Description:
graphicsmagick is a collection of tools and libraries for many image formats.
The complete ASan output of the issue:
# gm convert -negate -clip $FILE out
==24889==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000005c0 at pc 0x7fca38d0da52 bp 0x7ffc6119c090 sp 0x7ffc6119c088
READ of size 8 at 0x60c0000005c0 thread T0
    #0 0x7fca38d0da51 in ReadWMFImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/coders/wmf.c:2720:5
    #1 0x7fca3e7e7e88 in ReadImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/constitute.c:1607:13
    #2 0x7fca3e67af18 in ConvertImageCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/command.c:4348:22
    #3 0x7fca3e6b70c5 in MagickCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/command.c:8869:17
    #4 0x7fca3e76285b in GMCommandSingle /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/command.c:17396:10
    #5 0x7fca3e75f991 in GMCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/command.c:17449:16
    #6 0x7fca3cfca680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289
    #7 0x419cd8 in _init (/usr/bin/gm+0x419cd8)

0x60c0000005c0 is located 64 bytes inside of 120-byte region [0x60c000000580,0x60c0000005f8)
freed by thread T0 here:
    #0 0x4cf4d0 in __interceptor_cfree /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/asan_malloc_linux.cc:55
    #1 0x7fca38ac70cd in wmf_lite_destroy /var/tmp/portage/media-libs/libwmf-0.2.8.4-r6/work/libwmf-0.2.8.4/src/api.c:336

previously allocated by thread T0 here:
    #0 0x4cf688 in malloc /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7fca38ac72f7 in wmf_malloc /var/tmp/portage/media-libs/libwmf-0.2.8.4-r6/work/libwmf-0.2.8.4/src/api.c:482

SUMMARY: AddressSanitizer: heap-use-after-free /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/coders/wmf.c:2720:5 in ReadWMFImage
Shadow bytes around the buggy address:
  0x0c187fff8060: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fff8070: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c187fff8080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c187fff8090: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fff80a0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
=>0x0c187fff80b0: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fa
  0x0c187fff80c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c187fff80d0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fff80e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c187fff80f0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fff8100: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24889==ABORTING
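The trace above is the classic shape of a lifetime bug: the 8-byte read in ReadWMFImage lands inside a 120-byte block that wmf_lite_destroy had already released, so the reader is still consulting the library handle after telling the library to tear it down. The following is an added illustration of that bug class and of the ordering that avoids it; it is not GraphicsMagick or libwmf code, and every name in it (toy_wmf_api, toy_wmf_create, toy_wmf_destroy, read_dimensions_buggy, read_dimensions_fixed) is hypothetical.

```c
/* Added example: models a reader that needs two fields from a library
 * handle and must also destroy that handle. Hypothetical names only. */
#include <stdlib.h>
#include <string.h>

/* Stand-in for an opaque library API object that owns sub-allocations. */
typedef struct {
    long  width;
    long  height;
    char *scratch;      /* owned buffer, freed by toy_wmf_destroy */
} toy_wmf_api;

static toy_wmf_api *toy_wmf_create(long width, long height) {
    toy_wmf_api *api = malloc(sizeof *api);
    if (api == NULL)
        return NULL;
    api->width   = width;
    api->height  = height;
    api->scratch = malloc(16);
    if (api->scratch == NULL) {
        free(api);
        return NULL;
    }
    memset(api->scratch, 0, 16);
    return api;
}

/* Releases the handle and everything it owns; the pointer is dead after this. */
static void toy_wmf_destroy(toy_wmf_api *api) {
    if (api == NULL)
        return;
    free(api->scratch);
    free(api);
}

/* Buggy ordering, the pattern the ASan report flags: the handle is
 * destroyed first and a field is read from the freed block afterwards.
 * Never called here; the read is undefined behaviour and, under
 * AddressSanitizer, reports heap-use-after-free just like the trace. */
static long read_dimensions_buggy(toy_wmf_api *api, long *height_out) {
    toy_wmf_destroy(api);
    *height_out = api->height;      /* use after free */
    return api->width;              /* use after free */
}

/* Fixed ordering: copy out every value still needed, then destroy the
 * handle, then clear the caller's pointer so it cannot dangle. */
static long read_dimensions_fixed(toy_wmf_api **api, long *height_out) {
    long width = (*api)->width;
    *height_out = (*api)->height;
    toy_wmf_destroy(*api);
    *api = NULL;
    return width;
}

int main(void) {
    long height = 0;
    toy_wmf_api *api = toy_wmf_create(640, 480);   /* constructed sample */
    long width = read_dimensions_fixed(&api, &height);
    (void)read_dimensions_buggy;    /* kept for contrast, deliberately unused */
    return (width == 640 && height == 480 && api == NULL) ? 0 : 1;
}
```

Building the same code with -fsanitize=address and calling the buggy variant is how a report like the one above is produced; the fix is purely a matter of ordering the copy before the destroy, which is also the cheapest thing to look for when reviewing any reader that frees a decoder handle before returning.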
Affected version:
1.3.26
Fixed version:
N/A
Commit fix:
http://hg.code.sf.net/p/graphicsmagick/code/rev/be898b7c97bd
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2017-12936
Reproducer:
https://github.com/asarubbo/poc/blob/master/00302-graphicsmagick-UAF-ReadWMFImage
Timeline:
2017-07-14: bug discovered and reported to upstream
2017-07-26: upstream released a fix
2017-08-05: blog post about the issue
2017-08-18: CVE assigned
Note:
This bug was found with American Fuzzy Lop.
This bug was identified with bare metal servers donated by Packet. This work is also supported by the Core Infrastructure Initiative.