out-of-bounds read in coders/viff.c:445 ReadVIFFImage

Bug #1533452 reported by Moshe Kaplan on 2016-01-13
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
imagemagick (Ubuntu)
Undecided
Unassigned

Bug Description

This bug was found while fuzzing ImageMagick with afl-fuzz

Tested on ImageMagick version d8382f9c0ffa52057271a6a323e7e062f0fe4ff6

Command: magick infile /dev/null

Build info:

#Configure command:
CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --with-bzlib=no --with-djvu=no --with-dps=no --with-fftw=no --with-fpx=no --with-fontconfig=no --with-freetype=no --with-gvc=no --with-jbig=no --with-jpeg=no --with-lcms=no --with-lqr=no --with-ltdl=no --with-lzma=no --with-openexr=no --with-openjp2=no --with-pango=no --with-png=no --with-tiff=no --with-wmf=no --with-x=no --with-xml=no --with-zlib=no --enable-hdri=no --enable-shared=no

#Make command:
CC=afl-clang-fast CXX=afl-clang-fast++ make

ASAN output:

=================================================================
==20581==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb480485c at pc 0x886f19e bp 0xbf8c63a8 sp 0xbf8c63a0
READ of size 4 at 0xb480485c thread T0
    #0 0x886f19d in ReadVIFFImage /home/user/Desktop/imagemagick_reporting/ImageMagick/coders/viff.c:445
    #1 0x8a8b97a in ReadImage /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickCore/constitute.c:494
    #2 0x8a937ef in ReadImages /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickCore/constitute.c:844
    #3 0x93754a9 in CLINoImageOperator /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/operation.c:4663
    #4 0x937d98f in CLIOption /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/operation.c:5157
    #5 0x910afad in ProcessCommandOptions /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/magick-cli.c:474
    #6 0x910e325 in MagickImageCommand /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/magick-cli.c:786
    #7 0x9112809 in MagickCommandGenesis /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/mogrify.c:172
    #8 0x80de10d in MagickMain /home/user/Desktop/imagemagick_reporting/ImageMagick/utilities/magick.c:74
    #9 0x80de10d in main /home/user/Desktop/imagemagick_reporting/ImageMagick/utilities/magick.c:85
    #10 0xb7549a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #11 0x80ddf34 in _start (/home/user/Desktop/imagemagick_reporting/ImageMagick/utilities/magick+0x80ddf34)

0xb480485c is located 0 bytes to the right of 60-byte region [0xb4804820,0xb480485c)
allocated by thread T0 here:
    #0 0x80c6b61 in malloc (/home/user/Desktop/imagemagick_reporting/ImageMagick/utilities/magick+0x80c6b61)
    #1 0x81939e9 in AcquireMagickMemory /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickCore/memory.c:463
    #2 0x81939e9 in AcquireQuantumMemory /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickCore/memory.c:539
    #3 0x8a8b97a in ReadImage /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickCore/constitute.c:494
    #4 0x8a937ef in ReadImages /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickCore/constitute.c:844
    #5 0x93754a9 in CLINoImageOperator /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/operation.c:4663
    #6 0x937d98f in CLIOption /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/operation.c:5157
    #7 0x910afad in ProcessCommandOptions /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/magick-cli.c:474

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/Desktop/imagemagick_reporting/ImageMagick/coders/viff.c:445 ReadVIFFImage
Shadow bytes around the buggy address:
  0x369008b0: 00 00 00 00 00 00 00 04 fa fa fa fa 00 00 00 00
  0x369008c0: 00 00 00 04 fa fa fa fa 00 00 00 00 00 00 00 04
  0x369008d0: fa fa fa fa 00 00 00 00 00 00 00 04 fa fa fa fa
  0x369008e0: 00 00 00 00 00 00 00 04 fa fa fa fa 00 00 00 00
  0x369008f0: 00 00 00 04 fa fa fa fa 00 00 00 00 00 00 00 04
=>0x36900900: fa fa fa fa 00 00 00 00 00 00 00[04]fa fa fa fa
  0x36900910: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x36900920: 00 00 00 04 fa fa fa fa 00 00 00 00 00 00 00 04
  0x36900930: fa fa fa fa 00 00 00 00 00 00 00 04 fa fa fa fa
  0x36900940: 00 00 00 00 00 00 00 04 fa fa fa fa 00 00 00 00
  0x36900950: 00 00 00 04 fa fa fa fa 00 00 00 00 00 00 00 04
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==20581==ABORTING

Moshe Kaplan (mk-moshe-kaplan) wrote :
information type: Private Security → Public Security
summary: - out-of-bounds read in coders/psd.c:797 ReadPSDChannelPixels
+ out-of-bounds read in coders/coders/viff.c:445 ReadVIFFImage
summary: - out-of-bounds read in coders/coders/viff.c:445 ReadVIFFImage
+ out-of-bounds read in coders/viff.c:445 ReadVIFFImage
Changed in imagemagick (Ubuntu):
status: New → Triaged
Moshe Kaplan (mk-moshe-kaplan) wrote :
  • poc2 Edit (7.4 KiB, application/octet-stream)
Moshe Kaplan (mk-moshe-kaplan) wrote :

Resolved upstream

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package imagemagick - 8:6.9.6.6+dfsg-1ubuntu3

---------------
imagemagick (8:6.9.6.6+dfsg-1ubuntu3) zesty; urgency=medium

  * debian/patches/0020-Revert-GradientImage-change.patch: Revert patch
    per https://github.com/ImageMagick/ImageMagick/issues/316. Thanks
    to Cristy <email address hidden>. Closes LP: #1645406.

 -- Nishanth Aravamudan <email address hidden> Tue, 06 Dec 2016 17:26:36 +0100

Changed in imagemagick (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.