A heap-buffer-overflow happened in coders/tiff.c
GraphicsMagick 1.3.43
Ubuntu 20.04.6 LTS
Compile the test program with AddressSanitizer using these commands:
$ export CXX=`which clang++`
$ export CC=`which clang`
$ export CFLAGS='-g -fsanitize=address -O1 -fno-omit-frame-pointer '
$ export CXXFLAGS='-g -fsanitize=address -O1 -fno-omit-frame-pointer '
$ ./configure --disable-shared
$ make
Information obtained by using ASAN:
$ ./gm convert /home/local/issue/heap-buffer-overflow-GraphicsMagick-1 out.tif
=================================================================
==2952056==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000008a12 at pc 0x00000087c7d5 bp 0x7fffffff9960 sp 0x7fffffff9958
READ of size 1 at 0x621000008a12 thread T0
#0 0x87c7d4 in LD_UINT32_HI /home/local/asan/GraphicsMagick-1.3.43/coders/tiff.c:4435:94
#1 0x87c1b2 in AddIFDExifFields /home/local/asan/GraphicsMagick-1.3.43/coders/tiff.c:4528:15
#2 0x87bc52 in AddExifFields /home/local/asan/GraphicsMagick-1.3.43/coders/tiff.c:4784:10
#3 0x873e90 in WriteTIFFImage /home/local/asan/GraphicsMagick-1.3.43/coders/tiff.c:6214:13
#4 0x55ee71 in WriteImage /home/local/asan/GraphicsMagick-1.3.43/magick/constitute.c:2324:14
#5 0x55f6eb in WriteImages /home/local/asan/GraphicsMagick-1.3.43/magick/constitute.c:2483:21
#6 0x517bde in ConvertImageCommand /home/local/asan/GraphicsMagick-1.3.43/magick/command.c:6269:11
#7 0x52f9ef in MagickCommand /home/local/asan/GraphicsMagick-1.3.43/magick/command.c:9016:17
#8 0x544842 in GMCommandSingle /home/local/asan/GraphicsMagick-1.3.43/magick/command.c:17655:10
#9 0x54456f in GMCommand /home/local/asan/GraphicsMagick-1.3.43/magick/command.c:17708:16
#10 0x4ff5d8 in main /home/local/asan/GraphicsMagick-1.3.43/utilities/gm.c:61:10
#11 0x155554a5a082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
#12 0x4250ad in _start (/home/local/asan/GraphicsMagick-1.3.43/utilities/gm+0x4250ad)
0x621000008a12 is located 0 bytes to the right of 4370-byte region [0x621000007900,0x621000008a12)
allocated by thread T0 here:
#0 0x4ca548 in realloc /home/aflgo/instrument/llvm_tools/compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3
#1 0x5a58cd in _MagickReallocateResourceLimitedMemory /home/local/asan/GraphicsMagick-1.3.43/magick/memory.c:818:36
#2 0x5a5be4 in _MagickAllocateResourceLimitedMemory /home/local/asan/GraphicsMagick-1.3.43/magick/memory.c:909:10
#3 0x5a5171 in MagickMapCopyResourceLimitedBlob /home/local/asan/GraphicsMagick-1.3.43/magick/map.c:1316:14
#4 0x5a351f in MagickMapAllocateObject /home/local/asan/GraphicsMagick-1.3.43/magick/map.c:168:26
#5 0x5a311f in MagickMapAddEntry /home/local/asan/GraphicsMagick-1.3.43/magick/map.c:331:14
#6 0x5c6011 in SetImageProfile /home/local/asan/GraphicsMagick-1.3.43/magick/profile.c:1263:21
#7 0x753910 in ReadJPEGImage /home/local/asan/GraphicsMagick-1.3.43/coders/jpeg.c:1653:14
#8 0x55c3ba in ReadImage /home/local/asan/GraphicsMagick-1.3.43/magick/constitute.c:1682:13
#9 0x8da4e3 in BlobToImage /home/local/asan/GraphicsMagick-1.3.43/magick/blob.c:786:13
#10 0x6fae4c in ExtractNestedBlob /home/local/asan/GraphicsMagick-1.3.43/coders/bmp.c:578:25
#11 0x6f173a in ReadBMPImage /home/local/asan/GraphicsMagick-1.3.43/coders/bmp.c:1209:21
#12 0x55c3ba in ReadImage /home/local/asan/GraphicsMagick-1.3.43/magick/constitute.c:1682:13
#13 0x510afc in ConvertImageCommand /home/local/asan/GraphicsMagick-1.3.43/magick/command.c:4507:22
#14 0x52f9ef in MagickCommand /home/local/asan/GraphicsMagick-1.3.43/magick/command.c:9016:17
#15 0x544842 in GMCommandSingle /home/local/asan/GraphicsMagick-1.3.43/magick/command.c:17655:10
#16 0x54456f in GMCommand /home/local/asan/GraphicsMagick-1.3.43/magick/command.c:17708:16
#17 0x4ff5d8 in main /home/local/asan/GraphicsMagick-1.3.43/utilities/gm.c:61:10
#18 0x155554a5a082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/local/asan/GraphicsMagick-1.3.43/coders/tiff.c:4435:94 in LD_UINT32_HI
Shadow bytes around the buggy address:
0x0c427fff90f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff9100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff9110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff9120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff9130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff9140: 00 00[02]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff9150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff9160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff9170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff9180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff9190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2952056==ABORTING
A stack-buffer-overflow was discovered in GraphicsMagick. The issue is being triggered in function LD_UINT32_HI() at coders/tiff.c:4435.
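The ASan report above is a 1-byte READ at an address 0 bytes past the end of a 4370-byte profile blob, inside a 32-bit load helper: the EXIF IFD walker in the TIFF writer loads a 4-byte field whose offset lies within the last few bytes of the buffer, so the load runs off the end. The following is an added example, not GraphicsMagick's code and not the project's LD_UINT32_HI or AddIFDExifFields: a small TIFF/EXIF IFD walker in which every 2- and 4-byte field load, and every out-of-line payload offset, is range-checked against the blob length before memory is touched. The function names (exif_load_u16, exif_load_u32, validate_exif_blob) and the three byte arrays are constructed for the illustration and are not taken from the reporter's file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not GraphicsMagick code: bounds-checked TIFF/EXIF loaders.
 * The test `off > len - N` is written so it cannot wrap for a large `off`. */
static int exif_load_u16(const uint8_t *p, size_t len, size_t off,
                         int big_endian, uint16_t *out)
{
    if (len < 2 || off > len - 2)
        return -1;
    *out = big_endian ? (uint16_t)(((unsigned)p[off] << 8) | p[off + 1])
                      : (uint16_t)(((unsigned)p[off + 1] << 8) | p[off]);
    return 0;
}

static int exif_load_u32(const uint8_t *p, size_t len, size_t off,
                         int big_endian, uint32_t *out)
{
    if (len < 4 || off > len - 4)
        return -1;
    *out = big_endian
        ? ((uint32_t)p[off] << 24) | ((uint32_t)p[off + 1] << 16) |
          ((uint32_t)p[off + 2] << 8) | p[off + 3]
        : ((uint32_t)p[off + 3] << 24) | ((uint32_t)p[off + 2] << 16) |
          ((uint32_t)p[off + 1] << 8) | p[off];
    return 0;
}

/* Byte size of TIFF field types 1..12; 0 means unknown (skipped, not fatal). */
static const uint8_t tiff_type_size[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

/* Validate the TIFF header and walk IFD0.  Returns the number of entries
 * checked, or -1 as soon as any field or out-of-line payload would fall
 * outside the blob. */
int validate_exif_blob(const uint8_t *blob, size_t len)
{
    uint16_t magic, n_entries;
    uint32_t ifd_off;
    int be;

    if (len < 8)
        return -1;
    if (blob[0] == 'M' && blob[1] == 'M') be = 1;        /* big-endian */
    else if (blob[0] == 'I' && blob[1] == 'I') be = 0;   /* little-endian */
    else return -1;
    if (exif_load_u16(blob, len, 2, be, &magic) || magic != 42)
        return -1;
    if (exif_load_u32(blob, len, 4, be, &ifd_off) ||
        exif_load_u16(blob, len, ifd_off, be, &n_entries))
        return -1;

    for (uint32_t i = 0; i < n_entries; i++) {
        /* Each entry is 12 bytes: tag(2) type(2) count(4) value-or-offset(4).
         * The entry offset is computed in 64 bits so it cannot overflow. */
        uint64_t e = (uint64_t)ifd_off + 2 + (uint64_t)i * 12;
        uint16_t tag, type;
        uint32_t count, value;
        uint64_t payload;

        if (e > len)                       /* keeps the size_t casts in range */
            return -1;
        if (exif_load_u16(blob, len, (size_t)e, be, &tag) ||
            exif_load_u16(blob, len, (size_t)e + 2, be, &type) ||
            exif_load_u32(blob, len, (size_t)e + 4, be, &count) ||
            exif_load_u32(blob, len, (size_t)e + 8, be, &value))
            return -1;
        /* A payload larger than 4 bytes is stored out of line and `value`
         * is an offset into the blob, which must be range-checked too. */
        payload = (uint64_t)count * (type < 13 ? tiff_type_size[type] : 0);
        if (payload > 4 && (value > len || payload > len - value))
            return -1;
        (void)tag;
    }
    return (int)n_entries;
}

/* Constructed sample blobs (big-endian, IFD0 at offset 8). */
/* Well-formed: one ASCII entry whose 4-byte payload "GM\0\0" is inline. */
const uint8_t exif_good[] = {
    'M','M', 0x00,0x2A, 0x00,0x00,0x00,0x08, 0x00,0x01,
    0x01,0x10, 0x00,0x02, 0x00,0x00,0x00,0x04, 'G','M',0x00,0x00,
    0x00,0x00,0x00,0x00 };
/* Truncated: the count says two entries but the blob ends two bytes into the
 * second entry's value field, so an unchecked 4-byte load would start inside
 * the buffer and run past its end, as in the ASan report. */
const uint8_t exif_truncated[] = {
    'M','M', 0x00,0x2A, 0x00,0x00,0x00,0x08, 0x00,0x02,
    0x01,0x10, 0x00,0x02, 0x00,0x00,0x00,0x04, 'G','M',0x00,0x00,
    0x01,0x1A, 0x00,0x05, 0x00,0x00,0x00,0x01, 0x00,0x00 };
/* Out-of-line payload: an 8-byte RATIONAL at offset 0x1000, beyond the blob. */
const uint8_t exif_bad_offset[] = {
    'M','M', 0x00,0x2A, 0x00,0x00,0x00,0x08, 0x00,0x01,
    0x01,0x1A, 0x00,0x05, 0x00,0x00,0x00,0x01, 0x00,0x00,0x10,0x00,
    0x00,0x00,0x00,0x00 };

int main(void)
{
    printf("good: %d\n",       validate_exif_blob(exif_good, sizeof exif_good));
    printf("truncated: %d\n",  validate_exif_blob(exif_truncated, sizeof exif_truncated));
    printf("bad offset: %d\n", validate_exif_blob(exif_bad_offset, sizeof exif_bad_offset));
    return 0;
}
```

The truncated blob is the shape of the bug the report describes: the profile copied out of the JPEG (SetImageProfile, 4370 bytes here) can end anywhere, so the EXIF writer cannot assume that an IFD entry count implies the entries are present, and every field load needs a check against the profile length rather than against the IFD's own claims. Note that the "0 bytes to the right" in the report means the load started inside the allocation and only its trailing bytes were out of bounds, which is exactly what a size-unaware per-byte macro produces when the offset check is missing.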
The problem is fixed: https://sourceforge.net/p/graphicsmagick/code/commit_browser
O:\temp\39>gm convert heap-buffer-overflow-GraphicsMagick-2.bmp heap-buffer-over
d:\program files\graphicsmagick-1.4-q8\gm.exe convert: Corrupt JPEG data: 48 extraneous bytes before marker 0xdb (blob-027F7FECx) [No such file or directory].
O:\temp\39>gm identify heap-buffer-overflow-GraphicsMagick-2.tiff
heap-buffer-overflow-GraphicsMagick-2.tiff TIFF 23x26+0+0 DirectClass 8-bit 1.2Ki 0.000u 0m:0.000013s
Last edit: Jaroslav Fojtik 2024-05-15
Wow, problem solved fast! Can I apply for a CVE for it?
Just do it. This fix cannot harm anything.
This issue is not yet properly fixed. Many more horrors appear in valgrind output after the claimed fix is applied.
Please do not close the issue until it has been independently verified.
I cannot verify that the problem still exists.
It works for me and I observe no crash.
Anyway, the fix improves the situation a lot.
Looking at your logs from valgrind, this bug should be closed. When the JPG reader reads EXIF only partially, it is not a problem of the TIFF writer. This is a completely different issue.
You should close both 738 & 739 - this creates a complete mess. All remaining problems are the same and stem from the JPG reader.
I see nothing in valgrind, feel free to close this.
I am seeing a huge number of reports from valgrind given the Mercurial updates available at this instant.
This issue appears to be fixed now.