out-of-bounds read in coders/xpm.c:150

Bug #1537602 reported by Moshe Kaplan
Affects: graphicsmagick (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

This bug was found while fuzzing graphicsmagick with afl-fuzz

Tested on hg changeset 14720:3b1f1e0c1098

Command: gm convert %s /dev/null

=================================================================
==24621==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3d02686 at pc 0x89c97b4 bp 0xbfe3fbd8 sp 0xbfe3fbd0
READ of size 1 at 0xb3d02686 thread T0
    #0 0x89c97b3 in ParseColor /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/coders/xpm.c:150
    #1 0x89c97b3 in ReadXPMImage /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/coders/xpm.c:347
    #2 0x8244d62 in ReadImage /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/constitute.c:1607
    #3 0x812c3ac in ConvertImageCommand /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:4348
    #4 0x8165066 in MagickCommand /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:8862
    #5 0x81ed0dc in GMCommandSingle /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:17338
    #6 0x81ea204 in GMCommand /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:17391
    #7 0x80d4a76 in main /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/utilities/gm.c:61
    #8 0xb749fa82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #9 0x80d4904 in _start (/home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/utilities/gm+0x80d4904)

0xb3d02686 is located 0 bytes to the right of 2054-byte region [0xb3d01e80,0xb3d02686)
allocated by thread T0 here:
    #0 0x80bd531 in __interceptor_malloc (/home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/utilities/gm+0x80bd531)
    #1 0x839bb38 in MagickMalloc /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/memory.c:156
    #2 0x89c518e in ReadXPMImage /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/coders/xpm.c:306
    #3 0x8244d62 in ReadImage /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/constitute.c:1607
    #4 0x812c3ac in ConvertImageCommand /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:4348
    #5 0x8165066 in MagickCommand /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:8862
    #6 0x81ed0dc in GMCommandSingle /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:17338
    #7 0x81ea204 in GMCommand /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:17391
    #8 0x80d4a76 in main /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/utilities/gm.c:61

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/coders/xpm.c:150 ParseColor
Shadow bytes around the buggy address:
  0x367a0480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x367a0490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x367a04a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x367a04b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x367a04c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x367a04d0:[06]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x367a04e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x367a04f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x367a0500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x367a0510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x367a0520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==24621==ABORTING

Moshe Kaplan (moshekaplan) wrote:

input file to trigger crash

summary: - heap-buffer-overflow in coders/xpm.c:150
+ out-of-bounds read in coders/xpm.c:150
Tyler Hicks (tyhicks) wrote:

Thanks for fuzzing graphicsmagick and reporting this issue. Since graphicsmagick is in universe, it is community maintained. I also see that you fuzzed a branch of the upstream Mercurial tree. If you are able, I suggest coordinating directly with upstream GraphicsMagick. Once fixes are available, you may want to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in graphicsmagick (Ubuntu):
status: New → Incomplete
Bob Friesenhahn (bfriesen) wrote:

This bug is present in all Ubuntu versions, is now fixed in upstream Mercurial, and the fix will be included in GraphicsMagick 1.3.24.

Launchpad Janitor (janitor) wrote:

[Expired for graphicsmagick (Ubuntu) because there has been no activity for 60 days.]

Changed in graphicsmagick (Ubuntu):
status: Incomplete → Expired