/usr/local/bin/gm mogrify -version
GraphicsMagick 1.4 snapshot-20171208 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2017 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.
Feature Support:
Native Thread Safe yes
Large Files (> 32 bit) yes
Large Memory (> 32 bit) yes
BZIP yes
DPS no
FlashPix no
FreeType yes
Ghostscript (Library) no
JBIG no
JPEG-2000 no
JPEG yes
Little CMS no
Loadable Modules no
OpenMP yes (201511)
PNG yes
TIFF yes
TRIO no
UMEM no
WebP no
WMF no
X11 yes
XML yes
ZLIB yes
Host type: x86_64-unknown-linux-gnu
Configured using the command:
./configure 'CC=gcc' 'CXX=g++'
Final Build Parameters:
CC = gcc
CFLAGS = -fopenmp -g -fsanitize=address -Wall -pthread
CPPFLAGS = -I/usr/include/freetype2 -I/usr/include/libxml2
CXX = g++
CXXFLAGS = -pthread
LDFLAGS =
LIBS = -ltiff -lfreetype -ljpeg -lpng16 -lXext -lSM -lICE -lX11 -llzma -lbz2 -lxml2 -lz -lm -lgomp -lpthread
/usr/local/bin/gm mogrify 3RdlNUpKUwgTWSwLU6D4juiH11gePOhJ.palm
=================================================================
==10065==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000af80a0 at pc 0x0000007c49e0 bp 0x7ffc79b33990 sp 0x7ffc79b33980
READ of size 1 at 0x000000af80a0 thread T0
#0 0x7c49df in ReadPALMImage coders/palm.c:1024
#1 0x4868db in ReadImage magick/constitute.c:1607
#2 0x44c0df in TransmogrifyImage magick/command.c:11714
#3 0x44d9b2 in MogrifyImageCommand magick/command.c:12017
#4 0x43b139 in MagickCommand magick/command.c:8872
#5 0x467c07 in GMCommandSingle magick/command.c:17393
#6 0x467eee in GMCommand magick/command.c:17446
#7 0x40b916 in main utilities/gm.c:61
#8 0x7fda41ab5039 in __libc_start_main (/lib64/libc.so.6+0x21039)
#9 0x40b849 in _start (/usr/local/bin/gm+0x40b849)
0x000000af80a0 is located 0 bytes to the right of global variable 'PalmPalette8' defined in 'coders/palm.c:138:1' (0xaf7da0) of size 768
SUMMARY: AddressSanitizer: global-buffer-overflow coders/palm.c:1024 in ReadPALMImage
Shadow bytes around the buggy address:
0x000080156fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080156fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080156fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080156ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080157000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000080157010: 00 00 00 00[f9]f9 f9 f9 00 00 00 00 03 f9 f9 f9
0x000080157020: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9
0x000080157030: f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
0x000080157040: f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9 00 00 00 00
0x000080157050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080157060: 00 00 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==10065==ABORTING
https://github.com/henices/pocs/raw/master/3RdlNUpKUwgTWSwLU6D4juiH11gePOhJ.palm.zip
Credit: zz of NSFocus Security Team
Last edit: Allan Zhou 2017-12-19
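The ASan report above says the read lands exactly 0 bytes past `PalmPalette8`, a 768-byte global (256 RGB triples), which is the signature of a palette lookup whose index reaches 256. The following is an added, constructed C illustration of that bug class, not GraphicsMagick's `coders/palm.c` and not the fix in changeset 15303: it assumes a hypothetical 256-entry palette `palette8` with a synthetic grey-ramp fill and an index taken from a hypothetical 16-bit file field, and shows the unchecked lookup next to a bounds-checked one that fails the decode instead of reading out of bounds.

```c
/* Constructed example, not GraphicsMagick code: palette index handling
 * for a 256-entry (768-byte) palette, matching the size of PalmPalette8
 * in the ASan report. Compile with -fsanitize=address to see the
 * unchecked variant flagged for index 256. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PALETTE_ENTRIES 256

/* Hypothetical palette: 256 RGB triples = 768 bytes, same size/layout as
 * PalmPalette8. Filled with a synthetic grey ramp (constructed data). */
static uint8_t palette8[PALETTE_ENTRIES][3];

static void init_palette(void) {
    for (int i = 0; i < PALETTE_ENTRIES; i++)
        palette8[i][0] = palette8[i][1] = palette8[i][2] = (uint8_t)i;
}

/* Vulnerable pattern: the index comes straight from a 16-bit field in the
 * file, so 256..65535 read past the 768-byte array. index == 256 reads
 * palette8[256][0], i.e. "0 bytes to the right" of the array, a 1-byte
 * global-buffer-overflow READ exactly like the report. Never feed this
 * untrusted input; it is here only to show the shape of the bug. */
static uint8_t red_unchecked(uint16_t index) {
    return palette8[index][0];
}

/* Hardened lookup: reject any index outside the palette so the caller can
 * abort the decode instead of reading adjacent globals. */
static int red_checked(uint16_t index, uint8_t *red) {
    if (index >= PALETTE_ENTRIES)
        return -1;          /* caller should fail the image decode */
    *red = palette8[index][0];
    return 0;
}

/* Convert a run of (constructed) 16-bit pixel values through the checked
 * lookup. Returns the number of pixels converted, or -1 at the first bad
 * index, which is where a decoder should stop and raise an error. */
static int decode_pixels(const uint16_t *pixels, size_t n, uint8_t *out_red) {
    init_palette();
    for (size_t i = 0; i < n; i++) {
        if (red_checked(pixels[i], &out_red[i]) != 0)
            return -1;
    }
    return (int)n;
}

int main(void) {
    /* Constructed sample input: the second run ends in the out-of-range 256. */
    const uint16_t good[] = {0, 17, 255};
    const uint16_t bad[]  = {0, 17, 256};
    uint8_t red[3];

    init_palette();
    printf("unchecked lookup of 255 -> %u\n", red_unchecked(255));
    printf("good run: %d pixels converted\n", decode_pixels(good, 3, red));
    printf("bad run:  %d (index 256 rejected)\n", decode_pixels(bad, 3, red));
    return 0;
}
```

The difference between the two lookups is the single `index >= PALETTE_ENTRIES` comparison; in a decoder the rejected index should surface as a corrupt-image error rather than be clamped silently, so a fuzzed input still fails loudly.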
I was not able to reproduce this in a Q16 build, but it is evident in a Q8 build.
This problem is fixed by Mercurial changeset 15303:60932931559a. Thank you very much for bringing this issue to our attention.