Ubuntu
imagemagick package

out-of-bounds write in MagickCore/memory.c:723:10

Bug #1556273 reported by Moshe Kaplan on 2016-03-11

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	imagemagick (Ubuntu)	Fix Released	Undecided	Unassigned

Bug Description

This bug was found while fuzzing ImageMagick with afl-fuzz

Tested on ImageMagick git commit 712467450377a5c8642d6f4aead1f11d803c78a9

Command: magick id:000206,sig:06,src:005821,op:havoc,rep:4 /dev/null

=================================================================
==7820==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb531ca5f at pc 0x818c063 bp 0xbfcfbfa8 sp 0xbfcfbfa0
WRITE of size 65700 at 0xb531ca5f thread T0
    #0 0x818c062 in CopyMagickMemory /home/user/Desktop/ImageMagick/MagickCore/memory.c:723:10
    #1 0x87597e6 in RemoveICCProfileFromResourceBlock /home/user/Desktop/ImageMagick/coders/psd.c:2569
    #2 0x87597e6 in WritePSDImage /home/user/Desktop/ImageMagick/coders/psd.c:2779
    #3 0x8a8bd28 in WriteImage /home/user/Desktop/ImageMagick/MagickCore/constitute.c:1091
    #4 0x8a8f70c in WriteImages /home/user/Desktop/ImageMagick/MagickCore/constitute.c:1309
    #5 0x937560f in CLINoImageOperator /home/user/Desktop/ImageMagick/MagickWand/operation.c:4730
    #6 0x937d421 in CLIOption /home/user/Desktop/ImageMagick/MagickWand/operation.c:5190
    #7 0x9108443 in ProcessCommandOptions /home/user/Desktop/ImageMagick/MagickWand/magick-cli.c:526
    #8 0x910a8c5 in MagickImageCommand /home/user/Desktop/ImageMagick/MagickWand/magick-cli.c:786
    #9 0x910eda9 in MagickCommandGenesis /home/user/Desktop/ImageMagick/MagickWand/mogrify.c:172
    #10 0x80ddeed in MagickMain /home/user/Desktop/ImageMagick/utilities/magick.c:74
    #11 0x80ddeed in main /home/user/Desktop/ImageMagick/utilities/magick.c:85
    #12 0xb7495a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #13 0x80ddd14 in _start (/usr/local/bin/magick+0x80ddd14)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/Desktop/ImageMagick/MagickCore/memory.c:723 CopyMagickMemory
Shadow bytes around the buggy address:
  0x36a638f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a63900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a63910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a63920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a63930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36a63940: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
  0x36a63950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a63960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a63970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a63980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a63990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==7820==ABORTING

Revision history for this message

Moshe Kaplan (moshekaplan) wrote on 2016-03-11:

id:000206,sig:06,src:005821,op:havoc,rep:4 Edit (1.3 KiB, application/octet-stream)

input file to trigger crash

Revision history for this message

Moshe Kaplan (moshekaplan) wrote on 2016-03-11:

https://github.com/ImageMagick/ImageMagick/issues/148

Revision history for this message

Steve Beattie (sbeattie) wrote on 2016-03-16:

Fixed upstream in https://github.com/ImageMagick/ImageMagick/commit/82e2049862a8b8a999e160734ad64fb6cc3b145f (but not in a release yet).

Changed in imagemagick (Ubuntu):
status:	New → Triaged

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-12-18:

This bug was fixed in the package imagemagick - 8:6.9.6.6+dfsg-1ubuntu3

---------------
imagemagick (8:6.9.6.6+dfsg-1ubuntu3) zesty; urgency=medium

  * debian/patches/0020-Revert-GradientImage-change.patch: Revert patch
    per https://github.com/ImageMagick/ImageMagick/issues/316. Thanks
    to Cristy <email address hidden>. Closes LP: #1645406.

-- Nishanth Aravamudan <email address hidden> Tue, 06 Dec 2016 17:26:36 +0100