assertion failure in WriteBlob

Swiss army knife of image processing

Brought to you by: bfriesen

#437 assertion failure in WriteBlob

Milestone: v1.0_(example)

Status: closed-works-for-me

Owner: Bob Friesenhahn

Labels: None

Priority: 5

Updated: 2018-05-04

Created: 2017-08-12

Creator: bestshow

Private: No Discussion Disabled

On GraphicsMagick 1.3.26 2017-07-04 Q8

An assertion failure vulnerability was found in function WriteBlob ,which allow attackers to cause a denial of service via a crafted file.

#./gm identify $FILE
gm: magick/blob.c:4607: size_t WriteBlob(Image *, const size_t, const void *): Assertion `data != (const char *) ((void*)0)' failed.
/home/test/Downloads/IM-GM-build/bin/gm identify: abort due to signal 6 (SIGABRT) "Abort"...
Aborted

The poc file is in the attachment.

Credit: ADLab of Venustech

1 Attachments

gm_assertion_failure_in_WriteBlob

Discussion

Bob Friesenhahn - 2017-08-12

status: open --> closed-works-for-me

assigned_to: Bob Friesenhahn
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Bob Friesenhahn - 2017-08-12

This issue can no longer be reproduced with current GraphicsMagick sources.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Agostino Sarubbo - 2017-08-16

I hit this issue too, but I did not post it because it is not reproducible with the current master.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

bestshow - 2017-08-16

Agostino Sarubbo, it is reproducible when I tested this issue.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Agostino Sarubbo - 2017-08-16

you're right, my comment want to confirm that was reproducible with 1.3.26 and unreproducible now ( this not means that is fixed, but just unreachable)

Last edit: Agostino Sarubbo 2017-08-16

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Trace Probe - 2018-05-03

seems like the assertion is still reachable in changeset 15622 with other commands.

Run: ./bin/gm convert -negate -clip $POC. with the attached file

graphicsmagick-reachable-assertion-changeset-15622.jng

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Bob Friesenhahn - 2018-05-04

discussion: enabled --> disabled
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Bob Friesenhahn - 2018-05-04

This is in response to "Trace Probe"'s glomming onto this report. While I did not reproduce the assertion, I did notice an excessively large memory allocation and added extra validations. The changes are included in 15623:d97a40634bef

In the future, please open new problem reports for new problematic input files.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link: