
#523 heap-buffer-overflow

Milestone: v1.0_(example)
Status: closed-fixed
Owner: None
Priority: 9
Updated: 2018-07-04
Created: 2017-12-01
Creator: littleputa
Private: No

ubuntu@ubuntu:~/fuzz_py$ gm montage poc.rgb /dev/null

==81560==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6130000001a8 at pc 0x7fc52cbe9445 bp 0x7ffcc8b55d30 sp 0x7ffcc8b55d28
READ of size 1 at 0x6130000001a8 thread T0
#0 0x7fc52cbe9444 in ImportRGBQuantumType /home/ubuntu/GraphicsMagick/magick/import.c:2397:17
#1 0x7fc52cbe9444 in ImportViewPixelArea /home/ubuntu/GraphicsMagick/magick/import.c:3688
#2 0x7fc52cf0a21d in ReadRGBImage /home/ubuntu/GraphicsMagick/coders/rgb.c:227:18
#3 0x7fc52cb1c6f1 in ReadImage /home/ubuntu/GraphicsMagick/magick/constitute.c:1607:13
#4 0x7fc52cadf2dd in MontageImageCommand /home/ubuntu/GraphicsMagick/magick/command.c:14059:22
#5 0x7fc52cacfddb in MagickCommand /home/ubuntu/GraphicsMagick/magick/command.c:8872:17
#6 0x7fc52caee195 in GMCommandSingle /home/ubuntu/GraphicsMagick/magick/command.c:17393:10
#7 0x7fc52caed285 in GMCommand /home/ubuntu/GraphicsMagick/magick/command.c:17446:16
#8 0x7fc52a825f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
#9 0x41980b in _start (/usr/local/bin/gm+0x41980b)

0x6130000001a8 is located 0 bytes to the right of 360-byte region [0x613000000040,0x6130000001a8)
allocated by thread T0 here:
#0 0x4b91d3 in malloc (/usr/local/bin/gm+0x4b91d3)
#1 0x7fc52cf07dcf in ReadRGBImage /home/ubuntu/GraphicsMagick/coders/rgb.c:167:12
#2 0x7fc52cb1c6f1 in ReadImage /home/ubuntu/GraphicsMagick/magick/constitute.c:1607:13
#3 0x7fc52cadf2dd in MontageImageCommand /home/ubuntu/GraphicsMagick/magick/command.c:14059:22
#4 0x7fc52cacfddb in MagickCommand /home/ubuntu/GraphicsMagick/magick/command.c:8872:17
#5 0x7fc52caee195 in GMCommandSingle /home/ubuntu/GraphicsMagick/magick/command.c:17393:10
#6 0x7fc52caed285 in GMCommand /home/ubuntu/GraphicsMagick/magick/command.c:17446:16
#7 0x7fc52a825f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/GraphicsMagick/magick/import.c:2397:17 in ImportRGBQuantumType
Shadow bytes around the buggy address:
0x0c267fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c267fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c267fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c267fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c267fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c267fff8030: 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa
0x0c267fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==81560==ABORTING

1 Attachment

Discussion

  • Bob Friesenhahn - 2017-12-03
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -1,4 +1,3 @@
    -
     ubuntu@ubuntu:~/fuzz_py$ gm montage poc.rgb /dev/null
     =================================================================
     ==81560==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6130000001a8 at pc 0x7fc52cbe9445 bp 0x7ffcc8b55d30 sp 0x7ffcc8b55d28
    
    • status: open --> closed-fixed
    • private: Yes --> No
     
  • Bob Friesenhahn - 2017-12-03

    Fixed by Mercurial changeset 15285:1366f2dd9931. Thanks for the report.

     
  • littleputa - 2017-12-04

    credit: littleputa of nsfocus security team.
    Could you please apply for a CVE? Thanks.

     
  • littleputa - 2017-12-04

    credit: littleputa of nsfocus security team.
    Could you please apply for a CVE? Thanks.

     
  • littleputa - 2018-07-04

    CVE-2017-17500 credit: littleputa of nsfocus security team.

     
