{"id":636,"date":"2016-10-07T11:29:16","date_gmt":"2016-10-07T09:29:16","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=636"},"modified":"2016-10-16T11:41:45","modified_gmt":"2016-10-16T09:41:45","slug":"imagemagick-memory-allocate-failure-in-acquirequantumpixels-quantum-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/10\/07\/imagemagick-memory-allocate-failure-in-acquirequantumpixels-quantum-c\/","title":{"rendered":"imagemagick: memory allocate failure in AcquireQuantumPixels (quantum.c)"},"content":{"rendered":"

Description<\/strong>:
\nimagemagick<\/a> is a software suite to create, edit, compose, or convert bitmap images.<\/p>\n

A fuzzing with the upstream security policy<\/a> enabled revealed a memory allocate failure.<\/p>\n

The complete ASan output:<\/p>\n

# identify $FILE\r\n==25084==WARNING: AddressSanitizer failed to allocate 0x46bf39483ac bytes                                                                                                                                                                                                      \r\n==25084==AddressSanitizer's allocator is terminating the process instead of returning 0                                                                                                                                                                                        \r\n==25084==If you don't like this behavior set allocator_may_return_null=1                                                                                                                                                                                                       \r\n==25084==AddressSanitizer CHECK failed: \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/sanitizer_common\/sanitizer_allocator.cc:147 \"((0)) != (0)\" (0x0, 0x0)                                                                            \r\n    #0 0x4c9f9d in AsanCheckFailed \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_rtl.cc:67                                                                                                                                   \r\n    #1 0x4d0ad3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/sanitizer_common\/sanitizer_common.cc:159                              \r\n    #2 0x4ce826 in __sanitizer::ReportAllocatorCannotReturnNull() \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/sanitizer_common\/sanitizer_allocator.cc:147                                                                            \r\n    #3 0x421bfc in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::ReturnNullOrDie() \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_allocator.h:1317                                                                                                                                                                                                   \r\n    #4 0x421bfc in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_allocator.cc:359                       \r\n    #5 0x421bfc in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_allocator.cc:718                                                                       \r\n    #6 0x4c0661 in malloc \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:53                                                                                                                                   \r\n    #7 0x7f76c7533ff4 in AcquireQuantumPixels \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.0\/work\/ImageMagick-7.0.3-0\/MagickCore\/quantum.c:175:47                                                                                                                                  \r\n    #8 0x7f76c7533ff4 in SetQuantumDepth \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.0\/work\/ImageMagick-7.0.3-0\/MagickCore\/quantum.c:693                                                                                                                                          \r\n    #9 0x7f76c7532676 in AcquireQuantumInfo \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.0\/work\/ImageMagick-7.0.3-0\/MagickCore\/quantum.c:125:10                                                                                                                                    \r\n    #10 0x7f76baf3607e in ReadTIFFImage \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.0\/work\/ImageMagick-7.0.3-0\/coders\/tiff.c:1431:18                                                                                                                                              \r\n    #11 0x7f76c7067b12 in ReadImage \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.0\/work\/ImageMagick-7.0.3-0\/MagickCore\/constitute.c:496:13\r\n    #12 0x7f76c77ff406 in ReadStream \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.0\/work\/ImageMagick-7.0.3-0\/MagickCore\/stream.c:1012:9\r\n    #13 0x7f76c70665ca in PingImage \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.0\/work\/ImageMagick-7.0.3-0\/MagickCore\/constitute.c:226:9\r\n    #14 0x7f76c7066e25 in PingImages \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.0\/work\/ImageMagick-7.0.3-0\/MagickCore\/constitute.c:326:10\r\n    #15 0x7f76c68ec4c3 in IdentifyImageCommand \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.0\/work\/ImageMagick-7.0.3-0\/MagickWand\/identify.c:319:18\r\n    #16 0x7f76c698226a in MagickCommandGenesis \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.0\/work\/ImageMagick-7.0.3-0\/MagickWand\/mogrify.c:183:14\r\n    #17 0x4f1fb5 in MagickMain \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.0\/work\/ImageMagick-7.0.3-0\/utilities\/magick.c:145:10\r\n    #18 0x4f1fb5 in main \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.0\/work\/ImageMagick-7.0.3-0\/utilities\/magick.c:176\r\n    #19 0x7f76c582661f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #20 0x419138 in _init (\/usr\/bin\/magick+0x419138)\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n7.0.3.0<\/p>\n
Fixed version:<\/strong>
\n7.0.3.1<\/p>\n
Commit fix:<\/strong>
\nhttps:\/\/github.com\/ImageMagick\/ImageMagick\/commit\/6e48aa92ff4e6e95424300ecd52a9ea453c19c60<\/a><\/p>\n
Credit:<\/strong>
\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n
CVE:<\/strong>
\nCVE-2016-8677<\/p>\n
Timeline:<\/strong>
\n2016-09-14: bug discovered
\n2016-09-14: bug reported to upstream
\n2016-09-16: upstream released a patch
\n2016-09-21: upstream released 7.0.3.1
\n2016-10-07: blog post about the issue
\n2016-10-16: CVE Assigned<\/p>\n
Note:<\/strong>
\nThis bug was found with American Fuzzy Lop<\/a>.<\/p>\n
Permalink:<\/strong><\/p>\n
imagemagick: memory allocate failure in AcquireQuantumPixels (quantum.c)<\/a><\/p><\/blockquote>\n