Ubuntu
imagemagick package

out-of-bounds write in coders/psd.c:2225

Bug #1545180 reported by Moshe Kaplan on 2016-02-12

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	imagemagick (Ubuntu)	Fix Released	Undecided	Unassigned

Bug Description

This bug was found while fuzzing ImageMagick with afl-fuzz

Tested on ImageMagick git commit <unknown>

Command: magick id:000043,sig:06,src:000224,op:flip1,pos:15 /dev/null

magick: InvalidLength `/home/user/Desktop/FuzzImageMagick/fuzz_results_2016_02_12/fuzzer01/crashes/id:000043,sig:06,src:000224,op:flip1,pos:15' @ error/psd.c/ReadPSDChannelRLE/1002.
=================================================================
==31657==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4003bc1 at pc 0x8767a1a bp 0xbfe4ba18 sp 0xbfe4ba10
WRITE of size 1 at 0xb4003bc1 thread T0
    #0 0x8767a19 in PSDPackbitsEncodeImage /home/user/Desktop/FuzzImageMagick/ImageMagick/coders/psd.c:2225
    #1 0x87648eb in WritePackbitsLength /home/user/Desktop/FuzzImageMagick/ImageMagick/coders/psd.c:2289
    #2 0x876123f in WriteImageChannels /home/user/Desktop/FuzzImageMagick/ImageMagick/coders/psd.c:2389
    #3 0x875dd8c in WritePSDImage /home/user/Desktop/FuzzImageMagick/ImageMagick/coders/psd.c:2974
    #4 0x8a961f8 in WriteImage /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickCore/constitute.c:1091
    #5 0x8a99bdc in WriteImages /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickCore/constitute.c:1309
    #6 0x937607f in CLINoImageOperator /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/operation.c:4714
    #7 0x937de91 in CLIOption /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/operation.c:5174
    #8 0x910bef3 in ProcessCommandOptions /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/magick-cli.c:526
    #9 0x910e375 in MagickImageCommand /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/magick-cli.c:786
    #10 0x9112859 in MagickCommandGenesis /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/mogrify.c:172
    #11 0x80de16d in MagickMain /home/user/Desktop/FuzzImageMagick/ImageMagick/utilities/magick.c:74
    #12 0x80de16d in main /home/user/Desktop/FuzzImageMagick/ImageMagick/utilities/magick.c:85
    #13 0xb74dba82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #14 0x80ddf94 in _start (/usr/local/bin/magick+0x80ddf94)

0xb4003bc1 is located 0 bytes to the right of 257-byte region [0xb4003ac0,0xb4003bc1)
allocated by thread T0 here:
    #0 0x80c6bc1 in malloc (/usr/local/bin/magick+0x80c6bc1)
    #1 0x81888e9 in AcquireMagickMemory /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickCore/memory.c:475
    #2 0x81888e9 in AcquireQuantumMemory /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickCore/memory.c:548
    #3 0x875dd8c in WritePSDImage /home/user/Desktop/FuzzImageMagick/ImageMagick/coders/psd.c:2974
    #4 0x8a961f8 in WriteImage /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickCore/constitute.c:1091
    #5 0x8a99bdc in WriteImages /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickCore/constitute.c:1309
    #6 0x937607f in CLINoImageOperator /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/operation.c:4714
    #7 0x937de91 in CLIOption /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/operation.c:5174
    #8 0x910bef3 in ProcessCommandOptions /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/magick-cli.c:526

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/Desktop/FuzzImageMagick/ImageMagick/coders/psd.c:2225 PSDPackbitsEncodeImage
Shadow bytes around the buggy address:
  0x36800720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36800730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36800740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36800750: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x36800760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36800770: 00 00 00 00 00 00 00 00[01]fa fa fa fa fa fa fa
  0x36800780: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x36800790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x368007a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
  0x368007b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x368007c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==31657==ABORTING

Revision history for this message

Moshe Kaplan (moshekaplan) wrote on 2016-02-12:

id:000043,sig:06,src:000224,op:flip1,pos:15 Edit (56 bytes, application/octet-stream)

input file to trigger crash

Revision history for this message

Moshe Kaplan (moshekaplan) wrote on 2016-02-12:

https://github.com/ImageMagick/ImageMagick/issues/128

summary:

- out-of-bounds write in
- fuzz_results_2016_02_12/fuzzer01/crashes/id:000043,sig:06,src:000224,op:flip1,pos:15'
- @ error/psd.c/ReadPSDChannelRLE/1002.
+ out-of-bounds write in coders/psd.c:2225

Revision history for this message

Steve Beattie (sbeattie) wrote on 2016-02-17:

This appears to have been addressed upstream with https://github.com/ImageMagick/ImageMagick/commit/533ea3b9047c67f9af49703de672f6c2e443f747

Changed in imagemagick (Ubuntu):
status:	New → Triaged

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-12-18:

This bug was fixed in the package imagemagick - 8:6.9.6.6+dfsg-1ubuntu3

---------------
imagemagick (8:6.9.6.6+dfsg-1ubuntu3) zesty; urgency=medium

  * debian/patches/0020-Revert-GradientImage-change.patch: Revert patch
    per https://github.com/ImageMagick/ImageMagick/issues/316. Thanks
    to Cristy <email address hidden>. Closes LP: #1645406.

-- Nishanth Aravamudan <email address hidden> Tue, 06 Dec 2016 17:26:36 +0100