
#440 use-after-free in CloseBlob (blob.c) (INCOMPLETE FIX FOR CVE-2017-11403)

v1.0_(example)
closed-fixed
None
5
2017-08-28
2017-08-16
No

Already reported via mail on 2017-08-02; reporting here for tracking purposes:

The fix for the issue described here is incomplete: https://blogs.gentoo.org/ago/2017/07/12/graphicsmagick-use-after-free-in-closeblob-blob-c/

Another round of fuzzing of a master version hit the issue. Reproducer in attachment.

1 Attachments

Discussion

  • Bob Friesenhahn - 2017-08-20

    • assigned_to: Glenn Randers-Pehrson

  • Bob Friesenhahn - 2017-08-20

    This is a problem with the MNG decoder. It appears that it will always crash if an exception was thrown (similar to what was observed with JNG). I hope that Glenn will fix it.

    14:44:59 0:01 0.000u 18511 constitute.c/ReadImage/1601/Coder:
    Invoking "MNG" decoder (Multiple-image Network Graphics) subimage=0 subrange=0
    14:44:59 0:01 0.000u 18511 png.c/ReadMNGImage/3863/Coder:
    enter ReadMNGImage()
    14:44:59 0:01 0.000u 18511 png.c/ReadMNGImage/3961/Coder:
    Reading MNG chunk type JHDR, length: 16
    14:44:59 0:01 0.000u 18511 png.c/ReadMNGImage/4949/Coder:
    Processing JHDR chunk
    14:44:59 0:01 0.000u 18511 png.c/ReadMNGImage/5123/Coder:
    Seeking back to beginning of JHDR chunk
    14:44:59 0:01 0.000u 18511 png.c/ReadOneJNGImage/3033/Coder:
    enter ReadOneJNGImage()
    14:44:59 0:01 0.000u 18511 png.c/ReadOneJNGImage/3089/Coder:
    Reading JNG chunk type JHDR, length: 16
    14:44:59 0:01 0.000u 18511 png.c/ReadOneJNGImage/3093/Coder:
    count=4
    14:44:59 0:01 0.000u 18511 png.c/ReadOneJNGImage/3142/Coder:
    jng_width: 65517
    14:44:59 0:01 0.000u 18511 png.c/ReadOneJNGImage/3145/Coder:
    jng_height: 0
    14:44:59 0:01 0.000u 18511 png.c/ReadOneJNGImage/3148/Coder:
    jng_color_type: 0
    14:44:59 0:01 0.000u 18511 png.c/ReadOneJNGImage/3151/Coder:
    jng_image_sample_depth: 0
    14:44:59 0:01 0.000u 18511 png.c/ReadOneJNGImage/3154/Coder:
    jng_image_compression_method:128
    14:44:59 0:01 0.000u 18511 png.c/ReadOneJNGImage/3157/Coder:
    jng_image_interlace_method: 0
    14:44:59 0:01 0.000u 18511 png.c/ReadOneJNGImage/3160/Coder:
    jng_alpha_sample_depth: 9
    14:44:59 0:01 0.000u 18511 png.c/ReadOneJNGImage/3163/Coder:
    jng_alpha_compression_method:112
    14:44:59 0:01 0.000u 18511 png.c/ReadOneJNGImage/3166/Coder:
    jng_alpha_filter_method: 72
    14:44:59 0:01 0.000u 18511 png.c/ReadOneJNGImage/3169/Coder:
    jng_alpha_interlace_method: 89
    14:44:59 0:01 0.000u 18511 png.c/ReadOneJNGImage/3089/Coder:
    Reading JNG chunk type
    
    14:44:59 0:01 0.000u 18511 png.c/ReadOneJNGImage/3093/Coder:
    count=4
    14:44:59 0:01 0.000u 18511 png.c/ReadOneJNGImage/3120/CorruptImage:
    Corrupt image (10.crashes.png)
    gm: .../GM/magick/semaphore.c:601: LockSemaphoreInfo: Assertion `semaphore_info != (SemaphoreInfo *) NULL' failed.
    gm convert: abort due to signal 6 (SIGABRT) "Abort"...

     
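As an added illustration (not GraphicsMagick's code, which this ticket does not show), here is a small C model of the failure mode Bob describes: a nested decoder's error path closes a blob its caller still owns, so the caller's next lock finds the semaphore gone, which is the `LockSemaphoreInfo` assertion condition in the log above. The `Blob` layout, the reference count and all function names are hypothetical; the reference-counted close shows the kind of ownership tracking that prevents the inner reader from tearing down a shared blob.

```c
#include <stdlib.h>

typedef struct { int locked; } SemaphoreInfo;   /* stand-in; only the name is borrowed */

/* Hypothetical blob: its semaphore is torn down on close; reference_count (an
 * addition for this demo, not from the ticket) counts readers still owning it. */
typedef struct {
    SemaphoreInfo *semaphore;
    long reference_count;
} Blob;

Blob *open_blob(void) {
    Blob *b = calloc(1, sizeof *b);
    b->semaphore = calloc(1, sizeof *b->semaphore);
    b->reference_count = 1;
    return b;
}

/* Same condition as the failed assertion in the ticket log (semaphore_info != NULL),
 * reported as a return value so it can be checked instead of aborting. */
int lock_blob(Blob *b) {
    if (b == NULL || b->semaphore == NULL) return 0;
    b->semaphore->locked = 1;
    return 1;
}

/* Naive close: tears the semaphore down regardless of other owners. The Blob
 * struct is deliberately kept so the demo stays memory safe; in a real decoder
 * the caller's next access to the freed blob is the use-after-free. */
void close_blob_naive(Blob *b) {
    free(b->semaphore);
    b->semaphore = NULL;
}

/* Reference-counted close: only the last owner tears the blob down. */
void close_blob_counted(Blob *b) {
    if (--b->reference_count > 0) return;
    free(b->semaphore);
    b->semaphore = NULL;
}

/* The ticket's scenario: an MNG reader hands its blob to an embedded JNG reader,
 * which meets a corrupt chunk and closes the blob on its error path; the MNG
 * reader then locks the blob again. Returns 1 if that lock succeeds, else 0. */
int read_mng_then_lock(Blob *b, int counted) {
    if (counted) b->reference_count++;                             /* inner reader's reference */
    if (counted) close_blob_counted(b); else close_blob_naive(b);  /* inner error path */
    return lock_blob(b);                                           /* outer reader continues */
}
```

With the naive close the outer lock fails (the assertion case in the log); with the counted close the inner reader's close only drops its own reference and the outer reader proceeds.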
  • Glenn Randers-Pehrson

    Confirmed that this image causes my GM to segfault.

    pngcheck says:

    studio> pngcheck -vf 10.crashes.png
    File: 10.crashes.png (298 bytes)
      chunk JHDR at offset 0x0000c, length 16:  first chunk must be MHDR
    :  invalid image dimensions (65517x0)
    :  invalid color type
      CRC error in chunk JHDR (computed cdfcc919, expected 73ffc400)
      invalid chunk name "
                          " (0b 12 00 00)
      chunk 
             at offset 0x00028, length 336592896:  first chunk must be MHDR
    :  EOF while reading data
    ERRORS DETECTED in 10.crashes.png
    
  • Bob Friesenhahn - 2017-08-28

    • status: open --> closed-fixed

  • Bob Friesenhahn - 2017-08-28

    This problem appears to be resolved by Mercurial changeset 15138:98721124e51f as per my own testing.

