Buffer overflows while processing DCM or PALM images
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| graphicsmagick (Ubuntu) | Fix Released | High | Martin Pitt | |
| imagemagick (Fedora) | Fix Released | Medium | | |
| imagemagick (Ubuntu) | Fix Released | High | Martin Pitt | |
Bug Description
FrSIRT rates this as high risk. Remote compromises in web apps using magick might be possible.
This is what the Debian folks have patched in their graphicsmagick package:
* coders/dcm.c: Fix buffer overflow, thanks to M Joonas Pihlaja.
* coders/palm.c: Fix multiple heap overflows, again thanks to M Joonas Pihlaja.
See http://
[correction: turns out I missed two additional heap checks; added them to the diff]
-------
diff -Naur imagemagick-
--- imagemagick-
+++ imagemagick-
@@ -2949,7 +2949,7 @@
/*
*/
- for (i=0; i < (long) length; i++)
+ for (i=0; i < (long) Min(length, MaxTextExtent-1); i++)
break;
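Review bot: the new bound on the `+` line caps the loop at MaxTextExtent-1 iterations but does nothing with the rest of `length` when the clamp engages; nothing in this hunk skips the remaining bytes or rejects the element as corrupt, so check that the blob position is advanced past them before the next field is parsed, and that the destination is still NUL-terminated at the clamped index if it is a text buffer. A one-line comment here saying why MaxTextExtent-1 is the limit would also help, since the only context is an empty `/* */` block and a `break;`.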
diff -Naur imagemagick-
--- imagemagick-
+++ imagemagick-
@@ -397,7 +397,7 @@
for (i=0; i < (long) bytes_per_row; )
{
- count=ReadBlobB
+ count=Min(
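Review bot: the replacement `count=Min(` line is cut off in this copy, so the bound it applies cannot be checked against `for (i=0; i < (long) bytes_per_row; )`; whatever the second argument is, clamping the read request to the space left in the row is only half of the fix, because the loop has no increment of its own and must rely on `count` to advance `i`, so a zero or negative return on a truncated file has to break out of the loop as well. Please resubmit the hunk with the full line and the short-read handling visible.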
@@ -430,6 +430,8 @@
if (bits_per_pixel == 16)
{
+ if (image->columns > 2*bytes_per_row)
+ ThrowReaderExce
for (x=0; x < (long) image->columns; x++)
{
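Review bot: the guard `if (image->columns > 2*bytes_per_row)` in the `bits_per_pixel == 16` branch looks inverted: each 16-bit column consumes two bytes of the row, so the condition that protects a `one_row` buffer of `bytes_per_row` bytes is `2*image->columns > bytes_per_row`. As written it accepts, for instance, `columns == bytes_per_row`, where the loop below reads twice the buffer. Unless `one_row` is allocated larger than `bytes_per_row` (not visible here), the comparison should be flipped; the operands should also be brought to the same signedness to avoid a sign-compare warning.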
@@ -446,6 +448,8 @@
for (x=0; x < (long) image->columns; x++)
{
+ if (ptr - one_row >= bytes_per_row)
+ ThrowReaderExce
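Review bot: `ptr - one_row >= bytes_per_row` compares a signed `ptrdiff_t` with `bytes_per_row`, which is presumably unsigned; cast explicitly. More importantly, ThrowReaderException returns from inside the loop, and neither this hunk nor the previous one frees `one_row` on that path, so the error case trades a heap overflow for a leak unless the macro or a caller releases it. A single check before the loop, as the 16-bit branch does, would also avoid the per-pixel test.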
-------
I cannot verify if this builds cleanly, since configure dies on me here:
configure:3001: gcc-3.4 -c -g -O2 conftest.c >&5
conftest.c:2: error: syntax error before "me"
configure:3007: $? = 1
configure: failed program was:
| #ifndef __cplusplus
| choke me
| #endif
configure:3151: checking for style of include used by make
configure:3179: result: GNU
configure:3207: checking dependency style of gcc-3.4
configure:3297: result: gcc3
configure:3320: checking how to run the C preprocessor
configure:3438: result: g++-3.4
configure:3462: g++-3.4 conftest.c
conftest.c:14: error: `Syntax' does not name a type
configure:3468: $? = 1
configure: failed program was:
| /* confdefs.h. */
|
| #define PACKAGE_NAME "magick/magick.h"
| #define PACKAGE_TARNAME "magick-magick-h"
| #define PACKAGE_VERSION " "
| #define PACKAGE_STRING "magick/magick.h "
| #define PACKAGE_BUGREPORT "http://
| /* end confdefs.h. */
| #ifdef __STDC__
| # include <limits.h>
| #else
| # include <assert.h>
| #endif
| Syntax error
configure:3462: g++-3.4 conftest.c
conftest.c:14: error: `Syntax' does not name a type
[...]
description: updated
Changed in imagemagick:
assignee: nobody → pitti
importance: Undecided → High
Changed in imagemagick:
status: Unknown → In Progress
Changed in imagemagick:
status: In Progress → Fix Committed
Changed in imagemagick:
status: Fix Committed → Fix Released
Changed in imagemagick (Fedora):
importance: Unknown → Medium
Description of problem:
M. Joonas Pihlaja discovered security flaws in GraphicsMagick that also affect dcm.c:ReadDCMImage() and palm.c:ReadPALMImage(). The Debian project includes a fix for GraphicsMagick/ImageMagick -- one possible buffer overflow in coders/ , three possible heap overflows in coders/ -- in 1.1.7, among other changes in their patch.
Version-Release number of selected component (if applicable):
How reproducible:
Potentially exploitable by a maliciously crafted image.
Fix:
I attach the relevant part of the Debian patch. It doesn't apply against ImageMagick without modifications, because the GraphicsMagick project uses a different coding style. The patch needs to be reviewed and eventually needs to be rewritten.
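The third hunk above guards the 16-bit PALM branch with `image->columns > 2*bytes_per_row`, while each 16-bit column takes two bytes of `one_row`, so the bound one would expect is `2*image->columns <= bytes_per_row`. The C below is an added example, not code from ImageMagick, GraphicsMagick or the Debian patch: `decode_row16()` and the two guard helpers are hypothetical names, the two-bytes-per-column layout is assumed from the format, and the sample row is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 16-bit PALM row decoder (added example, not ImageMagick code).
 * one_row holds the bytes_per_row bytes read for one scanline; in the 16-bit
 * (direct colour) case each column is a big-endian 16-bit value, so decoding
 * columns pixels consumes 2*columns bytes. Returns the number of pixels written
 * to out, or -1 when the row (or out) is too short for them. */
int decode_row16(const unsigned char *one_row, size_t bytes_per_row,
                 size_t columns, uint16_t *out, size_t out_len)
{
    /* Check before touching the buffer: two bytes per column must fit. */
    if (columns > SIZE_MAX / 2 || 2 * columns > bytes_per_row || columns > out_len)
        return -1;
    const unsigned char *ptr = one_row;
    for (size_t x = 0; x < columns; x++) {
        out[x] = (uint16_t)((ptr[0] << 8) | ptr[1]);
        ptr += 2;
    }
    return (int)columns;
}

/* Guard in the form the posted hunk uses (image->columns > 2*bytes_per_row);
 * returns 1 when it would let the decode proceed. */
int lax_guard_accepts(size_t bytes_per_row, size_t columns)
{
    return !(columns > 2 * bytes_per_row);
}

/* Guard that matches the two-bytes-per-column layout. */
int strict_guard_accepts(size_t bytes_per_row, size_t columns)
{
    return columns <= SIZE_MAX / 2 && 2 * columns <= bytes_per_row;
}

/* Constructed sample row: 4 RGB565 pixels (red, green, blue, white). */
static const unsigned char kSampleRow[8] =
    {0xF8, 0x00, 0x07, 0xE0, 0x00, 0x1F, 0xFF, 0xFF};

int main(void)
{
    uint16_t px[4];
    int n = decode_row16(kSampleRow, sizeof kSampleRow, 4, px, 4);
    printf("decoded %d pixels, first = 0x%04X\n", n, (unsigned)(n > 0 ? px[0] : 0));
    /* 100-byte row claimed to hold 100 16-bit columns: only the strict guard rejects it. */
    printf("lax guard accepts: %d, strict guard accepts: %d\n",
           lax_guard_accepts(100, 100), strict_guard_accepts(100, 100));
    return 0;
}
```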