{"id":540,"date":"2016-09-15T17:53:49","date_gmt":"2016-09-15T15:53:49","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=540"},"modified":"2016-10-16T14:14:05","modified_gmt":"2016-10-16T12:14:05","slug":"graphicsmagick-stack-based-buffer-overflow-in-readsctimage-sct-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/09\/15\/graphicsmagick-stack-based-buffer-overflow-in-readsctimage-sct-c\/","title":{"rendered":"graphicsmagick: stack-based buffer overflow in ReadSCTImage (sct.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"http:\/\/www.graphicsmagick.org\/\">Graphicsmagick<\/a> is an Image Processing System.<\/p>\n<p>After the first round of fuzzing where I discovered some slowness issues that make the fuzz hard, the second round revealed a stack-buffer-overflow.<\/p>\n<p>The complete ASan output:<\/p>\n<pre><font size=\"2\"># gm identify $FILE\r\n==23362==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffaab3b8e0 at pc 0x000000453e36 bp 0x7fffaab3b570 sp 0x7fffaab3ad20\r\nREAD of size 769 at 0x7fffaab3b8e0 thread T0\r\n    #0 0x453e35 in StrtolFixAndCheck \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_common_interceptors.inc:2596\r\n    #1 0x4545c1 in __interceptor_strtol \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_interceptors.cc:633\r\n    #2 0x7f73e9a847df in ReadSCTImage \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.25\/work\/GraphicsMagick-1.3.25\/coders\/sct.c:191:19\r\n    #3 0x7f73f473eb13 in ReadImage \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.25\/work\/GraphicsMagick-1.3.25\/magick\/constitute.c:1607:13\r\n    #4 0x7f73f473ca94 in PingImage \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.25\/work\/GraphicsMagick-1.3.25\/magick\/constitute.c:1370:9\r\n    #5 0x7f73f4651b25 in IdentifyImageCommand \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.25\/work\/GraphicsMagick-1.3.25\/magick\/command.c:8375:17\r\n    #6 0x7f73f465797c in MagickCommand \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.25\/work\/GraphicsMagick-1.3.25\/magick\/command.c:8865:17\r\n    #7 0x7f73f46cf6fe in GMCommandSingle \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.25\/work\/GraphicsMagick-1.3.25\/magick\/command.c:17379:10\r\n    #8 0x7f73f46cd926 in GMCommand \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.25\/work\/GraphicsMagick-1.3.25\/magick\/command.c:17432:16\r\n    #9 0x7f73f352a61f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #10 0x418c88 in _init (\/usr\/bin\/gm+0x418c88)\r\n\r\nAddress 0x7fffaab3b8e0 is located in stack of thread T0 at offset 800 in frame\r\n    #0 0x7f73e9a8399f in ReadSCTImage \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.25\/work\/GraphicsMagick-1.3.25\/coders\/sct.c:126\r\n\r\n  This frame has 2 object(s):\r\n    [32, 800) 'buffer'\r\n    [928, 930) 'magick' 0x10007555f710: 00 00 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2\r\n  0x10007555f720: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 02 f3 f3 f3\r\n  0x10007555f730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x10007555f740: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 00 f2\r\n  0x10007555f750: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x10007555f760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==23362==ABORTING\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n1.3.25<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\n1.3.26 ( not yet released)<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"http:\/\/hg.code.sf.net\/p\/graphicsmagick\/code\/rev\/0a0dfa81906d\">http:\/\/hg.code.sf.net\/p\/graphicsmagick\/code\/rev\/0a0dfa81906d<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2016-8682<\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2016-09-09: bug discovered<br \/>\n2016-09-09: bug reported privately to upstream<br \/>\n2016-09-10: no upstream response<br \/>\n2016-09-15: blog post about the issue<br \/>\n2016-10-16: CVE Assigned<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"owhzuHcjWQ\" class=\"wp-embedded-content\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2016\/09\/15\/graphicsmagick-stack-based-buffer-overflow-in-readsctimage-sct-c\/\">graphicsmagick: stack-based buffer overflow in ReadSCTImage (sct.c)<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/blogs.gentoo.org\/ago\/2016\/09\/15\/graphicsmagick-stack-based-buffer-overflow-in-readsctimage-sct-c\/embed\/#?secret=owhzuHcjWQ\" data-secret=\"owhzuHcjWQ\" width=\"600\" height=\"338\" title=\"&#8220;graphicsmagick: stack-based buffer overflow in ReadSCTImage (sct.c)&#8221; &#8212; agostino&#039;s blog\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: Graphicsmagick is an Image Processing System. After the first round of fuzzing where I discovered some slowness issues that make the fuzz hard, the second round revealed a stack-buffer-overflow. The complete ASan output: # gm identify $FILE ==23362==ERROR: AddressSanitizer: &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2016\/09\/15\/graphicsmagick-stack-based-buffer-overflow-in-readsctimage-sct-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-8I","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/540"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=540"}],"version-history":[{"count":4,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/540\/revisions"}],"predecessor-version":[{"id":733,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/540\/revisions\/733"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=540"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=540"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=540"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}