ImageMagick 7.0.3-3 Q16 x86_64 2016-10-05 Heap Buffer Overflow
Posted: 2016-10-06T02:19:47-07:00
mikko@mikko-Latitude-E6330:~/git/ImageMagick/utilities$ ./magick --version
Version: ImageMagick 7.0.3-3 Q16 x86_64 2016-10-05 http://www.imagemagick.org
Copyright: Copyright (C) 1999-2016 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC
Delegates (built-in):
https://www.dropbox.com/s/k1il5l8tszz9c ... repro?dl=0
ASAN trace
INFO: Seed: 1348329510
Loaded 1024/5175 files from /samples/
Loaded 2048/5175 files from /samples/
Loaded 4096/5175 files from /samples/
#0 READ units: 5175 exec/s: 0
=================================================================
==1062==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200004a1fa at pc 0x7f9caca011ae bp 0x7ffd7af697f0 sp 0x7ffd7af697e8
READ of size 1 at 0x60200004a1fa thread T0
#0 0x7f9caca011ad in ImportGrayQuantum (/usr/lib/libMagickCore-7.Q16HDRI.so.0+0x96c1ad)
#1 0x7f9cac9e5d37 in ImportQuantumPixels (/usr/lib/libMagickCore-7.Q16HDRI.so.0+0x950d37)
#2 0x7f9cad06e0e2 in ReadPNMImage (/usr/lib/libMagickCore-7.Q16HDRI.so.0+0xfd90e2)
#3 0x7f9cac4a8fc7 in ReadImage (/usr/lib/libMagickCore-7.Q16HDRI.so.0+0x413fc7)
#4 0x7f9cac387e8d in BlobToImage (/usr/lib/libMagickCore-7.Q16HDRI.so.0+0x2f2e8d)
#5 0x50569e in LLVMFuzzerTestOneInput (/src/ImageMagick/ImageMagick-fuzzer+0x50569e)
#6 0x4f624c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/Fuzzer/FuzzerLoop.cpp:521:13
#7 0x4f58b4 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /src/Fuzzer/FuzzerLoop.cpp:477:3
#8 0x4f5de1 in fuzzer::Fuzzer::RunOne(std::vector<unsigned char, std::allocator<unsigned char> > const&) /src/Fuzzer/FuzzerInternal.h:455:39
#9 0x4f5de1 in fuzzer::Fuzzer::ShuffleAndMinimize() /src/Fuzzer/FuzzerLoop.cpp:437
#10 0x4f0a10 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/Fuzzer/FuzzerDriver.cpp:420:3
#11 0x4eef10 in main /src/Fuzzer/FuzzerMain.cpp:21:10
#12 0x7f9ca6f6382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#13 0x41aa78 in _start (/src/ImageMagick/ImageMagick-fuzzer+0x41aa78)
0x60200004a1fa is located 0 bytes to the right of 10-byte region [0x60200004a1f0,0x60200004a1fa)
allocated by thread T0 here:
#0 0x4ec2f0 in operator new[](unsigned long) (/src/ImageMagick/ImageMagick-fuzzer+0x4ec2f0)
#1 0x4f61ed in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/Fuzzer/FuzzerLoop.cpp:514:39
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/libMagickCore-7.Q16HDRI.so.0+0x96c1ad) in ImportGrayQuantum
Shadow bytes around the buggy address:
0x0c04800013e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04800013f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480001400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480001410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480001420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0480001430: fa fa 00 fa fa fa 00 00 fa fa fd fd fa fa 00[02]
0x0c0480001440: fa fa 00 01 fa fa fd fd fa fa 00 00 fa fa fd fd
0x0c0480001450: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480001460: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa 00 01
0x0c0480001470: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480001480: fa fa fd fd fa fa fd fd fa fa 00 01 fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1062==ABORTING
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x50,0x34,0xd,0x33,0x38,0x45,0x36,0x58,0xd,0x80,
P4\x0d38E6X\x0d\x80
artifact_prefix='./'; Test unit written to /dev/shm/repro-file
Base64: UDQNMzhFNlgNgA==
AMD64
Ubuntu 16.04 LTS
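Added example (not part of the original post, and not ImageMagick's code): a small script that rebuilds the repro file from the Base64 and hex dump above, checks the two agree, and then works out why a ten-byte input can push a raster import past the end of the blob. The "lenient" integer scanner below is an assumed model of a permissive PNM header reader (read a digit run, treat whatever byte ends it as the separator); it is not a copy of ReadPNMImage, and the exact offset at which ImageMagick stops cannot be derived from the trace. The GOOD sample and all function names are constructed for this example.

```python
import base64

# Constructed from the libFuzzer artifact dump above: the ten-byte hex list
# and the Base64 line. GOOD is a well-formed 8x2 P4 file constructed here
# as a control input.
REPRO_HEX = [0x50, 0x34, 0x0d, 0x33, 0x38, 0x45, 0x36, 0x58, 0x0d, 0x80]
REPRO_B64 = "UDQNMzhFNlgNgA=="
GOOD = b"P4\n8 2\n\xff\x00"

WHITESPACE = b" \t\r\n\x0b\x0c"


def repro_bytes() -> bytes:
    """Decode the Base64 artifact and confirm it matches the hex dump."""
    data = base64.b64decode(REPRO_B64)
    if list(data) != REPRO_HEX:
        raise ValueError("Base64 artifact does not match the hex dump")
    return data


def lenient_int(buf: bytes, pos: int):
    """Assumed model of a permissive PNM integer scanner: skip anything up to
    the first digit, read the digit run, and consume whatever byte ends the
    run as the separator. Returns (value, next_pos) or (None, end)."""
    n = len(buf)
    while pos < n and not buf[pos:pos + 1].isdigit():
        pos += 1
    if pos >= n:
        return None, n
    value = 0
    while pos < n and buf[pos:pos + 1].isdigit():
        value = value * 10 + buf[pos] - 0x30
        pos += 1
    return value, min(pos + 1, n)  # separator consumed, whatever it is


def strict_int(buf: bytes, pos: int):
    """Spec-shaped scanner: optional whitespace, a digit run, then a
    whitespace separator. Anything else rejects the header."""
    n = len(buf)
    while pos < n and buf[pos] in WHITESPACE:
        pos += 1
    start = pos
    while pos < n and buf[pos:pos + 1].isdigit():
        pos += 1
    if start == pos or pos >= n or buf[pos] not in WHITESPACE:
        return None, pos
    return int(buf[start:pos]), pos + 1


def p4_geometry(buf: bytes, scan=lenient_int):
    """Parse a raw PBM (P4) header with the given scanner and compare the
    raster the header demands with the bytes actually left in the buffer.
    Returns None if the scanner rejects or runs out of header."""
    if buf[:2] != b"P4":
        raise ValueError("not a raw PBM (P4) stream")
    width, pos = scan(buf, 2)
    if width is None:
        return None
    height, pos = scan(buf, pos)
    if height is None:
        return None
    row_bytes = (width + 7) // 8  # one bit per pixel, rows padded to bytes
    return {
        "width": width,
        "height": height,
        "row_bytes": row_bytes,
        "raster_offset": pos,
        "raster_needed": row_bytes * height,
        "raster_available": len(buf) - pos,
    }


def raster_fits(geom: dict) -> bool:
    """The up-front check a reader wants: does the blob hold the whole raster?"""
    return geom["raster_available"] >= geom["raster_needed"]


def read_rows_checked(buf: bytes, geom: dict) -> list:
    """Per-row bounds check: never hand out a row the blob cannot supply."""
    rows, pos = [], geom["raster_offset"]
    for _ in range(geom["height"]):
        end = pos + geom["row_bytes"]
        if end > len(buf):
            raise EOFError(f"row {len(rows)} needs {geom['row_bytes']} bytes, "
                           f"only {len(buf) - pos} left")
        rows.append(buf[pos:end])
        pos = end
    return rows


if __name__ == "__main__":
    data = repro_bytes()
    geom = p4_geometry(data)
    print("lenient parse:", geom, "fits:", raster_fits(geom))
    print("strict parse:", p4_geometry(data, scan=strict_int))
    print("control file rows:", read_rows_checked(GOOD, p4_geometry(GOOD)))
```

Under the lenient model the header "P4\r38E6X" scans as width 38 and height 6, so a reader expects 5 bytes per row and 30 bytes of raster, while only 2 bytes follow the header; the first row already runs past the end of the 10-byte allocation, which matches the "0 bytes to the right of 10-byte region" in the ASan report. The strict scanner rejects the same header at the 'E', and read_rows_checked refuses the first row, which is the kind of length check a decoder needs before importing pixels from a memory blob.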