
#582 heap-buffer-overflow in ReadBMPImage of bmp.c

v1.0_(example)
closed-fixed
None
5
2019-02-03
2018-12-10
galycannon
No

There is a heap buffer overflow in the ReadBMPImage function of bmp.c which can be reproduced as below.

~~~
test@test-virtual-machine:~/graphicsmagick$ ./utilities/gm convert ./heap-buffer-overflow-readbmpimage /dev/null
=================================================================
==22819==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb12fe802 at pc 0x08309d40 bp 0xbfa916c8 sp 0xbfa916b8
READ of size 1 at 0xb12fe802 thread T0
    #0 0x8309d3f in ReadBMPImage coders/bmp.c:1312
    #1 0x80c09fb in ReadImage magick/constitute.c:1607
    #2 0x8066b4f in ConvertImageCommand magick/command.c:4362
    #3 0x807cf77 in MagickCommand magick/command.c:8886
    #4 0x80a8a0a in GMCommandSingle magick/command.c:17408
    #5 0x80a8cce in GMCommand magick/command.c:17461
    #6 0x805113a in main utilities/gm.c:61
    #7 0xb6917636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #8 0x8051040  (/home/test/graphicsmagick/graphicsmagick/utilities/gm+0x8051040)

0xb12fe802 is located 0 bytes to the right of 268435458-byte region [0xa12fe800,0xb12fe802)
allocated by thread T0 here:
    #0 0xb7256d06 in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96d06)
    #1 0x812ddf8 in MagickMalloc magick/memory.c:173
    #2 0x8308318 in ReadBMPImage coders/bmp.c:1109
    #3 0x80c09fb in ReadImage magick/constitute.c:1607
    #4 0x8066b4f in ConvertImageCommand magick/command.c:4362
    #5 0x807cf77 in MagickCommand magick/command.c:8886
    #6 0x80a8a0a in GMCommandSingle magick/command.c:17408
    #7 0x80a8cce in GMCommand magick/command.c:17461
    #8 0x805113a in main utilities/gm.c:61
    #9 0xb6917636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/bmp.c:1312 ReadBMPImage
Shadow bytes around the buggy address:
  0x3625fcb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3625fcc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3625fcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3625fce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3625fcf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3625fd00:[02]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3625fd10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3625fd20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3625fd30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3625fd40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3625fd50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==22819==ABORTING
~~~

System Configuration

~~~
Linux test-virtual-machine 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
~~~

GraphicsMagick version:
~~~
GraphicsMagick 1.4 snapshot-20181209 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2018 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:
Native Thread Safe yes
Large Files (> 32 bit) yes
Large Memory (> 32 bit) no
BZIP yes
DPS no
FlashPix no
FreeType yes
Ghostscript (Library) no
JBIG yes
JPEG-2000 yes
JPEG yes
Little CMS yes
Loadable Modules no
OpenMP yes (201307)
PNG yes
TIFF yes
TRIO no
UMEM no
WebP yes
WMF yes
X11 yes
XML yes
ZLIB yes

Host type: i686-pc-linux-gnu

Configured using the command:
./configure 'CFLAGS=-g -fsanitize=address' '--enable-shared=no'

Final Build Parameters:
CC = gcc
CFLAGS = -fopenmp -g -fsanitize=address -Wall -pthread
CPPFLAGS = -I/usr/include/freetype2 -I/usr/include/libxml2
CXX = g++
CXXFLAGS = -pthread
LDFLAGS =
LIBS = -ljbig -lwebp -lwebpmux -llcms2 -ltiff -lfreetype -ljasper -ljpeg -lpng12 -lwmflite -lXext -lSM -lICE -lX11 -llzma -lbz2 -lxml2 -lz -lm -lpthread
~~~

1 Attachments

Discussion

  • Bob Friesenhahn

    Bob Friesenhahn - 2018-12-11
    • assigned_to: Bob Friesenhahn
    • private: No --> Yes
     
  • Bob Friesenhahn

    Bob Friesenhahn - 2018-12-11

    I assume that i686 in the system description means that this is a 32-bit Linux OS?

     
  • Bob Friesenhahn

    Bob Friesenhahn - 2018-12-11

    I was able to get a working 32-bit ASAN build on my 64-bit machine and can reproduce the issue.

     
    • galycannon

      galycannon - 2018-12-11

      Yes, my environment is a 32-bit Ubuntu 16.04 machine and I build with 32-bit ASAN.

       
      • Bob Friesenhahn

        Bob Friesenhahn - 2018-12-11

        On Tue, 11 Dec 2018, galycannon wrote:

        Yes, my environment is a 32-bit Ubuntu 16.04 machine and I build with 32-bit ASAN.

        I did notice that it was necessary to enlarge the image pixel
        limits beyond the default before the problem is encountered. This
        means that most users are defended from this issue.

        There are likely many more similar issues to be discovered in the
        32-bit build.

         
  • Bob Friesenhahn

    Bob Friesenhahn - 2018-12-12

    This issue is fixed by changeset 15864:648e3977a293

     
  • Bob Friesenhahn

    Bob Friesenhahn - 2018-12-13
    • status: open --> closed-fixed
    • private: Yes --> No
     
  • Bob Friesenhahn

    Bob Friesenhahn - 2019-01-06
    • status: closed-fixed --> open
     
  • Bob Friesenhahn

    Bob Friesenhahn - 2019-01-06

    Problem (now identified as CVE-2018-20185) is claimed to still exist after my fix. See
    https://bugzilla.suse.com/show_bug.cgi?id=1119823#c1

     
  • Bob Friesenhahn

    Bob Friesenhahn - 2019-02-03
    • status: open --> closed-fixed
     
  • Bob Friesenhahn

    Bob Friesenhahn - 2019-02-03

    I believe that this issue is finally properly addressed by changeset 15880:c38fc0e3e465. The DIB module was also similarly improved, although the DIB reader already did use pretty good overflow checks.
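The thread above attributes the bug to a 32-bit build and says the fix relies on the kind of overflow checks the DIB reader already had. The following is an added illustration of that style of check for sizing a BMP pixel buffer; it is not GraphicsMagick's code, and it does not claim to reproduce the exact arithmetic at bmp.c:1109 or bmp.c:1312. It assumes a 32-bit size_t (modelled here as uint32_t so the wrap is visible on a 64-bit host) and an arbitrary caller-supplied pixel limit standing in for the resource limit the maintainer mentions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumption: model the reporter's i686 build, where size_t is 32 bits,
   with an explicit 32-bit type so the overflow is reproducible anywhere. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Bytes per BMP scanline: bits per row rounded up to a 4-byte boundary.
   Returns false when width * bits_per_pixel would not fit a 32-bit size. */
bool bmp_row_stride(uint32_t width, uint16_t bits_per_pixel, size32_t *stride)
{
    if (width == 0 || bits_per_pixel == 0)
        return false;
    /* Do the multiply in 64 bits so the overflow check itself cannot wrap. */
    uint64_t bits = (uint64_t)width * bits_per_pixel;
    if (bits + 31 > SIZE32_MAX)
        return false;
    *stride = (size32_t)(((bits + 31) / 32) * 4);
    return true;
}

/* Size of the whole pixel buffer, refusing any width/height combination
   that exceeds pixel_limit or whose stride * height would wrap.  A reader
   that allocates from this value cannot index past the allocation, which
   is the failure ASan reports above (a 1-byte read just past the region). */
bool bmp_pixel_buffer_size(uint32_t width, uint32_t height, uint16_t bits_per_pixel,
                           uint64_t pixel_limit, size32_t *bytes)
{
    size32_t stride;
    if (height == 0 || !bmp_row_stride(width, bits_per_pixel, &stride))
        return false;
    /* Resource limit check: width * height pixels must stay within the limit. */
    if ((uint64_t)width * height > pixel_limit)
        return false;
    /* Division-based check needs no wider type: stride * height <= SIZE32_MAX. */
    if (stride > SIZE32_MAX / height)
        return false;
    *bytes = stride * height;
    return true;
}

/* Bounds check for a single scanline read from a buffer sized as above. */
bool bmp_row_in_bounds(size32_t buffer_bytes, size32_t stride, uint32_t row)
{
    if (stride == 0 || row > (buffer_bytes - 1) / stride)
        return false;
    return (uint64_t)row * stride + stride <= buffer_bytes;
}
```

The 65536 x 65536 8-bit case wraps to exactly 0 bytes in 32-bit arithmetic, which is why the division form of the check matters on such builds.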

     
