heap-buffer-overflow in function ReadXWDImage of coders/xwd.c
There is a heap buffer overflow in function ReadXWDImage of coders/xwd.c which can be reproduced as below.
test@test-virtual-machine:~/graphicsmagick$ ./utilities/gm convert heap_buffer_overflow_ReadXWDImag /dev/null
=================================================================
==26200==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000efac at pc 0x00000087cc2a bp 0x7ffd385b16e0 sp 0x7ffd385b16d0
READ of size 2 at 0x60300000efac thread T0
#0 0x87cc29 in ReadXWDImage coders/xwd.c:528
#1 0x47766b in ReadImage magick/constitute.c:1607
#2 0x4214e9 in ConvertImageCommand magick/command.c:4362
#3 0x436a5e in MagickCommand magick/command.c:8886
#4 0x45f205 in GMCommandSingle magick/command.c:17416
#5 0x45f451 in GMCommand magick/command.c:17469
#6 0x40cbc5 in main utilities/gm.c:61
#7 0x7f8fa991c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#8 0x40cad8 in _start (/home/.test/graphicsmagick/utilities/gm+0x40cad8)
0x60300000efac is located 4 bytes to the left of 17-byte region [0x60300000efb0,0x60300000efc1)
freed by thread T0 here:
#0 0x7f8fac6a82ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x4de5ff in MagickFree magick/memory.c:530
#2 0x4b08e5 in DestroyExceptionInfo magick/error.c:432
#3 0x4d587d in InitializeLogInfo magick/log.c:348
#4 0x4d9c74 in InitializeMagick magick/magick.c:1109
#5 0x45ef98 in GMCommandSingle magick/command.c:17354
#6 0x45f451 in GMCommand magick/command.c:17469
#7 0x40cbc5 in main utilities/gm.c:61
#8 0x7f8fa991c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
previously allocated by thread T0 here:
#0 0x7f8fac6a8602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4de2d4 in MagickMalloc magick/memory.c:173
#2 0x582d0e in AcquireString magick/utility.c:147
#3 0x4b202c in ThrowLoggedException magick/error.c:1045
#4 0x8a7a18 in GetConfigureBlob magick/blob.c:2154
#5 0x4d745a in ReadLogConfigureFile magick/log.c:962
#6 0x4d5871 in InitializeLogInfo magick/log.c:347
#7 0x4d9c74 in InitializeMagick magick/magick.c:1109
#8 0x45ef98 in GMCommandSingle magick/command.c:17354
#9 0x45f451 in GMCommand magick/command.c:17469
#10 0x40cbc5 in main utilities/gm.c:61
#11 0x7f8fa991c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow coders/xwd.c:528 ReadXWDImage
Shadow bytes around the buggy address:
0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9de0: fa fa fa fa 00 00 00 00 fa fa fd fd fd fa fa fa
=>0x0c067fff9df0: fd fd fd fd fa[fa]fd fd fd fa fa fa fd fd fd fd
0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==26200==ABORTING
System Configuration:
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.2 LTS
Release:        16.04
Codename:       xenial

GraphicsMagick version:
GraphicsMagick 1.4 snapshot-20190322 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2019 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:
  Native Thread Safe       yes
  Large Files (> 32 bit)   yes
  Large Memory (> 32 bit)  yes
  BZIP                     yes
  DPS                      no
  FlashPix                 no
  FreeType                 yes
  Ghostscript (Library)    no
  JBIG                     yes
  JPEG-2000                yes
  JPEG                     yes
  Little CMS               yes
  Loadable Modules         no
  Solaris mtmalloc         no
  OpenMP                   yes (201307)
  PNG                      yes
  TIFF                     yes
  TRIO                     no
  Solaris umem             no
  WebP                     yes
  WMF                      yes
  X11                      yes
  XML                      yes
  ZLIB                     yes

Host type: x86_64-pc-linux-gnu

Configured using the command:
  ./configure 'CFLAGS=-g -fsanitize=address' '--enable-shared=no'

Final Build Parameters:
  CC       = gcc
  CFLAGS   = -fopenmp -g -fsanitize=address -Wall -pthread
  CPPFLAGS = -I/usr/include/freetype2 -I/usr/include/libxml2
  CXX      = g++
  CXXFLAGS = -pthread
  LDFLAGS  =
  LIBS     = -ljbig -lwebp -lwebpmux -llcms2 -ltiff -lfreetype -ljasper -ljpeg -lpng12 -lwmflite -lXext -lSM -lICE -lX11 -llzma -lbz2 -lxml2 -lz -lm -lpthread
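Two triage notes on the report above, followed by an added illustrative example. First, the "freed by" and "previously allocated by" stacks name a 17-byte exception-message string from InitializeMagick's log setup, which has nothing to do with XWD decoding: the faulting address sits in a left redzone (shadow byte fa), so ASan is describing the nearest chunk it knows about to the right of the bad address, not the buffer ReadXWDImage actually ran off. Second, "READ of size 2" is the width of one XWDColor channel (CARD16 red/green/blue in X11's XWDFile.h), which is why a colormap index lookup is the first thing to inspect in a report like this. The code below is not GraphicsMagick's coders/xwd.c, not a reconstruction of line 528, and not the fix in the changeset cited by the maintainer; it is a minimal XWD colormap reader written against the XWDFile.h layout showing the two checks such a reader needs (the header-declared ncolors against the bytes present, and the pixel index against ncolors). The function names, the demo_* helpers and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout constants from X11's XWDFile.h: 25 big-endian CARD32 header
 * fields, and a colormap entry of CARD32 pixel, 3 x CARD16 channels,
 * CARD8 flags, CARD8 pad. The window name (header_size - 100 bytes)
 * sits between the header and the colormap. */
#define XWD_FILE_VERSION 7
#define SZ_XWDHEADER     100
#define SZ_XWDCOLOR      12

/* Offsets (in CARD32 units) of the header fields used here. */
enum { F_HEADER_SIZE = 0, F_FILE_VERSION = 1, F_NCOLORS = 19 };

typedef struct {
    uint32_t pixel;
    uint16_t red, green, blue;
    uint8_t  flags, pad;
} XWDColor;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Parse the colormap of an in-memory XWD file into out[] (at most cap
 * entries). Returns the number of entries, or -1 for a malformed file.
 * Every header value is attacker-controlled and is checked against the
 * bytes actually present before it is used as a size or a count. */
static int xwd_read_colormap(const uint8_t *buf, size_t len, XWDColor *out, size_t cap)
{
    if (len < SZ_XWDHEADER) return -1;
    uint32_t header_size = be32(buf + 4 * F_HEADER_SIZE);
    uint32_t version     = be32(buf + 4 * F_FILE_VERSION);
    uint32_t ncolors     = be32(buf + 4 * F_NCOLORS);
    if (version != XWD_FILE_VERSION) return -1;
    if (header_size < SZ_XWDHEADER || header_size > len) return -1;
    if (ncolors > cap || (uint64_t)ncolors * SZ_XWDCOLOR > len - header_size) return -1;

    const uint8_t *p = buf + header_size;
    for (uint32_t i = 0; i < ncolors; i++, p += SZ_XWDCOLOR) {
        out[i].pixel = be32(p);
        out[i].red   = be16(p + 4);
        out[i].green = be16(p + 6);
        out[i].blue  = be16(p + 8);
        out[i].flags = p[10];
        out[i].pad   = p[11];
    }
    return (int)ncolors;
}

/* Pixel value -> colormap entry. Without the index check, an index >=
 * ncolors turns `colors[index].red` into a 2-byte read past the end of
 * the colormap allocation, the shape of an ASan "READ of size 2". */
static int xwd_lookup_red(const XWDColor *colors, size_t ncolors, uint32_t index, uint16_t *red)
{
    if (index >= ncolors) return -1;
    *red = colors[index].red;
    return 0;
}

/* Constructed sample (not from any real file): a header claiming
 * `claimed` colormap entries followed by `present` actual entries. */
static size_t build_sample(uint8_t *buf, size_t bufsz, uint32_t claimed, size_t present)
{
    size_t need = SZ_XWDHEADER + present * SZ_XWDCOLOR;
    if (bufsz < need) return 0;
    memset(buf, 0, need);
    put32(buf + 4 * F_HEADER_SIZE, SZ_XWDHEADER);   /* no window-name bytes */
    put32(buf + 4 * F_FILE_VERSION, XWD_FILE_VERSION);
    put32(buf + 4 * F_NCOLORS, claimed);
    for (size_t i = 0; i < present; i++) {
        uint8_t *c = buf + SZ_XWDHEADER + i * SZ_XWDCOLOR;
        put32(c, (uint32_t)i);
        put16(c + 4, (uint16_t)(0x1000 + i));
        put16(c + 6, (uint16_t)(0x2000 + i));
        put16(c + 8, (uint16_t)(0x3000 + i));
        c[10] = 7;  /* DoRed | DoGreen | DoBlue */
    }
    return need;
}

/* Well-formed file, in-range index: red channel of entry 1 (0x1001). */
int demo_in_range(void)
{
    uint8_t buf[256]; XWDColor cols[4]; uint16_t red = 0;
    size_t len = build_sample(buf, sizeof buf, 2, 2);
    if (xwd_read_colormap(buf, len, cols, 4) != 2) return -1;
    return xwd_lookup_red(cols, 2, 1, &red) == 0 ? (int)red : -1;
}

/* Header claims 8 entries but only 2 are present: reader must refuse (-1). */
int demo_overclaimed(void)
{
    uint8_t buf[256]; XWDColor cols[4];
    size_t len = build_sample(buf, sizeof buf, 8, 2);
    return xwd_read_colormap(buf, len, cols, 4);
}

/* Pixel index equal to ncolors: lookup must refuse (-1), not read colors[2].red. */
int demo_bad_index(void)
{
    uint8_t buf[256]; XWDColor cols[4]; uint16_t red = 0;
    size_t len = build_sample(buf, sizeof buf, 2, 2);
    if (xwd_read_colormap(buf, len, cols, 4) != 2) return -2;
    return xwd_lookup_red(cols, 2, 2, &red);
}

int main(void)
{
    printf("in-range red=0x%04x overclaimed=%d bad_index=%d\n",
           demo_in_range(), demo_overclaimed(), demo_bad_index());
    return 0;
}
```

Building this with `-fsanitize=address` and deleting the `index >= ncolors` test in `xwd_lookup_red` reproduces the same "READ of size 2 ... heap-buffer-overflow" shape as the report, if `cols` is moved to a heap allocation sized exactly to ncolors; that is the quickest way to confirm whether a given trace is a colormap index problem or something else.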
This problem is fixed by Mercurial changeset 15950:7cff2b1792de. Thanks for the report.