out-of-bounds read in coders/meta.c:465

Bug #1537422 reported by Moshe Kaplan on 2016-01-24
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ImageMagick
Fix Released
Unknown
imagemagick (Ubuntu)
Undecided
Unassigned

Bug Description

=================================================================
==19799==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb480485d at pc 0x85b324e bp 0xbfcaa3a8 sp 0xbfcaa3a0
READ of size 1 at 0xb480485d thread T0
    #0 0x85b324d in parse8BIM /home/user/Desktop/ImageMagick/coders/meta.c:465
    #1 0x85b324d in ReadMETAImage /home/user/Desktop/ImageMagick/coders/meta.c:1201
    #2 0x8a9438a in ReadImage /home/user/Desktop/ImageMagick/MagickCore/constitute.c:494
    #3 0x8a9c1ff in ReadImages /home/user/Desktop/ImageMagick/MagickCore/constitute.c:844
    #4 0x9371649 in CLINoImageOperator /home/user/Desktop/ImageMagick/MagickWand/operation.c:4663
    #5 0x9379b31 in CLIOption /home/user/Desktop/ImageMagick/MagickWand/operation.c:5157
    #6 0x910713d in ProcessCommandOptions /home/user/Desktop/ImageMagick/MagickWand/magick-cli.c:474
    #7 0x910a4b5 in MagickImageCommand /home/user/Desktop/ImageMagick/MagickWand/magick-cli.c:786
    #8 0x910e999 in MagickCommandGenesis /home/user/Desktop/ImageMagick/MagickWand/mogrify.c:172
    #9 0x80de12d in MagickMain /home/user/Desktop/ImageMagick/utilities/magick.c:74
    #10 0x80de12d in main /home/user/Desktop/ImageMagick/utilities/magick.c:85
    #11 0xb74bba82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #12 0x80ddf54 in _start (/usr/local/bin/magick+0x80ddf54)

0xb480485d is located 0 bytes to the right of 61-byte region [0xb4804820,0xb480485d)
allocated by thread T0 here:
    #0 0x80c6b81 in malloc (/usr/local/bin/magick+0x80c6b81)
    #1 0x81932f9 in AcquireMagickMemory /home/user/Desktop/ImageMagick/MagickCore/memory.c:475
    #2 0x81932f9 in AcquireQuantumMemory /home/user/Desktop/ImageMagick/MagickCore/memory.c:548
    #3 0x8a9438a in ReadImage /home/user/Desktop/ImageMagick/MagickCore/constitute.c:494
    #4 0x8a9c1ff in ReadImages /home/user/Desktop/ImageMagick/MagickCore/constitute.c:844
    #5 0x9371649 in CLINoImageOperator /home/user/Desktop/ImageMagick/MagickWand/operation.c:4663
    #6 0x9379b31 in CLIOption /home/user/Desktop/ImageMagick/MagickWand/operation.c:5157
    #7 0x910713d in ProcessCommandOptions /home/user/Desktop/ImageMagick/MagickWand/magick-cli.c:474

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/Desktop/ImageMagick/coders/meta.c:465 parse8BIM
Shadow bytes around the buggy address:
  0x369008b0: 00 00 00 00 00 00 00 04 fa fa fa fa 00 00 00 00
  0x369008c0: 00 00 00 04 fa fa fa fa 00 00 00 00 00 00 00 04
  0x369008d0: fa fa fa fa 00 00 00 00 00 00 00 04 fa fa fa fa
  0x369008e0: 00 00 00 00 00 00 00 04 fa fa fa fa 00 00 00 00
  0x369008f0: 00 00 00 04 fa fa fa fa 00 00 00 00 00 00 00 04
=>0x36900900: fa fa fa fa 00 00 00 00 00 00 00[05]fa fa fa fa
  0x36900910: 00 00 00 00 00 00 00 04 fa fa fa fa 00 00 00 00
  0x36900920: 00 00 00 04 fa fa fa fa 00 00 00 00 00 00 00 04
  0x36900930: fa fa fa fa 00 00 00 00 00 00 00 04 fa fa fa fa
  0x36900940: 00 00 00 00 00 00 00 04 fa fa fa fa 00 00 00 00
  0x36900950: 00 00 00 04 fa fa fa fa 00 00 00 00 00 00 00 04
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==19799==ABORTING

Moshe Kaplan (mk-moshe-kaplan) wrote :

input file to trigger crash

Moshe Kaplan (mk-moshe-kaplan) wrote :

This bug was found while fuzzing ImageMagick with afl-fuzz

Tested on git commit 87b213f9e2578611654a74ea0c6014367f4dc2fa

Command: magick $infile /dev/null

summary: - heap-buffer-overflow in coders/meta.c:465
+ out-of-bounds read in coders/meta.c:465
Changed in imagemagick (Ubuntu):
status: New → Confirmed
Changed in imagemagick (Ubuntu):
status: Confirmed → Fix Released
Changed in imagemagick:
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.