imagemagick: memory allocation failure in AcquireMagickMemory (memory.c) (incomplete fix for CVE-2016-8862)

Posted on October 20, 2016 by ago

Description:
imagemagick is a software suite to create, edit, compose, or convert bitmap images.

Another round of fuzzing pointed out that the memory allocation failure I discovered is still reproducible in the 7.0.3.4 version.
As usual, the upstream security policy are enabled.

The interesting part of the ASan stacktrace(not full because is a copy past of the one in the previous post):

# identify $FILE
   #9 0x7f467fd11c67 in AcquireMagickMemory /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/memory.c:460:10
    #10 0x7f467fd11c67 in AcquireQuantumMemory /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/memory.c:533
    #11 0x7f4673379018 in ReadRLEImage /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/coders/rle.c:267:36
    #12 0x7f467faeca85 in ReadImage /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/constitute.c:496:13
    #13 0x7f467fff4def in ReadStream /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/stream.c:1012:9
    #14 0x7f467faeb69d in PingImage /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/constitute.c:226:9
    #15 0x7f467faebeae in PingImages /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/constitute.c:326:10
    #16 0x7f467f40f4da in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickWand/identify.c:319:18
    #17 0x7f467f48a844 in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickWand/mogrify.c:183:14
    #18 0x4f1fae in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/utilities/magick.c:145:10
    #19 0x4f1fae in main /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/utilities/magick.c:176
    #20 0x7f467e35d61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #21 0x4192a8 in _init (/usr/bin/magick+0x4192a8)

Affected version:
7.0.3.4

Fixed version:
7.0.3.8

Commit fix:
https://github.com/ImageMagick/ImageMagick/commit/ab2c9d6a8dd6d71b161ec9cc57a588b116b52322

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8866

Timeline:
2016-10-13: bug re-discovered
2016-10-13: bug re-reported to upstream
2016-10-20: blog post about the issue
2016-10-21: CVE assigned
2016-11-21: upstream released a patch
2016-11-25: upstream released 7.0.3.8

Note:
This bug was found with American Fuzzy Lop.

Permalink:

imagemagick: memory allocation failure in AcquireMagickMemory (memory.c) (incomplete fix for CVE-2016-8862)

This entry was posted in advisories, security. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.