
#521 heap-buffer-overflow

Milestone: v1.0_(example)
Status: closed-fixed
Owner: None
Priority: 9
Updated: 2018-07-04
Created: 2017-12-01
Creator: littleputa
Private: No

ubuntu@ubuntu:~/fuzz_py$ gm -version
GraphicsMagick 1.4 snapshot-20171122 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2017 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:
Native Thread Safe yes
Large Files (> 32 bit) yes
Large Memory (> 32 bit) yes
BZIP no
DPS no
FlashPix no
FreeType yes
Ghostscript (Library) no
JBIG no
JPEG-2000 no
JPEG no
Little CMS no
Loadable Modules no
OpenMP yes (201107)
PNG yes
TIFF no
TRIO no
UMEM no
WebP no
WMF no
X11 yes
XML no
ZLIB yes

Host type: x86_64-unknown-linux-gnu

Configured using the command:
./configure '--with-magick=wand/GraphicsMagickWand-config' '--enable-shared'

Final Build Parameters:
CC = gcc -std=gnu99
CFLAGS = -fopenmp -g -O2 -Wall -pthread
CPPFLAGS = -I/usr/include/freetype2
CXX = g++
CXXFLAGS = -pthread
LDFLAGS = -L/usr/lib/x86_64-linux-gnu
LIBS = -lfreetype -lpng12 -lXext -lX11 -lz -lm -lgomp -lpthread

ubuntu@ubuntu:~/fuzz_py$ gm montage poc.cmyk /dev/null

==81541==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000000260 at pc 0x7fc6bb5d7381 bp 0x7ffc71aec2f0 sp 0x7ffc71aec2e8
READ of size 1 at 0x615000000260 thread T0
#0 0x7fc6bb5d7380 in ImportCMYKQuantumType /home/ubuntu/GraphicsMagick/magick/import.c:2873:17
#1 0x7fc6bb5d7380 in ImportViewPixelArea /home/ubuntu/GraphicsMagick/magick/import.c:3702
#2 0x7fc6bb7ff601 in ReadCMYKImage /home/ubuntu/GraphicsMagick/coders/cmyk.c
#3 0x7fc6bb50a6f1 in ReadImage /home/ubuntu/GraphicsMagick/magick/constitute.c:1607:13
#4 0x7fc6bb4cd2dd in MontageImageCommand /home/ubuntu/GraphicsMagick/magick/command.c:14059:22
#5 0x7fc6bb4bdddb in MagickCommand /home/ubuntu/GraphicsMagick/magick/command.c:8872:17
#6 0x7fc6bb4dc195 in GMCommandSingle /home/ubuntu/GraphicsMagick/magick/command.c:17393:10
#7 0x7fc6bb4db285 in GMCommand /home/ubuntu/GraphicsMagick/magick/command.c:17446:16
#8 0x7fc6b9213f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
#9 0x41980b in _start (/usr/local/bin/gm+0x41980b)

0x615000000260 is located 0 bytes to the right of 480-byte region [0x615000000080,0x615000000260)
allocated by thread T0 here:
#0 0x4b91d3 in malloc (/usr/local/bin/gm+0x4b91d3)
#1 0x7fc6bb7fcc8d in ReadCMYKImage /home/ubuntu/GraphicsMagick/coders/cmyk.c:168:12
#2 0x7fc6bb50a6f1 in ReadImage /home/ubuntu/GraphicsMagick/magick/constitute.c:1607:13
#3 0x7fc6bb4cd2dd in MontageImageCommand /home/ubuntu/GraphicsMagick/magick/command.c:14059:22
#4 0x7fc6bb4bdddb in MagickCommand /home/ubuntu/GraphicsMagick/magick/command.c:8872:17
#5 0x7fc6bb4dc195 in GMCommandSingle /home/ubuntu/GraphicsMagick/magick/command.c:17393:10
#6 0x7fc6bb4db285 in GMCommand /home/ubuntu/GraphicsMagick/magick/command.c:17446:16
#7 0x7fc6b9213f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/GraphicsMagick/magick/import.c:2873:17 in ImportCMYKQuantumType
Shadow bytes around the buggy address:
0x0c2a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a7fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a7fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a7fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa
0x0c2a7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==81541==ABORTING
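The report above is raw AddressSanitizer output. When a fuzzing campaign produces many such reports, the first defensive step is triage: pull out the bug class, the access kind and size, how far the faulting address lies from the allocated region, and the first in-project frame of both the crashing stack and the allocating stack, so that duplicates can be bucketed and the right coder (here `cmyk.c` / `import.c`) can be identified. The following Python parser is an added example written for this page; it is not part of this ticket, of GraphicsMagick, or of the ASan runtime. The sample input is the ticket's own report, trimmed to the lines the parser needs, with the frame indentation that the web page dropped restored. The `Frame` and `AsanTriage` classes, the field names, and the heuristic that a frame whose location is a `(binary+offset)` string is a runtime/interceptor frame rather than project source are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the lines of the AddressSanitizer report quoted in this ticket,
# trimmed to what the parser needs (frame indentation restored).
SAMPLE_REPORT = """\
==81541==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000000260 at pc 0x7fc6bb5d7381 bp 0x7ffc71aec2f0 sp 0x7ffc71aec2e8
READ of size 1 at 0x615000000260 thread T0
    #0 0x7fc6bb5d7380 in ImportCMYKQuantumType /home/ubuntu/GraphicsMagick/magick/import.c:2873:17
    #1 0x7fc6bb5d7380 in ImportViewPixelArea /home/ubuntu/GraphicsMagick/magick/import.c:3702
    #2 0x7fc6bb7ff601 in ReadCMYKImage /home/ubuntu/GraphicsMagick/coders/cmyk.c

0x615000000260 is located 0 bytes to the right of 480-byte region [0x615000000080,0x615000000260)
allocated by thread T0 here:
    #0 0x4b91d3 in malloc (/usr/local/bin/gm+0x4b91d3)
    #1 0x7fc6bb7fcc8d in ReadCMYKImage /home/ubuntu/GraphicsMagick/coders/cmyk.c:168:12

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/GraphicsMagick/magick/import.c:2873:17 in ImportCMYKQuantumType
"""

_ERR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
_ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
_REGION_RE = re.compile(
    r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
    r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
_FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)")


@dataclass
class Frame:
    index: int
    function: str
    location: str  # "file:line[:col]" for source frames, "(binary+offset)" otherwise

    @property
    def in_source(self) -> bool:
        # Assumption: interceptor/runtime frames (malloc, _start, ...) carry a
        # "(binary+0x...)" location instead of a source file.
        return not self.location.startswith("(")

    @property
    def short_location(self) -> str:
        return self.location.rsplit("/", 1)[-1]


@dataclass
class AsanTriage:
    bug_type: str
    access: str            # READ or WRITE
    access_size: int
    fault_addr: int
    side: Optional[str]    # "left" or "right" of the region
    distance: Optional[int]
    region_size: Optional[int]
    region_start: Optional[int]
    region_end: Optional[int]
    crash_stack: List[Frame]
    alloc_stack: List[Frame]

    @staticmethod
    def first_source_frame(stack: List[Frame]) -> Optional[Frame]:
        return next((f for f in stack if f.in_source), None)


def parse_asan_report(text: str) -> AsanTriage:
    """Extract the triage-relevant fields from one ASan report."""
    bug_type = access = side = None
    access_size = fault_addr = distance = region_size = region_start = region_end = None
    crash_stack: List[Frame] = []
    alloc_stack: List[Frame] = []
    current: Optional[List[Frame]] = None  # stack currently being collected
    for line in text.splitlines():
        m = _ERR_RE.search(line)
        if m:
            bug_type, fault_addr = m.group(1), int(m.group(2), 16)
            continue
        m = _ACCESS_RE.match(line.strip())
        if m:
            access, access_size = m.group(1), int(m.group(2))
            current = crash_stack  # frames that follow belong to the faulting access
            continue
        m = _REGION_RE.search(line)
        if m:
            distance, side, region_size = int(m.group(1)), m.group(2), int(m.group(3))
            region_start, region_end = int(m.group(4), 16), int(m.group(5), 16)
            current = None
            continue
        if "allocated by" in line:      # also matches "previously allocated by"
            current = alloc_stack
            continue
        if "freed by" in line or line.startswith("SUMMARY:"):
            current = None              # freed-by stacks are not collected here
            continue
        m = _FRAME_RE.match(line)
        if m and current is not None:
            current.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    if bug_type is None or access is None:
        raise ValueError("not a recognisable AddressSanitizer report")
    return AsanTriage(bug_type, access, access_size, fault_addr, side, distance,
                      region_size, region_start, region_end, crash_stack, alloc_stack)


def address_consistent(t: AsanTriage) -> bool:
    """Cross-check: distance and side must place the fault exactly at the region edge."""
    if t.region_start is None:
        return False
    if t.side == "right":
        return t.fault_addr == t.region_end + t.distance
    return t.fault_addr == t.region_start - t.distance


def summarize(t: AsanTriage) -> str:
    """One-line bucket key / human summary for a triage queue."""
    crash = AsanTriage.first_source_frame(t.crash_stack)
    alloc = AsanTriage.first_source_frame(t.alloc_stack)
    where = f"{crash.function} ({crash.short_location})" if crash else "unknown"
    origin = f"{alloc.function} ({alloc.short_location})" if alloc else "unknown"
    region = (f"{t.distance} bytes to the {t.side} of a {t.region_size}-byte region"
              if t.region_size is not None else "region unknown")
    return (f"{t.bug_type}: {t.access} of {t.access_size} byte(s), {region}; "
            f"fault in {where}, buffer allocated in {origin}")


if __name__ == "__main__":
    triage = parse_asan_report(SAMPLE_REPORT)
    print(summarize(triage), "| address consistent:", address_consistent(triage))
```

For this ticket the parser yields a 1-byte read exactly at the end of a 480-byte heap region, faulting in `ImportCMYKQuantumType` on a buffer that `ReadCMYKImage` allocated at `cmyk.c:168`; pairing the crash frame with the allocation frame is what distinguishes this report from other `import.c` overflows that arrive through different coders.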

1 Attachments

Discussion

  • Bob Friesenhahn

    Bob Friesenhahn - 2017-12-03
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -1,4 +1,3 @@
    -
     ubuntu@ubuntu:~/fuzz_py$ gm -version
     GraphicsMagick 1.4 snapshot-20171122 Q8 http://www.GraphicsMagick.org/
     Copyright (C) 2002-2017 GraphicsMagick Group.
    
    • status: open --> closed-fixed
     
  • Bob Friesenhahn

    Bob Friesenhahn - 2017-12-03

    This problem is fixed by Mercurial changeset 15283:a9c425688397. Thank you for the report!

     
  • littleputa

    littleputa - 2017-12-04

    Credit: littleputa of NSFOCUS security team.
    Could you please apply for a CVE? Thanks.

     
  • Bob Friesenhahn

    Bob Friesenhahn - 2017-12-04

    Unfortunately the project does not have enough resources (available time) to apply for CVEs any more. I suggest that you apply for the CVEs yourself or find an interested party to do so.

     
  • littleputa

    littleputa - 2018-07-04

    CVE-2017-17502 credit: littleputa of nsfocus security team.

     
