Ubuntu
graphicsmagick package

out-of-bounds read in coders/xcf.c:373

Bug #1537599 reported by Moshe Kaplan
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
graphicsmagick (Ubuntu)
Expired
Undecided
Unassigned

Bug Description

This bug was found while fuzzing graphicsmagick with afl-fuzz

Tested on hg changeset 14720:3b1f1e0c1098

Command: gm convert %s /dev/null

=================================================================
==15344==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4a00b05 at pc 0x89c00b1 bp 0xbfbdc838 sp 0xbfbdc830
READ of size 1 at 0xb4a00b05 thread T0
    #0 0x89c00b0 in load_tile /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/coders/xcf.c:373
    #1 0x89c00b0 in load_level /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/coders/xcf.c:810
    #2 0x89c00b0 in load_hierarchy /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/coders/xcf.c:977
    #3 0x89c00b0 in ReadOneLayer /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/coders/xcf.c:1137
    #4 0x89c00b0 in ReadXCFImage /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/coders/xcf.c:1589
    #5 0x8244d62 in ReadImage /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/constitute.c:1607
    #6 0x812c3ac in ConvertImageCommand /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:4348
    #7 0x8165066 in MagickCommand /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:8862
    #8 0x81ed0dc in GMCommandSingle /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:17338
    #9 0x81ea204 in GMCommand /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:17391
    #10 0x80d4a76 in main /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/utilities/gm.c:61
    #11 0xb74c5a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #12 0x80d4904 in _start (/home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/utilities/gm+0x80d4904)

0xb4a00b05 is located 0 bytes to the right of 21-byte region [0xb4a00af0,0xb4a00b05)
allocated by thread T0 here:
    #0 0x80bd531 in __interceptor_malloc (/home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/utilities/gm+0x80bd531)
    #1 0x839bb38 in MagickMalloc /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/memory.c:156
    #2 0x8244d62 in ReadImage /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/constitute.c:1607
    #3 0x812c3ac in ConvertImageCommand /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:4348
    #4 0x8165066 in MagickCommand /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:8862
    #5 0x81ed0dc in GMCommandSingle /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:17338
    #6 0x81ea204 in GMCommand /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:17391
    #7 0x80d4a76 in main /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/utilities/gm.c:61

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/coders/xcf.c:373 load_tile
Shadow bytes around the buggy address:
  0x36940110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36940120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36940130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36940140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36940150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
=>0x36940160:[05]fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x36940170: fd fd fd fa fa fa fd fd fd fa fa fa 00 00 00 06
  0x36940180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36940190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369401a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369401b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==15344==ABORTING

Revision history for this message
Moshe Kaplan (moshekaplan) wrote :

input file to trigger crash

Moshe Kaplan (moshekaplan)
summary: - heap-buffer-overflow in coders/xcf.c:373
+ out-of-bounds read in coders/xcf.c:373
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Thanks for fuzzing graphicsmagick and reporting this issue. Since graphicsmagick is in universe, it is community maintained. I also see that you fuzzed a branch of the upstream Mercurial tree. If you are able, I suggest coordinating directly with upstream GraphicsMagick. Once fixes are available, you may want to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in graphicsmagick (Ubuntu):
status: New → Incomplete
Revision history for this message
Bob Friesenhahn (bfriesen) wrote :

This bug is present in all Ubuntu versions, is now fixed in upstream Mercurial, and the fix will be included in GraphicsMagick 1.3.24.

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for graphicsmagick (Ubuntu) because there has been no activity for 60 days.]

Changed in graphicsmagick (Ubuntu):
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.