Ubuntu
imagemagick package

out-of-bounds write in coders/psd.c:2240 PSDPackbitsEncodeImage

Bug #1533450 reported by Moshe Kaplan
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ImageMagick
Fix Released
Unknown
imagemagick (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

This bug was found while fuzzing ImageMagick with afl-fuzz

Tested on ImageMagick version d8382f9c0ffa52057271a6a323e7e062f0fe4ff6

Command: magick infile /dev/null

Build info:

#Configure command:
CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --with-bzlib=no --with-djvu=no --with-dps=no --with-fftw=no --with-fpx=no --with-fontconfig=no --with-freetype=no --with-gvc=no --with-jbig=no --with-jpeg=no --with-lcms=no --with-lqr=no --with-ltdl=no --with-lzma=no --with-openexr=no --with-openjp2=no --with-pango=no --with-png=no --with-tiff=no --with-wmf=no --with-x=no --with-xml=no --with-zlib=no --enable-hdri=no --enable-shared=no

#Make command:
CC=afl-clang-fast CXX=afl-clang-fast++ make

ASAN output:

=================================================================
==11236==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5c0b992 at pc 0x8772e2a bp 0xbf9c1268 sp 0xbf9c1260
WRITE of size 1 at 0xb5c0b992 thread T0
    #0 0x8772e29 in PSDPackbitsEncodeImage /home/user/Desktop/imagemagick_reporting/ImageMagick/coders/psd.c:2240
    #1 0x876fb3b in WritePackbitsLength /home/user/Desktop/imagemagick_reporting/ImageMagick/coders/psd.c:2279
    #2 0x876c48d in WriteImageChannels /home/user/Desktop/imagemagick_reporting/ImageMagick/coders/psd.c:2379
    #3 0x8768fdc in WritePSDImage /home/user/Desktop/imagemagick_reporting/ImageMagick/coders/psd.c:2959
    #4 0x8a96298 in WriteImage /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickCore/constitute.c:1091
    #5 0x8a99c7c in WriteImages /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickCore/constitute.c:1309
    #6 0x9375b7f in CLINoImageOperator /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/operation.c:4697
    #7 0x937d98f in CLIOption /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/operation.c:5157
    #8 0x910bea3 in ProcessCommandOptions /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/magick-cli.c:526
    #9 0x910e325 in MagickImageCommand /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/magick-cli.c:786
    #10 0x9112809 in MagickCommandGenesis /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/mogrify.c:172
    #11 0x80de10d in MagickMain /home/user/Desktop/imagemagick_reporting/ImageMagick/utilities/magick.c:74
    #12 0x80de10d in main /home/user/Desktop/imagemagick_reporting/ImageMagick/utilities/magick.c:85
    #13 0xb7539a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #14 0x80ddf34 in _start (/home/user/Desktop/imagemagick_reporting/ImageMagick/utilities/magick+0x80ddf34)

0xb5c0b992 is located 0 bytes to the right of 2-byte region [0xb5c0b990,0xb5c0b992)
allocated by thread T0 here:
    #0 0x80c6b61 in malloc (/home/user/Desktop/imagemagick_reporting/ImageMagick/utilities/magick+0x80c6b61)
    #1 0x81939e9 in AcquireMagickMemory /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickCore/memory.c:463
    #2 0x81939e9 in AcquireQuantumMemory /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickCore/memory.c:539
    #3 0x8768fdc in WritePSDImage /home/user/Desktop/imagemagick_reporting/ImageMagick/coders/psd.c:2959
    #4 0x8a96298 in WriteImage /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickCore/constitute.c:1091
    #5 0x8a99c7c in WriteImages /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickCore/constitute.c:1309
    #6 0x9375b7f in CLINoImageOperator /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/operation.c:4697
    #7 0x937d98f in CLIOption /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/operation.c:5157
    #8 0x910bea3 in ProcessCommandOptions /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/magick-cli.c:526

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/Desktop/imagemagick_reporting/ImageMagick/coders/psd.c:2240 PSDPackbitsEncodeImage
Shadow bytes around the buggy address:
  0x36b816e0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 01
  0x36b816f0: fa fa 00 00 fa fa 00 00 fa fa 00 03 fa fa 00 00
  0x36b81700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b81710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b81720: fa fa fa fa fa fa fa fa fa fa 00 04 fa fa 04 fa
=>0x36b81730: fa fa[02]fa fa fa fd fd fa fa fd fa fa fa fd fd
  0x36b81740: fa fa fd fa fa fa 00 00 fa fa 00 04 fa fa 00 00
  0x36b81750: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x36b81760: fa fa 00 04 fa fa 00 07 fa fa fd fa fa fa 00 00
  0x36b81770: fa fa 00 06 fa fa 00 00 fa fa 00 06 fa fa 00 00
  0x36b81780: fa fa 00 04 fa fa 00 00 fa fa 00 03 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==11236==ABORTING

Revision history for this message
Moshe Kaplan (moshekaplan) wrote :
Moshe Kaplan (moshekaplan)
information type: Private Security → Public Security
Revision history for this message
Moshe Kaplan (moshekaplan) wrote :

https://github.com/ImageMagick/ImageMagick/issues/79

Moshe Kaplan (moshekaplan)
summary: - heap-buffer-overflow in coders/psd.c:2240 PSDPackbitsEncodeImage
+ out-of-bounds write in coders/psd.c:2240 PSDPackbitsEncodeImage
Revision history for this message
Moshe Kaplan (moshekaplan) wrote :

Resolved upstream

Marc Deslauriers (mdeslaur)
Changed in imagemagick (Ubuntu):
status: New → Confirmed
broucaries (roucaries-bastien+bugs)
Changed in imagemagick (Ubuntu):
status: Confirmed → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in imagemagick:
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.