Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

heap-buffer-overflow in /MagickCore/quantum-private.h #1857

Closed
3 tasks done
p1ay8y3ar opened this issue Mar 2, 2020 · 4 comments
Closed
3 tasks done

heap-buffer-overflow in /MagickCore/quantum-private.h #1857

p1ay8y3ar opened this issue Mar 2, 2020 · 4 comments

Comments

@p1ay8y3ar
Copy link

p1ay8y3ar commented Mar 2, 2020
edited

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

There is a vlun heap overflow found in " /MagickCore/quantum-private.h:236:11 in PushCharPixel"

Steps to Reproduce

crashed file

./magic convert xxx.tiff xxx.png

ASAN's full log can be found in here

port of ASAN's log

==74648==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f62ea369962 at pc 0x000001389ad0 bp 0x7ffc161d7be0 sp 0x7ffc161d7bd8
READ of size 1 at 0x7f62ea369962 thread T0
    #0 0x1389acf in PushCharPixel /home/freedom/Desktop/fuzz_sourcecode/imageMagick/test/ImageMagick-7.0.9-27/./MagickCore/quantum-private.h:236:11
    #1 0x1389acf in ImportRGBQuantum /home/freedom/Desktop/fuzz_sourcecode/imageMagick/test/ImageMagick-7.0.9-27/MagickCore/quantum-import.c:3797:11
    #2 0x1389acf in ImportQuantumPixels /home/freedom/Desktop/fuzz_sourcecode/imageMagick/test/ImageMagick-7.0.9-27/MagickCore/quantum-import.c:4776:7
    #3 0xd1eb2d in ReadTIFFImage /home/freedom/Desktop/fuzz_sourcecode/imageMagick/test/ImageMagick-7.0.9-27/coders/tiff.c:1970:20
    #4 0xe84e2d in ReadImage /home/freedom/Desktop/fuzz_sourcecode/imageMagick/test/ImageMagick-7.0.9-27/MagickCore/constitute.c:553:15
    #5 0xe89948 in ReadImages /home/freedom/Desktop/fuzz_sourcecode/imageMagick/test/ImageMagick-7.0.9-27/MagickCore/constitute.c:941:9
    #6 0x1731cb8 in ConvertImageCommand /home/freedom/Desktop/fuzz_sourcecode/imageMagick/test/ImageMagick-7.0.9-27/MagickWand/convert.c:606:18
    #7 0x1897ac3 in MagickCommandGenesis /home/freedom/Desktop/fuzz_sourcecode/imageMagick/test/ImageMagick-7.0.9-27/MagickWand/mogrify.c:186:14
    #8 0x4cf918 in MagickMain /home/freedom/Desktop/fuzz_sourcecode/imageMagick/test/ImageMagick-7.0.9-27/utilities/magick.c:149:10
    #9 0x4cf918 in main /home/freedom/Desktop/fuzz_sourcecode/imageMagick/test/ImageMagick-7.0.9-27/utilities/magick.c:180:10
    #10 0x7f62f00671e2 in __libc_start_main /build/glibc-t7JzpG/glibc-2.30/csu/../csu/libc-start.c:308:16
    #11 0x4279ed in _start (/home/freedom/Desktop/fuzz_sourcecode/imageMagick/test/ImageMagick-7.0.9-27/utilities/magick+0x4279ed)

0x7f62ea369962 is located 0 bytes to the right of 225634-byte region [0x7f62ea332800,0x7f62ea369962)
allocated by thread T0 here:
    #0 0x49f8ed in malloc (/home/freedom/Desktop/fuzz_sourcecode/imageMagick/test/ImageMagick-7.0.9-27/utilities/magick+0x49f8ed)
    #1 0xd1e7ac in ReadTIFFImage /home/freedom/Desktop/fuzz_sourcecode/imageMagick/test/ImageMagick-7.0.9-27/coders/tiff.c:1922:40
    #2 0xe84e2d in ReadImage /home/freedom/Desktop/fuzz_sourcecode/imageMagick/test/ImageMagick-7.0.9-27/MagickCore/constitute.c:553:15
    #3 0xe89948 in ReadImages /home/freedom/Desktop/fuzz_sourcecode/imageMagick/test/ImageMagick-7.0.9-27/MagickCore/constitute.c:941:9
    #4 0x1731cb8 in ConvertImageCommand /home/freedom/Desktop/fuzz_sourcecode/imageMagick/test/ImageMagick-7.0.9-27/MagickWand/convert.c:606:18
    #5 0x1897ac3 in MagickCommandGenesis /home/freedom/Desktop/fuzz_sourcecode/imageMagick/test/ImageMagick-7.0.9-27/MagickWand/mogrify.c:186:14
    #6 0x4cf918 in MagickMain /home/freedom/Desktop/fuzz_sourcecode/imageMagick/test/ImageMagick-7.0.9-27/utilities/magick.c:149:10
    #7 0x4cf918 in main /home/freedom/Desktop/fuzz_sourcecode/imageMagick/test/ImageMagick-7.0.9-27/utilities/magick.c:180:10
    #8 0x7f62f00671e2 in __libc_start_main /build/glibc-t7JzpG/glibc-2.30/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/freedom/Desktop/fuzz_sourcecode/imageMagick/test/ImageMagick-7.0.9-27/./MagickCore/quantum-private.h:236:11 in PushCharPixel

System Configuration

  • ImageMagick version:
Version: ImageMagick 7.0.9-27 Q16 x86_64 2020-03-01 https://imagemagick.org
Copyright: © 1999-2020 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(3.1) 
Delegates (built-in): fontconfig freetype heic jbig jng jp2 jpeg lzma png tiff webp x xml zlib
  • Environment (Operating system, version and so on):
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=19.10
DISTRIB_CODENAME=eoan
DISTRIB_DESCRIPTION="Ubuntu 19.10
  • Additional information:
urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Mar 2, 2020
https://github.com/ImageMagick/ImageMagick/issues/1857
b466a96
urban-warrior pushed a commit that referenced this issue Mar 2, 2020
https://github.com/ImageMagick/ImageMagick/issues/1857
54cdc14
@urban-warrior
Copy link
Member

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Mar 2, 2020
https://github.com/ImageMagick/ImageMagick/issues/1857
7486477
urban-warrior pushed a commit that referenced this issue Mar 2, 2020
https://github.com/ImageMagick/ImageMagick/issues/1857
651672f
@p1ay8y3ar
Copy link
Author

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

Thanks for amazing work!
by the way, it's imageMagick's team assigned this a cve id or it should request by myself?

@dlemstra
Copy link
Member

dlemstra commented Mar 3, 2020

You should request one yourself.

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Mar 10, 2020
ImageMagick: update to 7.0.10.0
7b3b40c 
2020-03-01  7.0.10-0 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.10-0, GIT revision 17...

2020-03-01  7.0.10-0 Cristy  <quetzlzacatenango@image...>
  * Label text no longer gets cut-off (reference
    https://imagemagick.org/discourse-server/viewtopic.php?f=1&t=37621).
  * Prevent heap overflow (reference
     ImageMagick/ImageMagick#1857).
@dlemstra dlemstra closed this as completed Jun 9, 2020
@p1ay8y3ar
Copy link
Author

CVE-2023-3745,received after 3 years lol

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dlemstra @urban-warrior @p1ay8y3ar