Hi, I found a heap-buffer-overflow in EncodeImage at coders/pict.c:1114
I tested it in GraphicsMagick 1.4
How to reproduce:
gm convert $PoC tmp.pict
ASan log:
==31646==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000009300 at pc 0x000000d225a5 bp 0x7fff346c89b0 sp 0x7fff346c89a8
WRITE of size 1 at 0x629000009300 thread T0
#0 0xd225a4 in EncodeImage /home/suhwan/project/graphicsmagick-code/coders/pict.c:1114:15
#1 0xd1dbb7 in WritePICTImage /home/suhwan/project/graphicsmagick-code/coders/pict.c:2369:14
#2 0x60d36a in WriteImage /home/suhwan/project/graphicsmagick-code/magick/constitute.c:2246:14
#3 0x60e22c in WriteImages /home/suhwan/project/graphicsmagick-code/magick/constitute.c:2405:21
#4 0x554ff6 in ConvertImageCommand /home/suhwan/project/graphicsmagick-code/magick/command.c:6135:11
#5 0x589285 in MagickCommand /home/suhwan/project/graphicsmagick-code/magick/command.c:8880:17
#6 0x5b6bc6 in GMCommandSingle /home/suhwan/project/graphicsmagick-code/magick/command.c:17412:10
#7 0x5b5431 in GMCommand /home/suhwan/project/graphicsmagick-code/magick/command.c:17465:16
#8 0x7ff4bf158b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#9 0x4241b9 in _start (/home/suhwan/project/fuzz-input-validate/test/gm+0x4241b9)
0x629000009300 is located 0 bytes to the right of 16640-byte region [0x629000005200,0x629000009300)
allocated by thread T0 here:
#0 0x4cc003 in __interceptor_malloc /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
#1 0xd1c263 in WritePICTImage /home/suhwan/project/graphicsmagick-code/coders/pict.c:2137:19
#2 0x60d36a in WriteImage /home/suhwan/project/graphicsmagick-code/magick/constitute.c:2246:14
#3 0x60e22c in WriteImages /home/suhwan/project/graphicsmagick-code/magick/constitute.c:2405:21
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/suhwan/project/graphicsmagick-code/coders/pict.c:1114:15 in EncodeImage
Shadow bytes around the buggy address:
0x0c527fff9210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff9220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff9230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff9240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff9250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c527fff9260:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff9270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff9280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff9290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff92a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff92b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==31646==ABORTING
GraphicsMagick 1.4 snapshot-20200104 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2020 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.
Feature Support:
Native Thread Safe yes
Large Files (> 32 bit) yes
Large Memory (> 32 bit) yes
BZIP yes
DPS no
FlashPix no
FreeType yes
Ghostscript (Library) no
JBIG yes
JPEG-2000 no
JPEG yes
Little CMS yes
Loadable Modules no
Solaris mtmalloc no
OpenMP yes (201107 "3.1")
PNG yes
TIFF yes
TRIO no
Solaris umem no
WebP no
WMF no
X11 yes
XML yes
ZLIB yes
Host type: x86_64-pc-linux-gnu
This problem is eliminated by Mercurial changeset 16202:8273307fa414. Thanks for the report!
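The report above shows a one-byte write landing exactly at the end of a heap block that WritePICTImage allocated and that the run-length encoder EncodeImage fills. The example below is added here; it is not GraphicsMagick's code and not the fix in changeset 16202:8273307fa414. It is a small PackBits-style encoder (the scheme PICT uses for packed scanlines) written to show the class of bug such a report usually points at: an output buffer sized to the raw scanline, while the encoder's worst case (one header byte per 128 bytes of unrepeated data) is larger. The function names, the sizing rule and the sample data are assumptions made for the example; the page does not say what the actual cause in pict.c was.

```c
/* Added example, not GraphicsMagick code. A bounded PackBits-style encoder
 * (the scheme PICT uses for packed scanlines) with the sizing check that an
 * undersized output buffer needs. Names and sample data are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Worst-case PackBits output for n input bytes: data with no repeats costs
 * one header byte per 128-byte literal chunk, so n + ceil(n/128). */
size_t packbits_worst_case(size_t n) {
    return n + (n + 127) / 128;
}

/* Encode src[0..n) into dst[0..dst_len). Returns bytes written, or
 * (size_t)-1 if the output would not fit. Never writes past dst + dst_len. */
size_t packbits_encode(const uint8_t *src, size_t n,
                       uint8_t *dst, size_t dst_len) {
    size_t i = 0, out = 0;
    while (i < n) {
        /* Run of identical bytes starting at i, at most 128 long. */
        size_t run = 1;
        while (i + run < n && run < 128 && src[i + run] == src[i]) run++;
        if (run >= 2) {
            if (out + 2 > dst_len) return (size_t)-1;
            dst[out++] = (uint8_t)(257 - run);  /* header -(run-1) as a signed byte */
            dst[out++] = src[i];
            i += run;
            continue;
        }
        /* Literal chunk: extend until a run of >= 2 begins or 128 bytes. */
        size_t lit = 1;
        while (i + lit < n && lit < 128) {
            if (i + lit + 1 < n && src[i + lit] == src[i + lit + 1]) break;
            lit++;
        }
        /* This is the check an undersized buffer trips: remove it and the
         * byte loop below writes one byte past dst, as in the report above. */
        if (out + 1 + lit > dst_len) return (size_t)-1;
        dst[out++] = (uint8_t)(lit - 1);         /* header lit-1 */
        for (size_t k = 0; k < lit; k++) dst[out++] = src[i + k];
        i += lit;
    }
    return out;
}

/* Decoder used for round-trip checking. Returns bytes produced, or
 * (size_t)-1 if the stream is truncated or would overrun dst. */
size_t packbits_decode(const uint8_t *src, size_t n,
                       uint8_t *dst, size_t dst_len) {
    size_t i = 0, out = 0;
    while (i < n) {
        uint8_t h = src[i++];
        if (h == 128) continue;                  /* no-op header */
        if (h < 128) {                           /* literal of h+1 bytes */
            size_t lit = (size_t)h + 1;
            if (i + lit > n || out + lit > dst_len) return (size_t)-1;
            memcpy(dst + out, src + i, lit);
            i += lit; out += lit;
        } else {                                 /* repeat next byte 257-h times */
            size_t rep = 257 - h;
            if (i >= n || out + rep > dst_len) return (size_t)-1;
            memset(dst + out, src[i++], rep);
            out += rep;
        }
    }
    return out;
}

/* A 256-byte line with no two adjacent bytes equal needs 258 bytes encoded.
 * A buffer sized to the raw line (the assumed bug) is refused, not overrun. */
int undersized_buffer_rejected(void) {
    uint8_t line[256];
    for (int k = 0; k < 256; k++) line[k] = (uint8_t)k;
    uint8_t *small = malloc(sizeof line);        /* too small by two bytes */
    size_t r = packbits_encode(line, sizeof line, small, sizeof line);
    free(small);
    return r == (size_t)-1;
}

/* Constructed sample (long run, short literal, 2-byte run, literal tail)
 * encoded into a worst-case-sized buffer and decoded back. 1 on success. */
int roundtrip_ok(void) {
    uint8_t src[300];
    size_t n = 0;
    for (int k = 0; k < 200; k++) src[n++] = 0xAA;
    src[n++] = 1; src[n++] = 2; src[n++] = 3;
    src[n++] = 7; src[n++] = 7;
    for (int k = 0; k < 50; k++) src[n++] = (uint8_t)(k * 3);
    size_t cap = packbits_worst_case(n);
    uint8_t *enc = malloc(cap), *dec = malloc(n);
    size_t elen = packbits_encode(src, n, enc, cap);
    int ok = elen != (size_t)-1 && elen <= cap;
    if (ok) {
        size_t dlen = packbits_decode(enc, elen, dec, n);
        ok = dlen == n && memcmp(src, dec, n) == 0;
    }
    free(enc); free(dec);
    return ok;
}

int main(void) {
    printf("worst case for 256 bytes: %zu\n", packbits_worst_case(256));
    printf("undersized buffer rejected: %s\n", undersized_buffer_rejected() ? "yes" : "no");
    printf("round trip: %s\n", roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

Built with `clang -g -fsanitize=address`, deleting the `out + 1 + lit > dst_len` check from packbits_encode and running undersized_buffer_rejected gives an ASan report of the same shape as the one above: a WRITE of size 1 located 0 bytes to the right of a 256-byte heap region. The general rule the example encodes is that the writer's buffer must be sized from packbits_worst_case(n), not from n, and the encoder itself must refuse to write past whatever length it was handed.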