out-of-bounds read in MagickCore/memory.c:707:23

Bug #1542115 reported by Moshe Kaplan on 2016-02-05
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
imagemagick (Ubuntu)
Undecided
Unassigned

Bug Description

This bug was found while fuzzing ImageMagick with afl-fuzz

Tested on ImageMagick git commit %s

Command: magick id:000346,sig:06,src:005762,op:havoc,rep:32 /dev/null

=================================================================
==1064==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0950b2e4 at pc 0x80b2b26 bp 0xbfcdd908 sp 0xbfcdd4ec
READ of size 4096 at 0x0950b2e4 thread T0
    #0 0x80b2b25 in memcpy (/usr/local/bin/magick+0x80b2b25)
    #1 0x818b8fd in CopyMagickMemory /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/memory.c:707:23
    #2 0x888dfb8 in ExtractPostscript /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/coders/wpg.c:787
    #3 0x887f751 in ReadWPGImage /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/coders/wpg.c:1077
    #4 0x8a8ad6a in ReadImage /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/constitute.c:494
    #5 0x8a92bdf in ReadImages /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/constitute.c:844
    #6 0x9375c09 in CLINoImageOperator /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/operation.c:4685
    #7 0x937e0f1 in CLIOption /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/operation.c:5179
    #8 0x910ae9d in ProcessCommandOptions /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/magick-cli.c:474
    #9 0x910e215 in MagickImageCommand /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/magick-cli.c:786
    #10 0x91126f9 in MagickCommandGenesis /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/mogrify.c:172
    #11 0x80de16d in MagickMain /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/utilities/magick.c:74
    #12 0x80de16d in main /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/utilities/magick.c:85
    #13 0xb74c5a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #14 0x80ddf94 in _start (/usr/local/bin/magick+0x80ddf94)

0x0950b2e4 is located 60 bytes to the left of global variable '.str185' from 'MagickCore/magic.c' (0x950b320) of size 6
0x0950b2e4 is located 0 bytes to the right of global variable '.str184' from 'MagickCore/magic.c' (0x950b2e0) of size 4
  '.str184' is ascii string 'TTF'
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 memcpy
Shadow bytes around the buggy address:
  0x212a1600: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9
  0x212a1610: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9
  0x212a1620: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9
  0x212a1630: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9
  0x212a1640: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 00 01 f9 f9
=>0x212a1650: f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9[04]f9 f9 f9
  0x212a1660: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x212a1670: f9 f9 f9 f9 00 00 00 00 01 f9 f9 f9 f9 f9 f9 f9
  0x212a1680: 06 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x212a1690: 07 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
  0x212a16a0: 03 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==1064==ABORTING

Moshe Kaplan (mk-moshe-kaplan) wrote :

input file to trigger crash

Changed in imagemagick (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package imagemagick - 8:6.9.6.6+dfsg-1ubuntu3

---------------
imagemagick (8:6.9.6.6+dfsg-1ubuntu3) zesty; urgency=medium

  * debian/patches/0020-Revert-GradientImage-change.patch: Revert patch
    per https://github.com/ImageMagick/ImageMagick/issues/316. Thanks
    to Cristy <email address hidden>. Closes LP: #1645406.

 -- Nishanth Aravamudan <email address hidden> Tue, 06 Dec 2016 17:26:36 +0100

Changed in imagemagick (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.