
#604 heap-buffer-overflow in function WriteMATLABImage of coders/mat.c

Milestone: v1.0_(example)
Status: closed-fixed
Labels: None
Priority: 5
Updated: 2019-04-12
Created: 2019-04-04
Creator: galycannon
Private: No

There is a heap buffer overflow in function WriteMATLABImage of coders/mat.c which can be reproduced as below.

test@test-virtual-machine:~/$ ./graphicsmagick-code/utilities/gm convert ./heap-buffer-overflow_WriteMATLABImage ./out.mat

=================================================================
==20100==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ea71 at pc 0x0000008fcdbf bp 0x7fff1e1d38b0 sp 0x7fff1e1d38a0
WRITE of size 1 at 0x60200000ea71 thread T0
    #0 0x8fcdbe in ExportRedQuantumType magick/export.c:1372
    #1 0x91ad7c in ExportViewPixelArea magick/export.c:3222
    #2 0x8ee7aa in ExportImagePixelArea magick/export.c:278
    #3 0x70b3f1 in WriteMATLABImage coders/mat.c:1481
    #4 0x47a430 in WriteImage magick/constitute.c:2245
    #5 0x47ad98 in WriteImages magick/constitute.c:2404
    #6 0x42bf6d in ConvertImageCommand magick/command.c:6101
    #7 0x436afe in MagickCommand magick/command.c:8886
    #8 0x45f2a5 in GMCommandSingle magick/command.c:17416
    #9 0x45f4f1 in GMCommand magick/command.c:17469
    #10 0x40cc65 in main utilities/gm.c:61
    #11 0x7f6922c3482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x40cb78 in _start (/home/graphicsmagick-code/utilities/gm+0x40cb78)

0x60200000ea71 is located 0 bytes to the right of 1-byte region [0x60200000ea70,0x60200000ea71)
allocated by thread T0 here:
    #0 0x7f69259c1602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4de364 in MagickMalloc magick/memory.c:174
    #2 0x70ae32 in WriteMATLABImage coders/mat.c:1429
    #3 0x47a430 in WriteImage magick/constitute.c:2245
    #4 0x47ad98 in WriteImages magick/constitute.c:2404
    #5 0x42bf6d in ConvertImageCommand magick/command.c:6101
    #6 0x436afe in MagickCommand magick/command.c:8886
    #7 0x45f2a5 in GMCommandSingle magick/command.c:17416
    #8 0x45f4f1 in GMCommand magick/command.c:17469
    #9 0x40cc65 in main utilities/gm.c:61
    #10 0x7f6922c3482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow magick/export.c:1372 ExportRedQuantumType
Shadow bytes around the buggy address:
  0x0c047fff9cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9d40: fa fa fa fa fa fa fa fa fa fa 00 03 fa fa[01]fa
  0x0c047fff9d50: fa fa 00 07 fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9d60: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9d70: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa fd fd
  0x0c047fff9d80: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9d90: fa fa fd fd fa fa 00 03 fa fa 00 fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==20100==ABORTING

System Configuration:

Distributor ID: Ubuntu
Description:    Ubuntu 16.04.1 LTS
Release:    16.04
Codename:   xenial

GraphicsMagick version:

GraphicsMagick 1.4 snapshot-20190403 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2019 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:
  Native Thread Safe       yes
  Large Files (> 32 bit)   yes
  Large Memory (> 32 bit)  yes
  BZIP                     yes
  DPS                      no
  FlashPix                 no
  FreeType                 yes
  Ghostscript (Library)    no
  JBIG                     yes
  JPEG-2000                yes
  JPEG                     yes
  Little CMS               yes
  Loadable Modules         no
  Solaris mtmalloc         no
  OpenMP                   yes (201307)
  PNG                      yes
  TIFF                     yes
  TRIO                     no
  Solaris umem             no
  WebP                     yes
  WMF                      yes
  X11                      yes
  XML                      yes
  ZLIB                     yes

Host type: x86_64-pc-linux-gnu

Configured using the command:
  ./configure  'CC=gcc' 'CXX=g++' 'CFLAGS=-g -fsanitize=address -fno-omit-frame-pointer -fsanitize=leak' '--enable-shared=no'

Final Build Parameters:
  CC       = gcc
  CFLAGS   = -fopenmp -g -fsanitize=address -fno-omit-frame-pointer -fsanitize=leak -Wall -pthread
  CPPFLAGS = -I/usr/include/freetype2 -I/usr/include/libxml2
  CXX      = g++
  CXXFLAGS = -pthread
  LDFLAGS  = 
  LIBS     = -ljbig -lwebp -lwebpmux -llcms2 -ltiff -lfreetype -ljasper -ljpeg -lpng12 -lwmflite -lXext -lSM -lICE -lX11 -llzma -lbz2 -lxml2 -lz -lm -lpthread

Attachments: 1
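The ASan report above already carries everything needed to triage this bug class without re-running the crash: the access kind and size (a 1-byte WRITE), the faulting frame (ExportRedQuantumType, reached from WriteMATLABImage at coders/mat.c:1481), the allocation site (MagickMalloc called from coders/mat.c:1429) and the fact that the address lies 0 bytes past the end of a 1-byte region, i.e. the buffer handed to the export routine is smaller than what it writes. The following is an added example, not GraphicsMagick code and not part of the ticket: a small parser that pulls those fields out of the report and cross-checks the stated distance against the region bounds. The sample input is the ticket's own report, trimmed to the lines the parser uses; the function names, the `coders/` path filter and the summary wording are this example's own choices.

```python
"""ASan heap-buffer-overflow triage helper (added example, not GraphicsMagick code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input, constructed by copying the ASan report from this ticket and
# trimming the deep frames and the shadow-byte dump, which the parser ignores.
SAMPLE_REPORT = """\
==20100==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ea71 at pc 0x0000008fcdbf bp 0x7fff1e1d38b0 sp 0x7fff1e1d38a0
WRITE of size 1 at 0x60200000ea71 thread T0
    #0 0x8fcdbe in ExportRedQuantumType magick/export.c:1372
    #1 0x91ad7c in ExportViewPixelArea magick/export.c:3222
    #2 0x8ee7aa in ExportImagePixelArea magick/export.c:278
    #3 0x70b3f1 in WriteMATLABImage coders/mat.c:1481

0x60200000ea71 is located 0 bytes to the right of 1-byte region [0x60200000ea70,0x60200000ea71)
allocated by thread T0 here:
    #0 0x7f69259c1602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4de364 in MagickMalloc magick/memory.c:174
    #2 0x70ae32 in WriteMATLABImage coders/mat.c:1429
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)")
REGION_RE = re.compile(r"(0x[0-9a-f]+) is located (\d+) bytes to the (left|right) of "
                       r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")

@dataclass
class Frame:
    index: int
    function: str
    location: str  # "file:line" when symbolised, "(module+offset)" otherwise

@dataclass
class AsanReport:
    bug_class: str
    address: int
    access_kind: Optional[str] = None   # READ or WRITE
    access_size: Optional[int] = None   # bytes accessed
    side: Optional[str] = None          # "left" or "right" of the region
    distance: Optional[int] = None      # bytes from the region edge to the address
    region_size: Optional[int] = None
    region_start: Optional[int] = None
    region_end: Optional[int] = None
    access_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)

def parse_asan_report(text: str) -> AsanReport:
    """Pull the triage-relevant fields out of one ASan heap-overflow report."""
    report: Optional[AsanReport] = None
    current = None  # which stack the frames being read belong to
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            report = AsanReport(bug_class=m.group(1), address=int(m.group(2), 16))
            current = "access"
            continue
        if report is None:
            continue  # skip anything before the ERROR header
        m = ACCESS_RE.match(line)
        if m:
            report.access_kind, report.access_size = m.group(1), int(m.group(2))
            continue
        m = REGION_RE.search(line)
        if m:
            report.distance, report.side, report.region_size = int(m.group(2)), m.group(3), int(m.group(4))
            report.region_start, report.region_end = int(m.group(5), 16), int(m.group(6), 16)
            continue
        if "allocated by thread" in line:
            current = "alloc"  # frames after this line describe the allocation site
            continue
        m = FRAME_RE.match(line)
        if m:
            (report.access_stack if current == "access" else report.alloc_stack).append(
                Frame(int(m.group(1)), m.group(2), m.group(3)))
    if report is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return report

def addresses_consistent(r: AsanReport) -> bool:
    """Cross-check the stated distance against the region bounds (flags truncated or edited reports)."""
    if r.side == "right":
        return r.address - r.region_end == r.distance
    if r.side == "left":
        return r.region_start - r.address == r.distance
    return False

def first_frame_under(frames: List[Frame], path_prefix: str) -> Optional[Frame]:
    """First frame whose source file lives under path_prefix, e.g. 'coders/' for a coder bug."""
    return next((f for f in frames if f.location.startswith(path_prefix)), None)

def summarize(r: AsanReport, project_prefix: str = "coders/") -> str:
    """One-line triage summary naming the coder-level access and allocation sites."""
    fault = first_frame_under(r.access_stack, project_prefix) or r.access_stack[0]
    alloc = first_frame_under(r.alloc_stack, project_prefix) or r.alloc_stack[0]
    return (f"{r.bug_class}: {r.access_kind} of {r.access_size} byte(s) "
            f"{r.distance} bytes {r.side} of a {r.region_size}-byte region; "
            f"accessed from {fault.function} ({fault.location}), "
            f"allocated in {alloc.function} ({alloc.location})")
```

Run `summarize(parse_asan_report(SAMPLE_REPORT))` to get a single line that names the two coder-level sites, which is where a reviewer would start comparing the size computed for the allocation against the size the export routine is asked to write. The consistency check matters when reports arrive copy-pasted or truncated, as they often do in tickets.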

Discussion

  • Bob Friesenhahn - 2019-04-07
    • assigned_to: Bob Friesenhahn

  • Bob Friesenhahn - 2019-04-12
    • status: open --> closed-fixed

  • Bob Friesenhahn - 2019-04-12

    This problem is fixed by Mercurial changeset 15961:57ac0ae85e2a. Thank you for the report.
