
#583 heap-buffer-overflow in WriteTGAImage of tga.c

Milestone: v1.0_(example)
Status: closed-fixed
Labels: None
Priority: 5
Updated: 2018-12-13
Created: 2018-12-10
Creator: galycannon
Private: No

There is a heap buffer overflow in the WriteTGAImage function of tga.c, which can be reproduced as below.

test@test-virtual-machine:~/graphicsmagick$ ./utilities/gm convert heap-buffer-overflow-WriteTGAImage test.tga
=================================================================
==22891==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb2500c80 at pc 0x0847ebaf bp 0xbff21aa8 sp 0xbff21a98
WRITE of size 1 at 0xb2500c80 thread T0
    #0 0x847ebae in WriteTGAImage coders/tga.c:1052
    #1 0x80c3961 in WriteImage magick/constitute.c:2245
    #2 0x80c42d7 in WriteImages magick/constitute.c:2404
    #3 0x80719a8 in ConvertImageCommand magick/command.c:6101
    #4 0x807cf77 in MagickCommand magick/command.c:8886
    #5 0x80a8a0a in GMCommandSingle magick/command.c:17408
    #6 0x80a8cce in GMCommand magick/command.c:17461
    #7 0x805113a in main utilities/gm.c:61
    #8 0xb6970636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #9 0x8051040  (/home/test/graphicsmagick/graphicsmagick/utilities/gm+0x8051040)

0xb2500c80 is located 0 bytes to the right of 48-byte region [0xb2500c50,0xb2500c80)
allocated by thread T0 here:
    #0 0xb72afd06 in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96d06)
    #1 0x812ddf8 in MagickMalloc magick/memory.c:173
    #2 0x847e274 in WriteTGAImage coders/tga.c:1012
    #3 0x80c3961 in WriteImage magick/constitute.c:2245
    #4 0x80c42d7 in WriteImages magick/constitute.c:2404
    #5 0x80719a8 in ConvertImageCommand magick/command.c:6101
    #6 0x807cf77 in MagickCommand magick/command.c:8886
    #7 0x80a8a0a in GMCommandSingle magick/command.c:17408
    #8 0x80a8cce in GMCommand magick/command.c:17461
    #9 0x805113a in main utilities/gm.c:61
    #10 0xb6970636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/tga.c:1052 WriteTGAImage
Shadow bytes around the buggy address:
  0x364a0140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x364a0150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x364a0160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x364a0170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x364a0180: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x364a0190:[fa]fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x364a01a0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x364a01b0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x364a01c0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x364a01d0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x364a01e0: fa fa 00 00 00 00 00 04 fa fa 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==22891==ABORTING

System Configuration

Linux test-virtual-machine 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux

GraphicsMagick version:

GraphicsMagick 1.4 snapshot-20181209 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2018 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:
Native Thread Safe yes
Large Files (> 32 bit) yes
Large Memory (> 32 bit) no
BZIP yes
DPS no
FlashPix no
FreeType yes
Ghostscript (Library) no
JBIG yes
JPEG-2000 yes
JPEG yes
Little CMS yes
Loadable Modules no
OpenMP yes (201307)
PNG yes
TIFF yes
TRIO no
UMEM no
WebP yes
WMF yes
X11 yes
XML yes
ZLIB yes

Host type: i686-pc-linux-gnu

Configured using the command:
./configure 'CFLAGS=-g -fsanitize=address' '--enable-shared=no'

Final Build Parameters:
CC = gcc
CFLAGS = -fopenmp -g -fsanitize=address -Wall -pthread
CPPFLAGS = -I/usr/include/freetype2 -I/usr/include/libxml2
CXX = g++
CXXFLAGS = -pthread
LDFLAGS =
LIBS = -ljbig -lwebp -lwebpmux -llcms2 -ltiff -lfreetype -ljasper -ljpeg -lpng12 -lwmflite -lXext -lSM -lICE -lX11 -llzma -lbz2 -lxml2 -lz -lm -lpthread
Attachments: 1

Discussion

  • Bob Friesenhahn

    Bob Friesenhahn - 2018-12-11
    • assigned_to: Bob Friesenhahn
    • private: No --> Yes
     
  • Bob Friesenhahn

    Bob Friesenhahn - 2018-12-12

    In my testing, this test case gets severely hung up in X11 library code reading the (claimed to be) huge XWD file. I did not wait a long time to see what might happen.

     
  • Bob Friesenhahn

    Bob Friesenhahn - 2018-12-12

    I see multiple problems to fix here. The first is that there should be code to reject the XWD file because it is too small (even though we rely on X11 to actually decode it). The second is that the TGA format only supports maximum pixel dimensions of 64k by 64k, and so the writer needs to report an error immediately.
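The overflow class behind the second point above, as an added example that is not GraphicsMagick's code: the TGA header stores width and height as 16-bit fields, so a writer that truncates the image width to a uint16 for the header and sizes its scanline buffer from that truncated value, while still looping over the full image width, writes past the end of the buffer. The hardened version rejects any geometry the format cannot describe before allocating, which is what the maintainer's comment calls for. The chosen geometry (65552 columns at 3 bytes per pixel, which wraps to 16 columns and a 48-byte buffer, the region size in the ASan report) is an assumption about the mechanism, not something the ticket confirms; all type, function and status names here are hypothetical, and the buggy writer is bounds-checked so it reports the overrun instead of corrupting the heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TGA_MAX_DIMENSION 65535u  /* TGA stores width and height as 16-bit fields */

typedef enum {
    TGA_OK = 0,
    TGA_ERR_TOO_LARGE,  /* image does not fit the format's 16-bit geometry */
    TGA_ERR_OVERRUN,    /* simulated writer would have written past its buffer */
    TGA_ERR_RANGE,      /* requested row outside the image */
    TGA_ERR_NOMEM
} TgaStatus;

typedef struct {
    size_t   columns, rows;
    size_t   bytes_per_pixel;  /* 3 for RGB, 4 for RGBA */
    uint8_t *pixels;           /* row-major, columns * rows * bytes_per_pixel bytes */
} Image;

/* Constructed test input (hypothetical helper): a zero-filled image of the given geometry. */
Image *make_test_image(size_t columns, size_t rows, size_t bytes_per_pixel)
{
    Image *img = calloc(1, sizeof *img);
    if (img == NULL) return NULL;
    img->columns = columns; img->rows = rows; img->bytes_per_pixel = bytes_per_pixel;
    img->pixels = calloc(columns * rows, bytes_per_pixel);
    if (img->pixels == NULL) { free(img); return NULL; }
    return img;
}

void free_test_image(Image *img)
{
    if (img != NULL) { free(img->pixels); free(img); }
}

/* Buggy sizing pattern: header width is the image width truncated to 16 bits, and the
 * scanline buffer is sized from that. 65552 columns wrap to 16, so 16 * 3 = 48 bytes. */
size_t truncated_scanline_bytes(size_t columns, size_t bytes_per_pixel)
{
    uint16_t header_width = (uint16_t)columns;  /* silent truncation */
    return (size_t)header_width * bytes_per_pixel;
}

/* Simulated buggy writer: buffer sized from the truncated width, loop bounded by the full
 * image width. The store is bounds-checked so the overrun is reported, not performed. */
TgaStatus buggy_write_scanline(const Image *img, size_t row)
{
    if (row >= img->rows) return TGA_ERR_RANGE;
    size_t buf_len = truncated_scanline_bytes(img->columns, img->bytes_per_pixel);
    uint8_t *buf = malloc(buf_len > 0 ? buf_len : 1);
    if (buf == NULL) return TGA_ERR_NOMEM;
    const uint8_t *src = img->pixels + row * img->columns * img->bytes_per_pixel;
    TgaStatus st = TGA_OK;
    for (size_t x = 0; x < img->columns; x++) {
        size_t off = x * img->bytes_per_pixel;
        if (off + img->bytes_per_pixel > buf_len) {
            st = TGA_ERR_OVERRUN;  /* in the real writer this is the heap-buffer-overflow WRITE */
            break;
        }
        memcpy(buf + off, src + off, img->bytes_per_pixel);
    }
    free(buf);
    return st;
}

/* Hardened writer: reject geometry the format cannot describe before allocating anything,
 * then size the buffer from the same value the loop uses. Emits the little-endian header width. */
TgaStatus hardened_write_scanline(const Image *img, size_t row, uint8_t header_width_le[2])
{
    if (img->columns == 0 || img->rows == 0 ||
        img->columns > TGA_MAX_DIMENSION || img->rows > TGA_MAX_DIMENSION)
        return TGA_ERR_TOO_LARGE;  /* report immediately, before any allocation */
    if (row >= img->rows) return TGA_ERR_RANGE;
    size_t buf_len = img->columns * img->bytes_per_pixel;  /* at most 65535 * bpp */
    uint8_t *buf = malloc(buf_len);
    if (buf == NULL) return TGA_ERR_NOMEM;
    header_width_le[0] = (uint8_t)(img->columns & 0xff);  /* exact: columns <= 65535 */
    header_width_le[1] = (uint8_t)(img->columns >> 8);
    memcpy(buf, img->pixels + row * buf_len, buf_len);
    free(buf);
    return TGA_OK;
}

int main(void)
{
    Image *wide = make_test_image(65552, 1, 3);  /* wraps to 16 in a uint16 */
    Image *ok = make_test_image(640, 1, 3);
    uint8_t hdr[2];
    if (wide == NULL || ok == NULL) return 1;
    printf("truncated buffer for 65552 columns: %zu bytes\n", truncated_scanline_bytes(65552, 3));
    printf("buggy writer, 65552 columns:    status %d\n", buggy_write_scanline(wide, 0));
    printf("hardened writer, 65552 columns: status %d\n", hardened_write_scanline(wide, 0, hdr));
    TgaStatus st = hardened_write_scanline(ok, 0, hdr);
    printf("hardened writer, 640 columns:   status %d, header width %02x %02x\n", st, hdr[0], hdr[1]);
    free_test_image(wide);
    free_test_image(ok);
    return 0;
}
```

The check belongs at the top of the writer, before the scanline buffer exists: once the allocation size and the loop bound are derived from two different values (a truncated header field and the original image width), no later check can make them agree.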

     
  • Bob Friesenhahn

    Bob Friesenhahn - 2018-12-13
    • status: open --> closed-fixed
    • private: Yes --> No
     
  • Bob Friesenhahn

    Bob Friesenhahn - 2018-12-13

    This issue is fixed by changeset 15865:15d1b5fd003b. Thanks for the report.

     
