
#519 Null Pointer Dereference (Write) with malformed WPG Image

Milestone: v1.0_(example)
Status: closed-fixed
Labels: None
Priority: 1
Updated: 2017-11-04
Created: 2017-11-04
Private: No

Running ./gm identify -verbose %file% with a malformed input WPG image results in an attempt to write to a Null Memory Address. The relevant stack trace can be seen here:

==26894== Invalid write of size 1
==26894==    at 0x69A596: ImportIndexQuantumType (import.c:404)
==26894==    by 0x69A596: ImportViewPixelArea (import.c:3593)
==26894==    by 0x693CF3: ImportImagePixelArea (import.c:278)
==26894==    by 0x62F631: InsertRow (wpg.c:0)
==26894==    by 0x62D923: UnpackWPGRaster (wpg.c:424)
==26894==    by 0x62D923: ReadWPGImage (wpg.c:1130)
==26894==    by 0x45B26A: ReadImage (constitute.c:1607)
==26894==    by 0x4263C8: IdentifyImageCommand (command.c:8377)
==26894==    by 0x42748F: MagickCommand (command.c:8872)
==26894==    by 0x441390: GMCommandSingle (command.c:17393)
==26894==    by 0x440708: GMCommand (command.c:17446)
==26894==    by 0x4032E5: main (gm.c:61)
==26894==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==26894==

Going through the source, it looks like the ImportIndexQuantumType function in magick/import.c is being invoked with an indexes value of NULL. This is being dereferenced in *indexes++=index, where the program is trying to store the value of index at memory address 0x01.

The hex-dump of the input which is triggering the vulnerability is:

0000000 57ff 4350 0016 0000 1630 0001 3030 0000
0000010 3030 3030 3030 3014 3030 3030 3030 3030
0000020 3030 0030 0001 0008 3030 3030 3030 3030
0000030 3030 3030 3030 3030 3030 3030 3030 3030
0000040 3030 3030 3030 3030 fb30 3030 3030 3030
0000050 3030 3030 3030 3030 3030 3030 3030 3030
*
0000140 3030 3030 3030 3013 3030 3030 3030 3030
0000150 3030 3030 3030 3030 3030 3030 3030 3030
*
00001b0 3030 3030 3030 3030 3030 3030 3030 ff1b
00001c0 007f 3030 3030 3030 3030 3030 3030 3030
00001d0 3030 3030 3030 3030 3030 3030 3030 3030
*
00001f0 3030 3030 3030 3030 3030 3030 3030 021c
0000200 3030 3030 3030 3030 3030 3030 3030 3030
*
0000270 3030 3030 307f 3030 3030 3030 3030 3030
0000280 3030 3030 3030 3030 3030 3030 3030 3030
*
00002f0 3030 3030 2a30 3030 3030 3030 3030 3030
0000300 3030 3030 3030 3030 3030 3030 3030 3030
*
0000320 2c30 3030 3030 3030 3030 3030 3030 3030
0000330 3030 3030 3030 3030 3030 3030 3030 3030
0000340 3030 3030 3030 3030 3030 3030 3030 3014
0000350 3030 3030 3030 3030 3030 0030 3030 0004
*
0000365

Environmental Information:

  • GraphicsMagick 1.4 snapshot-20171028
  • OS: Ubuntu 17.10
  • Compiler: gcc version 7.2.0 / clang version 4.0.1-6
  • Target: x86_64-pc-linux-gnu
Attachments: 1
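As an added illustration (not GraphicsMagick's code and not the contents of the fix referred to in the discussion), the C program below models the pattern the report describes: a row-import loop of the *indexes++ = index shape, first with no check on the index array, then guarded so that a missing index array, a sample count larger than the row, or an index outside the palette makes the import fail instead of writing through a NULL pointer. Every type and name here (IndexPacket, ImageRow, import_indexes_checked, the scenario functions) is a hypothetical stand-in for the real pixel-cache structures, and the row data is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of an image row with an optional index channel. */
typedef uint16_t IndexPacket;

typedef struct {
    size_t       columns;        /* pixels in the row */
    size_t       colormap_size;  /* palette entries, 0 if there is no palette */
    IndexPacket *indexes;        /* NULL when the image has no index channel */
} ImageRow;

/* Unchecked pattern: the shape of the faulting loop in the report.
   With row->indexes == NULL the first store goes through address 0. */
static void import_indexes_unchecked(ImageRow *row, const uint8_t *src, size_t n)
{
    IndexPacket *indexes = row->indexes;
    for (size_t i = 0; i < n; i++)
        *indexes++ = (IndexPacket)src[i];
}

/* Hardened pattern: return 0 (import refused) rather than dereference a
   missing index array, and bound both the sample count and each index. */
static int import_indexes_checked(ImageRow *row, const uint8_t *src, size_t n)
{
    IndexPacket *indexes;

    if (row == NULL || src == NULL)
        return 0;
    if (row->indexes == NULL)        /* the condition behind this ticket */
        return 0;
    if (n > row->columns)            /* more samples than the row can hold */
        return 0;

    indexes = row->indexes;
    for (size_t i = 0; i < n; i++) {
        if (src[i] >= row->colormap_size)  /* index outside the palette */
            return 0;
        *indexes++ = (IndexPacket)src[i];
    }
    return 1;
}

/* Number of stored index entries that equal the source bytes. */
static size_t count_matching(const ImageRow *row, const uint8_t *src, size_t n)
{
    size_t ok = 0;
    for (size_t i = 0; i < n; i++)
        if (row->indexes[i] == src[i])
            ok++;
    return ok;
}

/* Constructed scenario: well-formed row, 16-entry palette. Returns 4. */
static int scenario_valid_row(void)
{
    const uint8_t samples[4] = { 0x03, 0x00, 0x0f, 0x07 };
    IndexPacket storage[4] = { 0 };
    ImageRow row = { 4, 16, storage };

    if (!import_indexes_checked(&row, samples, 4))
        return -1;
    if (count_matching(&row, samples, 4) != 4)
        return -2;
    /* On a well-formed row the unchecked loop stores the same values. */
    memset(storage, 0, sizeof storage);
    import_indexes_unchecked(&row, samples, 4);
    return (int)count_matching(&row, samples, 4);
}

/* Constructed scenario: no index array, as with the malformed input. Returns 0. */
static int scenario_null_indexes(void)
{
    const uint8_t samples[4] = { 0x03, 0x00, 0x0f, 0x07 };
    ImageRow row = { 4, 16, NULL };
    return import_indexes_checked(&row, samples, 4);
}

/* Constructed scenario: index 0x10 into a 16-entry palette. Returns 0. */
static int scenario_bad_index(void)
{
    const uint8_t samples[1] = { 0x10 };
    IndexPacket storage[4] = { 0 };
    ImageRow row = { 4, 16, storage };
    return import_indexes_checked(&row, samples, 1);
}

int main(void)
{
    printf("valid row (matching entries): %d\n", scenario_valid_row());
    printf("NULL index array (1=imported, 0=refused): %d\n", scenario_null_indexes());
    printf("index beyond palette (1=imported, 0=refused): %d\n", scenario_bad_index());
    /* import_indexes_unchecked on a row with indexes == NULL would crash here. */
    return 0;
}
```

The guard that matters for this ticket is the row->indexes == NULL test: an image decoder that has not allocated an index channel (for example because the header it parsed was malformed) must not reach the index import at all, and the cleanest failure is a refused import surfaced as an error to the caller. The two further bounds checks are the usual companions in indexed-image code, since an index past the palette is the next defect a fuzzer tends to find once the NULL case is closed.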

Discussion

  • Bob Friesenhahn - 2017-11-04
    • status: open --> closed-fixed
    • assigned_to: Bob Friesenhahn

  • Bob Friesenhahn - 2017-11-04

    This problem is fixed by Mercurial changeset 15245:e8086faa52d0. Thank you very much for reporting it.
