out-of-bounds read in MagickCore/memory.c:708

Bug #1553366 reported by Moshe Kaplan on 2016-03-04
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
imagemagick (Ubuntu)
Undecided
Unassigned

Bug Description

This bug was found while fuzzing ImageMagick with afl-fuzz

Tested on ImageMagick git commit 26ac8585e46188a648abf5fa3a1a7d264d8b3cb9

Command: magick id:000419,sig:06,src:001803+004110,op:splice,rep:2 /dev/null

=================================================================
==21785==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5f02440 at pc 0x80b28f6 bp 0xbfc57ed8 sp 0xbfc57abc
READ of size 128 at 0xb5f02440 thread T0
    #0 0x80b28f5 in memcpy (/usr/local/bin/magick+0x80b28f5)
    #1 0x814f571 in CopyMagickMemory /home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/memory.c:708
    #2 0x857643b in WritePDBImage /home/user/Desktop/FuzzImageMagick-master/ImageMagick/coders/pdb.c:893
    #3 0x89633b8 in WriteImage /home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/constitute.c:1091
    #4 0x8966d9c in WriteImages /home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/constitute.c:1309
    #5 0x9230a7f in CLINoImageOperator /home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickWand/operation.c:4730
    #6 0x9238891 in CLIOption /home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickWand/operation.c:5190
    #7 0x8fc3893 in ProcessCommandOptions /home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickWand/magick-cli.c:526
    #8 0x8fc5d15 in MagickImageCommand /home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickWand/magick-cli.c:786
    #9 0x8fca1f9 in MagickCommandGenesis /home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickWand/mogrify.c:172
    #10 0x80ddf3d in MagickMain /home/user/Desktop/FuzzImageMagick-master/ImageMagick/utilities/magick.c:74
    #11 0x80ddf3d in main /home/user/Desktop/FuzzImageMagick-master/ImageMagick/utilities/magick.c:85
    #12 0xb74b1a82 in __libc_start_main /build/eglibc-617sU_/eglibc-2.19/csu/libc-start.c:287
    #13 0x80ddd64 in _start (/usr/local/bin/magick+0x80ddd64)

0xb5f02440 is located 0 bytes to the right of 256-byte region [0xb5f02340,0xb5f02440)
allocated by thread T0 here:
    #0 0x80c6991 in malloc (/usr/local/bin/magick+0x80c6991)
    #1 0x814e9ea in AcquireMagickMemory /home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/memory.c:476
    #2 0x814e9ea in AcquireQuantumMemory /home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/memory.c:549
    #3 0x89633b8 in WriteImage /home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/constitute.c:1091
    #4 0x8966d9c in WriteImages /home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/constitute.c:1309
    #5 0x9230a7f in CLINoImageOperator /home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickWand/operation.c:4730
    #6 0x9238891 in CLIOption /home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickWand/operation.c:5190
    #7 0x8fc3893 in ProcessCommandOptions /home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickWand/magick-cli.c:526

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 memcpy
Shadow bytes around the buggy address:
  0x36be0430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36be0440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36be0450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36be0460: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x36be0470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36be0480: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x36be0490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36be04a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36be04b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36be04c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36be04d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==21785==ABORTING

Moshe Kaplan (mk-moshe-kaplan) wrote :

input file to trigger crash

Moshe Kaplan (mk-moshe-kaplan) wrote :
Changed in imagemagick (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package imagemagick - 8:6.9.6.6+dfsg-1ubuntu3

---------------
imagemagick (8:6.9.6.6+dfsg-1ubuntu3) zesty; urgency=medium

  * debian/patches/0020-Revert-GradientImage-change.patch: Revert patch
    per https://github.com/ImageMagick/ImageMagick/issues/316. Thanks
    to Cristy <email address hidden>. Closes LP: #1645406.

 -- Nishanth Aravamudan <email address hidden> Tue, 06 Dec 2016 17:26:36 +0100

Changed in imagemagick (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.