
#555 heap-buffer-overflow in AcquireCacheNexus when processing jng file

v1.0_(example)
closed-fixed
None
5
2018-04-28
2018-03-30
Trace Probe
No

(This issue is similar to issues 450, 531 and 532, which have been fixed in previous changesets. Actually, I doubt whether it's a duplicate. If so, please ignore.)

On GraphicsMagick 1.4 snapshot-20180329, there are two heap-buffer-overflows in the AcquireCacheNexus function (src/magick/pixel_cache.c, lines 933 and 939), which can be triggered by the POC below.

To reproduce the issue, compile graphicsmagick with ASAN and run: ./gm montage $POC /dev/null

The complete stack traces are:
==11360==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000374 at pc 0x000000611cb9 bp 0x7ffc2d71e650 sp 0x7ffc2d71e648
WRITE of size 4 at 0x602000000374 thread T0
    #0 0x611cb8 in AcquireCacheNexus /u/test/test/./graphicsmagick/master/src/magick/pixel_cache.c:933
    #1 0x614522 in AcquireCacheViewPixels /u/test/test/./graphicsmagick/master/src/magick/pixel_cache.c:1009
    #2 0x614522 in AcquireImagePixels /u/test/test/./graphicsmagick/master/src/magick/pixel_cache.c:1105
    #3 0x961d82 in ReadOneJNGImage /u/test/test/./graphicsmagick/master/src/coders/png.c:3654
    #4 0x967108 in ReadJNGImage /u/test/test/./graphicsmagick/master/src/coders/png.c:3917
    #5 0x4f5de5 in ReadImage /u/test/test/./graphicsmagick/master/src/magick/constitute.c:1607
    #6 0x4a2ab6 in MontageImageCommand /u/test/test/./graphicsmagick/master/src/magick/command.c:14059
    #7 0x42c62c in MagickCommand /u/test/test/./graphicsmagick/master/src/magick/command.c:8872
    #8 0x42cb62 in GMCommandSingle /u/test/test/./graphicsmagick/master/src/magick/command.c:17393
    #9 0x4b3b17 in GMCommand /u/test/test/./graphicsmagick/master/src/magick/command.c:17446
    #10 0x7fc4db87cc04 in __libc_start_main (/usr/lib64/libc.so.6+0x21c04)
    #11 0x414b31 (/home/test/test/./graphicsmagick/master/exe_asan/bin/gm+0x414b31)

=================================================================
==11597==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fbca1d4b805 at pc 0x000000611d18 bp 0x7ffe65ea2c30 sp 0x7ffe65ea2c28
WRITE of size 1 at 0x7fbca1d4b805 thread T0
    #0 0x611d17 in AcquireCacheNexus /u/test/test/./graphicsmagick/master/src/magick/pixel_cache.c:939
    #1 0x614522 in AcquireCacheViewPixels /u/test/test/./graphicsmagick/master/src/magick/pixel_cache.c:1009
    #2 0x614522 in AcquireImagePixels /u/test/test/./graphicsmagick/master/src/magick/pixel_cache.c:1105
    #3 0x961d82 in ReadOneJNGImage /u/test/test/./graphicsmagick/master/src/coders/png.c:3654
    #4 0x967108 in ReadJNGImage /u/test/test/./graphicsmagick/master/src/coders/png.c:3917
    #5 0x4f5de5 in ReadImage /u/test/test/./graphicsmagick/master/src/magick/constitute.c:1607
    #6 0x4a2ab6 in MontageImageCommand /u/test/test/./graphicsmagick/master/src/magick/command.c:14059
    #7 0x42c62c in MagickCommand /u/test/test/./graphicsmagick/master/src/magick/command.c:8872
    #8 0x42cb62 in GMCommandSingle /u/test/test/./graphicsmagick/master/src/magick/command.c:17393
    #9 0x4b3b17 in GMCommand /u/test/test/./graphicsmagick/master/src/magick/command.c:17446
    #10 0x7fbc9d965c04 in __libc_start_main (/usr/lib64/libc.so.6+0x21c04)
    #11 0x414b31 (/home/test/test/./graphicsmagick/master/exe_asan/bin/gm+0x414b31)

GraphicsMagick Version Info:
GraphicsMagick 1.4 snapshot-20180329 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2018 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:
Native Thread Safe yes
Large Files (> 32 bit) yes
Large Memory (> 32 bit) yes
BZIP yes
DPS no
FlashPix no
FreeType yes
Ghostscript (Library) no
JBIG no
JPEG-2000 yes
JPEG yes
Little CMS no
Loadable Modules no
OpenMP yes (201511)
PNG yes
TIFF yes
TRIO no
UMEM no
WebP no
WMF yes
X11 yes
XML yes
ZLIB yes

Host type: x86_64-unknown-linux-gnu

Configured using the command:
/u/test/test/./graphicsmagick/master/src/configure '--prefix=/u/test/test/./graphicsmagick/master/exe_asan' 'CC=/u/test/test/afl-2.52b/afl-gcc' 'CFLAGS=-g -O0 -fsanitize=address' 'LDFLAGS=-lasan -g -O0 -fsanitize=address' 'CXX=/u/test/test/afl-2.52b/afl-g++' 'CXXFLAGS=-g -O0 -fsanitize=address'

Final Build Parameters:
CC = /u/test/test/afl-2.52b/afl-gcc
CFLAGS = -fopenmp -g -O0 -fsanitize=address -Wall -pthread
CPPFLAGS = -I/usr/include/freetype2 -I/usr/include/libxml2
CXX = /u/test/test/afl-2.52b/afl-g++
CXXFLAGS = -g -O0 -fsanitize=address -pthread
LDFLAGS = -lasan -g -O0 -fsanitize=address
LIBS = -ltiff -lfreetype -ljasper -ljpeg -lpng15 -lwmflite -lXext -lSM -lICE -lX11 -llzma -lbz2 -lxml2 -lz -lm -lgomp -lpthread
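The reporter's open question is whether these two traces are a duplicate of earlier tickets. The usual first-pass answer comes from bucketing the sanitizer output by crash signature, so here is an added triage helper (example code, not part of this ticket or of GraphicsMagick) that parses the two reports above, normalizes the build paths, and builds signatures with and without source line numbers; the trimmed report strings and the `/src/` path split are assumptions made for the example.

```python
import re

# Two AddressSanitizer reports, trimmed from the traces in this ticket
# ("#N" frame prefixes restored; the tracker's renderer stripped them).
REPORT_933 = """\
==11360==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000374 at pc 0x000000611cb9
WRITE of size 4 at 0x602000000374 thread T0
    #0 0x611cb8 in AcquireCacheNexus /u/test/test/./graphicsmagick/master/src/magick/pixel_cache.c:933
    #1 0x614522 in AcquireCacheViewPixels /u/test/test/./graphicsmagick/master/src/magick/pixel_cache.c:1009
    #2 0x614522 in AcquireImagePixels /u/test/test/./graphicsmagick/master/src/magick/pixel_cache.c:1105
    #3 0x961d82 in ReadOneJNGImage /u/test/test/./graphicsmagick/master/src/coders/png.c:3654
    #10 0x7fc4db87cc04 in __libc_start_main (/usr/lib64/libc.so.6+0x21c04)
"""
REPORT_939 = """\
==11597==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fbca1d4b805 at pc 0x000000611d18
WRITE of size 1 at 0x7fbca1d4b805 thread T0
    #0 0x611d17 in AcquireCacheNexus /u/test/test/./graphicsmagick/master/src/magick/pixel_cache.c:939
    #1 0x614522 in AcquireCacheViewPixels /u/test/test/./graphicsmagick/master/src/magick/pixel_cache.c:1009
    #2 0x614522 in AcquireImagePixels /u/test/test/./graphicsmagick/master/src/magick/pixel_cache.c:1105
    #3 0x961d82 in ReadOneJNGImage /u/test/test/./graphicsmagick/master/src/coders/png.c:3654
    #10 0x7fbc9d965c04 in __libc_start_main (/usr/lib64/libc.so.6+0x21c04)
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<access>READ|WRITE) of size (?P<size>\d+)", re.M)
# Symbolized frame "#N 0xADDR in FUNC FILE:LINE"; frames without FILE:LINE (libc) are skipped.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<file>\S+?):(?P<line>\d+)", re.M)

def parse_asan_report(text):
    """Extract bug kind, access type/size and the symbolized frames from one ASAN report."""
    header = HEADER_RE.search(text)
    access = ACCESS_RE.search(text)
    if header is None or access is None:
        raise ValueError("not an AddressSanitizer error report")
    # Drop the machine-specific build prefix so traces from different hosts compare equal.
    frames = [(m["func"], m["file"].rsplit("/src/", 1)[-1], int(m["line"]))
              for m in FRAME_RE.finditer(text)]
    return {"kind": header["kind"], "access": access["access"],
            "size": int(access["size"]), "frames": frames}

def crash_signature(report, depth=3, with_lines=True):
    """Bucket key from the top `depth` in-project frames. With line numbers the two
    traces above are distinct sites (933 vs 939); without them they share one bucket,
    which is the usual first-pass duplicate check before reading the code."""
    frames = report["frames"][:depth]
    if with_lines:
        return (report["kind"],) + tuple(f"{fn} {fl}:{ln}" for fn, fl, ln in frames)
    return (report["kind"],) + tuple(fn for fn, _, _ in frames)
```

A signature match only says two crashes reach the same code; whether they are the same bug still needs the fix changeset checked against both inputs.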

1 Attachments

Discussion

Bob Friesenhahn - 2018-04-28
    • status: open --> closed-fixed
    • assigned_to: Bob Friesenhahn

Bob Friesenhahn - 2018-04-28

    This issue is fixed by Mercurial changeset 15604:8b649b561a43. Thank you for the report.
