graphicsmagick: NULL pointer dereference in MagickStrlCpy (utility.c)

Description:
Graphicsmagick is an Image Processing System.

A fuzzing revealed a NULL pointer access in the TIFF parser.

The complete ASan output:

# gm identify $FILE
ASAN:DEADLYSIGNAL
=================================================================
==19028==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fbd36dd6c3c bp 0x7ffe3c007090 sp 0x7ffe3c006d10 T0)
    #0 0x7fbd36dd6c3b in MagickStrlCpy /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/utility.c:4567:3
    #1 0x7fbd2b714c26 in ReadTIFFImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/coders/tiff.c:2048:13
    #2 0x7fbd36ac506a in ReadImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/constitute.c:1607:13
    #3 0x7fbd36ac46ac in PingImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/constitute.c:1370:9
    #4 0x7fbd36a165a0 in IdentifyImageCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/command.c:8372:17
    #5 0x7fbd36a1affb in MagickCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/command.c:8862:17
    #6 0x7fbd36a6fee3 in GMCommandSingle /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/command.c:17370:10
    #7 0x7fbd36a6eb78 in GMCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/command.c:17423:16
    #8 0x7fbd3597761f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #9 0x4188d8 in _init (/usr/bin/gm+0x4188d8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-gfx/graphicsmagick-1.3.24/work/GraphicsMagick-1.3.24/magick/utility.c:4567:3 in MagickStrlCpy
==19028==ABORTING

Affected version:
1.3.24 (and maybe past)

Fixed version:
1.3.25

Commit fix:
http://hg.code.sf.net/p/graphicsmagick/code/rev/eb58028dacf5

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-7449

Timeline:
2016-08-17: bug discovered
2016-08-18: bug reported privately to upstream
2016-08-19: upstream released a patch
2016-09-05: upstream released 1.3.25
2016-09-07: blog post about the issue
2016-09-18: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

graphicsmagick: NULL pointer dereference in MagickStrlCpy (utility.c)

This entry was posted in advisories, security. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *