out-of-bounds write in coders/psd.c:2225
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
| imagemagick (Ubuntu) |
Undecided
|
Unassigned |
Bug Description
This bug was found while fuzzing ImageMagick with afl-fuzz
Tested on ImageMagick git commit <unknown>
Command: magick id:000043,
magick: InvalidLength `/home/
=======
==31657==ERROR: AddressSanitizer: heap-buffer-
WRITE of size 1 at 0xb4003bc1 thread T0
#0 0x8767a19 in PSDPackbitsEnco
#1 0x87648eb in WritePackbitsLength /home/user/
#2 0x876123f in WriteImageChannels /home/user/
#3 0x875dd8c in WritePSDImage /home/user/
#4 0x8a961f8 in WriteImage /home/user/
#5 0x8a99bdc in WriteImages /home/user/
#6 0x937607f in CLINoImageOperator /home/user/
#7 0x937de91 in CLIOption /home/user/
#8 0x910bef3 in ProcessCommandO
#9 0x910e375 in MagickImageCommand /home/user/
#10 0x9112859 in MagickCommandGe
#11 0x80de16d in MagickMain /home/user/
#12 0x80de16d in main /home/user/
#13 0xb74dba82 in __libc_start_main /build/
#14 0x80ddf94 in _start (/usr/local/
0xb4003bc1 is located 0 bytes to the right of 257-byte region [0xb4003ac0,
allocated by thread T0 here:
#0 0x80c6bc1 in malloc (/usr/local/
#1 0x81888e9 in AcquireMagickMemory /home/user/
#2 0x81888e9 in AcquireQuantumM
#3 0x875dd8c in WritePSDImage /home/user/
#4 0x8a961f8 in WriteImage /home/user/
#5 0x8a99bdc in WriteImages /home/user/
#6 0x937607f in CLINoImageOperator /home/user/
#7 0x937de91 in CLIOption /home/user/
#8 0x910bef3 in ProcessCommandO
SUMMARY: AddressSanitizer: heap-buffer-
Shadow bytes around the buggy address:
0x36800720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36800730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36800740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36800750: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x36800760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36800770: 00 00 00 00 00 00 00 00[01]fa fa fa fa fa fa fa
0x36800780: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x36800790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x368007a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
0x368007b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x368007c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==31657==ABORTING
Moshe Kaplan (moshekaplan) wrote : | #1 |
Moshe Kaplan (moshekaplan) wrote : | #2 |
summary: |
- out-of-bounds write in - fuzz_results_2016_02_12/fuzzer01/crashes/id:000043,sig:06,src:000224,op:flip1,pos:15' - @ error/psd.c/ReadPSDChannelRLE/1002. + out-of-bounds write in coders/psd.c:2225 |
Steve Beattie (sbeattie) wrote : | #3 |
This appears to have been addressed upstream with https:/
Changed in imagemagick (Ubuntu): | |
status: | New → Triaged |
Launchpad Janitor (janitor) wrote : | #4 |
This bug was fixed in the package imagemagick - 8:6.9.6.
---------------
imagemagick (8:6.9.
* debian/
per https:/
to Cristy <email address hidden>. Closes LP: #1645406.
-- Nishanth Aravamudan <email address hidden> Tue, 06 Dec 2016 17:26:36 +0100
Changed in imagemagick (Ubuntu): | |
status: | Triaged → Fix Released |
input file to trigger crash