GraphicsMagick 1.4 snapshot-20171217 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2017 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.
Feature Support:
Native Thread Safe yes
Large Files (> 32 bit) yes
Large Memory (> 32 bit) yes
BZIP yes
DPS no
FlashPix no
FreeType yes
Ghostscript (Library) no
JBIG yes
JPEG-2000 yes
JPEG yes
Little CMS yes
Loadable Modules no
OpenMP yes (201511)
PNG yes
TIFF yes
TRIO no
UMEM no
WebP yes
WMF yes
X11 yes
XML yes
ZLIB yes
Host type: x86_64-unknown-linux-gnu
Configured using the command:
./configure 'CC=gcc' 'CXX=g++' 'CFLAGS=-g -fsanitize=address'
Final Build Parameters:
CC = gcc
CFLAGS = -fopenmp -g -fsanitize=address -Wall -pthread
CPPFLAGS = -I/usr/include/freetype2 -I/usr/include/libxml2
CXX = g++
CXXFLAGS = -pthread
LDFLAGS =
LIBS = -ljbig -lwebp -lwebpmux -llcms2 -ltiff -lfreetype -ljasper -ljpeg -lpng16 -lwmflite -lXext -lSM -lICE -lX11 -llzma -lbz2 -lxml2 -lz -lm -lgomp -lpthread
/usr/local/bin/gm identify -verbose buffer-overflow-IY8fokMWMBY3UGA4oLfz8pVguhDj2jYj.tiff
=================================================================
==17531==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000003d5 at pc 0x00000059fa31 bp 0x7ffdcec9b660 sp 0x7ffdcec9b650
READ of size 1 at 0x6020000003d5 thread T0
#0 0x59fa30 in LocaleNCompare magick/utility.c:3454
#1 0x8dcbac in ReadNewsProfile coders/tiff.c:710
#2 0x8e25fe in ReadTIFFImage coders/tiff.c:1906
#3 0x4880dd in ReadImage magick/constitute.c:1607
#4 0x43a77d in IdentifyImageCommand magick/command.c:8377
#5 0x43c909 in MagickCommand magick/command.c:8872
#6 0x469409 in GMCommandSingle magick/command.c:17393
#7 0x4696f0 in GMCommand magick/command.c:17446
#8 0x40d0e6 in main utilities/gm.c:61
#9 0x7fd77c475039 in __libc_start_main (/lib64/libc.so.6+0x21039)
#10 0x40d019 in _start (/usr/local/bin/gm+0x40d019)
0x6020000003d5 is located 0 bytes to the right of 5-byte region [0x6020000003d0,0x6020000003d5)
allocated by thread T0 here:
#0 0x7fd77faffc40 in realloc (/lib64/libasan.so.4+0xdec40)
#1 0x7fd77eed78ae in _TIFFCheckRealloc (/lib64/libtiff.so.5+0x88ae)
SUMMARY: AddressSanitizer: heap-buffer-overflow magick/utility.c:3454 in LocaleNCompare
Shadow bytes around the buggy address:
0x0c047fff8020: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
0x0c047fff8030: fa fa 00 04 fa fa fd fd fa fa 00 04 fa fa fd fd
0x0c047fff8040: fa fa fd fa fa fa fd fa fa fa 00 01 fa fa 00 01
0x0c047fff8050: fa fa 00 00 fa fa fd fa fa fa 00 fa fa fa fd fa
0x0c047fff8060: fa fa 00 fa fa fa fd fa fa fa fd fd fa fa fd fa
=>0x0c047fff8070: fa fa 00 fa fa fa fd fa fa fa[05]fa fa fa fa fa
0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==17531==ABORTING
PoC: https://github.com/henices/pocs/raw/master/buffer-overflow-IY8fokMWMBY3UGA4oLfz8pVguhDj2jYj.tiff.zip
This issue is fixed by Mercurial changeset 15308:0d871e813a4f. Thank you for reporting the problem.
Credit: zz of NSFocus Security Team