graphicsmagick: stack-based buffer overflow in ReadSCTImage (sct.c)

Description:
Graphicsmagick is an Image Processing System.

After the first round of fuzzing where I discovered some slowness issues that make the fuzz hard, the second round revealed a stack-buffer-overflow.

The complete ASan output:

# gm identify $FILE
==23362==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffaab3b8e0 at pc 0x000000453e36 bp 0x7fffaab3b570 sp 0x7fffaab3ad20
READ of size 769 at 0x7fffaab3b8e0 thread T0
    #0 0x453e35 in StrtolFixAndCheck /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:2596
    #1 0x4545c1 in __interceptor_strtol /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:633
    #2 0x7f73e9a847df in ReadSCTImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/coders/sct.c:191:19
    #3 0x7f73f473eb13 in ReadImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/constitute.c:1607:13
    #4 0x7f73f473ca94 in PingImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/constitute.c:1370:9
    #5 0x7f73f4651b25 in IdentifyImageCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:8375:17
    #6 0x7f73f465797c in MagickCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:8865:17
    #7 0x7f73f46cf6fe in GMCommandSingle /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:17379:10
    #8 0x7f73f46cd926 in GMCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:17432:16
    #9 0x7f73f352a61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #10 0x418c88 in _init (/usr/bin/gm+0x418c88)

Address 0x7fffaab3b8e0 is located in stack of thread T0 at offset 800 in frame
    #0 0x7f73e9a8399f in ReadSCTImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/coders/sct.c:126

  This frame has 2 object(s):
    [32, 800) 'buffer'
    [928, 930) 'magick' 0x10007555f710: 00 00 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2
  0x10007555f720: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 02 f3 f3 f3
  0x10007555f730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007555f740: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 00 f2
  0x10007555f750: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007555f760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23362==ABORTING

Affected version:
1.3.25

Fixed version:
1.3.26 ( not yet released)

Commit fix:
http://hg.code.sf.net/p/graphicsmagick/code/rev/0a0dfa81906d

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8682

Timeline:
2016-09-09: bug discovered
2016-09-09: bug reported privately to upstream
2016-09-10: no upstream response
2016-09-15: blog post about the issue
2016-10-16: CVE Assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

graphicsmagick: stack-based buffer overflow in ReadSCTImage (sct.c)

This entry was posted in advisories, security. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.