stack-buffer-underflow #973

Closed
SmileBugs opened this issue Feb 7, 2018 · 13 comments

@SmileBugs

commented Feb 7, 2018

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

Version: ImageMagick 7.0.7-22 Q16 i686 2018-02-07 http://www.imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI Modules OpenMP
Delegates (built-in): bzlib cairo djvu fftw flif fontconfig fpx freetype jbig jng jp2 jpeg lcms ltdl openexr pangocairo png raw rsvg tiff webp wmf x xml zlib

libfpx: ftp://ftp.imagemagick.org/pub/ImageMagick/delegates/libfpx-1.3.1-10.tar.gz

ASAN OUTPUT

root@v22017125319057172:/opt/lib_fuzz/test# convert not_kitty.bmp not_kitty.FPX
=================================================================
==4302==ERROR: AddressSanitizer: stack-buffer-underflow on address 0xbfab3a78 at pc 0xaff403b8 bp 0xbfab39f8 sp 0xbfab39e8
READ of size 16 at 0xbfab3a78 thread T0
    #0 0xaff403b7 in OLEProperty::operator=(tagFILETIME const&) /opt/lib/libfpx-1.3.1-10/ole/oleprop.cpp:260
    #1 0xafdece4b in PFileFlashPixView::InitSummaryInfoPropertySet() /opt/lib/libfpx-1.3.1-10/fpx/f_fpxvw.cpp:1199
    #2 0xafdef6f9 in PFileFlashPixView::Init() /opt/lib/libfpx-1.3.1-10/fpx/f_fpxvw.cpp:237
    #3 0xafdf3187 in PFileFlashPixView::PFileFlashPixView(FicNom&, char const*, mode_Ouverture, unsigned int) /opt/lib/libfpx-1.3.1-10/fpx/f_fpxvw.cpp:121
    #4 0xafe27419 in PFlashPixImageView::PFlashPixImageView(FicNom&, int, int, float, FPXBaselineColorSpace, unsigned long, FPXCompressionOption, unsigned char, unsigned char) /opt/lib/libfpx-1.3.1-10/fpx/fpximgvw.cpp:282
    #5 0xafe3df6c in CreateImageByFilename(FicNom&, unsigned int, unsigned int, unsigned int, unsigned int, FPXColorspace, FPXBackground, FPXCompressionOption, PFlashPixImageView**) /opt/lib/libfpx-1.3.1-10/fpx/fpxlibio.cpp:1411
    #6 0xafe3e664 in FPX_CreateImageByFilename /opt/lib/libfpx-1.3.1-10/fpx/fpxlibio.cpp:1461
    #7 0xb3c6ba79 in WriteFPXImage coders/fpx.c:865
    #8 0xb63cd04f in WriteImage MagickCore/constitute.c:1117
    #9 0xb63cec1f in WriteImages MagickCore/constitute.c:1336
    #10 0xb5b97e4a in ConvertImageCommand MagickWand/convert.c:3280
    #11 0xb5db7a35 in MagickCommandGenesis MagickWand/mogrify.c:183
    #12 0x8049abe in MagickMain utilities/magick.c:149
    #13 0x804907a in main utilities/magick.c:180
    #14 0xb58bf636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #15 0x80490fb  (/usr/bin/magick+0x80490fb)
Address 0xbfab3a78 is located in stack of thread T0
SUMMARY: AddressSanitizer: stack-buffer-underflow /opt/lib/libfpx-1.3.1-10/ole/oleprop.cpp:260 OLEProperty::operator=(tagFILETIME const&)
Shadow bytes around the buggy address:
  0x37f566f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x37f56700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x37f56710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x37f56720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x37f56730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x37f56740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[00]
  0x37f56750: f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
  0x37f56760: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x37f56770: 00 00 00 00 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2
  0x37f56780: f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2
  0x37f56790: f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==4302==ABORTING

POC

not_kitty.zip

System Configuration

  • ImageMagick version: 7.0.7-22
  • Environment (Operating system, version and so on): ubuntu-16.04.3-server-i386
  • Additional information:

Found by: Wang Yan
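As an added triage example (not code from this report, from ImageMagick, or from libfpx), the script below parses the AddressSanitizer output above and attributes the fault to the component that owns the faulting frame, which is the distinction the thread later turns on: the top frame is in libfpx, and ImageMagick only enters the trace through the FPX writer. The report text embedded in the script is a constructed, abbreviated copy of the output above.

```python
import re

# Constructed excerpt of the ASan report from this issue (frames abbreviated).
ASAN_REPORT = """\
==4302==ERROR: AddressSanitizer: stack-buffer-underflow on address 0xbfab3a78 at pc 0xaff403b8 bp 0xbfab39f8 sp 0xbfab39e8
READ of size 16 at 0xbfab3a78 thread T0
    #0 0xaff403b7 in OLEProperty::operator=(tagFILETIME const&) /opt/lib/libfpx-1.3.1-10/ole/oleprop.cpp:260
    #1 0xafdece4b in PFileFlashPixView::InitSummaryInfoPropertySet() /opt/lib/libfpx-1.3.1-10/fpx/f_fpxvw.cpp:1199
    #7 0xb3c6ba79 in WriteFPXImage coders/fpx.c:865
    #8 0xb63cd04f in WriteImage MagickCore/constitute.c:1117
SUMMARY: AddressSanitizer: stack-buffer-underflow /opt/lib/libfpx-1.3.1-10/ole/oleprop.cpp:260 OLEProperty::operator=(tagFILETIME const&)
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
# Function names may contain spaces (e.g. "tagFILETIME const&"), so the
# location is anchored as the last whitespace-free token ending in :line.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+:\d+)$", re.M)


def parse_asan(report):
    """Return bug kind, access operation/size and the symbolized frames."""
    err = ERROR_RE.search(report)
    acc = ACCESS_RE.search(report)
    if not err or not acc:
        raise ValueError("not a recognised AddressSanitizer report")
    frames = [(int(m["n"]), m["func"], m["loc"]) for m in FRAME_RE.finditer(report)]
    return {"kind": err["kind"], "op": acc["op"], "size": int(acc["size"]), "frames": frames}


def owning_component(loc):
    """Map a source location to the project a triager would file it against."""
    if "/libfpx-" in loc:
        return "libfpx"
    if loc.startswith(("coders/", "MagickCore/", "MagickWand/", "utilities/")):
        return "ImageMagick"
    return "other"


def triage(report):
    """Summarise the crash: what happened, where, and which project owns it."""
    info = parse_asan(report)
    top = info["frames"][0]
    entry = next((f[2] for f in info["frames"] if owning_component(f[2]) == "ImageMagick"), None)
    return {"kind": info["kind"], "access": f"{info['op']} {info['size']}",
            "faulting": top[2], "component": owning_component(top[2]),
            "imagemagick_entry": entry}
```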

@dlemstra

Member

commented Feb 7, 2018

@SmileBugs Thanks for reporting this 👍 Could you make sure you put your stack trace in a code block next time (you can also edit this one)? You are now referencing other unrelated issues.

@SmileBugs

Author

commented Feb 7, 2018

@dlemstra Sorry, my English is not so good. I don't quite understand what you mean. I don't know who is in the libfpx library, so it is submitted here.

@dlemstra

Member

commented Feb 7, 2018

When you use #10 in your message without adding the ``` (code) tags it will link to other issues. Adding that tag will prevent that.

@SmileBugs

Author

commented Feb 7, 2018

OK, will you fix this bug?

@dlemstra

Member

commented Feb 7, 2018

We maintain the libfpx library so we will take a look at this. It will probably take a couple days before we have time to take a look at it.

@urban-warrior

Contributor

commented Feb 9, 2018

Let us qualify. We maintain the libfpx delegate library as a service to the community but we do not "officially" maintain it, meaning we typically rely on the user community to submit a patch and we will apply it and stage a new release.

@SmileBugs

Author

commented Feb 10, 2018

credit: zxsoft security team.

@SmileBugs

Author

commented Feb 10, 2018

CVE-2018-6876.

@butterflyhack


commented Mar 2, 2018

Does this vulnerability only trigger on 32-bit? I tested on Ubuntu 16 64-bit and it did not trigger. Which libfpx needs to be replaced?

@dlemstra

Member

commented Mar 2, 2018

@butterflyhack


commented Mar 2, 2018

@dlemstra, I ran the PoC on Ubuntu 16 64-bit, but no crash. Where is the libfpx?

@dlemstra

Member

commented Mar 9, 2018

@SmileBugs Are you responsible for the content of the CVE message? The message states that the issue can be reproduced with just a crafted bmp image. But that is incorrect. The most important part is that you need to write a FPX image. And this is also not an ImageMagick issue but an issue with the libfpx library that is used by ImageMagick.

@SmileBugs

Author

commented Mar 12, 2018

@dlemstra I clearly stated that libfpx is the problem; ImageMagick is only affected. About the need to write FPX pictures, what I submitted at the time was not written in such detail.
