*** This bug is a security vulnerability ***
Public security bug reported:
This bug was found while fuzzing ImageMagick with afl-fuzz
Tested on ImageMagick version Tested on git commit
8bc3ab67d818204fe5f0fe1dc29b873d37360461
Command: magick id:000002,sig:06,src:000001,op:flip1,pos:866 /dev/null
=================================================================
==12486==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3106606 at
pc 0x88a4fda bp 0xbfdb0448 sp 0xbfdb0440
WRITE of size 2 at 0xb3106606 thread T0
#0 0x88a4fd9 in InsertRow
/home/user/Desktop/ImageMagick/./MagickCore/pixel-accessor.h:766
#1 0x888ace3 in UnpackWPGRaster
/home/user/Desktop/ImageMagick/coders/wpg.c:486
#2 0x888ace3 in ReadWPGImage
/home/user/Desktop/ImageMagick/coders/wpg.c:1154
#3 0x8a940ba in ReadImage
/home/user/Desktop/ImageMagick/MagickCore/constitute.c:494
#4 0x8a9bf2f in ReadImages
/home/user/Desktop/ImageMagick/MagickCore/constitute.c:844
#5 0x93716d9 in CLINoImageOperator
/home/user/Desktop/ImageMagick/MagickWand/operation.c:4663
#6 0x9379bc1 in CLIOption
/home/user/Desktop/ImageMagick/MagickWand/operation.c:5157
#7 0x91071cd in ProcessCommandOptions
/home/user/Desktop/ImageMagick/MagickWand/magick-cli.c:474
#8 0x910a545 in MagickImageCommand
/home/user/Desktop/ImageMagick/MagickWand/magick-cli.c:786
#9 0x910ea29 in MagickCommandGenesis
/home/user/Desktop/ImageMagick/MagickWand/mogrify.c:172
#10 0x80de12d in MagickMain
/home/user/Desktop/ImageMagick/utilities/magick.c:74
#11 0x80de12d in main /home/user/Desktop/ImageMagick/utilities/magick.c:85
#12 0xb745aa82 in __libc_start_main
/build/buildd/eglibc-2.19/csu/libc-start.c:287
#13 0x80ddf54 in _start (/usr/local/bin/magick+0x80ddf54)
0xb3106606 is located 6 bytes to the right of 25600-byte region
[0xb3100200,0xb3106600)
allocated by thread T0 here:
#0 0x80c7021 in __interceptor_posix_memalign
(/usr/local/bin/magick+0x80c7021)
#1 0x8192c0f in AcquireAlignedMemory
/home/user/Desktop/ImageMagick/MagickCore/memory.c:273
#2 0x89b1f8e in OpenPixelCache
/home/user/Desktop/ImageMagick/MagickCore/cache.c:3402
#3 0x89bee6c in GetImagePixelCache
/home/user/Desktop/ImageMagick/MagickCore/cache.c:1583
#4 0x8982d3d in QueueAuthenticPixelCacheNexus
/home/user/Desktop/ImageMagick/MagickCore/cache.c:3800
#5 0x89c08b9 in QueueAuthenticPixels
/home/user/Desktop/ImageMagick/MagickCore/cache.c:3970
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/user/Desktop/ImageMagick/./MagickCore/pixel-accessor.h:766 InsertRow
Shadow bytes around the buggy address:
0x36620c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36620c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36620c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36620ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36620cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36620cc0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36620cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36620ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36620cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36620d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36620d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==12486==ABORTING
** Affects: imagemagick (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1539050
Title:
out-of-bounds write in ./MagickCore/pixel-accessor.h:766
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1539050/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
