Thank you for your time on the patch. I do not have a test environment, but as the patch is simple I could patch the ImageMagick binary and confirm that the provided PoC does not crash it anymore.
GirlElecta changed the title (Jun 15, 2020): out-of-bounds read in libraw\src\decoders\dng.cpp -> "LibRaw::adobe_copy_pixel()" Out-of-bounds read vulnerability
Description
An out-of-bounds read vulnerability exists within the "LibRaw::adobe_copy_pixel()" function (libraw\src\decoders\dng.cpp) when parsing a crafted DNG file.
Steps to Reproduce
(PoC archive password: girlelecta):
https://drive.google.com/file/d/1kDMhDwfxoZBa31_vrsA2TfQI45FG8NRW/view
cmd:
magick.exe convert poc.DNG new.png
Upon running this, the following crash happens (Note: I enabled page heap on magick.exe):
Microsoft (R) Windows Debugger Version 10.0.18362.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\magick.exe convert E:\Workspace\poc.DNG E:\Workspace\new.png
************* Path validation summary **************
Symbol search path is: srv*
Executable search path is:
ModLoad: 00007ff7 d89d0000 00007ff7 d89e2000 magick.exe
ModLoad: 00007ffe c1500000 00007ffe c16f0000 ntdll.dll
ModLoad: 00007ffe a8430000 00007ffe a84a1000 C:\WINDOWS\System32\verifier.dll
Page heap: pid 0x2AA8: page heap enabled with flags 0x3.
ModLoad: 00007ffe bf9a0000 00007ffe bfa52000 C:\WINDOWS\System32\KERNEL32.DLL
ModLoad: 00007ffe be510000 00007ffe be7b3000 C:\WINDOWS\System32\KERNELBASE.dll
ModLoad: 00007ffe a87f0000 00007ffe a8812000 C:\WINDOWS\SYSTEM32\VCRUNTIME140D.dll
ModLoad: 00007ffe 8b440000 00007ffe 8b5fb000 C:\WINDOWS\SYSTEM32\ucrtbased.dll
ModLoad: 00007ffe 800e0000 00007ffe 80374000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_MagickCore_.dll
ModLoad: 00007ffe c0ea0000 00007ffe c1034000 C:\WINDOWS\System32\USER32.dll
ModLoad: 00007ffe bf580000 00007ffe bf5a1000 C:\WINDOWS\System32\win32u.dll
ModLoad: 00007ffe c0910000 00007ffe c0936000 C:\WINDOWS\System32\GDI32.dll
ModLoad: 00007ffe be7c0000 00007ffe be954000 C:\WINDOWS\System32\gdi32full.dll
ModLoad: 00007ffe beab0000 00007ffe beb4e000 C:\WINDOWS\System32\msvcp_win.dll
ModLoad: 00007ffe beb80000 00007ffe bec7a000 C:\WINDOWS\System32\ucrtbase.dll
ModLoad: 00007ffe c1280000 00007ffe c1323000 C:\WINDOWS\System32\ADVAPI32.dll
ModLoad: 00007ffe c0bb0000 00007ffe c0c4e000 C:\WINDOWS\System32\msvcrt.dll
ModLoad: 00007ffe 7ff10000 00007ffe 800da000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_MagickWand_.dll
ModLoad: 00007ffe c0cc0000 00007ffe c0d57000 C:\WINDOWS\System32\sechost.dll
ModLoad: 00007ffe c02a0000 00007ffe c03c0000 C:\WINDOWS\System32\RPCRT4.dll
ModLoad: 00007ffe c1430000 00007ffe c149f000 C:\WINDOWS\System32\WS2_32.dll
ModLoad: 00007ffe a82a0000 00007ffe a8340000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_libxml_.dll
ModLoad: 00007ffe a87c0000 00007ffe a87e7000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_bzlib_.dll
ModLoad: 00007ffe a8210000 00007ffe a8296000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_lcms_.dll
ModLoad: 00007ffe a8400000 00007ffe a8423000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_lqr_.dll
ModLoad: 00007ffe a81e0000 00007ffe a820a000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_zlib_.dll
ModLoad: 0000015b 7f580000 0000015b 7f5aa000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_zlib_.dll
ModLoad: 00007ffe 9a830000 00007ffe 9a94f000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_freetype_.dll
ModLoad: 00007ffe 7f540000 00007ffe 7f87b000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_glib_.dll
ModLoad: 00007ffe bfa60000 00007ffe c0145000 C:\WINDOWS\System32\SHELL32.dll
ModLoad: 00007ffe bf530000 00007ffe bf57a000 C:\WINDOWS\System32\cfgmgr32.dll
ModLoad: 00007ffe c0b00000 00007ffe c0ba9000 C:\WINDOWS\System32\shcore.dll
ModLoad: 00007ffe bf5b0000 00007ffe bf8e6000 C:\WINDOWS\System32\combase.dll
ModLoad: 00007ffe be490000 00007ffe be510000 C:\WINDOWS\System32\bcryptPrimitives.dll
ModLoad: 00007ffe bec80000 00007ffe bf3ff000 C:\WINDOWS\System32\windows.storage.dll
ModLoad: 00007ffe be470000 00007ffe be48f000 C:\WINDOWS\System32\profapi.dll
ModLoad: 00007ffe be400000 00007ffe be44a000 C:\WINDOWS\System32\powrprof.dll
ModLoad: 00007ffe be3d0000 00007ffe be3e0000 C:\WINDOWS\System32\UMPDC.dll
ModLoad: 00007ffe c1220000 00007ffe c1272000 C:\WINDOWS\System32\shlwapi.dll
ModLoad: 00007ffe be3e0000 00007ffe be3f1000 C:\WINDOWS\System32\kernel.appcore.dll
ModLoad: 00007ffe bf510000 00007ffe bf527000 C:\WINDOWS\System32\cryptsp.dll
ModLoad: 00007ffe c1040000 00007ffe c1196000 C:\WINDOWS\System32\ole32.dll
ModLoad: 00007ffe bd950000 00007ffe bd98a000 C:\WINDOWS\SYSTEM32\IPHLPAPI.DLL
ModLoad: 00007ffe bd990000 00007ffe bda5a000 C:\WINDOWS\SYSTEM32\DNSAPI.dll
ModLoad: 00007ffe c0220000 00007ffe c0228000 C:\WINDOWS\System32\NSI.dll
(2aa8.3a0): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00007ffe c15d121c cc int 3
0:000> g
ModLoad: 00007ffe c1400000 00007ffe c142e000 C:\WINDOWS\System32\IMM32.DLL
ModLoad: 00007ffe b9cb0000 00007ffe b9cbf000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\IM_MOD_DB_DNG_.dll
ModLoad: 00007ffe 7f390000 00007ffe 7f53b000 E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_libraw_.dll
ModLoad: 00007ffe 982d0000 00007ffe 983c6000 C:\WINDOWS\SYSTEM32\MSVCP140D.dll
(2aa8.3a0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_libraw_.dll
CORE_DB_libraw_!LibRaw::adobe_copy_pixel+0x95:
00007ffe 7f39dd25 0fb700 movzx eax,word ptr [rax] ds:0000015b 0b76e000=????
0:000> k
Child-SP RetAddr Call Site
00 0000003f 23be2e20 00007ffe 7f3c30e9 CORE_DB_libraw_!LibRaw::adobe_copy_pixel+0x95 [e:\workspace\imagemagick\imagemagick-7.0.10-7\libraw\src\decoders\dng.cpp @ 36]
01 0000003f 23be2e40 00007ffe 7f493628 CORE_DB_libraw_!LibRaw::lossless_dng_load_raw+0x569 [e:\workspace\imagemagick\imagemagick-7.0.10-7\libraw\src\decoders\dng.cpp @ 110]
02 0000003f 23be31b0 00007ffe 7f49d358 CORE_DB_libraw_!LibRaw::unpack+0xc18 [e:\workspace\imagemagick\imagemagick-7.0.10-7\libraw\src\decoders\unpack.cpp @ 283]
*** WARNING: Unable to verify checksum for E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\IM_MOD_DB_DNG_.dll
03 0000003f 23be3370 00007ffe b9cb1989 CORE_DB_libraw_!libraw_unpack+0x48 [e:\workspace\imagemagick\imagemagick-7.0.10-7\libraw\src\libraw_c_api.cpp @ 136]
*** WARNING: Unable to verify checksum for E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_MagickCore_.dll
04 0000003f 23be33b0 00007ffe 8013b667 IM_MOD_DB_DNG_!ReadDNGImage+0x479 [e:\workspace\imagemagick\imagemagick-7.0.10-7\imagemagick\coders\dng.c @ 408]
05 0000003f 23be54c0 00007ffe 8013cde3 CORE_DB_MagickCore_!ReadImage+0x5e7 [e:\workspace\imagemagick\imagemagick-7.0.10-7\imagemagick\magickcore\constitute.c @ 553]
*** WARNING: Unable to verify checksum for E:\Workspace\imageMagick\ImageMagick-7.0.10-7\VisualMagick\bin\CORE_DB_MagickWand_.dll
06 0000003f 23bea6e0 00007ffe 7ff4aac3 CORE_DB_MagickCore_!ReadImages+0x393 [e:\workspace\imagemagick\imagemagick-7.0.10-7\imagemagick\magickcore\constitute.c @ 941]
07 0000003f 23beb790 00007ffe 7ffe4758 CORE_DB_MagickWand_!ConvertImageCommand+0x1523 [e:\workspace\imagemagick\imagemagick-7.0.10-7\imagemagick\magickwand\convert.c @ 606]
*** WARNING: Unable to verify checksum for magick.exe
08 0000003f 23bed2e0 00007ff7 d89d14ea CORE_DB_MagickWand_!MagickCommandGenesis+0x338 [e:\workspace\imagemagick\imagemagick-7.0.10-7\imagemagick\magickwand\mogrify.c @ 186]
09 0000003f 23bee450 00007ff7 d89d1693 magick!MagickMain+0x4ea [e:\workspace\imagemagick\imagemagick-7.0.10-7\imagemagick\utilities\magick.c @ 149]
0a 0000003f 23bef6c0 00007ff7 d89d1f24 magick!wmain+0x43 [e:\workspace\imagemagick\imagemagick-7.0.10-7\imagemagick\utilities\magick.c @ 195]
0b 0000003f 23bef700 00007ff7 d89d1e37 magick!invoke_main+0x34 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 80]
0c 0000003f 23bef740 00007ff7 d89d1cfe magick!__scrt_common_main_seh+0x127 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
0d 0000003f 23bef7a0 00007ff7 d89d1f39 magick!__scrt_common_main+0xe [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 296]
0e 0000003f 23bef7d0 00007ffe bf9b7bd4 magick!wmainCRTStartup+0x9 [f:\dd\vctools\crt\vcstartup\src\startup\exe_wmain.cpp @ 17]
0f 0000003f 23bef800 00007ffe c156ced1 KERNEL32!BaseThreadInitThunk+0x14
10 0000003f 23bef830 00000000 00000000 ntdll!RtlUserThreadStart+0x21
System Configuration
Version: ImageMagick-7.0.10-Q16 https://imagemagick.org
License: https://imagemagick.org/script/license.php
Distributor ID: Microsoft Windows
Description: Windows 10
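The backtrace above shows the fault pattern: lossless_dng_load_raw() decodes a lossless-JPEG row and then calls adobe_copy_pixel() once per destination pixel, and the crash is a 16-bit read (movzx eax, word ptr [rax]) through the row pointer at dng.cpp line 36, i.e. the source read has walked off the end of the decoded row buffer while page heap has the next page unmapped. The report does not include LibRaw's fix, so the following C program is an added model of that copy loop, not LibRaw's code: it assumes the destination pixel count and per-pixel stride come from IFD fields while the decoded row length comes from the JPEG SOF header, and shows a copy routine that refuses to start reading when those two sources of truth disagree. dng_hdr_t, copy_tile_row(), run_scenario(), copy_result(), copied_pixel() and the field layout are hypothetical names, and the row data is constructed in the program rather than decoded from a file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Header fields as a crafted file could set them. This struct is an assumption
 * of the model, not a LibRaw data structure. */
typedef struct {
    unsigned tile_width;        /* IFD TileWidth: destination pixels per tile row */
    unsigned samples_per_pixel; /* IFD SamplesPerPixel: source samples per pixel (stride) */
    unsigned sof_width;         /* lossless-JPEG SOF: pixels per decoded line */
    unsigned sof_clrs;          /* lossless-JPEG SOF: components per pixel */
} dng_hdr_t;

enum { COPY_OK = 0, COPY_ERR_SOURCE_OVERRUN = -1, COPY_ERR_DEST_OVERRUN = -2 };

/* Source samples one tile-row copy would consume, as the IFD describes it. */
static size_t source_samples_needed(const dng_hdr_t *h)
{
    return (size_t)h->tile_width * h->samples_per_pixel;
}

/* Source samples actually present in one decoded JPEG line. */
static size_t source_samples_available(const dng_hdr_t *h)
{
    return (size_t)h->sof_width * h->sof_clrs;
}

/* Copy one tile row into the raw image. The reads through rp are the class of
 * read that faults in the report; here they are gated on a check that the IFD
 * geometry cannot drive rp past row[row_len]. The destination clip (col <
 * raw_width) protects the write only and does nothing for the source read. */
static int copy_tile_row(const dng_hdr_t *h, const uint16_t *row, size_t row_len,
                         unsigned dst_row, unsigned tcol,
                         uint16_t *raw, unsigned raw_width, unsigned raw_height)
{
    if (h->samples_per_pixel == 0 || h->tile_width == 0)
        return COPY_ERR_SOURCE_OVERRUN;
    if (source_samples_needed(h) > row_len)   /* reject before the first read */
        return COPY_ERR_SOURCE_OVERRUN;
    if (dst_row >= raw_height)
        return COPY_ERR_DEST_OVERRUN;

    const uint16_t *rp = row;
    for (unsigned jcol = 0; jcol < h->tile_width; jcol++) {
        unsigned col = tcol + jcol;
        if (col < raw_width)
            raw[(size_t)dst_row * raw_width + col] = rp[0]; /* first sample of the pixel */
        rp += h->samples_per_pixel;                        /* IFD-controlled stride */
    }
    return COPY_OK;
}

/* Constructed scenario: build a fake decoded row sized by the SOF fields, then
 * copy tile_width pixels into a 4x1 raw image. Pixel i of the row is 100*(i+1)
 * plus the component index. out[] receives the raw row (0xFFFF = never written). */
#define RAW_W 4
#define MAX_ROW 64
static int run_scenario(const dng_hdr_t *h, uint16_t out[RAW_W])
{
    uint16_t row[MAX_ROW];
    uint16_t raw[RAW_W];
    size_t n = source_samples_available(h);
    if (n > MAX_ROW)
        return COPY_ERR_SOURCE_OVERRUN;        /* keep the model's buffer bounded */
    for (size_t i = 0; i < n; i++)
        row[i] = (uint16_t)(100 * (i / h->sof_clrs + 1) + i % h->sof_clrs);
    for (unsigned i = 0; i < RAW_W; i++)
        raw[i] = 0xFFFF;
    int rc = copy_tile_row(h, row, n, 0, 0, raw, RAW_W, 1);
    if (out)
        memcpy(out, raw, sizeof raw);
    return rc;
}

/* Wrappers with the geometry spelled out as arguments. */
static int copy_result(unsigned tile_width, unsigned spp, unsigned sof_width, unsigned sof_clrs)
{
    dng_hdr_t h = { tile_width, spp, sof_width, sof_clrs };
    return run_scenario(&h, NULL);
}

static unsigned copied_pixel(unsigned tile_width, unsigned spp, unsigned sof_width,
                             unsigned sof_clrs, unsigned i)
{
    dng_hdr_t h = { tile_width, spp, sof_width, sof_clrs };
    uint16_t out[RAW_W];
    if (i >= RAW_W || run_scenario(&h, out) != COPY_OK)
        return 0xFFFF;
    return out[i];
}

int main(void)
{
    /* Consistent headers: 4 px x 3 components decoded, 4 px copied at stride 3. */
    printf("consistent: rc=%d first=%u last=%u\n",
           copy_result(4, 3, 4, 3), copied_pixel(4, 3, 4, 3, 0), copied_pixel(4, 3, 4, 3, 3));
    /* Crafted TileWidth: IFD asks for 8 px (24 samples) from a 12-sample line. */
    printf("wide tile:  rc=%d\n", copy_result(8, 3, 4, 3));
    /* Crafted SamplesPerPixel: stride 4 over a 3-component line (16 > 12). */
    printf("bad stride: rc=%d\n", copy_result(4, 4, 4, 3));
    return 0;
}
```

The two rejected cases are the same bug class seen from two header fields: in both, an unchecked loop would dereference rp beyond the decoded row, and with page heap enabled (as in the report) that lands on an unmapped guard page and faults exactly like the movzx at adobe_copy_pixel+0x95. Whichever field the PoC actually manipulates, the practitioner's check is the same: derive the number of source samples the copy will read from the same fields that drive the loop, compare it to the size of the buffer that was actually allocated and decoded, and bail out before the first dereference.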