out-of-bounds read in coders/rle.c:590 ReadRLEImage
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
imagemagick (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
This bug was found while fuzzing ImageMagick with afl-fuzz
Tested on ImageMagick version d8382f9c0ffa520
Command: magick infile /dev/null
Build info:
#Configure command:
CC=afl-clang-fast CXX=afl-
#Make command:
CC=afl-clang-fast CXX=afl-
ASAN output:
==2495==ERROR: AddressSanitizer: heap-buffer-
READ of size 1 at 0xb5006e40 thread T0
#0 0x87bb423 in ReadRLEImage /home/user/
#1 0x8a8b97a in ReadImage /home/user/
#2 0x8a937ef in ReadImages /home/user/
#3 0x93754a9 in CLINoImageOperator /home/user/
#4 0x937d98f in CLIOption /home/user/
#5 0x910afad in ProcessCommandO
#6 0x910e325 in MagickImageCommand /home/user/
#7 0x9112809 in MagickCommandGe
#8 0x80de10d in MagickMain /home/user/
#9 0x80de10d in main /home/user/
#10 0xb756ba82 in __libc_start_main /build/
#11 0x80ddf34 in _start (/home/
0xb5006e40 is located 0 bytes to the right of 6464-byte region [0xb5005500,
allocated by thread T0 here:
#0 0x80c7001 in __interceptor_
#1 0x8194163 in AcquireAlignedM
#2 0x8194163 in AcquireVirtualM
#3 0x87b0615 in ReadRLEImage /home/user/
#4 0x8a8b97a in ReadImage /home/user/
#5 0x8a937ef in ReadImages /home/user/
#6 0x93754a9 in CLINoImageOperator /home/user/
#7 0x937d98f in CLIOption /home/user/
#8 0x910afad in ProcessCommandO
SUMMARY: AddressSanitizer: heap-buffer-
Shadow bytes around the buggy address:
0x36a00d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36a00d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36a00d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36a00da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36a00db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36a00dc0: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
0x36a00dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36a00de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36a00df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36a00e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36a00e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
information type: | Private Security → Public Security |
summary: |
- heap-buffer-overflow in coders/rle.c:590 ReadRLEImage + out-of-bounds read in coders/rle.c:590 ReadRLEImage |
Changed in imagemagick (Ubuntu): | |
status: | New → Confirmed |
https:/ /github. com/ImageMagick /ImageMagick/ issues/ 82