heap-buffer-overflow bug in ReadWPGImage
Hello.
I found a heap-buffer-overflow bug in graphicsmagick.
Please confirm.
Thanks.
=================================================================
==4243==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000000c60 at pc 0x0000004c8c7c bp 0x7ffe64d4a7f0 sp 0x7ffe64d49fa0
WRITE of size 19 at 0x61f000000c60 thread T0
#0 0x4c8c7b in __asan_memcpy /home/karas/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:453
#1 0x660516 in AcquireCacheNexus /home/karas/graphicsmagick-code/magick/pixel_cache.c:941:18
#2 0x6614c0 in AcquireCacheViewPixels /home/karas/graphicsmagick-code/magick/pixel_cache.c:995:10
#3 0x6614c0 in AcquireImagePixels /home/karas/graphicsmagick-code/magick/pixel_cache.c:1091
#4 0x6d572d in IntegralRotateImage /home/karas/graphicsmagick-code/magick/shear.c:892:29
#5 0x6d229c in RotateImage /home/karas/graphicsmagick-code/magick/shear.c:1669:18
#6 0x8da203 in ReadWPGImage /home/karas/graphicsmagick-code/coders/wpg.c:1186:39
#7 0x5aed09 in ReadImage /home/karas/graphicsmagick-code/magick/constitute.c:1607:13
#8 0x55146a in IdentifyImageCommand /home/karas/graphicsmagick-code/magick/command.c:8377:17
#9 0x554311 in MagickCommand /home/karas/graphicsmagick-code/magick/command.c:8872:17
#10 0x581621 in GMCommandSingle /home/karas/graphicsmagick-code/magick/command.c:17393:10
#11 0x580323 in GMCommand /home/karas/graphicsmagick-code/magick/command.c:17446:16
#12 0x7f701b67bc04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
#13 0x41bcab in _start (/home/karas/graphicsmagick-code/utilities/gm+0x41bcab)
0x61f000000c60 is located 0 bytes to the right of 3040-byte region [0x61f000000080,0x61f000000c60)
allocated by thread T0 here:
#0 0x4df646 in malloc /home/karas/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
#1 0x62cb92 in MagickRealloc /home/karas/graphicsmagick-code/magick/memory.c:471:18
#2 0x668469 in ModifyCache /home/karas/graphicsmagick-code/magick/pixel_cache.c:2955:18
#3 0x66c405 in SetCacheNexus /home/karas/graphicsmagick-code/magick/pixel_cache.c:3891:7
#4 0x66c888 in SetCacheViewPixels /home/karas/graphicsmagick-code/magick/pixel_cache.c:3970:10
#5 0x66c888 in SetImagePixels /home/karas/graphicsmagick-code/magick/pixel_cache.c:4036
#6 0x8d9cb4 in UnpackWPGRaster /home/karas/graphicsmagick-code/coders/wpg.c:430:17
#7 0x8d9cb4 in ReadWPGImage /home/karas/graphicsmagick-code/coders/wpg.c:1150
#8 0x5aed09 in ReadImage /home/karas/graphicsmagick-code/magick/constitute.c:1607:13
#9 0x55146a in IdentifyImageCommand /home/karas/graphicsmagick-code/magick/command.c:8377:17
#10 0x554311 in MagickCommand /home/karas/graphicsmagick-code/magick/command.c:8872:17
#11 0x581621 in GMCommandSingle /home/karas/graphicsmagick-code/magick/command.c:17393:10
#12 0x580323 in GMCommand /home/karas/graphicsmagick-code/magick/command.c:17446:16
#13 0x7f701b67bc04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/karas/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:453 in __asan_memcpy
Shadow bytes around the buggy address:
0x0c3e7fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3e7fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3e7fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3e7fff8160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3e7fff8170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3e7fff8180: 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa
0x0c3e7fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3e7fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3e7fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3e7fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3e7fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4243==ABORTING
[Acknowledgement]
This work was supported by ICT R&D program of MSIP/IITP. [R7518-16-1001, Innovation hub for high Performance Computing]
The heap buffer overflow issue is fixed by Mercurial changeset 15322:b41e2efce6d3. Memory leaks still remain after a problem with the corrupted file has been reported. Thank you very much for reporting this issue.
Hello,
thank you for the quick response.
I have a question.
1) Do you think this is a security issue?
(I want to avoid duplicate analysis.)
2) If this is a security issue, can I issue a CVE?
Thanks.
On Mon, 5 Feb 2018, Gwan Yeong Kim wrote:
Yes, this can definitely be classified as a security issue since it
results in a heap buffer overflow in the very heart of the software.
At a minimum, it can be used to crash the software. The problem is
not specific to WPG although a bug in the WPG coder led to finding
it. The problem is related to the specific image dimensions and that
"virtual" (outside the borders of the image) pixels were requested,
which is dependent on the operation which was requested. The means of
access to the bug are limited, as demonstrated by it taking so long
for fuzzing to discover the problem.
I apologize for being so obtuse. :-)
We would appreciate it if you issue a CVE. As mentioned in the
changelog entry at the time "This problem impacts all 1.3.X releases".
However, the issue is fixed in the 1.3.28 release.
Bob
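The reply above attributes the overflow to a pixel-cache region request that reached "virtual" pixels outside the image for particular dimensions, with the copy in AcquireCacheNexus then running past the end of the heap block. The following C program is an added illustration of the defensive pattern, not GraphicsMagick's code or its actual fix: a hypothetical PixelCache type (names and layout are assumptions) whose region fetch validates the requested rectangle against the allocation before any memcpy, and which serves out-of-border coordinates through an edge-clamping virtual-pixel path instead of copying blindly. The 4x3 sample image is constructed inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical pixel cache: columns*rows Pixels in one heap block.
   Illustrative names, not GraphicsMagick's own types. */
typedef struct { uint8_t r, g, b, a; } Pixel;
typedef struct { size_t columns; size_t rows; Pixel *pixels; } PixelCache;

/* Does the rectangle (x,y,cols,rows) lie entirely inside a width x height
   image?  Extents are compared against the remaining room rather than
   computing x + cols, so large values cannot wrap the check. */
bool region_in_bounds(size_t width, size_t height, long x, long y,
                      size_t cols, size_t rows)
{
    if (x < 0 || y < 0)
        return false;
    if ((size_t)x >= width || (size_t)y >= height)
        return false;
    if (cols > width - (size_t)x)    /* room to the right of x */
        return false;
    if (rows > height - (size_t)y)   /* room below y */
        return false;
    return true;
}

/* Direct copy of a region into out (cols*rows Pixels).  Refuses with -1
   when the region is not fully inside the cache; an unconditional memcpy
   here is the shape of write the ASan report above flagged. */
int acquire_pixels(const PixelCache *c, long x, long y,
                   size_t cols, size_t rows, Pixel *out)
{
    if (!region_in_bounds(c->columns, c->rows, x, y, cols, rows))
        return -1;
    for (size_t j = 0; j < rows; j++)
        memcpy(out + j * cols,
               c->pixels + ((size_t)y + j) * c->columns + (size_t)x,
               cols * sizeof(Pixel));
    return 0;
}

/* Virtual pixel with an edge-replication policy: coordinates outside the
   image are clamped to the nearest border pixel, so requests beyond the
   borders yield defined data and never touch memory past the block. */
Pixel virtual_pixel(const PixelCache *c, long x, long y)
{
    if (x < 0) x = 0;
    if (y < 0) y = 0;
    if ((size_t)x >= c->columns) x = (long)c->columns - 1;
    if ((size_t)y >= c->rows)    y = (long)c->rows - 1;
    return c->pixels[(size_t)y * c->columns + (size_t)x];
}

/* Fill out from any rectangle: fast path when inside the image, clamped
   per-pixel fetch otherwise.  Returns 1 when virtual pixels were used. */
int acquire_with_virtual(const PixelCache *c, long x, long y,
                         size_t cols, size_t rows, Pixel *out)
{
    if (region_in_bounds(c->columns, c->rows, x, y, cols, rows))
        return acquire_pixels(c, x, y, cols, rows, out);
    for (size_t j = 0; j < rows; j++)
        for (size_t i = 0; i < cols; i++)
            out[j * cols + i] = virtual_pixel(c, x + (long)i, y + (long)j);
    return 1;
}

/* Constructed sample: 4x3 image whose r channel stores the pixel index. */
PixelCache *make_sample_cache(void)
{
    PixelCache *c = malloc(sizeof *c);
    c->columns = 4;
    c->rows = 3;
    c->pixels = calloc(c->columns * c->rows, sizeof(Pixel));
    for (size_t k = 0; k < c->columns * c->rows; k++)
        c->pixels[k].r = (uint8_t)k;
    return c;
}

void free_sample_cache(PixelCache *c) { free(c->pixels); free(c); }

/* Requests 2 rows of 4 pixels starting at (1,2) of the 4x3 sample, which
   extends past both the right and bottom edges.  Encodes the outcome:
   bit 0 = direct copy refused, bit 1 = virtual path used,
   bits 2.. = r value of the last pixel, (4,3) clamped to (3,2) = 11. */
int run_sample(void)
{
    PixelCache *c = make_sample_cache();
    Pixel buf[8];
    int summary = 0;
    if (acquire_pixels(c, 1, 2, 4, 2, buf) == -1) summary |= 1;
    if (acquire_with_virtual(c, 1, 2, 4, 2, buf) == 1) summary |= 2;
    summary |= buf[7].r << 2;
    free_sample_cache(c);
    return summary;   /* 1 | 2 | (11 << 2) == 47 */
}

int main(void) { return run_sample() == 47 ? 0 : 1; }
```

The point of the split is that a region check alone only turns an overflow into a refusal; an operation such as a rotate that legitimately samples beyond the borders still needs a defined virtual-pixel policy so the caller is never handed a buffer that was filled by reading or writing past the allocation.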
Hello,
thank you for the quick response.
I received a CVE.
Thanks.