Ubuntu
graphicsmagick package

out-of-bounds read in coders/psd.c:1435

Bug #1537803 reported by Moshe Kaplan
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
graphicsmagick (Ubuntu)
Expired
Undecided
Unassigned

Bug Description

This bug was found while fuzzing graphicsmagick with afl-fuzz

Tested on hg changeset 14720:3b1f1e0c1098

Command: gm convert id:000063,sig:06,src:000084,op:flip1,pos:28 /dev/null

=================================================================
==30047==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3c03ffc at pc 0x88a783e bp 0xbf9d76e8 sp 0xbf9d76e0
READ of size 4 at 0xb3c03ffc thread T0
    #0 0x88a783d in ReadPSDImage /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/coders/psd.c:1435
    #1 0x8244d62 in ReadImage /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/constitute.c:1607
    #2 0x812c3ac in ConvertImageCommand /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:4348
    #3 0x8165066 in MagickCommand /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:8862
    #4 0x81ed0dc in GMCommandSingle /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:17338
    #5 0x81ea204 in GMCommand /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/magick/command.c:17391
    #6 0x80d4a76 in main /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/utilities/gm.c:61
    #7 0xb7508a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #8 0x80d4904 in _start (/home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/utilities/gm+0x80d4904)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/Desktop/graphicsmagick_fuzz_results/graphicsmagick/coders/psd.c:1435 ReadPSDImage
Shadow bytes around the buggy address:
  0x367807a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x367807b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x367807c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x367807d0: 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa fa
  0x367807e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x367807f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x36780800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36780810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36780820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36780830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36780840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==30047==ABORTING

Revision history for this message
Moshe Kaplan (moshekaplan) wrote :

input file to trigger crash

summary: - heap-buffer-overflow in coders/psd.c:1435
+ out-of-bounds read in coders/psd.c:1435
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Thanks for fuzzing graphicsmagick and reporting this issue. Since graphicsmagick is in universe, it is community maintained. I also see that you fuzzed a branch of the upstream Mercurial tree. If you are able, I suggest coordinating directly with upstream GraphicsMagick. Once fixes are available, you may want to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in graphicsmagick (Ubuntu):
status: New → Incomplete
Revision history for this message
Bob Friesenhahn (bfriesen) wrote :

This bug is present in all Ubuntu versions, is now fixed in upstream Mercurial, and the fix will be included in GraphicsMagick 1.3.24.

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for graphicsmagick (Ubuntu) because there has been no activity for 60 days.]

Changed in graphicsmagick (Ubuntu):
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.