out-of-bounds read in coders/xcf.c:369:35

Bug #1539052 reported by Moshe Kaplan
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
imagemagick (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

This bug was found while fuzzing ImageMagick with afl-fuzz

Tested on ImageMagick version Tested on git commit 8bc3ab67d818204fe5f0fe1dc29b873d37360461

Command: magick id:000036,sig:06,src:000016,op:flip2,pos:25 /dev/null

=================================================================
==12630==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5a03a00 at pc 0x88c37a6 bp 0xbf977fb8 sp 0xbf977fb0
READ of size 1 at 0xb5a03a00 thread T0
    #0 0x88c37a5 in load_tile /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/coders/xcf.c:369:35
    #1 0x88c37a5 in load_level /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/coders/xcf.c:656
    #2 0x88c37a5 in load_hierarchy /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/coders/xcf.c:741
    #3 0x88c37a5 in ReadOneLayer /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/coders/xcf.c:918
    #4 0x88c37a5 in ReadXCFImage /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/coders/xcf.c:1310
    #5 0x8a940ba in ReadImage /home/user/Desktop/ImageMagick/MagickCore/constitute.c:494
    #6 0x8a9bf2f in ReadImages /home/user/Desktop/ImageMagick/MagickCore/constitute.c:844
    #7 0x93716d9 in CLINoImageOperator /home/user/Desktop/ImageMagick/MagickWand/operation.c:4663
    #8 0x9379bc1 in CLIOption /home/user/Desktop/ImageMagick/MagickWand/operation.c:5157
    #9 0x91071cd in ProcessCommandOptions /home/user/Desktop/ImageMagick/MagickWand/magick-cli.c:474
    #10 0x910a545 in MagickImageCommand /home/user/Desktop/ImageMagick/MagickWand/magick-cli.c:786
    #11 0x910ea29 in MagickCommandGenesis /home/user/Desktop/ImageMagick/MagickWand/mogrify.c:172
    #12 0x80de12d in MagickMain /home/user/Desktop/ImageMagick/utilities/magick.c:74
    #13 0x80de12d in main /home/user/Desktop/ImageMagick/utilities/magick.c:85
    #14 0xb74e0a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #15 0x80ddf54 in _start (/usr/local/bin/magick+0x80ddf54)

0xb5a03a00 is located 0 bytes to the right of 48-byte region [0xb5a039d0,0xb5a03a00)
allocated by thread T0 here:
    #0 0x80c6b81 in malloc (/usr/local/bin/magick+0x80c6b81)
    #1 0x8193319 in AcquireMagickMemory /home/user/Desktop/ImageMagick/MagickCore/memory.c:475
    #2 0x8193319 in AcquireQuantumMemory /home/user/Desktop/ImageMagick/MagickCore/memory.c:548
    #3 0x8a940ba in ReadImage /home/user/Desktop/ImageMagick/MagickCore/constitute.c:494
    #4 0x8a9bf2f in ReadImages /home/user/Desktop/ImageMagick/MagickCore/constitute.c:844
    #5 0x93716d9 in CLINoImageOperator /home/user/Desktop/ImageMagick/MagickWand/operation.c:4663
    #6 0x9379bc1 in CLIOption /home/user/Desktop/ImageMagick/MagickWand/operation.c:5157
    #7 0x91071cd in ProcessCommandOptions /home/user/Desktop/ImageMagick/MagickWand/magick-cli.c:474

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/coders/xcf.c:369 load_tile
Shadow bytes around the buggy address:
  0x36b406f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b40700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b40710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b40720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b40730: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x36b40740:[fa]fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 04
  0x36b40750: fa fa 00 00 00 00 00 04 fa fa 00 00 00 00 00 04
  0x36b40760: fa fa 00 00 00 00 00 04 fa fa fd fd fd fd fd fd
  0x36b40770: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 04
  0x36b40780: fa fa 00 00 00 00 00 04 fa fa fd fd fd fd fd fd
  0x36b40790: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 04
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==12630==ABORTING

Revision history for this message
Moshe Kaplan (moshekaplan) wrote :

input file to trigger crash

Revision history for this message
Moshe Kaplan (moshekaplan) wrote :
Changed in imagemagick (Ubuntu):
status: New → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package imagemagick - 8:6.9.6.6+dfsg-1ubuntu3

---------------
imagemagick (8:6.9.6.6+dfsg-1ubuntu3) zesty; urgency=medium

  * debian/patches/0020-Revert-GradientImage-change.patch: Revert patch
    per https://github.com/ImageMagick/ImageMagick/issues/316. Thanks
    to Cristy <email address hidden>. Closes LP: #1645406.

 -- Nishanth Aravamudan <email address hidden> Tue, 06 Dec 2016 17:26:36 +0100

Changed in imagemagick (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.