Description:
imagemagick is a software suite to create, edit, compose, or convert bitmap images.
A fuzz on an updated version which includes the fix for CVE-2016-9556, revealed that the issue is still present.
The complete ASan output:
# identify $FILE ==30875==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610000007cc0 at pc 0x7f897b123267 bp 0x7fff44a4ba70 sp 0x7fff44a4ba68 READ of size 4 at 0x610000007cc0 thread T0 #0 0x7f897b123266 in IsPixelGray /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/./MagickCore/pixel-accessor.h:507:30 #1 0x7f897b123266 in IdentifyImageGray /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/attribute.c:677 #2 0x7f897b123e2d in IdentifyImageType /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/attribute.c:820:7 #3 0x7f897b3ca308 in IdentifyImage /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/identify.c:527:8 #4 0x7f897ab0e591 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickWand/identify.c:336:22 #5 0x7f897ab85ee6 in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickWand/mogrify.c:183:14 #6 0x50a495 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/utilities/magick.c:145:10 #7 0x50a495 in main /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/utilities/magick.c:176 #8 0x7f89797c061f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 #9 0x419d28 in _init (/usr/bin/magick+0x419d28) 0x610000007cc0 is located 0 bytes to the right of 128-byte region [0x610000007c40,0x610000007cc0) allocated by thread T0 here: #0 0x4d3685 in posix_memalign /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:130 #1 0x7f897b44a619 in AcquireAlignedMemory /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/memory.c:258:7 #2 0x7f897b15840e in AcquireCacheNexusPixels /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/cache.c:4636:33 #3 0x7f897b15840e in SetPixelCacheNexusPixels /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/cache.c:4748 #4 0x7f897b14e891 in GetVirtualPixelsFromNexus /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/cache.c:2629:10 #5 0x7f897b16d90e in GetCacheViewVirtualPixels /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/cache-view.c:664:10 #6 0x7f897b122878 in IdentifyImageGray /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/attribute.c:672:7 #7 0x7f897b123e2d in IdentifyImageType /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/attribute.c:820:7 #8 0x7f897b3ca308 in IdentifyImage /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickCore/identify.c:527:8 #9 0x7f897ab0e591 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickWand/identify.c:336:22 #10 0x7f897ab85ee6 in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/MagickWand/mogrify.c:183:14 #11 0x50a495 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/utilities/magick.c:145:10 #12 0x50a495 in main /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/utilities/magick.c:176 #13 0x7f89797c061f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/imagemagick-7.0.3.8/work/ImageMagick-7.0.3-8/./MagickCore/pixel-accessor.h:507:30 in IsPixelGray Shadow bytes around the buggy address: 0x0c207fff8f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c207fff8f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c207fff8f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c207fff8f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c207fff8f80: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 =>0x0c207fff8f90: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa 0x0c207fff8fa0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c207fff8fb0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa 0x0c207fff8fc0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c207fff8fd0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 0x0c207fff8fe0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==30875==ABORTING
Affected version:
7.0.3.8
Fixed version:
N/A
Commit fix:
https://github.com/ImageMagick/ImageMagick/commit/4e8c2ed53fcb54a34b3a6185b2584f26cf6874a3
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2016-9556
Reproducer:
https://github.com/asarubbo/poc/blob/master/00090-imagemagick-heapoverflow-IsPixelGray
Timeline:
2016-12-01: bug re-discovered and reported to upstream
2016-12-01: blog post about the issue
2016-12-02: upstream released a patch
2016-12-05: CVE assigned
Note:
This bug was found with American Fuzzy Lop.
Permalink: