out-of-bounds read in MagickCore/pixel-accessor.h:778 SetPixelViaPixelInfo
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ImageMagick |
Fix Released
|
Unknown
|
|||
imagemagick (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
This bug was found while fuzzing ImageMagick with afl-fuzz
Tested on ImageMagick version d8382f9c0ffa520
Command: magick infile /dev/null
Build info:
#Configure command:
CC=afl-clang-fast CXX=afl-
#Make command:
CC=afl-clang-fast CXX=afl-
ASAN output:
=======
==21361==ERROR: AddressSanitizer: heap-buffer-
READ of size 4 at 0xb3107468 thread T0
#0 0x877c882 in SetPixelViaPixe
#1 0x877c882 in ReadPSDChannelP
#2 0x8776ccb in ReadPSDChannelRaw /home/user/
#3 0x875eb8f in ReadPSDMergedImage /home/user/
#4 0x875eb8f in ReadPSDImage /home/user/
#5 0x8a8b97a in ReadImage /home/user/
#6 0x8a937ef in ReadImages /home/user/
#7 0x93754a9 in CLINoImageOperator /home/user/
#8 0x937d98f in CLIOption /home/user/
#9 0x910afad in ProcessCommandO
#10 0x910e325 in MagickImageCommand /home/user/
#11 0x9112809 in MagickCommandGe
#12 0x80de10d in MagickMain /home/user/
#13 0x80de10d in main /home/user/
#14 0xb7499a82 in __libc_start_main /build/
#15 0x80ddf34 in _start (/home/
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-
Shadow bytes around the buggy address:
0x36620e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36620e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36620e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36620e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36620e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36620e80: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa
0x36620e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36620ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36620eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36620ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36620ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==21361==ABORTING
information type: | Private Security → Public Security |
summary: |
- heap-buffer-overflow in MagickCore/pixel-accessor.h:778 + out-of-bounds read in MagickCore/pixel-accessor.h:778 SetPixelViaPixelInfo |
Changed in imagemagick (Ubuntu): | |
status: | New → Confirmed |
Changed in imagemagick (Ubuntu): | |
status: | Confirmed → Fix Released |
Changed in imagemagick: | |
status: | Unknown → Fix Released |
https:/ /github. com/ImageMagick /ImageMagick/ issues/ 78