oss-sec mailing list archives

GraphicsMagick CVE Request - WPG Reader Issues


From: Bob Friesenhahn <bfriesen () simple dallas tx us>
Date: Fri, 7 Oct 2016 08:35:33 -0500 (CDT)

Two security issues have been discovered in the WPG format reader in
GraphicsMagick 1.3.25 (and earlier):

1. In a build with QuantumDepth=8 (the default), there is no check
   that the provided colormap is not larger than 256 entries,
   resulting in potential heap overflow.  This problem does not occur
   with larger QuantumDepth values.

2. The assertion:

   ReferenceBlob: Assertion `blob != (BlobInfo *) NULL' failed.

   is thrown (causing a crash) for some files due to a logic error
   which leads to passing a NULL pointer where a NULL pointer is not
   allowed.

These issues were discovered using American Fuzzy Lop by fuzzing with
the corpus by Moshe Kaplan discovered on GitHub at
https://github.com/moshekaplan/FuzzGraphicsMagick.

A patch resolving the two above issues is attached.

Bob
--
Bob Friesenhahn
bfriesen () simple dallas tx us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

Attachment: wpg.c.patch
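
The missing bound described in issue 1, as an added example that is not part of the original message and is not GraphicsMagick's wpg.c: a palette loader that rejects a record whose entry range does not fit the colormap. The record layout (16-bit little-endian start index and count, then RGB triples), all names, and the 256-entry limit constant are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define CMAP_LIMIT 256u  /* assumed colormap capacity of an 8-bit quantum build */

typedef struct { uint8_t r, g, b; } rgb_t;

/* Hypothetical record layout: u16le start index, u16le entry count,
 * then `count` RGB triples. Returns the number of entries stored, or -1
 * when the record is truncated or its range does not fit the colormap. */
int load_palette(const uint8_t *rec, size_t len, rgb_t *cmap, size_t cmap_len)
{
    if (rec == NULL || cmap == NULL || len < 4 || cmap_len > CMAP_LIMIT)
        return -1;
    size_t start = (size_t)rec[0] | ((size_t)rec[1] << 8);
    size_t count = (size_t)rec[2] | ((size_t)rec[3] << 8);

    /* Bound from issue 1: the declared range must fit the colormap.
     * Written as a subtraction so start + count cannot wrap. */
    if (start >= cmap_len || count > cmap_len - start)
        return -1;
    /* The record must actually contain the triples it declares. */
    if ((len - 4) / 3 < count)
        return -1;

    for (size_t i = 0; i < count; i++) {
        const uint8_t *p = rec + 4 + 3 * i;
        cmap[start + i].r = p[0];
        cmap[start + i].g = p[1];
        cmap[start + i].b = p[2];
    }
    return (int)count;
}

/* Constructed sample records (not taken from any real file). */
static const uint8_t rec_oversized[]  = { 0x00, 0x00, 0x2C, 0x01 };               /* start 0, count 300 */
static const uint8_t rec_off_by_one[] = { 0xFF, 0x00, 0x02, 0x00, 1,2,3, 4,5,6 }; /* start 255, count 2 */
static const uint8_t rec_truncated[]  = { 0x00, 0x00, 0x02, 0x00, 1,2,3 };        /* declares 2, holds 1 */
static const uint8_t rec_valid[]      = { 0xFE, 0x00, 0x02, 0x00, 1,2,3, 4,5,6 }; /* start 254, count 2 */
static rgb_t demo_cmap[CMAP_LIMIT];
```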