imagemagick: null pointer must never be null (tiff.c)

Description:
imagemagick is a software suite to create, edit, compose, or convert bitmap images.

A fuzz on an updated version with the Undefined Behavior Sanitizer enabled revealed a null pointer passed to a function parameter that is declared never to be null.

The complete UBSan output:

# identify $FILE
coders/tiff.c:655:39: runtime error: null pointer passed as argument 2, which is declared to never be null
MagickCore/string_.h:76:23: note: nonnull attribute specified here

Affected version:
7.0.3.6

Fixed version:
7.0.3.7

Commit fix:
https://github.com/ImageMagick/ImageMagick/commit/b61d35eaccc0a7ddeff8a1c3abfcd0a43ccf210b

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-9559

Reproducer:
https://github.com/asarubbo/poc/blob/master/00049-imagemagick-pointernerverbenull

Timeline:
2016-11-09: bug discovered and reported to upstream
2016-11-09: upstream released a patch
2016-11-15: upstream released 7.0.3.7
2016-11-19: blog post about the issue
2016-11-23: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

An alternative to git bisect with Gentoo and the live ebuild

Git bisect is absolutely powerful, but sometimes it is more comfortable to use emerge instead of compiling the software outside the package manager.

That was my case with media-libs/jasper, which I'm picking as the example for this 'howto'.

So basically: you are running Gentoo, you can install a live ebuild (9999), and you want to find which commit id fixes an issue. Let's see step by step what to do.

1) Clone the repository to obtain the commit ids and put them in a file

ago@blackgate ~ $ cd /tmp
ago@blackgate /tmp $ git clone https://github.com/mdadams/jasper.git
ago@blackgate /tmp $ cd jasper/
ago@blackgate /tmp/jasper $ git --no-pager log --format=%H > /tmp/commitlist.txt

The file should contain the git commit ids, for example:

883f85876a463019a16b6d38dd9afc022d1f07cf
de4e3953fd3ef9d539c5187b7988e8750b3d67c9
f9ccc661fd1094c8d1c3df38b51295677d268dbf

2) Use a simple script that runs emerge and the command you need to test.

#!/bin/bash
# Test every commit listed in /tmp/commitlist.txt, newest first
while read -r COMMIT_ID
do
      echo "Testing with the commit id: ${COMMIT_ID}"
      # the git-* eclass honours EGIT_COMMIT, so the live ebuild is built at that commit;
      # skip the check when emerge fails, otherwise it would run against the previously installed version
      EGIT_COMMIT="${COMMIT_ID}" emerge -q media-libs/jasper || { echo "emerge failed for ${COMMIT_ID}"; continue; }
      # the command under test
      imginfo -f /tmp/myjpg.jpg
      # blank lines to separate the output of each run
      echo -ne "\n\n\n"
done < /tmp/commitlist.txt

With the EGIT_COMMIT variable from the git-* eclass, we can emerge the live ebuild at a specific commit id.
imginfo is, in my case, the command I need, and then I print some blank lines to better separate the output of the commands and understand what is happening.

Now you just need to wait and check the output of the specified command for each commit id.

SOME IMPORTANT NOTES:
– This howto is only practical when the project you are building is small; running this script against e.g. libreoffice would take months.
– This howto is only practical when you know that the fix is close to the head of master, so that only a few emerge cycles are needed to find it.
– If you know that the problem was fixed e.g. a year ago, you can manually edit commitlist.txt and delete some recent ids, so that you test a smaller, specific range of commits.
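The same procedure with a binary search over commitlist.txt instead of the linear loop, as an added example that is not part of the original post. BUILD, CHECK, commit_state and bisect_fix are hypothetical names; the script assumes the list is newest-first as git log prints it, that the newest commit is already fixed and the oldest still buggy, and that the check command exits 0 only when the bug is fixed.

```shell
#!/bin/sh
# Added example, not from the original post: binary search over /tmp/commitlist.txt
# (newest commit on line 1, oldest on the last line, as `git log --format=%H` prints it).
# Assumes line 1 is already fixed and the last line is still buggy.
#
# Hypothetical hooks, overridable from the environment:
#   BUILD  is given a commit id and must install it (the post's emerge call)
#   CHECK  must exit 0 when the bug is fixed (the post's imginfo call)
BUILD=${BUILD:-emerge_commit}
CHECK=${CHECK:-"imginfo -f /tmp/myjpg.jpg"}

# emerge_commit ID: build the live ebuild at commit ID, as in the post's script
emerge_commit() {
    EGIT_COMMIT="$1" emerge -q media-libs/jasper
}

# nth_commit FILE N: print the commit id on line N (1-based) of FILE
nth_commit() {
    sed -n "${2}p" "$1"
}

# commit_state ID: 0 = fixed, 1 = still buggy, 2 = does not build.
# A failed emerge must not count as a test result: the check would otherwise
# run against whatever version is still installed.
commit_state() {
    $BUILD "$1" >/dev/null 2>&1 || return 2
    $CHECK >/dev/null 2>&1
}

# bisect_fix FILE: print the oldest commit on which CHECK passes, i.e. the one
# that introduced the fix. Unbuildable commits are skipped by probing neighbours;
# if nothing between the known-fixed and known-buggy commits builds, print that
# range as FIXED..BUGGY and return 1.
bisect_fix() {
    listfile=$1
    lo=1                          # newest line: known fixed
    hi=$(wc -l < "$listfile")     # oldest line: known buggy
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(((lo + hi) / 2))
        cand=$mid
        rc=2
        # probe mid, then step toward the buggy end, then toward the fixed end
        while [ "$rc" -eq 2 ] && [ "$cand" -gt "$lo" ] && [ "$cand" -lt "$hi" ]; do
            rc=0
            commit_state "$(nth_commit "$listfile" "$cand")" || rc=$?
            if [ "$rc" -eq 2 ]; then
                echo "warning: commit on line $cand does not build, skipping" >&2
                if [ "$cand" -ge "$mid" ] && [ $((cand + 1)) -lt "$hi" ]; then
                    cand=$((cand + 1))
                elif [ "$cand" -ge "$mid" ]; then
                    cand=$((mid - 1))
                else
                    cand=$((cand - 1))
                fi
            fi
        done
        case $rc in
            0) lo=$cand ;;
            1) hi=$cand ;;
            *) echo "$(nth_commit "$listfile" "$lo")..$(nth_commit "$listfile" "$hi")"
               return 1 ;;
        esac
    done
    nth_commit "$listfile" "$lo"
}

# Stand-alone use: ./bisect.sh /tmp/commitlist.txt
if [ $# -gt 0 ]; then
    bisect_fix "$1"
fi
```

Each probe costs one emerge, so a list of N commits needs about log2(N) builds instead of N.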

That’s all.

libdwarf: negation overflow in dwarf_leb.c

Description:
libdwarf is a library to consume and produce DWARF debug information.

A fuzz with the Undefined Behavior Sanitizer shows a negation whose result cannot be represented as long long.

The complete UBSan output:

# dwarfdump $FILE
dwarf_leb.c:306:19: runtime error: negation of -9223372036854775808 cannot be represented in type 'Dwarf_Signed' (aka 'long long'); cast to an unsigned type to negate this value to itself

Affected version:
20161021

Fixed version:
20161124

Commit fix:
https://sourceforge.net/p/libdwarf/code/ci/4f19e1050cd8e9ddf2cb6caa061ff2fec4c9b5f9/#diff-5

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-9558

Reproducer:
https://github.com/asarubbo/poc/blob/master/00050-libdwarf-negate-itself

Timeline:
2016-11-11: bug discovered and reported to upstream
2016-11-11: upstream released a patch
2016-11-19: blog post about the issue
2016-11-23: CVE assigned
2016-11-24: upstream released 20161124

Note:
This bug was found with American Fuzzy Lop.

jasper: signed integer overflow in jas_image.c

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

The Undefined Behavior Sanitizer shows a signed integer overflow in jas_image.c.
As you can see, the commit that fixes the issue is not a direct fix for the signed integer overflow, but changes somewhat how things work in jasper.

The complete UBSan output:

# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/base/jas_image.c:162:49: runtime error: signed integer overflow: 8543608947741818625 * 15 cannot be represented in type 'long'

Affected version:
1.900.17

Fixed version:
1.900.25

Commit fix:
https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-9557

Reproducer:
https://github.com/asarubbo/poc/blob/master/00020-jasper-signedintoverflow-jas_image_c

Timeline:
2016-10-29: bug discovered and reported to upstream
2016-11-12: upstream released a patch and 1.900.25
2016-11-19: blog post about the issue
2016-11-23: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

imagemagick: heap-based buffer overflow in IsPixelGray (pixel-accessor.h)

Description:
imagemagick is a software suite to create, edit, compose, or convert bitmap images.

A fuzz on an updated version revealed another overflow.

The complete ASan output:

# identify $FILE
=================================================================
==696==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009700 at pc 0x7f300036c9a3 bp 0x7fff6e225970 sp 0x7fff6e225968
READ of size 4 at 0x611000009700 thread T0
    #0 0x7f300036c9a2 in IsPixelGray /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/./MagickCore/pixel-accessor.h:507:30
    #1 0x7f300036c9a2 in IdentifyImageGray /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/attribute.c:677
    #2 0x7f300036f0dd in IdentifyImageType /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/attribute.c:821:7
    #3 0x7f300090c1da in IdentifyImage /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/identify.c:527:8
    #4 0x7f2fff364075 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickWand/identify.c:336:22
    #5 0x7f2fff4afeca in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickWand/mogrify.c:183:14
    #6 0x50a339 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/utilities/magick.c:145:10
    #7 0x50a339 in main /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/utilities/magick.c:176
    #8 0x7f2ffd99c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #9 0x419d28 in _init (/usr/bin/magick+0x419d28)

0x611000009700 is located 0 bytes to the right of 192-byte region [0x611000009640,0x611000009700)
allocated by thread T0 here:
    #0 0x4d3685 in posix_memalign /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:130
    #1 0x7f3000a466b0 in AcquireAlignedMemory /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/memory.c:258:7
    #2 0x7f300043addf in AcquireCacheNexusPixels /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/cache.c:4636:33
    #3 0x7f3000402030 in SetPixelCacheNexusPixels /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/cache.c:4748:14
    #4 0x7f30003e7d2d in GetVirtualPixelsFromNexus /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/cache.c:2629:10
    #5 0x7f3000444e53 in GetCacheViewVirtualPixels /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/cache-view.c:664:10
    #6 0x7f300036b27c in IdentifyImageGray /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/attribute.c:672:7
    #7 0x7f300036f0dd in IdentifyImageType /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/attribute.c:821:7
    #8 0x7f300090c1da in IdentifyImage /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickCore/identify.c:527:8
    #9 0x7f2fff364075 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickWand/identify.c:336:22
    #10 0x7f2fff4afeca in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/MagickWand/mogrify.c:183:14
    #11 0x50a339 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/utilities/magick.c:145:10
    #12 0x50a339 in main /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/utilities/magick.c:176
    #13 0x7f2ffd99c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/imagemagick-7.0.3.6/work/ImageMagick-7.0.3-6/./MagickCore/pixel-accessor.h:507:30 in IsPixelGray
Shadow bytes around the buggy address:
  0x0c227fff9290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff92a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff92b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff92c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff92d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff92e0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff92f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff9300: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c227fff9310: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff9320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff9330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==696==ABORTING

Affected version:
7.0.3.6

Fixed version:
7.0.3.8

Commit fix:
https://github.com/ImageMagick/ImageMagick/commit/ce98a7acbcfca7f0a178f4b1e7b957e419e0cc99

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-9556

Reproducer:
https://github.com/asarubbo/poc/blob/master/00051-imagemagick-heapoverflow-IsPixelGray

Timeline:
2016-11-16: bug discovered and reported to upstream
2016-11-17: upstream released a patch
2016-11-19: blog post about the issue
2016-11-23: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

jasper: multiple Assertion failure

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

A fuzzing run revealed multiple assertion failures.
Since the jasper maintainer releases frequently, the fuzzing was done across multiple versions. The "affected version" tag means that the issue was tested and discovered on that version, so previous versions may be affected too.
The latest failures are unfixed. I will update the post when upstream works on them.

Affected version:
1.900.12
Output/failure:
imginfo: /tmp/portage/media-libs/jasper-1.900.12/work/jasper-1.900.12/src/libjasper/base/jas_seq.c:90: jas_matrix_t *jas_seq2d_create(int, int, int, int): Assertion `xstart <= xend && ystart <= yend' failed.
Commit fix:
https://github.com/mdadams/jasper/commit/d91198abd00fc435a397fe6bad906a4c1748e9cf
Fixed version:
1.900.13
Testcase:
https://github.com/asarubbo/poc/blob/master/00003-jasper-assert-jas_matrix_t
CVE:
CVE-2016-9387

######################################################

Affected version:
1.900.13
Output/failure:
/tmp/portage/media-libs/jasper-1.900.13/work/jasper-1.900.13/src/libjasper/ras/ras_dec.c:330: int ras_getcmap(jas_stream_t *, ras_hdr_t *, ras_cmap_t *): Assertion `numcolors <= 256' failed.
Commit fix:
https://github.com/mdadams/jasper/commit/411a4068f8c464e883358bf403a3e25158863823
Fixed version:
1.900.14
Testcase:
https://github.com/asarubbo/poc/blob/master/00005-jasper-assert-ras_getcmap
CVE:
CVE-2016-9388

######################################################

Affected version:
1.900.13
Output/failure:
imginfo: /tmp/portage/media-libs/jasper-1.900.13/work/jasper-1.900.13/src/libjasper/jpc/jpc_mct.c:146: void jpc_irct(jas_matrix_t *, jas_matrix_t *, jas_matrix_t *): Assertion `((c1)->numrows_) == numrows && ((c1)->numcols_) == numcols && ((c2)->numrows_) == numrows && ((c2)->numcols_) == numcols' failed.
Commit fix:
https://github.com/mdadams/jasper/commit/dee11ec440d7908d1daf69f40a3324b27cf213ba
Fixed version:
1.900.14
Testcase:
https://github.com/asarubbo/poc/blob/master/00006-jasper-assert-jpc_irct
CVE:
CVE-2016-9389

######################################################

Affected version:
1.900.13
Output/failure:
type = 0xff76 (UNKNOWN); len = 20;10 40 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 imginfo: /tmp/portage/media-libs/jasper-1.900.13/work/jasper-1.900.13/src/libjasper/jpc/jpc_mct.c:233: void jpc_iict(jas_matrix_t *, jas_matrix_t *, jas_matrix_t *): Assertion `((c1)->numcols_) == numcols && ((c2)->numcols_) == numcols' failed.
Commit fix:
https://github.com/mdadams/jasper/commit/dee11ec440d7908d1daf69f40a3324b27cf213ba
Fixed version:
1.900.14
Testcase:
https://github.com/asarubbo/poc/blob/master/00008-jasper-assert-jpc_iict
CVE:
CVE-2016-9389

######################################################

Affected version:
1.900.13
Output/failure:
imginfo: /tmp/portage/media-libs/jasper-1.900.13/work/jasper-1.900.13/src/libjasper/base/jas_seq.c:90: jas_matrix_t *jas_seq2d_create(int, int, int, int): Assertion `xstart <= xend && ystart <= yend' failed.
Commit fix:
https://github.com/mdadams/jasper/commit/ba2b9d000660313af7b692542afbd374c5685865
Fixed version:
1.900.14
Testcase:
https://github.com/asarubbo/poc/blob/master/00007-jasper-assert-jas_matrix_t
CVE:
CVE-2016-9390

######################################################

Affected version:
1.900.13
Output/failure:
type = 0xff05 (UNKNOWN); len = 20;01 40 40 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 imginfo: /tmp/portage/media-libs/jasper-1.900.13/work/jasper-1.900.13/src/libjasper/jpc/jpc_bs.c:197: long jpc_bitstream_getbits(jpc_bitstream_t *, int): Assertion `n >= 0 && n < 32' failed.
Commit fix:
https://github.com/mdadams/jasper/commit/1e84674d95353c64e5c4c0e7232ae86fd6ea813b
Fixed version:
1.900.14
Testcase:
https://github.com/asarubbo/poc/blob/master/00014-jasper-assert-jpc_bitstream_getbits
CVE:
CVE-2016-9391

######################################################

Affected version:
1.900.13
Output/failure:
imginfo: /tmp/portage/media-libs/jasper-1.900.13/work/jasper-1.900.13/src/libjasper/jpc/jpc_dec.c:1637: void calcstepsizes(uint_fast16_t, int, uint_fast16_t *): Assertion `!((expn + (numrlvls - 1) - (numrlvls - 1 - ((bandno > 0) ? ((bandno + 2) / 3) : (0)))) & (~0x1f))' failed.
Commit fix:
https://github.com/mdadams/jasper/commit/f7038068550fba0e41e1d0c355787f1dcd5bf330
Fixed version:
1.900.17
Testcase:
https://github.com/asarubbo/poc/blob/master/00012-jasper-assert-calcstepsizes
CVE:
CVE-2016-9392

######################################################

Affected version:
1.900.13
Output/failure:
type = 0xff41 (UNKNOWN); len = 20;02 40 40 00 00 00 00 ee ff 00 00 00 00 24 00 00 00 00 imginfo: /tmp/portage/media-libs/jasper-1.900.13/work/jasper-1.900.13/src/libjasper/jpc/jpc_t2cod.c:297: int jpc_pi_nextrpcl(jpc_pi_t *): Assertion `pi->prcno < pirlvl->numprcs' failed.
Commit fix:
https://github.com/mdadams/jasper/commit/f7038068550fba0e41e1d0c355787f1dcd5bf330
Fixed version:
1.900.17
Testcase:
https://github.com/asarubbo/poc/blob/master/00013-jasper-assert-jpc_pi_nextrpcl
CVE:
CVE-2016-9393

######################################################

Affected version:
1.900.15
Output/failure:
imginfo: /tmp/portage/media-libs/jasper-1.900.15/work/jasper-1.900.15/src/libjasper/base/jas_seq.c:90: jas_matrix_t *jas_seq2d_create(int, int, int, int): Assertion `xstart <= xend && ystart <= yend' failed.
Commit fix:
https://github.com/mdadams/jasper/commit/f7038068550fba0e41e1d0c355787f1dcd5bf330
Fixed version:
1.900.17
Testcase:
https://github.com/asarubbo/poc/blob/master/00016-jasper-assert-jas_matrix_t
CVE:
CVE-2016-9394

######################################################

Affected version:
1.900.22
Output/failure:
warning: trailing garbage in marker segment (9 bytes)
warning: trailing garbage in marker segment (40 bytes)
warning: ignoring unknown marker segment (0xffee)
type = 0xffee (UNKNOWN); len = 23;1f 32 ff ff ff 00 10 00 3d 4d 00 01 32 ff 00 e4 00 10 00 00 4f warning: trailing garbage in marker segment (34 bytes)
imginfo: /tmp/portage/media-libs/jasper-1.900.22/work/jasper-1.900.22/src/libjasper/base/jas_seq.c:90: jas_matrix_t *jas_seq2d_create(int, int, int, int): Assertion `xstart <= xend && ystart <= yend' failed.
Commit fix:
https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a
Fixed version:
1.900.25
Testcase:
https://github.com/asarubbo/poc/blob/master/00043-jasper-assert-jas_matrix_t
CVE:
CVE-2016-9395

######################################################

Affected version:
1.900.13
Output/failure:
/tmp/portage/media-libs/jasper-1.900.13/work/jasper-1.900.13/src/libjasper/jpc/jpc_t1cod.c:144: int JPC_NOMINALGAIN(int, int, int, int): Assertion `qmfbid == 0x01' failed.
Commit fix:
N/A
Fixed version:
N/A
Testcase:
https://github.com/asarubbo/poc/blob/master/00004-jasper-assert-JPC_NOMINALGAIN
CVE:
CVE-2016-9396

######################################################

Affected version:
1.900.13
Output/failure:
type = 0xff76 (UNKNOWN); len = 20;00 40 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 imginfo: /tmp/portage/media-libs/jasper-1.900.13/work/jasper-1.900.13/src/libjasper/jpc/jpc_dec.c:1817: void jpc_dequantize(jas_matrix_t *, jpc_fix_t): Assertion `absstepsize >= 0' failed.
Commit fix:
N/A
Fixed version:
N/A
Testcase:
https://github.com/asarubbo/poc/blob/master/00010-jasper-assert-jpc_dequantize
CVE:
CVE-2016-9397

######################################################

Affected version:
1.900.17
Output/failure:
imginfo: /tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_math.c:94: int jpc_floorlog2(int): Assertion `x > 0' failed.
Commit fix:
N/A
Fixed version:
N/A
Testcase:
https://github.com/asarubbo/poc/blob/master/00023-jasper-assert-jpc_floorlog2
CVE:
CVE-2016-9398

######################################################

Affected version:
1.900.22
Output/failure:
warning: trailing garbage in marker segment (9 bytes)
warning: trailing garbage in marker segment (28 bytes)
warning: trailing garbage in marker segment (40 bytes)
warning: ignoring unknown marker segment (0xffee)
type = 0xffee (UNKNOWN); len = 23;1f 32 ff ff ff 00 10 00 3d 4d 00 01 32 40 e4 e4 00 10 00 00 4f warning: trailing garbage in marker segment (12 bytes)
imginfo: /tmp/portage/media-libs/jasper-1.900.22/work/jasper-1.900.22/src/libjasper/jpc/jpc_dec.c:1650: void calcstepsizes(uint_fast16_t, int, uint_fast16_t *): Assertion `!((expn + (numrlvls - 1) - (numrlvls - 1 - ((bandno > 0) ? ((bandno + 2) / 3) : (0)))) & (~0x1f))' failed.
Commit fix:
N/A
Fixed version:
N/A
Testcase:
https://github.com/asarubbo/poc/blob/master/00044-jasper-assert-calcstepsizes
CVE:
CVE-2016-9399

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-10-23: start to report to upstream the issues
2016-11-16: blog post about the issue
2016-11-17: CVE assigned

Note:
These bugs were found with American Fuzzy Lop.

libming: listmp3: left shift in listmp3.c

Description:
libming is a Flash (SWF) output library. It can be used from PHP, Perl, Ruby, Python, C, C++, Java, and probably more on the way.

A fuzzing run revealed a left shift of a negative value in listmp3. The bug does not reside in any shared object, but if you have a web application that calls the listmp3 binary directly to parse untrusted mp3 files, then you are affected.

The complete UBSan output:

# listmp3 $FILE
listmp3.c:94:23: runtime error: left shift of negative value -1
listmp3.c:95:23: runtime error: left shift of negative value -1

Affected version:
0.4.7

Fixed version:
0.4.8

Commit fix:
https://github.com/libming/libming/commit/2e5a98a0dbbd9714294007c601e584aa201494ed

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-9266

Reproducer:
https://github.com/asarubbo/poc/blob/master/00046-libming-leftshift-listmp3_c

Timeline:
2016-08-13: bug discovered
2016-10-20: bug reported to upstream
2016-11-09: blog post about the issue
2016-11-10: CVE assigned
2017-01-30: upstream released a patch
2017-04-07: upstream released 0.4.8

Note:
This bug was found with American Fuzzy Lop.

libming: listmp3: divide-by-zero in printMP3Headers (listmp3.c)

Description:
libming is a Flash (SWF) output library. It can be used from PHP, Perl, Ruby, Python, C, C++, Java, and probably more on the way.

A fuzzing run revealed a divide by zero in listmp3. The bug does not reside in any shared object, but if you have a web application that calls the listmp3 binary directly to parse untrusted mp3 files, then you are affected.

The complete ASan output:

# listmp3 $FILE
ASAN:DEADLYSIGNAL
=================================================================
==29561==ERROR: AddressSanitizer: FPE on unknown address 0x0000004f19e8 (pc 0x0000004f19e8 bp 0x000000000000 sp 0x7ffdf0ab6340 T0)
    #0 0x4f19e7 in printMP3Headers /var/tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/listmp3.c:172:54
    #1 0x4f1bee in main /var/tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/listmp3.c:191:3
    #2 0x7f49407a361f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #3 0x418ae8 in getenv (/usr/bin/listmp3+0x418ae8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /var/tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/listmp3.c:172:54 in printMP3Headers
==29561==ABORTING

Affected version:
0.4.7

Fixed version:
0.4.8

Commit fix:
https://github.com/libming/libming/commit/b0704f80ef2ec1507043df77d6519d18cf017e16

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-9265

Reproducer:
https://github.com/asarubbo/poc/blob/master/00045-libming-fpe-printMP3Headers

Timeline:
2016-08-13: bug discovered
2016-10-20: bug reported to upstream
2016-11-09: blog post about the issue
2016-11-10: CVE assigned
2017-01-30: upstream released a patch
2017-04-07: upstream released 0.4.8

Note:
This bug was found with American Fuzzy Lop.

libtiff: memory allocation failure in _TIFFCheckRealloc (tif_aux.c)

Description:
libtiff is a software that provides support for the Tag Image File Format (TIFF).

During the fuzzing of imagemagick, I noticed a memory allocation failure in libtiff. The issue was first reported to the imagemagick developers, who confirmed that it resides in libtiff rather than in imagemagick.

The complete ASan output:

# identify $FILE
==26726==ERROR: AddressSanitizer failed to allocate 0x4195c4000 (17605345280) bytes of LargeMmapAllocator (error code: 12)
        0x614000020000-0x615000000000                                                                                                                                                                                                                                          
        0x615000000000-0x615000020000                                                                                                                                                                                                                                          
        0x615000020000-0x616000000000                                                                                                                                                                                                                                          
        0x616000000000-0x616000020000                                                                                                                                                                                                                                          
        0x616000020000-0x618000000000                                                                                                                                                                                                                                          
        0x618000000000-0x618000020000                                                                                                                                                                                                                                          
        0x618000020000-0x619000000000                                                                                                                                                                                                                                          
        0x619000000000-0x619000020000                                                                                                                                                                                                                                          
        0x619000020000-0x61a000000000                                                                                                                                                                                                                                          
        0x61a000000000-0x61a000020000                                                                                                                                                                                                                                          
        0x61a000020000-0x61b000000000
        0x61b000000000-0x61b000020000
        0x61b000020000-0x61d000000000
        0x61d000000000-0x61d000020000
        0x61d000020000-0x621000000000
        0x621000000000-0x621000020000
        0x621000020000-0x622000000000
        0x622000000000-0x622000020000
        0x622000020000-0x623000000000
        0x623000000000-0x623000020000
        0x623000020000-0x624000000000
        0x624000000000-0x624000020000
        0x624000020000-0x625000000000
        0x625000000000-0x625000020000
        0x625000020000-0x627000000000
        0x627000000000-0x627000030000
        0x627000030000-0x629000000000
        0x629000000000-0x629000010000
        0x629000010000-0x62f000000000
        0x62f000000000-0x62f000030000
        0x62f000030000-0x640000000000
        0x640000000000-0x640000003000
        0x7fa3c74b3000-0x7fa3c7517000   /usr/lib64/libtiff.so.5.2.4
        0x7fa3c7517000-0x7fa3c7717000   /usr/lib64/libtiff.so.5.2.4
        0x7fa3c7717000-0x7fa3c7718000   /usr/lib64/libtiff.so.5.2.4
        0x7fa3c7718000-0x7fa3c771b000   /usr/lib64/libtiff.so.5.2.4
        0x7fa3c771b000-0x7fa3c771c000
        0x7fa3c771c000-0x7fa3c7786000   /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/coders/tiff.so
        0x7fa3c7786000-0x7fa3c7986000   /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/coders/tiff.so
        0x7fa3c7986000-0x7fa3c7988000   /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/coders/tiff.so
        0x7fa3c7988000-0x7fa3c798e000   /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/coders/tiff.so
        0x7fa3c798e000-0x7fa3ce000000   /usr/lib64/locale/locale-archive
        0x7fa3ce000000-0x7fa3ce100000
        0x7fa3ce200000-0x7fa3ce300000
        0x7fa3ce31d000-0x7fa3d066f000
        0x7fa3d066f000-0x7fa3d0696000   /usr/lib64/libexpat.so.1.6.0
        0x7fa3d0696000-0x7fa3d0895000   /usr/lib64/libexpat.so.1.6.0
        0x7fa3d0895000-0x7fa3d0898000   /usr/lib64/libexpat.so.1.6.0
        0x7fa3d0898000-0x7fa3d0899000   /usr/lib64/libexpat.so.1.6.0
        0x7fa3d0899000-0x7fa3d09ce000   /usr/lib64/libglib-2.0.so.0.4600.2
        0x7fa3d09ce000-0x7fa3d0bce000   /usr/lib64/libglib-2.0.so.0.4600.2
        0x7fa3d0bce000-0x7fa3d0bcf000   /usr/lib64/libglib-2.0.so.0.4600.2
        0x7fa3d0bcf000-0x7fa3d0bd0000   /usr/lib64/libglib-2.0.so.0.4600.2
        0x7fa3d0bd0000-0x7fa3d0bd1000
        0x7fa3d0bd1000-0x7fa3d0bda000   /usr/lib64/libltdl.so.7.3.1
        0x7fa3d0bda000-0x7fa3d0dd9000   /usr/lib64/libltdl.so.7.3.1
        0x7fa3d0dd9000-0x7fa3d0dda000   /usr/lib64/libltdl.so.7.3.1
        0x7fa3d0dda000-0x7fa3d0ddb000   /usr/lib64/libltdl.so.7.3.1
        0x7fa3d0ddb000-0x7fa3d0df0000   /lib64/libz.so.1.2.8
        0x7fa3d0df0000-0x7fa3d0fef000   /lib64/libz.so.1.2.8
        0x7fa3d0fef000-0x7fa3d0ff0000   /lib64/libz.so.1.2.8
        0x7fa3d0ff0000-0x7fa3d0ff1000   /lib64/libz.so.1.2.8
        0x7fa3d0ff1000-0x7fa3d1000000   /lib64/libbz2.so.1.0.6
        0x7fa3d1000000-0x7fa3d11ff000   /lib64/libbz2.so.1.0.6
        0x7fa3d11ff000-0x7fa3d1200000   /lib64/libbz2.so.1.0.6
        0x7fa3d1200000-0x7fa3d1201000   /lib64/libbz2.so.1.0.6
        0x7fa3d1201000-0x7fa3d12a8000   /usr/lib64/libfreetype.so.6.12.3
        0x7fa3d12a8000-0x7fa3d14a8000   /usr/lib64/libfreetype.so.6.12.3
        0x7fa3d14a8000-0x7fa3d14ae000   /usr/lib64/libfreetype.so.6.12.3
        0x7fa3d14ae000-0x7fa3d14af000   /usr/lib64/libfreetype.so.6.12.3
        0x7fa3d14af000-0x7fa3d14ea000   /usr/lib64/libfontconfig.so.1.8.0
        0x7fa3d14ea000-0x7fa3d16e9000   /usr/lib64/libfontconfig.so.1.8.0
        0x7fa3d16e9000-0x7fa3d16eb000   /usr/lib64/libfontconfig.so.1.8.0
        0x7fa3d16eb000-0x7fa3d16ec000   /usr/lib64/libfontconfig.so.1.8.0
        0x7fa3d16ec000-0x7fa3d18e1000   /usr/lib64/libfftw3.so.3.4.4
        0x7fa3d18e1000-0x7fa3d1ae0000   /usr/lib64/libfftw3.so.3.4.4
        0x7fa3d1ae0000-0x7fa3d1af4000   /usr/lib64/libfftw3.so.3.4.4
        0x7fa3d1af4000-0x7fa3d1af5000   /usr/lib64/libfftw3.so.3.4.4
        0x7fa3d1af5000-0x7fa3d1b03000   /usr/lib64/liblqr-1.so.0.3.2
        0x7fa3d1b03000-0x7fa3d1d02000   /usr/lib64/liblqr-1.so.0.3.2
        0x7fa3d1d02000-0x7fa3d1d03000   /usr/lib64/liblqr-1.so.0.3.2
        0x7fa3d1d03000-0x7fa3d1d04000   /usr/lib64/liblqr-1.so.0.3.2
        0x7fa3d1d04000-0x7fa3d1d57000   /usr/lib64/liblcms2.so.2.0.6
        0x7fa3d1d57000-0x7fa3d1f57000   /usr/lib64/liblcms2.so.2.0.6
        0x7fa3d1f57000-0x7fa3d1f58000   /usr/lib64/liblcms2.so.2.0.6
        0x7fa3d1f58000-0x7fa3d1f5d000   /usr/lib64/liblcms2.so.2.0.6
        0x7fa3d1f5d000-0x7fa3d20f0000   /lib64/libc-2.22.so
        0x7fa3d20f0000-0x7fa3d22f0000   /lib64/libc-2.22.so
        0x7fa3d22f0000-0x7fa3d22f4000   /lib64/libc-2.22.so
        0x7fa3d22f4000-0x7fa3d22f6000   /lib64/libc-2.22.so
        0x7fa3d22f6000-0x7fa3d22fa000
        0x7fa3d22fa000-0x7fa3d2310000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7fa3d2310000-0x7fa3d250f000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7fa3d250f000-0x7fa3d2510000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7fa3d2510000-0x7fa3d2511000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7fa3d2511000-0x7fa3d2517000   /lib64/librt-2.22.so
        0x7fa3d2517000-0x7fa3d2717000   /lib64/librt-2.22.so
        0x7fa3d2717000-0x7fa3d2718000   /lib64/librt-2.22.so
        0x7fa3d2718000-0x7fa3d2719000   /lib64/librt-2.22.so
        0x7fa3d2719000-0x7fa3d2730000   /lib64/libpthread-2.22.so
        0x7fa3d2730000-0x7fa3d292f000   /lib64/libpthread-2.22.so
        0x7fa3d292f000-0x7fa3d2930000   /lib64/libpthread-2.22.so
        0x7fa3d2930000-0x7fa3d2931000   /lib64/libpthread-2.22.so
        0x7fa3d2931000-0x7fa3d2935000
        0x7fa3d2935000-0x7fa3d2a32000   /lib64/libm-2.22.so
        0x7fa3d2a32000-0x7fa3d2c31000   /lib64/libm-2.22.so
        0x7fa3d2c31000-0x7fa3d2c32000   /lib64/libm-2.22.so
        0x7fa3d2c32000-0x7fa3d2c33000   /lib64/libm-2.22.so
        0x7fa3d2c33000-0x7fa3d2c35000   /lib64/libdl-2.22.so
        0x7fa3d2c35000-0x7fa3d2e35000   /lib64/libdl-2.22.so
        0x7fa3d2e35000-0x7fa3d2e36000   /lib64/libdl-2.22.so
        0x7fa3d2e36000-0x7fa3d2e37000   /lib64/libdl-2.22.so
        0x7fa3d2e37000-0x7fa3d32fd000   /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
        0x7fa3d32fd000-0x7fa3d34fc000   /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
        0x7fa3d34fc000-0x7fa3d3511000   /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
        0x7fa3d3511000-0x7fa3d3553000   /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
        0x7fa3d3553000-0x7fa3d40e6000   /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
        0x7fa3d40e6000-0x7fa3d42e5000   /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
        0x7fa3d42e5000-0x7fa3d431e000   /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
        0x7fa3d431e000-0x7fa3d4390000   /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
        0x7fa3d4390000-0x7fa3d4393000
        0x7fa3d4393000-0x7fa3d43b5000   /lib64/ld-2.22.so
        0x7fa3d44ad000-0x7fa3d44cd000
        0x7fa3d44cd000-0x7fa3d44f0000   /usr/share/locale/it/LC_MESSAGES/libc.mo
        0x7fa3d44f0000-0x7fa3d44f1000
        0x7fa3d44f5000-0x7fa3d45a7000
        0x7fa3d45a7000-0x7fa3d45b4000
        0x7fa3d45b4000-0x7fa3d45b5000   /lib64/ld-2.22.so
        0x7fa3d45b5000-0x7fa3d45b6000   /lib64/ld-2.22.so
        0x7fa3d45b6000-0x7fa3d45b7000
        0x7fff923b9000-0x7fff923da000   [stack]
        0x7fff923de000-0x7fff923e0000   [vvar]
        0x7fff923e0000-0x7fff923e2000   [vdso]
        0xffffffffff600000-0xffffffffff601000   [vsyscall]
==26726==End of process memory map.
==26726==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4c9f9d in AsanCheckFailed /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x4d0ad3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
    #2 0x4d0cc1 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183
    #3 0x4d9cfa in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:122
    #4 0x4244ea in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1033
    #5 0x4244ea in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >*, unsigned long, unsigned long, bool, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1302
    #6 0x4244ea in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:368
    #7 0x4c09e1 in realloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:79
    #8 0x7fa3c74badcb in _TIFFCheckRealloc /tmp/portage/media-libs/tiff-4.0.6/work/tiff-4.0.6/libtiff/tif_aux.c:73
    #9 0x7fa3c74c8599 in ChopUpSingleUncompressedStrip /tmp/portage/media-libs/tiff-4.0.6/work/tiff-4.0.6/libtiff/tif_dirread.c:5519
    #10 0x7fa3c74c8599 in TIFFReadDirectory /tmp/portage/media-libs/tiff-4.0.6/work/tiff-4.0.6/libtiff/tif_dirread.c:4032
    #11 0x7fa3c74e1d21 in TIFFClientOpen /tmp/portage/media-libs/tiff-4.0.6/work/tiff-4.0.6/libtiff/tif_open.c:466
    #12 0x7fa3c7731955 in ReadTIFFImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/coders/tiff.c:1160:8
    #13 0x7fa3d37beb12 in ReadImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:496:13
    #14 0x7fa3d3f56406 in ReadStream /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/stream.c:1012:9
    #15 0x7fa3d37bd5ca in PingImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:226:9
    #16 0x7fa3d37bde25 in PingImages /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:326:10
    #17 0x7fa3d30434c3 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/identify.c:319:18
    #18 0x7fa3d30d926a in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/mogrify.c:183:14
    #19 0x4f1fb5 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:145:10
    #20 0x4f1fb5 in main /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:176
    #21 0x7fa3d1f7d61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #22 0x419138 in _init (/usr/bin/magick+0x419138)

Affected version:
4.0.6

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00032-libtiff-memalloc-_TIFFCheckRealloc

Timeline:
2016-09-14: bug discovered
2016-11-04: bug reported to upstream
2016-11-09: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

libtiff: memory allocation failure in _TIFFCheckRealloc (tif_aux.c)

Posted in advisories, security

libming: listmp3: global-buffer-overflow in printMP3Headers (listmp3.c)

Description:
libming is a Flash (SWF) output library. It can be used from PHP, Perl, Ruby, Python, C, C++, Java, and probably more on the way.

Fuzzing revealed a global buffer overflow in listmp3. The bug does not reside in any shared object, but if you have a web application that directly calls the listmp3 binary to parse untrusted MP3 files, then you are affected.

The complete ASan output:

# listmp3 $FILE
==29519==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000722e0c at pc 0x0000004f1a99 bp 0x7ffe42b1d7f0 sp 0x7ffe42b1d7e8
READ of size 4 at 0x000000722e0c thread T0
    #0 0x4f1a98 in printMP3Headers /var/tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/listmp3.c:128:20
    #1 0x4f1bee in main /var/tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/listmp3.c:191:3
    #2 0x7fe262a4761f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #3 0x418ae8 in getenv (/usr/bin/listmp3+0x418ae8)

0x000000722e0c is located 52 bytes to the left of global variable 'mp2_samplerate_table' defined in 'listmp3.c:44:5' (0x722e40) of size 12
0x000000722e0c is located 0 bytes to the right of global variable 'mp1_samplerate_table' defined in 'listmp3.c:43:5' (0x722e00) of size 12
SUMMARY: AddressSanitizer: global-buffer-overflow /var/tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/listmp3.c:128:20 in printMP3Headers
Shadow bytes around the buggy address:
  0x0000800dc570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800dc580: 00 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9
  0x0000800dc590: 00 00 00 00 00 00 00 04 f9 f9 f9 f9 00 00 00 00
  0x0000800dc5a0: 00 00 00 04 f9 f9 f9 f9 00 00 00 00 00 00 00 04
  0x0000800dc5b0: f9 f9 f9 f9 00 00 00 00 00 00 00 04 f9 f9 f9 f9
=>0x0000800dc5c0: 00[04]f9 f9 f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9
  0x0000800dc5d0: 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000800dc5e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800dc5f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800dc600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800dc610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29519==ABORTING
frame 1: MP25 layer 1, 8000 Hz, 0kbps, mono, length=0, protect off

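The report above says a 4-byte read landed 0 bytes to the right of a 12-byte global table, i.e. one entry past a 3-entry int table. That is the shape of a lookup indexed by a header field that can take more values than the table has entries: the MPEG audio frame header carries a 2-bit sampling-rate index in bits 11..10, and value 3 is reserved by the spec, so a 3-entry table is exactly one short of what an unchecked index can reach. The following is an added example written for this post, not libming's code; the table contents, the frame bytes and the function names are constructed, while the header layout (11-bit frame sync, sampling-rate index at bits 11..10, index 3 reserved) is from the MPEG audio specification. It shows the unchecked pattern beside a bounds-checked lookup and a parser that validates the sync bits before any field is used.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed MPEG-1 sample-rate table (not libming's): the header's 2-bit
 * sampling-rate field selects an entry, and value 3 is reserved, so the
 * table naturally has 3 entries (12 bytes, the size ASan reported). */
static const int mp1_samplerate_table[3] = { 44100, 48000, 32000 };
#define MP1_SAMPLERATE_ENTRIES \
    (sizeof mp1_samplerate_table / sizeof mp1_samplerate_table[0])

/* Constructed 4-byte big-endian frame headers used as sample input.
 * kFrameOk has sampling-rate index 0, kFrameReserved has the reserved
 * index 3, kFrameNoSync lacks the 11-bit frame sync. */
static const uint8_t kFrameOk[4]       = { 0xFF, 0xFB, 0x90, 0x64 };
static const uint8_t kFrameReserved[4] = { 0xFF, 0xFB, 0x9C, 0x64 };
static const uint8_t kFrameNoSync[4]   = { 0x00, 0xFB, 0x90, 0x64 };

/* Bits 11..10 of the 32-bit header hold the sampling-rate index (0..3). */
unsigned samplerate_index(uint32_t header)
{
    return (header >> 10) & 0x3u;
}

/* Vulnerable pattern: the 2-bit field is used as an index without being
 * checked against the table length, so index 3 reads 4 bytes past the
 * table, which is the read ASan reported above. Shown for contrast only. */
int samplerate_unchecked(uint32_t header)
{
    return mp1_samplerate_table[samplerate_index(header)];
}

/* Hardened lookup: reject any index the table does not cover. */
int samplerate_checked(uint32_t header)
{
    unsigned idx = samplerate_index(header);
    if (idx >= MP1_SAMPLERATE_ENTRIES)
        return -1;                   /* reserved value: invalid frame */
    return mp1_samplerate_table[idx];
}

/* Assemble the header from untrusted bytes: require 4 bytes and the
 * 11-bit frame sync before any field is trusted. Returns 1 on success. */
int header_from_bytes(const uint8_t *buf, size_t len, uint32_t *out)
{
    if (buf == NULL || len < 4)
        return 0;
    uint32_t h = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                 ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if ((h >> 21) != 0x7FFu)
        return 0;                    /* no frame sync: not a header */
    *out = h;
    return 1;
}

/* End-to-end: bytes in, sample rate out, -1 for anything malformed. */
int samplerate_from_bytes(const uint8_t *buf, size_t len)
{
    uint32_t h;
    if (!header_from_bytes(buf, len, &h))
        return -1;
    return samplerate_checked(h);
}

int main(void)
{
    printf("ok frame:       %d Hz\n", samplerate_from_bytes(kFrameOk, 4));
    printf("reserved index: %d\n", samplerate_from_bytes(kFrameReserved, 4));
    printf("no sync:        %d\n", samplerate_from_bytes(kFrameNoSync, 4));
    return 0;
}
```

The check in samplerate_checked is the whole fix for this bug class: the index range comes from the field width, the table size comes from the spec's valid values, and the two only agree if the reserved value is rejected explicitly. Building with -fsanitize=address and feeding the reserved frame to samplerate_unchecked reproduces a global-buffer-overflow report of the same shape as the one above.
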
Affected version:
0.4.7

Fixed version:
0.4.8

Commit fix:
https://github.com/libming/libming/commit/19e7127e29122be571c87bfb90bca9581417d220

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-9264

Reproducer:
https://github.com/asarubbo/poc/blob/master/00034-libming-globaloverflow-printMP3Headers

Timeline:
2016-08-13: bug discovered
2016-10-20: bug reported to upstream
2016-11-07: blog post about the issue
2016-11-10: CVE assigned
2017-01-30: upstream released a patch
2017-04-07: upstream released 0.4.8

Note:
This bug was found with American Fuzzy Lop.

Permalink:

libming: listmp3: global-buffer-overflow in printMP3Headers (listmp3.c)

Posted in advisories, security