
#435 null pointer dereference_in_SVGStartElement

v1.0_(example)
closed-fixed
None
5
2017-08-22
2017-08-12
bestshow
No

On GraphicsMagick 1.3.26 2017-07-04 Q8

A null pointer dereference vulnerability was found in the function SVGStartElement, which allows attackers to cause a denial of service via a crafted file.

#./gm identify $FILE
=================================================================
==120268==ERROR: SEGV on unknown address 0x000000000000 (pc 0x000000d88a70 bp 0x7fffcbf8f540 sp 0x7fffcbf8d580 T0)
==120268==The signal is caused by a READ memory access.
==120268==Hint: address points to the zero page.
    #0 0xd88a6f in SVGStartElement /home/haojun/Downloads/GraphicsMagick-1.3.26/coders/svg.c:1675:35
    #1 0x7f09d55ecce4 in xmlParseStartTag (/lib64/libxml2.so.2+0x42ce4)
    #2 0x7f09d55fa632  (/lib64/libxml2.so.2+0x50632)
    #3 0x7f09d55fb61d in xmlParseChunk (/lib64/libxml2.so.2+0x5161d)
    #4 0xd7cb30 in ReadSVGImage /home/haojun/Downloads/GraphicsMagick-1.3.26/coders/svg.c:2959:14
    #5 0x63f90d in ReadImage /home/haojun/Downloads/GraphicsMagick-1.3.26/magick/constitute.c:1607:13
    #6 0x63ed64 in PingImage /home/haojun/Downloads/GraphicsMagick-1.3.26/magick/constitute.c:1370:9
    #7 0x5ab160 in IdentifyImageCommand /home/haojun/Downloads/GraphicsMagick-1.3.26/magick/command.c:8379:17
    #8 0x5b0232 in MagickCommand /home/haojun/Downloads/GraphicsMagick-1.3.26/magick/command.c:8869:17
    #9 0x5f621e in GMCommandSingle /home/haojun/Downloads/GraphicsMagick-1.3.26/magick/command.c:17396:10
    #10 0x5f4aab in GMCommand /home/haojun/Downloads/GraphicsMagick-1.3.26/magick/command.c:17449:16
    #11 0x7f09d44b4b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
    #12 0x4247fb in _start (/home/haojun/Downloads/IM-GM-build/bin/gm+0x4247fb)

SEGV /home/haojun/Downloads/GraphicsMagick-1.3.26/coders/svg.c:1675:35 in SVGStartElement

The poc file is in the attachment.
Attachment: gm_null_pointer_dereference_in_SVGStartElement
Credit: ADLab of Venustech
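As an added example (my own code, not GraphicsMagick's svg.c or its fix), the callback shape involved here: the trace shows SVGStartElement being invoked as the libxml2 SAX start-element handler from xmlParseStartTag/xmlParseChunk, and the report does not say which pointer is NULL at svg.c:1675, so this models the general hardening of such a handler, an unchecked form beside one that checks the context, the element name and each attribute value before use. Assumed: the names SvgCtx, svg_start_element and svg_start_element_unchecked, and the SAX1 name/value pair array convention; libxml2 is not linked and the attribute arrays are constructed inline.

```c
#include <stddef.h>
#include <string.h>

/* Parser state reached through the handler's void *context argument
   (assumed names throughout: SvgCtx, svg_start_element*). */
typedef struct {
    char id[32];         /* most recent "id" attribute, always NUL-terminated */
    int  text_elements;  /* number of <text> elements seen so far */
} SvgCtx;

/* Unchecked form: trusts the context pointer and every attribute value.  With
   a NULL value (or NULL context) it reads through address 0, the same kind of
   zero-page SEGV the ASan report above shows.  Kept only as the "before"
   pattern; the test never feeds it bad input. */
static void svg_start_element_unchecked(void *context, const char *name,
                                        const char **attrs)
{
    SvgCtx *ctx = (SvgCtx *) context;
    if (strcmp(name, "text") == 0)
        ctx->text_elements++;
    for (size_t i = 0; attrs[i] != NULL; i += 2)
        if (strcmp(attrs[i], "id") == 0 && strlen(attrs[i + 1]) < sizeof ctx->id)
            strcpy(ctx->id, attrs[i + 1]);   /* strlen(NULL) is the crash */
}

/* Hardened form: every pointer the parser can hand over is checked before use.
   attrs follows the SAX1 convention: name/value pairs, terminated by a NULL
   name at an even index; a NULL at an odd index is a valueless attribute.
   Returns 0 on success, -1 when the callback arguments are unusable. */
static int svg_start_element(void *context, const char *name, const char **attrs)
{
    SvgCtx *ctx = (SvgCtx *) context;
    if (ctx == NULL || name == NULL)
        return -1;
    if (strcmp(name, "text") == 0)
        ctx->text_elements++;
    if (attrs == NULL)       /* element without any attributes */
        return 0;
    for (size_t i = 0; attrs[i] != NULL; i += 2) {
        const char *value = attrs[i + 1];
        if (value == NULL)   /* valueless attribute: skip it, never dereference */
            continue;
        if (strcmp(attrs[i], "id") == 0 && strlen(value) < sizeof ctx->id)
            strcpy(ctx->id, value);          /* bounded: length checked first */
    }
    return 0;
}
```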

Discussion

  • bestshow - 2017-08-12

    The poc file is in the attachment.

  • Bob Friesenhahn - 2017-08-16

    • status: open --> closed-fixed
    • assigned_to: Bob Friesenhahn

  • Bob Friesenhahn - 2017-08-16

    Fixed by Mercurial changeset 15121:54f48ab2d52a.

  • Henri Salo - 2017-08-22

    Please use CVE-2017-13065 for this issue.
