out-of-bounds read in coders/xpm.c:150
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
graphicsmagick (Ubuntu) |
Expired
|
Undecided
|
Unassigned |
Bug Description
This bug was found while fuzzing graphicsmagick with afl-fuzz
Tested on hg changeset 14720:3b1f1e0c1098
Command: gm convert %s /dev/null
=======
==24621==ERROR: AddressSanitizer: heap-buffer-
READ of size 1 at 0xb3d02686 thread T0
#0 0x89c97b3 in ParseColor /home/user/
#1 0x89c97b3 in ReadXPMImage /home/user/
#2 0x8244d62 in ReadImage /home/user/
#3 0x812c3ac in ConvertImageCommand /home/user/
#4 0x8165066 in MagickCommand /home/user/
#5 0x81ed0dc in GMCommandSingle /home/user/
#6 0x81ea204 in GMCommand /home/user/
#7 0x80d4a76 in main /home/user/
#8 0xb749fa82 in __libc_start_main /build/
#9 0x80d4904 in _start (/home/
0xb3d02686 is located 0 bytes to the right of 2054-byte region [0xb3d01e80,
allocated by thread T0 here:
#0 0x80bd531 in __interceptor_
#1 0x839bb38 in MagickMalloc /home/user/
#2 0x89c518e in ReadXPMImage /home/user/
#3 0x8244d62 in ReadImage /home/user/
#4 0x812c3ac in ConvertImageCommand /home/user/
#5 0x8165066 in MagickCommand /home/user/
#6 0x81ed0dc in GMCommandSingle /home/user/
#7 0x81ea204 in GMCommand /home/user/
#8 0x80d4a76 in main /home/user/
SUMMARY: AddressSanitizer: heap-buffer-
Shadow bytes around the buggy address:
0x367a0480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x367a0490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x367a04a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x367a04b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x367a04c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x367a04d0:[06]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x367a04e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x367a04f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x367a0500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x367a0510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x367a0520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==24621==ABORTING
summary: |
- heap-buffer-overflow in coders/xpm.c:150 + out-of-bounds read in coders/xpm.c:150 |
input file to trigger crash