Description:
imagemagick is a software suite to create, edit, compose, or convert bitmap images.
Fuzzing with the upstream security policy enabled, a quantum depth of 32 and the undefined behavior sanitizer discovered this bug.
# identify $FILE
coders/rle.c:274:18: runtime error: value 1.72801e+09 is outside the range of representable values of type 'unsigned char'
Affected version:
7.0.5.4
Fixed version:
7.0.5.5 (not released at the time of writing)
Commit fix:
https://github.com/ImageMagick/ImageMagick/commit/b218117cad34d39b9ffb587b45c71c5a49b12bde
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2017-7606
Reproducer:
https://github.com/asarubbo/poc/blob/master/00253-imagemagick-outside-unsigned-char
Timeline:
2017-03-31: bug discovered and reported to upstream
2017-03-31: upstream released a patch
2017-04-02: blog post about the issue
2017-04-09: CVE assigned
Note:
This bug was found with American Fuzzy Lop.
hello:
I tried to reproduce this bug, but I cannot get your result.
My IM output is as follows:
—————————————-
[root@localhost ImageMagick-7.0.5-4]# ./utilities/magick identify ~/fuzz/ImageMagick-7.0.5-4/dataset/00253-imagemagick-outsinde-unsigned-char
identify: UnableToOpenConfigureFile `magic.xml' @ warning/configure.c/GetConfigureOptions/715.
identify: MemoryAllocationFailed `/root/test/ImageMagick-7.0.5-4/dataset/00253-imagemagick-outsinde-unsigned-char' @ error/rle.c/ReadRLEImage/323.
———————————-
I reviewed the source code as follows.
When I use your reproducer from GitHub, IM fails because AcquireQuantumMemory(...) returns zero. IM cannot reach the bug point.
Could you please help me to reproduce the bug?
———————————-
  /* excerpt from ReadRLEImage() in coders/rle.c: colormap allocation and fill */
  colormap=(unsigned char *) AcquireQuantumMemory(number_colormaps,
    3*map_length*sizeof(*colormap));
  if (colormap == (unsigned char *) NULL)
    ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
  p=colormap;
  for (i=0; i < (ssize_t) number_colormaps; i++)
    for (x=0; x < (ssize_t) map_length; x++)
      /* the cast on this line is the one UBSan reports at rle.c:274 */
      *p++=(unsigned char) ScaleShortToQuantum(ReadBlobLSBShort(image));
}
———————————
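The conversion UBSan flagged at rle.c:274, modelled as an added example (this is not code from the advisory, the comment or ImageMagick): it assumes a Q32 HDRI build where Quantum is a float and ScaleShortToQuantum multiplies the 16-bit sample by 65537, and pairs a check for whether such a float fits in unsigned char with a clamped narrowing that stays within defined behavior. The input bytes are constructed so the scaled value matches the 1.72801e+09 in the report; the clamped conversion is an illustrative hardening, not necessarily what the upstream commit did.

```c
#include <stdint.h>
#include <stdbool.h>

/* Assumed model of a Q32 HDRI build: Quantum is a float spanning 0..4294967295. */
typedef float Quantum;
#define QuantumRange 4294967295.0

/* Assumed model of ScaleShortToQuantum for quantum depth 32. */
Quantum scale_short_to_quantum(uint16_t value) {
    return (Quantum)(65537.0 * (double)value);
}

/* Little-endian 16-bit read, standing in for ReadBlobLSBShort. */
uint16_t read_lsb_short(const unsigned char *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* True only when (unsigned char) q is defined: the truncated value must fit 0..255. */
bool quantum_fits_uchar(Quantum q) {
    return q >= 0.0f && q < 256.0f;
}

/* Defined narrowing: map the quantum back onto 0..255 and clamp before the cast. */
unsigned char quantum_to_char_clamped(Quantum q) {
    double scaled = (double)q / (QuantumRange / 255.0);  /* divisor is exactly 16843009 */
    if (!(scaled >= 0.0))   /* also rejects NaN */
        return 0;
    if (scaled >= 255.0)
        return 255;
    return (unsigned char)(scaled + 0.5);
}

/* One colormap entry, read and narrowed without leaving defined behavior. */
unsigned char colormap_entry(const unsigned char *p) {
    return quantum_to_char_clamped(scale_short_to_quantum(read_lsb_short(p)));
}

/* Constructed sample: bytes FF 66 give 26367, which scales to ~1.72801e+09. */
const unsigned char sample_entry[2] = {0xFF, 0x66};
```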