ubuntu@ubuntu:~/fuzz_py$ gm -version
GraphicsMagick 1.4 snapshot-20171122 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2017 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.
Feature Support:
Native Thread Safe yes
Large Files (> 32 bit) yes
Large Memory (> 32 bit) yes
BZIP no
DPS no
FlashPix no
FreeType yes
Ghostscript (Library) no
JBIG no
JPEG-2000 no
JPEG no
Little CMS no
Loadable Modules no
OpenMP yes (201107)
PNG yes
TIFF no
TRIO no
UMEM no
WebP no
WMF no
X11 yes
XML no
ZLIB yes
Host type: x86_64-unknown-linux-gnu
Configured using the command:
./configure '--with-magick=wand/GraphicsMagickWand-config' '--enable-shared'
Final Build Parameters:
CC = gcc -std=gnu99
CFLAGS = -fopenmp -g -O2 -Wall -pthread
CPPFLAGS = -I/usr/include/freetype2
CXX = g++
CXXFLAGS = -pthread
LDFLAGS = -L/usr/lib/x86_64-linux-gnu
LIBS = -lfreetype -lpng12 -lXext -lX11 -lz -lm -lgomp -lpthread
ubuntu@ubuntu:~/fuzz_py$ gm montage poc.gray /dev/null
=================================================================
==81552==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c000008b78 at pc 0x7fa2ff82d14c bp 0x7ffd546836b0 sp 0x7ffd546836a8
READ of size 1 at 0x60c000008b78 thread T0
#0 0x7fa2ff82d14b in ImportGrayQuantumType /home/ubuntu/GraphicsMagick/magick/import.c:735:25
#1 0x7fa2ff82d14b in ImportViewPixelArea /home/ubuntu/GraphicsMagick/magick/import.c:3633
#2 0x7fa2ffaa62c5 in ReadGRAYImage /home/ubuntu/GraphicsMagick/coders/gray.c:291:14
#3 0x7fa2ff75f6f1 in ReadImage /home/ubuntu/GraphicsMagick/magick/constitute.c:1607:13
#4 0x7fa2ff7222dd in MontageImageCommand /home/ubuntu/GraphicsMagick/magick/command.c:14059:22
#5 0x7fa2ff712ddb in MagickCommand /home/ubuntu/GraphicsMagick/magick/command.c:8872:17
#6 0x7fa2ff731195 in GMCommandSingle /home/ubuntu/GraphicsMagick/magick/command.c:17393:10
#7 0x7fa2ff730285 in GMCommand /home/ubuntu/GraphicsMagick/magick/command.c:17446:16
#8 0x7fa2fd468f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
#9 0x41980b in _start (/usr/local/bin/gm+0x41980b)
0x60c000008b78 is located 0 bytes to the right of 120-byte region [0x60c000008b00,0x60c000008b78)
allocated by thread T0 here:
#0 0x4b91d3 in malloc (/usr/local/bin/gm+0x4b91d3)
#1 0x7fa2ffaa5a96 in ReadGRAYImage /home/ubuntu/GraphicsMagick/coders/gray.c:229:12
#2 0x7fa2ff75f6f1 in ReadImage /home/ubuntu/GraphicsMagick/magick/constitute.c:1607:13
#3 0x7fa2ff7222dd in MontageImageCommand /home/ubuntu/GraphicsMagick/magick/command.c:14059:22
#4 0x7fa2ff712ddb in MagickCommand /home/ubuntu/GraphicsMagick/magick/command.c:8872:17
#5 0x7fa2ff731195 in GMCommandSingle /home/ubuntu/GraphicsMagick/magick/command.c:17393:10
#6 0x7fa2ff730285 in GMCommand /home/ubuntu/GraphicsMagick/magick/command.c:17446:16
#7 0x7fa2fd468f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/GraphicsMagick/magick/import.c:735:25 in ImportGrayQuantumType
Shadow bytes around the buggy address:
==81552==ABORTING
This problem is resolved by Mercurial changeset 15284:460ef5e858ad. Thank you very much for the report.
credit: littleputa of nsfocus security team.
Could you please apply for a CVE? Thanks.
CVE-2017-17503 credit: littleputa of nsfocus security team.