GraphicsMagick version: GraphicsMagick 1.4 snapshot-20170826 Q8
A heap buffer overflow vulnerability was found in the function WriteUILImage in source-gra/coders/uil.c, which allows attackers to cause a denial of service or remote code execution via a crafted file.
gm convert 5-gm2uil out.uil
AddressSanitizer: heap-buffer-overflow on address 0x602000000151 at pc 0x000000a33d88 bp 0x7ffe57937f10 sp 0x7ffe57937f08
READ of size 1 at 0x602000000151 thread T0
#0 0xa33d87 in WriteUILImage /home/share/graphicsmagick/source-gra/coders/uil.c:246:19
#1 0x5d931e in WriteImage /home/share/graphicsmagick/source-gra/magick/constitute.c:2228:14
#2 0x5d9bea in WriteImages /home/share/graphicsmagick/source-gra/magick/constitute.c:2371:21
#3 0x552209 in ConvertImageCommand /home/share/graphicsmagick/source-gra/magick/command.c:6087:11
#4 0x578076 in MagickCommand /home/share/graphicsmagick/source-gra/magick/command.c:8869:17
#5 0x5a7d11 in GMCommandSingle /home/share/graphicsmagick/source-gra/magick/command.c:17396:10
#6 0x5a6972 in GMCommand /home/share/graphicsmagick/source-gra/magick/command.c:17449:16
#7 0x7fb379f1d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#8 0x420018 in _start (/home/share/pocs/gm+0x420018)
0x602000000151 is located 0 bytes to the right of 1-byte region [0x602000000150,0x602000000151)
allocated by thread T0 here:
#0 0x4e1098 in malloc /home/share/libfuzzer/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:87
#1 0x65a168 in MagickMalloc /home/share/graphicsmagick/source-gra/magick/memory.c:156:10
#2 0x5d931e in WriteImage /home/share/graphicsmagick/source-gra/magick/constitute.c:2228:14
#3 0x5d9bea in WriteImages /home/share/graphicsmagick/source-gra/magick/constitute.c:2371:21
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/share/graphicsmagick/source-gra/coders/uil.c:246:19 in WriteUILImage
Note that this issue was found by lifuhao from Aliyun Security Team.
Thanks
This problem is already fixed by Mercurial Changeset 15162:7ccf29bc782e. The problem was first reported to us via email from 'LCatro' on 18 Jul 2017.