Ubuntu
imagemagick package

out-of-bounds write in ./MagickCore/pixel-accessor.h:839

Bug #1542785 reported by Moshe Kaplan
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
imagemagick (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

This bug was found while fuzzing ImageMagick with afl-fuzz

Tested on ImageMagick git commit 5572ef67a81385837decff3746026b9abfd4a599

Command: magick id:000351,sig:06,src:005875,op:havoc,rep:128 /dev/null

=================================================================
==21278==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5404cc0 at pc 0x8fc9cf8 bp 0xbfd29cd8 sp 0xbfd29cd0
WRITE of size 2 at 0xb5404cc0 thread T0
    #0 0x8fc9cf7 in ImportCbYCrYQuantum /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/./MagickCore/pixel-accessor.h:839
    #1 0x8fc9cf7 in ImportQuantumPixels /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/quantum-import.c:4183
    #2 0x84b5417 in ReadDPXImage /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/coders/dpx.c:1266
    #3 0x8a8b0fa in ReadImage /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/constitute.c:494
    #4 0x8a92f6f in ReadImages /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/constitute.c:844
    #5 0x9375259 in CLINoImageOperator /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/operation.c:4680
    #6 0x937d741 in CLIOption /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/operation.c:5174
    #7 0x910a89d in ProcessCommandOptions /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/magick-cli.c:474
    #8 0x910dc15 in MagickImageCommand /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/magick-cli.c:786
    #9 0x91120f9 in MagickCommandGenesis /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/mogrify.c:172
    #10 0x80de16d in MagickMain /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/utilities/magick.c:74
    #11 0x80de16d in main /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/utilities/magick.c:85
    #12 0xb74f9a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #13 0x80ddf94 in _start (/usr/local/bin/magick+0x80ddf94)

0xb5404cc0 is located 0 bytes to the right of 4032-byte region [0xb5403d00,0xb5404cc0)
allocated by thread T0 here:
    #0 0x80c7061 in __interceptor_posix_memalign (/usr/local/bin/magick+0x80c7061)
    #1 0x81881bf in AcquireAlignedMemory /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/memory.c:273
    #2 0x89a8e5e in OpenPixelCache /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/cache.c:3402
    #3 0x89b5d3f in GetImagePixelCache /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/cache.c:1583
    #4 0x89c2c29 in SyncImagePixelCache /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/cache.c:5023

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/./MagickCore/pixel-accessor.h:839 ImportCbYCrYQuantum
Shadow bytes around the buggy address:
  0x36a80940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a80950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a80960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a80970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a80980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36a80990: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x36a809a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a809b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a809c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a809d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a809e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==21278==ABORTING

Revision history for this message
Moshe Kaplan (moshekaplan) wrote :

input file to trigger crash

Revision history for this message
Moshe Kaplan (moshekaplan) wrote :

Reported upstream at https://github.com/ImageMagick/ImageMagick/issues/126

Marc Deslauriers (mdeslaur)
Changed in imagemagick (Ubuntu):
status: New → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package imagemagick - 8:6.9.6.6+dfsg-1ubuntu3

---------------
imagemagick (8:6.9.6.6+dfsg-1ubuntu3) zesty; urgency=medium

  * debian/patches/0020-Revert-GradientImage-change.patch: Revert patch
    per https://github.com/ImageMagick/ImageMagick/issues/316. Thanks
    to Cristy <email address hidden>. Closes LP: #1645406.

 -- Nishanth Aravamudan <email address hidden> Tue, 06 Dec 2016 17:26:36 +0100

Changed in imagemagick (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.