Heap overflow in source-gra/coders/png.c
GraphicsMagick version: GraphicsMagick 1.4 snapshot-20170826 Q8
A heap buffer overflow vulnerability was found in function WriteOnePNGImage in source-gra/coders/png.c, which allows attackers to cause a denial of service or remote code execution via a crafted file.
command: gm convert 6-gm2mng out.mng
AddressSanitizer: heap-buffer-overflow on address 0x6030000000e5 at pc 0x0000004496e1 bp 0x7fff895e5640 sp 0x7fff895e4df0
READ of size 28 at 0x6030000000e5 thread T0
#0 0x4496e0 in __interceptor_memcpy.part.36 /home/share/libfuzzer/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:738
#1 0x7fc9acd81aff in png_write_row (/lib/x86_64-linux-gnu/libpng12.so.0+0x12aff)
#2 0x88957d in WriteOnePNGImage /home/share/graphicsmagick/source-gra/coders/png.c:7813:23
#3 0x86eed5 in WriteMNGImage /home/share/graphicsmagick/source-gra/coders/png.c:9691:18
#4 0x5d931e in WriteImage /home/share/graphicsmagick/source-gra/magick/constitute.c:2228:14
#5 0x5d9bea in WriteImages /home/share/graphicsmagick/source-gra/magick/constitute.c:2371:21
#6 0x552209 in ConvertImageCommand /home/share/graphicsmagick/source-gra/magick/command.c:6087:11
#7 0x578076 in MagickCommand /home/share/graphicsmagick/source-gra/magick/command.c:8869:17
#8 0x5a7d11 in GMCommandSingle /home/share/graphicsmagick/source-gra/magick/command.c:17396:10
#9 0x5a6972 in GMCommand /home/share/graphicsmagick/source-gra/magick/command.c:17449:16
#10 0x7fc9ab2f582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#11 0x420018 in _start (/home/share/pocs/gm+0x420018)
0x6030000000e5 is located 0 bytes to the right of 21-byte region [0x6030000000d0,0x6030000000e5)
allocated by thread T0 here:
#0 0x4e1098 in malloc /home/share/libfuzzer/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:87
#1 0x65a168 in MagickMalloc /home/share/graphicsmagick/source-gra/magick/memory.c:156:10
#2 0x86eed5 in WriteMNGImage /home/share/graphicsmagick/source-gra/coders/png.c:9691:18
#3 0x5d931e in WriteImage /home/share/graphicsmagick/source-gra/magick/constitute.c:2228:14
#4 0x5d9bea in WriteImages /home/share/graphicsmagick/source-gra/magick/constitute.c:2371:21
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/share/libfuzzer/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:738 in __interceptor_memcpy.part.36
Note that this issue was found by lifuhao from Aliyun Security Team.
Thanks
This issue is resolved by Mercurial changeset 15257:ad6a2e30c25b. Thank you very much for the report.