out-of-bounds write in MagickCore/memory.c:723:10

Bug #1556273 reported by Moshe Kaplan on 2016-03-11
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
imagemagick (Ubuntu)
Undecided
Unassigned

Bug Description

This bug was found while fuzzing ImageMagick with afl-fuzz

Tested on ImageMagick git commit 712467450377a5c8642d6f4aead1f11d803c78a9

Command: magick id:000206,sig:06,src:005821,op:havoc,rep:4 /dev/null

=================================================================
==7820==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb531ca5f at pc 0x818c063 bp 0xbfcfbfa8 sp 0xbfcfbfa0
WRITE of size 65700 at 0xb531ca5f thread T0
    #0 0x818c062 in CopyMagickMemory /home/user/Desktop/ImageMagick/MagickCore/memory.c:723:10
    #1 0x87597e6 in RemoveICCProfileFromResourceBlock /home/user/Desktop/ImageMagick/coders/psd.c:2569
    #2 0x87597e6 in WritePSDImage /home/user/Desktop/ImageMagick/coders/psd.c:2779
    #3 0x8a8bd28 in WriteImage /home/user/Desktop/ImageMagick/MagickCore/constitute.c:1091
    #4 0x8a8f70c in WriteImages /home/user/Desktop/ImageMagick/MagickCore/constitute.c:1309
    #5 0x937560f in CLINoImageOperator /home/user/Desktop/ImageMagick/MagickWand/operation.c:4730
    #6 0x937d421 in CLIOption /home/user/Desktop/ImageMagick/MagickWand/operation.c:5190
    #7 0x9108443 in ProcessCommandOptions /home/user/Desktop/ImageMagick/MagickWand/magick-cli.c:526
    #8 0x910a8c5 in MagickImageCommand /home/user/Desktop/ImageMagick/MagickWand/magick-cli.c:786
    #9 0x910eda9 in MagickCommandGenesis /home/user/Desktop/ImageMagick/MagickWand/mogrify.c:172
    #10 0x80ddeed in MagickMain /home/user/Desktop/ImageMagick/utilities/magick.c:74
    #11 0x80ddeed in main /home/user/Desktop/ImageMagick/utilities/magick.c:85
    #12 0xb7495a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #13 0x80ddd14 in _start (/usr/local/bin/magick+0x80ddd14)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/Desktop/ImageMagick/MagickCore/memory.c:723 CopyMagickMemory
Shadow bytes around the buggy address:
  0x36a638f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a63900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a63910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a63920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a63930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36a63940: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
  0x36a63950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a63960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a63970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a63980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a63990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==7820==ABORTING

Moshe Kaplan (mk-moshe-kaplan) wrote :

input file to trigger crash

Steve Beattie (sbeattie) wrote :
Changed in imagemagick (Ubuntu):
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package imagemagick - 8:6.9.6.6+dfsg-1ubuntu3

---------------
imagemagick (8:6.9.6.6+dfsg-1ubuntu3) zesty; urgency=medium

  * debian/patches/0020-Revert-GradientImage-change.patch: Revert patch
    per https://github.com/ImageMagick/ImageMagick/issues/316. Thanks
    to Cristy <email address hidden>. Closes LP: #1645406.

 -- Nishanth Aravamudan <email address hidden> Tue, 06 Dec 2016 17:26:36 +0100

Changed in imagemagick (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.