oss-sec mailing list archives
imagemagick: heap-based buffer overflow in IsPixelGray (pixel-accessor.h) (Incomplete fix for CVE-2016-9556)
From: Agostino Sarubbo <ago () gentoo org>
Date: Thu, 01 Dec 2016 14:39:38 +0100
If suitable for a CVE please assign one. Thanks.

Description:
imagemagick is a software suite to create, edit, compose, or convert bitmap images.

A fuzz on an updated version which includes the fix for CVE-2016-9556, revealed that the issue is still present.

The complete ASan output:

# identify $FILE
==30875==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610000007cc0 at pc 0x7f897b123267 bp 0x7fff44a4ba70 sp 0x7fff44a4ba68
READ of size 4 at 0x610000007cc0 thread T0
    #0 0x7f897b123266 in IsPixelGray /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/./MagickCore/pixel-accessor.h:507:30
    #1 0x7f897b123266 in IdentifyImageGray /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/attribute.c:677
    #2 0x7f897b123e2d in IdentifyImageType /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/attribute.c:820:7
    #3 0x7f897b3ca308 in IdentifyImage /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/identify.c:527:8
    #4 0x7f897ab0e591 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickWand/identify.c:336:22
    #5 0x7f897ab85ee6 in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickWand/mogrify.c:183:14
    #6 0x50a495 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/utilities/magick.c:145:10
    #7 0x50a495 in main /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/utilities/magick.c:176
    #8 0x7f89797c061f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #9 0x419d28 in _init (/usr/bin/magick+0x419d28)

0x610000007cc0 is located 0 bytes to the right of 128-byte region [0x610000007c40,0x610000007cc0)
allocated by thread T0 here:
    #0 0x4d3685 in posix_memalign /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:130
    #1 0x7f897b44a619 in AcquireAlignedMemory /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/memory.c:258:7
    #2 0x7f897b15840e in AcquireCacheNexusPixels /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/cache.c:4636:33
    #3 0x7f897b15840e in SetPixelCacheNexusPixels /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/cache.c:4748
    #4 0x7f897b14e891 in GetVirtualPixelsFromNexus /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/cache.c:2629:10
    #5 0x7f897b16d90e in GetCacheViewVirtualPixels /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/cache-view.c:664:10
    #6 0x7f897b122878 in IdentifyImageGray /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/attribute.c:672:7
    #7 0x7f897b123e2d in IdentifyImageType /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/attribute.c:820:7
    #8 0x7f897b3ca308 in IdentifyImage /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/identify.c:527:8
    #9 0x7f897ab0e591 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickWand/identify.c:336:22
    #10 0x7f897ab85ee6 in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickWand/mogrify.c:183:14
    #11 0x50a495 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/utilities/magick.c:145:10
    #12 0x50a495 in main /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/utilities/magick.c:176
    #13 0x7f89797c061f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/./MagickCore/pixel-accessor.h:507:30 in IsPixelGray
Shadow bytes around the buggy address:
  0x0c207fff8f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8f80: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c207fff8f90: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0c207fff8fa0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c207fff8fb0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c207fff8fc0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff8fd0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c207fff8fe0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30875==ABORTING

Affected version: 7.0.3.8

Fixed version: N/A

Commit fix: N/A

Credit: This bug was discovered by Agostino Sarubbo of Gentoo.

CVE: N/A

Reproducer: https://github.com/asarubbo/poc/blob/master/00090-imagemagick-heapoverflow-IsPixelGray

Timeline:
2016-12-01: bug re-discovered and reported to upstream
2016-12-01: blog post about the issue

Note: This bug was found with American Fuzzy Lop.

Permalink: https://blogs.gentoo.org/ago/2016/12/01/imagemagick-heap-based-buffer-overflow-in-ispixelgray-pixel-accessor-h-incomplete-fix-for-cve-2016-9556

--
Agostino Sarubbo
Gentoo Linux Developer
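An added triage example, not part of the original post or of ImageMagick: it parses the header lines of the ASan report quoted above and cross-checks them against the shadow-memory dump. The `triage` and `shadow` names are hypothetical, and the shadow mapping (shift 3, offset 0x7fff8000) is assumed to be the default for x86_64 Linux.

```python
import re

# Constructed sample: header lines copied from the ASan report in the post.
REPORT = """\
==30875==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610000007cc0 at pc 0x7f897b123267 bp 0x7fff44a4ba70 sp 0x7fff44a4ba68
READ of size 4 at 0x610000007cc0 thread T0
    #0 0x7f897b123266 in IsPixelGray /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/./MagickCore/pixel-accessor.h:507:30
0x610000007cc0 is located 0 bytes to the right of 128-byte region [0x610000007c40,0x610000007cc0)
"""

# Assumption: default ASan shadow mapping on x86_64 Linux.
SHADOW_SCALE = 3            # one shadow byte covers 8 application bytes
SHADOW_OFFSET = 0x7FFF8000


def shadow(addr):
    """Map an application address to its shadow-memory address."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET


def triage(report):
    """Extract the fields needed to classify and de-duplicate the crash."""
    bug = re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", report)
    acc = re.search(r"^(READ|WRITE) of size (\d+) at", report, re.M)
    reg = re.search(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", report)
    top = re.search(r"#0 0x[0-9a-f]+ in (\S+) (\S+)", report)
    if not (bug and acc and reg and top):
        raise ValueError("not a complete ASan heap report header")
    addr = int(bug.group(2), 16)
    size, start, end = int(reg.group(1)), int(reg.group(2), 16), int(reg.group(3), 16)
    if end - start != size:
        raise ValueError("region bounds disagree with the stated size")
    return {
        "bug": bug.group(1),
        "access": acc.group(1),
        "access_size": int(acc.group(2)),
        "function": top.group(1),
        "location": top.group(2).rsplit("/", 1)[-1],  # file:line:col only
        "bytes_past_end": addr - end,                 # 0 = first byte after the buffer
        "fault_shadow": shadow(addr),                 # the [fa] cell in the dump
        "region_shadow_bytes": shadow(end) - shadow(start),  # run of 00 cells
    }


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key:20} {hex(value) if key == 'fault_shadow' else value}")
```

The computed shadow address 0x0c207fff8f98 is the bracketed `[fa]` cell on the `=>` row, and the 16 shadow bytes of the region are the run of `00` cells just before it.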