#535 heap-buffer-overflow in ReadMNGImage

v1.0_(example)
closed-fixed
None
1
2017-12-26
2017-12-20
Allan Zhou
No

GraphicsMagick 1.4 snapshot-20171217 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2017 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:
Native Thread Safe yes
Large Files (> 32 bit) yes
Large Memory (> 32 bit) yes
BZIP yes
DPS no
FlashPix no
FreeType yes
Ghostscript (Library) no
JBIG yes
JPEG-2000 yes
JPEG yes
Little CMS yes
Loadable Modules no
OpenMP yes (201511)
PNG yes
TIFF yes
TRIO no
UMEM no
WebP yes
WMF yes
X11 yes
XML yes
ZLIB yes

Host type: x86_64-unknown-linux-gnu

Configured using the command:
./configure 'CC=gcc' 'CXX=g++' 'CFLAGS=-g -fsanitize=address'

Final Build Parameters:
CC = gcc
CFLAGS = -fopenmp -g -fsanitize=address -Wall -pthread
CPPFLAGS = -I/usr/include/freetype2 -I/usr/include/libxml2
CXX = g++
CXXFLAGS = -pthread
LDFLAGS =
LIBS = -ljbig -lwebp -lwebpmux -llcms2 -ltiff -lfreetype -ljasper -ljpeg -lpng16 -lwmflite -lXext -lSM -lICE -lX11 -llzma -lbz2 -lxml2 -lz -lm -lgomp -lpthread

/usr/local/bin/gm convert heap-overflow-ReadMNGImage /dev/null

=================================================================
==27310==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000031a at pc 0x0000006ba672 bp 0x7ffccafe00b0 sp 0x7ffccafe00a0
READ of size 1 at 0x60200000031a thread T0
    #0 0x6ba671 in ReadMNGImage coders/png.c:4590
    #1 0x4880dd in ReadImage magick/constitute.c:1607
    #2 0x425df8 in ConvertImageCommand magick/command.c:4348
    #3 0x43c909 in MagickCommand magick/command.c:8872
    #4 0x469409 in GMCommandSingle magick/command.c:17393
    #5 0x4696f0 in GMCommand magick/command.c:17446
    #6 0x40d0e6 in main utilities/gm.c:61
    #7 0x7f173e582039 in __libc_start_main (/lib64/libc.so.6+0x21039)
    #8 0x40d019 in _start (/usr/local/bin/gm+0x40d019)

0x60200000031a is located 0 bytes to the right of 10-byte region [0x602000000310,0x60200000031a)
allocated by thread T0 here:
    #0 0x7f1741c0c850 in malloc (/lib64/libasan.so.4+0xde850)
    #1 0x4f1083 in MagickMalloc magick/memory.c:156
    #2 0x6b6fd3 in ReadMNGImage coders/png.c:4149
    #3 0x4880dd in ReadImage magick/constitute.c:1607
    #4 0x425df8 in ConvertImageCommand magick/command.c:4348
    #5 0x43c909 in MagickCommand magick/command.c:8872
    #6 0x469409 in GMCommandSingle magick/command.c:17393
    #7 0x4696f0 in GMCommand magick/command.c:17446
    #8 0x40d0e6 in main utilities/gm.c:61
    #9 0x7f173e582039 in __libc_start_main (/lib64/libc.so.6+0x21039)

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/png.c:4590 in ReadMNGImage
Shadow bytes around the buggy address:
  0x0c047fff8010: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff8020: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff8030: fa fa 00 04 fa fa fd fd fa fa 00 04 fa fa fd fd
  0x0c047fff8040: fa fa fd fa fa fa fd fa fa fa 00 fa fa fa 00 02
  0x0c047fff8050: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c047fff8060: fa fa 00[02]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27310==ABORTING

testcase: https://github.com/henices/pocs/raw/master/heap-overflow-ReadMNGImage

Discussion

  • Bob Friesenhahn - 2017-12-22
    • status: open --> closed-fixed
    • assigned_to: Bob Friesenhahn

  • Bob Friesenhahn - 2017-12-22

    This problem is fixed by Mercurial changeset 15313:1721f1b7e67a. Thank you for reporting this issue.

  • Allan Zhou - 2017-12-26

    Credit: zz of NSFocus Security Team