Ubuntu
graphicsmagick package

out-of-bounds write in coders/pict.c:1929

Bug #1537724 reported by Moshe Kaplan
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
graphicsmagick (Ubuntu)
Expired
Undecided
Unassigned

Bug Description

This bug was found while fuzzing graphicsmagick with afl-fuzz

Tested on hg changeset 14720:3b1f1e0c1098

Command: gm convert id:000055,sig:06,src:000028,op:flip1,pos:562 /dev/null

=================================================================
==19754==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb391c4b8 at pc 0x881fdb5 bp 0xbfc1cb98 sp 0xbfc1cb90
WRITE of size 1 at 0xb391c4b8 thread T0
    #0 0x881fdb4 in WritePICTImage /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/coders/pict.c:1929
    #1 0x824e050 in WriteImage /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/constitute.c:2208
    #2 0x824fb98 in WriteImages /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/constitute.c:2351
    #3 0x8144026 in ConvertImageCommand /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:6087
    #4 0x8165066 in MagickCommand /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:8862
    #5 0x81ed0dc in GMCommandSingle /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:17338
    #6 0x81ea204 in GMCommand /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:17391
    #7 0x80d4a76 in main /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/utilities/gm.c:61
    #8 0xb754fa82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #9 0x80d4904 in _start (/home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/utilities/gm+0x80d4904)

0xb391c4b8 is located 0 bytes to the right of 32952-byte region [0xb3914400,0xb391c4b8)
allocated by thread T0 here:
    #0 0x80bd531 in __interceptor_malloc (/home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/utilities/gm+0x80bd531)
    #1 0x839bb38 in MagickMalloc /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/memory.c:156
    #2 0x824e050 in WriteImage /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/constitute.c:2208
    #3 0x824fb98 in WriteImages /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/constitute.c:2351

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/coders/pict.c:1929 WritePICTImage
Shadow bytes around the buggy address:
  0x36723840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36723850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36723860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36723870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36723880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36723890: 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa
  0x367238a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x367238b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x367238c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x367238d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x367238e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==19754==ABORTING

Revision history for this message
Moshe Kaplan (moshekaplan) wrote :

input file to trigger crash

summary: - heap-buffer-overflow in coders/pict.c:1929
+ out-of-bounds write in coders/pict.c:1929
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Thanks for fuzzing graphicsmagick and reporting this issue. Since graphicsmagick is in universe, it is community maintained. I also see that you fuzzed a branch of the upstream Mercurial tree. If you are able, I suggest coordinating directly with upstream GraphicsMagick. Once fixes are available, you may want to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in graphicsmagick (Ubuntu):
status: New → Incomplete
Revision history for this message
Bob Friesenhahn (bfriesen) wrote :

This bug is present in all Ubuntu versions, is now fixed in upstream Mercurial, and the fix will be included in GraphicsMagick 1.3.24.

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for graphicsmagick (Ubuntu) because there has been no activity for 60 days.]

Changed in graphicsmagick (Ubuntu):
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.