ImageMagick 7.0.3-3 Q16 x86_64 2016-10-05 Heap Buffer Overflow

Post any defects you find in the released or beta versions of the ImageMagick software here. Include the ImageMagick version, OS, and any command-line required to reproduce the problem. Got a patch for a bug? Post it here.
Post Reply
myliniem
Posts: 2
Joined: 2016-08-05T02:23:17-07:00
Authentication code: 1151

ImageMagick 7.0.3-3 Q16 x86_64 2016-10-05 Heap Buffer Overflow

Post by myliniem »

Code: Select all

mikko@mikko-Latitude-E6330:~/git/ImageMagick/utilities$ ./magick --version
Version: ImageMagick 7.0.3-3 Q16 x86_64 2016-10-05 http://www.imagemagick.org
Copyright: Copyright (C) 1999-2016 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC 
Delegates (built-in): 
Repro file:
https://www.dropbox.com/s/k1il5l8tszz9c ... repro?dl=0

ASAN trace

Code: Select all

INFO: Seed: 1348329510
Loaded 1024/5175 files from /samples/
Loaded 2048/5175 files from /samples/
Loaded 4096/5175 files from /samples/
#0	READ   units: 5175 exec/s: 0
=================================================================
==1062==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200004a1fa at pc 0x7f9caca011ae bp 0x7ffd7af697f0 sp 0x7ffd7af697e8
READ of size 1 at 0x60200004a1fa thread T0
    #0 0x7f9caca011ad in ImportGrayQuantum (/usr/lib/libMagickCore-7.Q16HDRI.so.0+0x96c1ad)
    #1 0x7f9cac9e5d37 in ImportQuantumPixels (/usr/lib/libMagickCore-7.Q16HDRI.so.0+0x950d37)
    #2 0x7f9cad06e0e2 in ReadPNMImage (/usr/lib/libMagickCore-7.Q16HDRI.so.0+0xfd90e2)
    #3 0x7f9cac4a8fc7 in ReadImage (/usr/lib/libMagickCore-7.Q16HDRI.so.0+0x413fc7)
    #4 0x7f9cac387e8d in BlobToImage (/usr/lib/libMagickCore-7.Q16HDRI.so.0+0x2f2e8d)
    #5 0x50569e in LLVMFuzzerTestOneInput (/src/ImageMagick/ImageMagick-fuzzer+0x50569e)
    #6 0x4f624c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/Fuzzer/FuzzerLoop.cpp:521:13
    #7 0x4f58b4 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /src/Fuzzer/FuzzerLoop.cpp:477:3
    #8 0x4f5de1 in fuzzer::Fuzzer::RunOne(std::vector<unsigned char, std::allocator<unsigned char> > const&) /src/Fuzzer/FuzzerInternal.h:455:39
    #9 0x4f5de1 in fuzzer::Fuzzer::ShuffleAndMinimize() /src/Fuzzer/FuzzerLoop.cpp:437
    #10 0x4f0a10 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/Fuzzer/FuzzerDriver.cpp:420:3
    #11 0x4eef10 in main /src/Fuzzer/FuzzerMain.cpp:21:10
    #12 0x7f9ca6f6382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x41aa78 in _start (/src/ImageMagick/ImageMagick-fuzzer+0x41aa78)

0x60200004a1fa is located 0 bytes to the right of 10-byte region [0x60200004a1f0,0x60200004a1fa)
allocated by thread T0 here:
    #0 0x4ec2f0 in operator new[](unsigned long) (/src/ImageMagick/ImageMagick-fuzzer+0x4ec2f0)
    #1 0x4f61ed in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/Fuzzer/FuzzerLoop.cpp:514:39

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/libMagickCore-7.Q16HDRI.so.0+0x96c1ad) in ImportGrayQuantum
Shadow bytes around the buggy address:
  0x0c04800013e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800013f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480001400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480001410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480001420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0480001430: fa fa 00 fa fa fa 00 00 fa fa fd fd fa fa 00[02]
  0x0c0480001440: fa fa 00 01 fa fa fd fd fa fa 00 00 fa fa fd fd
  0x0c0480001450: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480001460: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa 00 01
  0x0c0480001470: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480001480: fa fa fd fd fa fa fd fd fa fa 00 01 fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1062==ABORTING
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x50,0x34,0xd,0x33,0x38,0x45,0x36,0x58,0xd,0x80,
P4\x0d38E6X\x0d\x80
artifact_prefix='./'; Test unit written to /dev/shm/repro-file
Base64: UDQNMzhFNlgNgA==
System:
AMD64
Ubuntu 16.04 LTS
User avatar
magick
Site Admin
Posts: 11064
Joined: 2003-05-31T11:32:55-07:00

Re: ImageMagick 7.0.3-3 Q16 x86_64 2016-10-05 Heap Buffer Overflow

Post by magick »

We're using ImageMagick 7.0.3-3 and afl-clang 3.8.0 to build it. Unfortunately we cannot reproduce the problem:
  • -> convert ImageMagick-heap-buffer-overflow-0e2-d37-1ad.repro null:
    convert: unable to read image data `ImageMagick-heap-buffer-overflow-0e2-d37-1ad.repro' @ error/pnm.c/ReadPNMImage/629.
    convert: no images defined `null:' @ error/convert.c/ConvertImageCommand/3253.
Post Reply