out-of-bounds write in coders/psd.c:2225

Bug #1545180 reported by Moshe Kaplan on 2016-02-12
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
imagemagick (Ubuntu)
Undecided
Unassigned

Bug Description

This bug was found while fuzzing ImageMagick with afl-fuzz

Tested on ImageMagick git commit <unknown>

Command: magick id:000043,sig:06,src:000224,op:flip1,pos:15 /dev/null

magick: InvalidLength `/home/user/Desktop/FuzzImageMagick/fuzz_results_2016_02_12/fuzzer01/crashes/id:000043,sig:06,src:000224,op:flip1,pos:15' @ error/psd.c/ReadPSDChannelRLE/1002.
=================================================================
==31657==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4003bc1 at pc 0x8767a1a bp 0xbfe4ba18 sp 0xbfe4ba10
WRITE of size 1 at 0xb4003bc1 thread T0
    #0 0x8767a19 in PSDPackbitsEncodeImage /home/user/Desktop/FuzzImageMagick/ImageMagick/coders/psd.c:2225
    #1 0x87648eb in WritePackbitsLength /home/user/Desktop/FuzzImageMagick/ImageMagick/coders/psd.c:2289
    #2 0x876123f in WriteImageChannels /home/user/Desktop/FuzzImageMagick/ImageMagick/coders/psd.c:2389
    #3 0x875dd8c in WritePSDImage /home/user/Desktop/FuzzImageMagick/ImageMagick/coders/psd.c:2974
    #4 0x8a961f8 in WriteImage /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickCore/constitute.c:1091
    #5 0x8a99bdc in WriteImages /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickCore/constitute.c:1309
    #6 0x937607f in CLINoImageOperator /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/operation.c:4714
    #7 0x937de91 in CLIOption /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/operation.c:5174
    #8 0x910bef3 in ProcessCommandOptions /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/magick-cli.c:526
    #9 0x910e375 in MagickImageCommand /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/magick-cli.c:786
    #10 0x9112859 in MagickCommandGenesis /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/mogrify.c:172
    #11 0x80de16d in MagickMain /home/user/Desktop/FuzzImageMagick/ImageMagick/utilities/magick.c:74
    #12 0x80de16d in main /home/user/Desktop/FuzzImageMagick/ImageMagick/utilities/magick.c:85
    #13 0xb74dba82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #14 0x80ddf94 in _start (/usr/local/bin/magick+0x80ddf94)

0xb4003bc1 is located 0 bytes to the right of 257-byte region [0xb4003ac0,0xb4003bc1)
allocated by thread T0 here:
    #0 0x80c6bc1 in malloc (/usr/local/bin/magick+0x80c6bc1)
    #1 0x81888e9 in AcquireMagickMemory /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickCore/memory.c:475
    #2 0x81888e9 in AcquireQuantumMemory /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickCore/memory.c:548
    #3 0x875dd8c in WritePSDImage /home/user/Desktop/FuzzImageMagick/ImageMagick/coders/psd.c:2974
    #4 0x8a961f8 in WriteImage /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickCore/constitute.c:1091
    #5 0x8a99bdc in WriteImages /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickCore/constitute.c:1309
    #6 0x937607f in CLINoImageOperator /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/operation.c:4714
    #7 0x937de91 in CLIOption /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/operation.c:5174
    #8 0x910bef3 in ProcessCommandOptions /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/magick-cli.c:526

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/Desktop/FuzzImageMagick/ImageMagick/coders/psd.c:2225 PSDPackbitsEncodeImage
Shadow bytes around the buggy address:
  0x36800720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36800730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36800740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36800750: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x36800760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36800770: 00 00 00 00 00 00 00 00[01]fa fa fa fa fa fa fa
  0x36800780: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x36800790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x368007a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
  0x368007b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x368007c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==31657==ABORTING

Moshe Kaplan (mk-moshe-kaplan) wrote :

input file to trigger crash

Moshe Kaplan (mk-moshe-kaplan) wrote :
summary: - out-of-bounds write in
- fuzz_results_2016_02_12/fuzzer01/crashes/id:000043,sig:06,src:000224,op:flip1,pos:15'
- @ error/psd.c/ReadPSDChannelRLE/1002.
+ out-of-bounds write in coders/psd.c:2225
Steve Beattie (sbeattie) wrote :
Changed in imagemagick (Ubuntu):
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package imagemagick - 8:6.9.6.6+dfsg-1ubuntu3

---------------
imagemagick (8:6.9.6.6+dfsg-1ubuntu3) zesty; urgency=medium

  * debian/patches/0020-Revert-GradientImage-change.patch: Revert patch
    per https://github.com/ImageMagick/ImageMagick/issues/316. Thanks
    to Cristy <email address hidden>. Closes LP: #1645406.

 -- Nishanth Aravamudan <email address hidden> Tue, 06 Dec 2016 17:26:36 +0100

Changed in imagemagick (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.