Description:
Graphicsmagick is an Image Processing System.
After the first round of fuzzing where I discovered some slowness issues that make the fuzz hard, the second round revealed a stack-buffer-overflow.
The complete ASan output:
# gm identify $FILE ==23362==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffaab3b8e0 at pc 0x000000453e36 bp 0x7fffaab3b570 sp 0x7fffaab3ad20 READ of size 769 at 0x7fffaab3b8e0 thread T0 #0 0x453e35 in StrtolFixAndCheck /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:2596 #1 0x4545c1 in __interceptor_strtol /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:633 #2 0x7f73e9a847df in ReadSCTImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/coders/sct.c:191:19 #3 0x7f73f473eb13 in ReadImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/constitute.c:1607:13 #4 0x7f73f473ca94 in PingImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/constitute.c:1370:9 #5 0x7f73f4651b25 in IdentifyImageCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:8375:17 #6 0x7f73f465797c in MagickCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:8865:17 #7 0x7f73f46cf6fe in GMCommandSingle /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:17379:10 #8 0x7f73f46cd926 in GMCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:17432:16 #9 0x7f73f352a61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 #10 0x418c88 in _init (/usr/bin/gm+0x418c88) Address 0x7fffaab3b8e0 is located in stack of thread T0 at offset 800 in frame #0 0x7f73e9a8399f in ReadSCTImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/coders/sct.c:126 This frame has 2 object(s): [32, 800) 'buffer' [928, 930) 'magick' 0x10007555f710: 00 00 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2 0x10007555f720: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 02 f3 f3 f3 0x10007555f730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007555f740: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 00 f2 0x10007555f750: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007555f760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==23362==ABORTING
Affected version:
1.3.25
Fixed version:
1.3.26 ( not yet released)
Commit fix:
http://hg.code.sf.net/p/graphicsmagick/code/rev/0a0dfa81906d
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2016-8682
Timeline:
2016-09-09: bug discovered
2016-09-09: bug reported privately to upstream
2016-09-10: no upstream response
2016-09-15: blog post about the issue
2016-10-16: CVE Assigned
Note:
This bug was found with American Fuzzy Lop.
Permalink:
graphicsmagick: stack-based buffer overflow in ReadSCTImage (sct.c)