Integer and Buffer overflow in coders/icon.c
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| imagemagick (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
Bug summary: Memory is allocated based on the sum of a user-supplied value and a fixed value. That sum can overflow, causing only a small amount of memory to be allocated, while the program assumes more was allocated.
The bug is present in both Ubuntu's release 6.8.9.9 and the most recent release of ImageMagick, Version 6.9.1-3.
This bug was found by examining code that matched the following regex: AcquireQuantumM
Technical details:
On line 313, icon_file.
On line 361, length=
On line 362, png=(unsigned char *) AcquireQuantumM
However, if length+16 overflows (for example, length == 2^32 - 15), it will only allocate memory for a single *png.
This is a problem, because the following lines assume that at least 16 bytes were allocated:
(void) CopyMagickMemor
png[12]=(unsigned char) icon_info.planes;
png[13]=(unsigned char) (icon_info.planes >> 8);
png[14]=(unsigned char) icon_info.
png[15]=(unsigned char) (icon_info.
And then the following line has a call to ReadBlob, and since length-16 will underflow (and the length is treated as a size_t), it will effectively execute a strcpy with the remaining data in the image file.
count=ReadBlob(
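The arithmetic described above, as an added example (not ImageMagick's code): it models the length+16 allocation and the length-16 read on a 32-bit size_t, which is an assumption taken from the register dumps below, shows how far the unchecked path writes past its allocation, and pairs it with the range check that rejects such a length before either expression can wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: the reporter's build is 32-bit (see the register dumps), so
 * size_t is 32 bits wide; model it with uint32_t so the wrap reproduces
 * on any host. */
typedef uint32_t size32;
#define PNG_PREFIX 16u   /* bytes the coder writes into png[] before ReadBlob */

/* The unchecked arithmetic the report describes. */
static size32 unchecked_alloc(size32 length) { return length + PNG_PREFIX; }
static size32 unchecked_read(size32 length)  { return length - PNG_PREFIX; }

/* Bytes the unchecked path writes past its allocation, given `remaining`
 * bytes still in the file (a ReadBlob-style read stops at end of file). */
static uint64_t unchecked_overrun(size32 length, uint64_t remaining)
{
    uint64_t alloc   = unchecked_alloc(length);
    uint64_t wanted  = unchecked_read(length);
    uint64_t written = PNG_PREFIX + (wanted < remaining ? wanted : remaining);
    return written > alloc ? written - alloc : 0;
}

/* Hardened form: validate length before either expression can wrap. */
static bool checked_sizes(size32 length, size32 *alloc, size32 *to_read)
{
    if (length < PNG_PREFIX)               /* length-16 would underflow */
        return false;
    if (length > UINT32_MAX - PNG_PREFIX)  /* length+16 would overflow */
        return false;
    *alloc   = length + PNG_PREFIX;
    *to_read = length - PNG_PREFIX;
    return true;
}

int main(void)
{
    size32 bad = UINT32_MAX - 14u;   /* 2^32 - 15, the value quoted in the report */
    size32 alloc = 0, to_read = 0;
    printf("length=%#x: unchecked alloc=%u byte(s), overrun with 100 bytes left=%llu\n",
           bad, unchecked_alloc(bad), (unsigned long long) unchecked_overrun(bad, 100));
    printf("length=%#x: checked_sizes accepts=%d\n", bad, checked_sizes(bad, &alloc, &to_read));
    bool ok = checked_sizes(1000u, &alloc, &to_read);
    printf("length=1000: checked_sizes accepts=%d alloc=%u to_read=%u\n", ok, alloc, to_read);
    return 0;
}
```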
Stack traces:
Ubuntu release (v6.8.9.9):
Error: lt-convert: malloc.c:3530: _int_malloc: Assertion `(fwd->size & 0x4) == 0' failed.
user@ubuntu15:~$ libtool execute gdb ~/Downloads/
gdb$ r corruption.ico /dev/null
Starting program: /home/user/
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-
lt-convert: malloc.c:3530: _int_malloc: Assertion `(fwd->size & 0x4) == 0' failed.
[New Thread 0xb4b89b40 (LWP 27859)]
Program received signal SIGABRT, Aborted.
-------
EAX: 0x00000000 EBX: 0x00006CCF ECX: 0x00006CCF EDX: 0x00000006 o d I t s z a P c
ESI: 0xB78B88A6 EDI: 0xB790F000 EBP: 0xB78B761C ESP: 0xBFFF2514 EIP: 0xB7FDBBE0
CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007B
-------
=> 0xb7fdbbe0 <__kernel_
0xb7fdbbe1 <__kernel_
0xb7fdbbe2 <__kernel_
0xb7fdbbe3 <__kernel_
0xb7fdbbe4: int3
0xb7fdbbe5: cli
0xb7fdbbe6: (bad)
0xb7fdbbe7: call DWORD PTR [eax+eax*1]
-------
0xb7fdbbe0 in __kernel_vsyscall ()
gdb$ bt
#0 0xffffffff in __kernel_vsyscall ()
#1 0xffffffff in __GI_raise (sig=0x6) at ../sysdeps/
#2 0xffffffff in __GI_abort () at abort.c:89
#3 0xffffffff in __malloc_assert (assertion=
#4 0xffffffff in _int_malloc (av=av@
#5 0xffffffff in __GI___libc_malloc (bytes=0x4104) at malloc.c:2895
#6 0xffffffff in AcquireMagickMemory (size=0x4104) at magick/memory.c:464
#7 0xffffffff in AcquireImageInfo () at magick/image.c:334
#8 0xffffffff in CloneImageInfo (image_
#9 0xffffffff in ReadICONImage (image_
#10 0xffffffff in ReadImage (image_
#11 0xffffffff in ReadImages (image_
#12 0xffffffff in ConvertImageCommand (image_info=0x2, argc=0x3, argv=0x8054ce8, metadata=0x0, exception=
#13 0xffffffff in MagickCommandGe
#14 0x080486ec in main (argv=0xbffff054, argc=<optimized out>) at utilities/
#15 0x080486ec in main (argc=0x3, argv=0xbffff054) at utilities/
Newest release: Version 6.9.1-3
Error: *** Error in `/home/
gdb$ r corruption.ico /dev/null
Starting program: /home/user/
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-
*** Error in `/home/
[New Thread 0xb4b95b40 (LWP 27765)]
Program received signal SIGABRT, Aborted.
-------
EAX: 0x00000000 EBX: 0x00006C71 ECX: 0x00006C71 EDX: 0x00000006 o d I t s z a P c
ESI: 0x0000007F EDI: 0xB78F0000 EBP: 0xBFFF2608 ESP: 0xBFFF2344 EIP: 0xB7FDBBE0
CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007B
-------
=> 0xb7fdbbe0 <__kernel_
0xb7fdbbe1 <__kernel_
0xb7fdbbe2 <__kernel_
0xb7fdbbe3 <__kernel_
0xb7fdbbe4: int3
0xb7fdbbe5: cli
0xb7fdbbe6: (bad)
0xb7fdbbe7: call DWORD PTR [eax+eax*1]
-------
0xb7fdbbe0 in __kernel_vsyscall ()
gdb$ bt
#0 0xffffffff in __kernel_vsyscall ()
#1 0xffffffff in __GI_raise (sig=0x6) at ../sysdeps/
#2 0xffffffff in __GI_abort () at abort.c:89
#3 0xffffffff in __libc_message (do_abort=0x1, fmt=0xb789d444 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/
#4 0xffffffff in malloc_printerr (action=<optimized out>, str=0xb7899549 "corrupted double-linked list", ptr=0x80833f8) at malloc.c:4965
#5 0xffffffff in malloc_consolidate (av=av@
#6 0xffffffff in _int_malloc (av=av@
#7 0xffffffff in __GI___libc_malloc (bytes=0x4104) at malloc.c:2895
#8 0xffffffff in AcquireMagickMemory (size=0x4104) at magick/memory.c:464
#9 0xffffffff in AcquireImageInfo () at magick/image.c:334
#10 0xffffffff in CloneImageInfo (image_
#11 0xffffffff in ReadICONImage (image_
#12 0xffffffff in ReadImage (image_
#13 0xffffffff in ReadImages (image_
#14 0xffffffff in ConvertImageCommand (image_info=0x2, argc=0x3, argv=0x8054d28, metadata=0x0, exception=
#15 0xffffffff in MagickCommandGe
#16 0x080486ec in main (argv=0xbffff054, argc=<optimized out>) at utilities/
#17 0x080486ec in main (argc=0x3, argv=0xbffff054) at utilities/
Changed in imagemagick (Ubuntu):
- status: New → Confirmed
- information type: Private Security → Public Security
Including file that triggers the issue