpxvw.cpp:237
    #3 0xafdf3187 in PFileFlashPixView::PFileFlashPixView(FicNom&, char const*, mode_Ouverture, unsigned int) /opt/lib/libfpx-1.3.1-10/fpx/f_fpxvw.cpp:121
    #4 0xafe27419 in PFlashPixImageView::PFlashPixImageView(FicNom&, int, int, float, FPXBaselineColorSpace, unsigned long, FPXCompressionOption, unsigned char, unsigned char) /opt/lib/libfpx-1.3.1-10/fpx/fpximgvw.cpp:282
    #5 0xafe3df6c in CreateImageByFilename(FicNom&, unsigned int, unsigned int, unsigned int, unsigned int, FPXColorspace, FPXBackground, FPXCompressionOption, PFlashPixImageView**) /opt/lib/libfpx-1.3.1-10/fpx/fpxlibio.cpp:1411
    #6 0xafe3e664 in FPX_CreateImageByFilename /opt/lib/libfpx-1.3.1-10/fpx/fpxlibio.cpp:1461
    #7 0xb3c6ba79 in WriteFPXImage coders/fpx.c:865
    #8 0xb63cd04f in WriteImage MagickCore/constitute.c:1117
    #9 0xb63cec1f in WriteImages MagickCore/constitute.c:1336
    #10 0xb5b97e4a in ConvertImageCommand MagickWand/convert.c:3280
    #11 0xb5db7a35 in MagickCommandGenesis MagickWand/mogrify.c:183
    #12 0x8049abe in MagickMain utilities/magick.c:149
    #13 0x804907a in main utilities/magick.c:180
    #14 0xb58bf636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #15 0x80490fb  (/usr/bin/magick+0x80490fb)

Address 0xbfab3a78 is located in stack of thread T0
SUMMARY: AddressSanitizer: stack-buffer-underflow /opt/lib/libfpx-1.3.1-10/ole/oleprop.cpp:260 OLEProperty::operator=(tagFILETIME const&)
```

POC

not_kitty.zip

System Configuration

  • ImageMagick version: 7.0.7-22
  • Environment (Operating system, version and so on): ubuntu-16.04.3-server-i386
  • Additional information:

Found by: Wang Yan
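A small triage helper, added here and not part of the issue, ImageMagick or libfpx, that reads an ASan report like the one above and attributes the faulting frame and each caller to its owning component by source path; the path-to-component mapping is an assumption chosen for this report, and the sample input is the report's own frames with some of them dropped.

```python
import re

# Sample input: lines taken from the ASan report in this issue (several frames omitted).
ASAN_REPORT = """\
==4302==ERROR: AddressSanitizer: stack-buffer-underflow on address 0xbfab3a78 at pc 0xaff403b8 bp 0xbfab39f8 sp 0xbfab39e8
READ of size 16 at 0xbfab3a78 thread T0
    #0 0xaff403b7 in OLEProperty::operator=(tagFILETIME const&) /opt/lib/libfpx-1.3.1-10/ole/oleprop.cpp:260
    #1 0xafdece4b in PFileFlashPixView::InitSummaryInfoPropertySet() /opt/lib/libfpx-1.3.1-10/fpx/f_fpxvw.cpp:1199
    #6 0xafe3e664 in FPX_CreateImageByFilename /opt/lib/libfpx-1.3.1-10/fpx/fpxlibio.cpp:1461
    #7 0xb3c6ba79 in WriteFPXImage coders/fpx.c:865
    #8 0xb63cd04f in WriteImage MagickCore/constitute.c:1117
    #13 0x804907a in main utilities/magick.c:180
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)", re.M)
# Only frames with a file:line location match; frames that resolve to a bare module offset are skipped.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+:\d+)\s*$", re.M)

# Assumed mapping from source-path prefix to the component that owns the code (first match wins).
COMPONENTS = (
    ("/opt/lib/libfpx-", "libfpx"),
    ("coders/", "ImageMagick coder"),
    ("MagickCore/", "ImageMagick core"),
    ("MagickWand/", "ImageMagick wand"),
    ("utilities/", "ImageMagick cli"),
)

def component_of(loc):
    for prefix, name in COMPONENTS:
        if loc.startswith(prefix):
            return name
    return "unknown"

def triage(report):
    """Return the error kind, the access, the faulting frame, its owner and the first frame per component."""
    err = ERROR_RE.search(report)
    acc = ACCESS_RE.search(report)
    frames = [(int(m["n"]), m["func"], m["loc"], component_of(m["loc"])) for m in FRAME_RE.finditer(report)]
    entry_points = {}
    for n, func, loc, comp in frames:
        entry_points.setdefault(comp, (n, func, loc))  # innermost frame of each component
    return {
        "kind": err["kind"] if err else None,
        "access": f"{acc['op']} {acc['size']}" if acc else None,
        "fault_frame": frames[0] if frames else None,
        "owner": frames[0][3] if frames else None,
        "entry_points": entry_points,
    }
```

The `owner` field answers the question the thread circles around: the fault is in libfpx's own code, and the first ImageMagick frame is the coder that calls into it.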

@dlemstra
Member

dlemstra commented Feb 7, 2018

@SmileBugs Thanks for reporting this 👍 Could you make sure you put your stack trace in a code block next time (you can also edit this one)? You are now referencing other unrelated issues.

@SmileBugs
Author

SmileBugs commented Feb 7, 2018

@dlemstra Sorry my English is not so good. I don't quite understand what you mean. I don't know who is in the libfpx library so it is submitted here.

@dlemstra
Member

dlemstra commented Feb 7, 2018

When you use #10 in your message without adding the ``` (code) tags it will link with other issues. Adding that tag will prevent that.

@SmileBugs
Author

ok, will you fix this bug?

@dlemstra
Member

dlemstra commented Feb 7, 2018

We maintain the libfpx library so we will take a look at this. It will probably take a couple days before we have time to take a look at it.

@urban-warrior
Member

Let us qualify. We maintain the libfpx delegate library as a service to the community but we do not "officially" maintain it, meaning we typically rely on the user community to submit a patch and we will apply it and stage a new release.

@SmileBugs
Author

credit: zxsoft security team.

@SmileBugs
Author

CVE-2018-6876.

@butterflyhack

Does this vulnerability only trigger on 32-bit? I tested on Ubuntu 16 64-bit and the vulnerability did not trigger. Which libfpx needs to be replaced?

@dlemstra
Member

dlemstra commented Mar 2, 2018

@butterflyhack ???

@butterflyhack

@dlemstra, I ran the PoC on Ubuntu 16 64-bit, but no crash. Where is the libfpx?

@dlemstra
Member

dlemstra commented Mar 9, 2018

@SmileBugs Are you responsible for the content of the CVE message? The message states that the issue can be reproduced with just a crafted bmp image. But that is incorrect. The most important part is that you need to write an FPX image. And this is also not an ImageMagick issue but an issue with the libfpx library that is used by ImageMagick.

@SmileBugs
Author

@dlemstra I clearly stated that libfpx is the problem; ImageMagick is only affected. About the need to write FPX pictures, what I submitted at the time was not written in that much detail.

@NicoleG25

@SmileBugs, @dlemstra, was this issue ever addressed? And if so, could you kindly point out where?
Thanks in advance.

@dlemstra
Member

dlemstra commented Apr 8, 2020

The ImageMagick team did not address this issue because this is a libfpx issue but we have no idea if that was resolved elsewhere. Maybe @SmileBugs knows.

@attritionorg

attritionorg commented Apr 10, 2020

@dlemstra I noticed that libfpx is a delegate of ImageMagick and a repo is maintained: https://github.com/ImageMagick/libfpx The readme says "This package is currently maintained by the ImageMagick Studio LLC." If this is not 'upstream', can you point to where that might be? The other three hits on GitHub seem to be clones or not a full repo.

@urban-warrior
Member

urban-warrior commented Apr 10, 2020

The ImageMagick team did not write nor does it maintain the libfpx delegate library other than we will accept patches from the user community, apply it, and then export a new release. We will not, however, debug and create patches ourselves. You can see from the ImageMagick repos we have more than enough to do given our small development team. After you determine the source of the bug and identify a patch, post it here and we will do the rest.
