out-of-bounds read in ImageMagick/coders/mat.c:406

Bug #1545366 reported by Moshe Kaplan on 2016-02-14
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ImageMagick
Fix Released
Unknown
imagemagick (Ubuntu)
Undecided
Unassigned

Bug Description

This bug was found while fuzzing ImageMagick with afl-fuzz

Tested on ImageMagick git commit <unknown>

Command: magick id:000224,sig:06,src:004192+004496,op:splice,rep:128 /dev/null

=================================================================
==4438==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb48075b4 at pc 0x8596f01 bp 0xbfa1e608 sp 0xbfa1e600
READ of size 4 at 0xb48075b4 thread T0
    #0 0x8596f00 in CalcMinMax /home/user/Desktop/FuzzImageMagick/ImageMagick/coders/mat.c:406
    #1 0x8588988 in ReadMATImage /home/user/Desktop/FuzzImageMagick/ImageMagick/coders/mat.c:939
    #2 0x8a60c98 in ReadImage /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickCore/constitute.c:494
    #3 0x8a68b0f in ReadImages /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickCore/constitute.c:844
    #4 0x92aee29 in CLINoImageOperator /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/operation.c:4680
    #5 0x92b7311 in CLIOption /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/operation.c:5174
    #6 0x904447d in ProcessCommandOptions /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/magick-cli.c:474
    #7 0x90477f5 in MagickImageCommand /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/magick-cli.c:786
    #8 0x904bcd9 in MagickCommandGenesis /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/mogrify.c:172
    #9 0x80de16d in MagickMain /home/user/Desktop/FuzzImageMagick/ImageMagick/utilities/magick.c:74
    #10 0x80de16d in main /home/user/Desktop/FuzzImageMagick/ImageMagick/utilities/magick.c:85
    #11 0xb74dda82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #12 0x80ddf94 in _start (/usr/local/bin/magick+0x80ddf94)

0xb48075b6 is located 0 bytes to the right of 54-byte region [0xb4807580,0xb48075b6)
allocated by thread T0 here:
    #0 0x80c6bc1 in malloc (/usr/local/bin/magick+0x80c6bc1)
    #1 0x81888e9 in AcquireMagickMemory /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickCore/memory.c:475
    #2 0x81888e9 in AcquireQuantumMemory /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickCore/memory.c:548
    #3 0x8a60c98 in ReadImage /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickCore/constitute.c:494
    #4 0x8a68b0f in ReadImages /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickCore/constitute.c:844
    #5 0x92aee29 in CLINoImageOperator /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/operation.c:4680
    #6 0x92b7311 in CLIOption /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/operation.c:5174
    #7 0x904447d in ProcessCommandOptions /home/user/Desktop/FuzzImageMagick/ImageMagick/MagickWand/magick-cli.c:474

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/Desktop/FuzzImageMagick/ImageMagick/coders/mat.c:406 CalcMinMax
Shadow bytes around the buggy address:
  0x36900e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36900e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36900e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36900e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36900ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36900eb0: 00 00 00 00 00 00[06]fa fa fa fa fa 00 00 00 00
  0x36900ec0: 00 00 05 fa fa fa fa fa 00 00 00 00 00 00 05 fa
  0x36900ed0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x36900ee0: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
  0x36900ef0: 00 00 00 04 fa fa fa fa 00 00 00 00 00 00 00 04
  0x36900f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==4438==ABORTING

CVE References

Moshe Kaplan (mk-moshe-kaplan) wrote :

input file to trigger crash

Steve Beattie (sbeattie) wrote :
Changed in imagemagick (Ubuntu):
status: New → Confirmed
Emily Ratliff (emilyr) wrote :

This has been assigned CVE-2016-10070

Emily Ratliff (emilyr) wrote :

and CVE-2016-10071

Changed in imagemagick (Ubuntu):
status: Confirmed → Fix Released
Changed in imagemagick:
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.