Ubuntu
imagemagick package

out-of-bounds read in coders/pcx.c:536

Bug #1542109 reported by Moshe Kaplan
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ImageMagick
Fix Released
Unknown
imagemagick (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

This bug was found while fuzzing ImageMagick with afl-fuzz

Tested on ImageMagick git commit %s

Command: magick id:000169,sig:06,src:000734+004696,op:splice,rep:128 /dev/null

=================================================================
==32731==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3503080 at pc 0x8652c1c bp 0xbfc261a8 sp 0xbfc261a0
READ of size 1 at 0xb3503080 thread T0
    #0 0x8652c1b in ReadPCXImage /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/coders/pcx.c:536
    #1 0x8a8ad6a in ReadImage /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/constitute.c:494
    #2 0x8a92bdf in ReadImages /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/constitute.c:844
    #3 0x9375c09 in CLINoImageOperator /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/operation.c:4685
    #4 0x937e0f1 in CLIOption /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/operation.c:5179
    #5 0x910ae9d in ProcessCommandOptions /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/magick-cli.c:474
    #6 0x910e215 in MagickImageCommand /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/magick-cli.c:786
    #7 0x91126f9 in MagickCommandGenesis /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/mogrify.c:172
    #8 0x80de16d in MagickMain /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/utilities/magick.c:74
    #9 0x80de16d in main /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/utilities/magick.c:85
    #10 0xb7477a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #11 0x80ddf94 in _start (/usr/local/bin/magick+0x80ddf94)

0xb3503080 is located 0 bytes to the right of 2048-byte region [0xb3502880,0xb3503080)
allocated by thread T0 here:
    #0 0x80c7061 in __interceptor_posix_memalign (/usr/local/bin/magick+0x80c7061)
    #1 0x8189123 in AcquireAlignedMemory /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/memory.c:273
    #2 0x8189123 in AcquireVirtualMemory /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/memory.c:597
    #3 0x864a867 in ReadPCXImage /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/coders/pcx.c:394
    #4 0x8a8ad6a in ReadImage /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/constitute.c:494
    #5 0x8a92bdf in ReadImages /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/constitute.c:844
    #6 0x9375c09 in CLINoImageOperator /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/operation.c:4685
    #7 0x937e0f1 in CLIOption /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/operation.c:5179
    #8 0x910ae9d in ProcessCommandOptions /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/magick-cli.c:474

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/coders/pcx.c:536 ReadPCXImage
Shadow bytes around the buggy address:
  0x366a05c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x366a05d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x366a05e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x366a05f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x366a0600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x366a0610:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366a0620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366a0630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366a0640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x366a0650: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x366a0660: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==32731==ABORTING

Revision history for this message
Moshe Kaplan (moshekaplan) wrote :

input file to trigger crash

Revision history for this message
Moshe Kaplan (moshekaplan) wrote :

Reported upstream at: https://github.com/ImageMagick/ImageMagick/issues/118

Seth Arnold (seth-arnold)
Changed in imagemagick (Ubuntu):
status: New → Confirmed
broucaries (roucaries-bastien+bugs)
Changed in imagemagick (Ubuntu):
status: Confirmed → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in imagemagick:
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.