*** This bug is a security vulnerability ***
Public security bug reported:
This bug was found while fuzzing ImageMagick with afl-fuzz
Tested on ImageMagick git commit
07b9f5ed90ce1e2d723837979446713b2159f78e
Command: magick id:000323,sig:06,src:007647,op:havoc,rep:64 /dev/null
=================================================================
==5369==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb2e03bf4 at
pc 0x8399d51 bp 0xbfe950b8 sp 0xbfe950b0
READ of size 1 at 0xb2e03bf4 thread T0
#0 0x8399d50 in ParseEntities
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/xml-tree.c:1394
#1 0x838b8a4 in NewXMLTree
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/xml-tree.c:2093
#2 0x824e5f0 in GetXMPProperty
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/property.c:1661
#3 0x824e5f0 in GetImageProperty
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/property.c:2149
#4 0x828cd04 in SetImageProfileInternal
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/profile.c:1671
#5 0x828cb1d in GetProfilesFromResourceBlock
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/profile.c:1574
#6 0x828cb1d in SetImageProfileInternal
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/profile.c:1663
#7 0x828a72c in SetImageProfile
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/profile.c:1678
#8 0x85a40d4 in ReadMETAImage
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/coders/meta.c:1217
#9 0x8a802aa in ReadImage
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/constitute.c:494
#10 0x8a8811f in ReadImages
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/constitute.c:844
#11 0x936a649 in CLINoImageOperator
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickWand/operation.c:4680
#12 0x9372b31 in CLIOption
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickWand/operation.c:5174
#13 0x90ffc8d in ProcessCommandOptions
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickWand/magick-cli.c:474
#14 0x9103005 in MagickImageCommand
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickWand/magick-cli.c:786
#15 0x91074e9 in MagickCommandGenesis
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickWand/mogrify.c:172
#16 0x80dde9d in MagickMain
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/utilities/magick.c:74
#17 0x80dde9d in main
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/utilities/magick.c:85
#18 0xb74baa82 in __libc_start_main
/build/buildd/eglibc-2.19/csu/libc-start.c:287
#19 0x80ddcc4 in _start (/usr/local/bin/magick+0x80ddcc4)
0xb2e03bf4 is located 0 bytes to the right of 164-byte region
[0xb2e03b50,0xb2e03bf4)
allocated by thread T0 here:
#0 0x80c68f1 in malloc (/usr/local/bin/magick+0x80c68f1)
#1 0x81885f9 in AcquireMagickMemory
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/memory.c:476
#2 0x81885f9 in AcquireQuantumMemory
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/memory.c:549
#3 0x828cd04 in SetImageProfileInternal
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/profile.c:1671
#4 0x828cb1d in GetProfilesFromResourceBlock
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/profile.c:1574
#5 0x828cb1d in SetImageProfileInternal
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/profile.c:1663
#6 0x828a72c in SetImageProfile
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/profile.c:1678
#7 0x8a802aa in ReadImage
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/constitute.c:494
#8 0x8a8811f in ReadImages
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/constitute.c:844
#9 0x936a649 in CLINoImageOperator
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickWand/operation.c:4680
#10 0x9372b31 in CLIOption
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickWand/operation.c:5174
#11 0x90ffc8d in ProcessCommandOptions
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickWand/magick-cli.c:474
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/user/Desktop/FuzzImageMagick-master/ImageMagick/MagickCore/xml-tree.c:1394
ParseEntities
Shadow bytes around the buggy address:
0x365c0720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x365c0730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x365c0740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x365c0750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x365c0760: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x365c0770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa
0x365c0780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x365c0790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x365c07a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x365c07b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x365c07c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==5369==ABORTING
** Affects: imagemagick (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1547287
Title:
out-of-bounds read in MagickCore/xml-tree.c:1394
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1547287/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
