imagemagick: undefined behavior in coders/rle.c

Description:
imagemagick is a software suite to create, edit, compose, or convert bitmap images.

A fuzzing run with the upstream security policy enabled, a quantum depth of 32 and the undefined behavior sanitizer discovered this bug.

# identify $FILE
coders/rle.c:274:18: runtime error: value 1.72801e+09 is outside the range of representable values of type 'unsigned char'
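As an added illustration (not code from this advisory or from ImageMagick), the colormap conversion modelled in plain C: on a Q32 HDRI build a Quantum is a float, so the `(unsigned char)` cast at rle.c:274 is applied to a value far outside 0..255, and C leaves that conversion undefined. The example shows the range test that decides whether such a cast is defined, a clamped conversion beside it, and the 8-bit rescale an 8-bit colormap entry actually needs. The function names, the 65537 scale factor and the sample bytes are assumptions constructed for the example.

```c
#include <stdio.h>

/* Q32 HDRI build: a Quantum is a float and a 16-bit sample is scaled to the
   32-bit range by multiplying with 65537 (assumed here, modelled on
   ScaleShortToQuantum; not ImageMagick's own code). */
typedef float Quantum;

static Quantum scale_short_to_quantum(unsigned short value)
{
    return (Quantum) (65537.0 * value);
}

/* Little-endian 16-bit read, like ReadBlobLSBShort in the colormap loop. */
static unsigned short read_lsb_short(const unsigned char *p)
{
    return (unsigned short) (p[0] | (p[1] << 8));
}

/* C11 6.3.1.4: float-to-integer conversion is undefined when the truncated
   value is not representable; for unsigned char that is anything outside
   (-1, 256). Returns 1 when `(unsigned char) q` (the cast at rle.c:274) is UB. */
static int cast_to_uchar_is_ub(Quantum q)
{
    return !(q > -1.0f && q < 256.0f);
}

/* Defined for every input: clamp into range before casting (NaN -> 0). */
static unsigned char quantum_to_uchar_clamped(Quantum q)
{
    if (!(q >= 0.0f)) return 0;
    if (q >= 255.0f) return 255;
    return (unsigned char) (q + 0.5f);
}

/* What an 8-bit colormap entry needs: the 16-bit sample rescaled to 8 bits
   (value/257, rounded), not the Q32 quantum truncated. */
static unsigned char short_to_uchar(unsigned short value)
{
    return (unsigned char) ((value + 128U) / 257U);
}

int main(void)
{
    /* constructed colormap bytes: 0x66FF scales to about 1.72801e+09 */
    static const unsigned char blob[2] = { 0xFF, 0x66 };
    unsigned short s = read_lsb_short(blob);
    Quantum q = scale_short_to_quantum(s);
    printf("short=%u quantum=%g ub=%d clamped=%u scaled8=%u\n", (unsigned) s, (double) q,
           cast_to_uchar_is_ub(q), quantum_to_uchar_clamped(q), short_to_uchar(s));
    return 0;
}
```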

Affected version:
7.0.5.4

Fixed version:
7.0.5.5 (not released at the time of writing)

Commit fix:
https://github.com/ImageMagick/ImageMagick/commit/b218117cad34d39b9ffb587b45c71c5a49b12bde

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-7606

Reproducer:
https://github.com/asarubbo/poc/blob/master/00253-imagemagick-outside-unsigned-char

Timeline:
2017-03-31: bug discovered and reported to upstream
2017-03-31: upstream released a patch
2017-04-02: blog post about the issue
2017-04-09: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


One Response to imagemagick: undefined behavior in coders/rle.c

  1. QuQiang says:

    Hello:
    I tried to reproduce this bug, but I cannot get your result.
    My IM output is as follows:
    —————————————-
    [root@localhost ImageMagick-7.0.5-4]# ./utilities/magick identify ~/fuzz/ImageMagick-7.0.5-4/dataset/00253-imagemagick-outsinde-unsigned-char
    identify: UnableToOpenConfigureFile `magic.xml' @ warning/configure.c/GetConfigureOptions/715.
    identify: MemoryAllocationFailed `/root/test/ImageMagick-7.0.5-4/dataset/00253-imagemagick-outsinde-unsigned-char' @ error/rle.c/ReadRLEImage/323.
    ———————————-
    I reviewed the source code as follows.
    When I use your reproducer from GitHub, IM will fail as AcquireQuantumMemory(...) returns zero. IM cannot reach the bug point.
    Could you please help me to reproduce the bug?
    ———————————-
      colormap=(unsigned char *) AcquireQuantumMemory(number_colormaps,
        3*map_length*sizeof(*colormap));
      if (colormap == (unsigned char *) NULL)
        ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
      p=colormap;
      for (i=0; i < (ssize_t) number_colormaps; i++)
        for (x=0; x < (ssize_t) map_length; x++)
          *p++=(unsigned char) ScaleShortToQuantum(ReadBlobLSBShort(image));  /* the cast reported by UBSan */
    }  /* closes the enclosing block, not shown */
    ———————————
