out-of-bounds read in coders/hdr.c:622

Bug #1537213 reported by Moshe Kaplan on 2016-01-22
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
imagemagick (Ubuntu)
Undecided
Unassigned

Bug Description

=================================================================
==29740==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3302f40 at pc 0x85250f7 bp 0xbfa013a8 sp 0xbfa013a0
READ of size 1 at 0xb3302f40 thread T0
    #0 0x85250f6 in HDRWriteRunlengthPixels /home/user/Desktop/ImageMagick/coders/hdr.c:622
    #1 0x85250f6 in WriteHDRImage /home/user/Desktop/ImageMagick/coders/hdr.c:808
    #2 0x8a9ec28 in WriteImage /home/user/Desktop/ImageMagick/MagickCore/constitute.c:1091
    #3 0x8aa260c in WriteImages /home/user/Desktop/ImageMagick/MagickCore/constitute.c:1309
    #4 0x9371c9f in CLINoImageOperator /home/user/Desktop/ImageMagick/MagickWand/operation.c:4697
    #5 0x9379ab1 in CLIOption /home/user/Desktop/ImageMagick/MagickWand/operation.c:5157
    #6 0x9107fb3 in ProcessCommandOptions /home/user/Desktop/ImageMagick/MagickWand/magick-cli.c:526
    #7 0x910a435 in MagickImageCommand /home/user/Desktop/ImageMagick/MagickWand/magick-cli.c:786
    #8 0x910e919 in MagickCommandGenesis /home/user/Desktop/ImageMagick/MagickWand/mogrify.c:172
    #9 0x80de12d in MagickMain /home/user/Desktop/ImageMagick/utilities/magick.c:74
    #10 0x80de12d in main /home/user/Desktop/ImageMagick/utilities/magick.c:85
    #11 0xb7475a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #12 0x80ddf54 in _start (/usr/local/bin/magick+0x80ddf54)

0xb3302f40 is located 0 bytes to the right of 128-byte region [0xb3302ec0,0xb3302f40)
allocated by thread T0 here:
    #0 0x80c6b81 in malloc (/usr/local/bin/magick+0x80c6b81)
    #1 0x81932f9 in AcquireMagickMemory /home/user/Desktop/ImageMagick/MagickCore/memory.c:475
    #2 0x81932f9 in AcquireQuantumMemory /home/user/Desktop/ImageMagick/MagickCore/memory.c:548
    #3 0x8a9ec28 in WriteImage /home/user/Desktop/ImageMagick/MagickCore/constitute.c:1091
    #4 0x8aa260c in WriteImages /home/user/Desktop/ImageMagick/MagickCore/constitute.c:1309
    #5 0x9371c9f in CLINoImageOperator /home/user/Desktop/ImageMagick/MagickWand/operation.c:4697
    #6 0x9379ab1 in CLIOption /home/user/Desktop/ImageMagick/MagickWand/operation.c:5157
    #7 0x9107fb3 in ProcessCommandOptions /home/user/Desktop/ImageMagick/MagickWand/magick-cli.c:526

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/Desktop/ImageMagick/coders/hdr.c:622 HDRWriteRunlengthPixels
Shadow bytes around the buggy address:
  0x36660590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366605a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366605b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366605c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366605d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x366605e0: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x366605f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x36660600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36660610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36660620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36660630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==29740==ABORTING

Moshe Kaplan (mk-moshe-kaplan) wrote :

input file to trigger crash

Moshe Kaplan (mk-moshe-kaplan) wrote :

This bug was found while fuzzing ImageMagick with afl-fuzz

Tested on ImageMagick version Tested on git commit b5af2acfbf05cc6af1fc4a69d1fda2f497ca9719

Command: magick not_kiddy.hdr /dev/null

summary: - heap-buffer-overflow in coders/hdr.c:622
+ out-of-bounds read in coders/hdr.c:622
Changed in imagemagick (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package imagemagick - 8:6.9.6.6+dfsg-1ubuntu3

---------------
imagemagick (8:6.9.6.6+dfsg-1ubuntu3) zesty; urgency=medium

  * debian/patches/0020-Revert-GradientImage-change.patch: Revert patch
    per https://github.com/ImageMagick/ImageMagick/issues/316. Thanks
    to Cristy <email address hidden>. Closes LP: #1645406.

 -- Nishanth Aravamudan <email address hidden> Tue, 06 Dec 2016 17:26:36 +0100

Changed in imagemagick (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.