{"id":752,"date":"2016-10-20T09:22:27","date_gmt":"2016-10-20T07:22:27","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=752"},"modified":"2016-12-01T16:07:39","modified_gmt":"2016-12-01T14:07:39","slug":"imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/10\/20\/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862\/","title":{"rendered":"imagemagick: memory allocation failure in AcquireMagickMemory (memory.c) (incomplete fix for CVE-2016-8862)"},"content":{"rendered":"

Description<\/strong>:
\nimagemagick<\/a> is a software suite to create, edit, compose, or convert bitmap images.<\/p>\n

Another round of fuzzing pointed out that the memory allocation failure I discovered is still reproducible in the 7.0.3.4 version.
\nAs usual, the upstream security policy<\/a> are enabled.<\/p>\n

The interesting part of the ASan stacktrace(not full because is a copy past of the one in the previous post):<\/p>\n

# identify $FILE\r\n   #9 0x7f467fd11c67 in AcquireMagickMemory \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.4\/work\/ImageMagick-7.0.3-4\/MagickCore\/memory.c:460:10\r\n    #10 0x7f467fd11c67 in AcquireQuantumMemory \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.4\/work\/ImageMagick-7.0.3-4\/MagickCore\/memory.c:533\r\n    #11 0x7f4673379018 in ReadRLEImage \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.4\/work\/ImageMagick-7.0.3-4\/coders\/rle.c:267:36\r\n    #12 0x7f467faeca85 in ReadImage \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.4\/work\/ImageMagick-7.0.3-4\/MagickCore\/constitute.c:496:13\r\n    #13 0x7f467fff4def in ReadStream \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.4\/work\/ImageMagick-7.0.3-4\/MagickCore\/stream.c:1012:9\r\n    #14 0x7f467faeb69d in PingImage \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.4\/work\/ImageMagick-7.0.3-4\/MagickCore\/constitute.c:226:9\r\n    #15 0x7f467faebeae in PingImages \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.4\/work\/ImageMagick-7.0.3-4\/MagickCore\/constitute.c:326:10\r\n    #16 0x7f467f40f4da in IdentifyImageCommand \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.4\/work\/ImageMagick-7.0.3-4\/MagickWand\/identify.c:319:18\r\n    #17 0x7f467f48a844 in MagickCommandGenesis \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.4\/work\/ImageMagick-7.0.3-4\/MagickWand\/mogrify.c:183:14\r\n    #18 0x4f1fae in MagickMain \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.4\/work\/ImageMagick-7.0.3-4\/utilities\/magick.c:145:10\r\n    #19 0x4f1fae in main \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.4\/work\/ImageMagick-7.0.3-4\/utilities\/magick.c:176\r\n    #20 0x7f467e35d61f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #21 0x4192a8 in _init (\/usr\/bin\/magick+0x4192a8)\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n7.0.3.4<\/p>\n
Fixed version:<\/strong>
\n7.0.3.8<\/p>\n
Commit fix:<\/strong>
\nhttps:\/\/github.com\/ImageMagick\/ImageMagick\/commit\/ab2c9d6a8dd6d71b161ec9cc57a588b116b52322<\/a><\/p>\n
Credit:<\/strong>
\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n
CVE:<\/strong>
\nCVE-2016-8866<\/p>\n
Timeline:<\/strong>
\n2016-10-13: bug re-discovered
\n2016-10-13: bug re-reported to upstream
\n2016-10-20: blog post about the issue
\n2016-10-21: CVE assigned
\n2016-11-21: upstream released a patch
\n2016-11-25: upstream released 7.0.3.8<\/p>\n
Note:<\/strong>
\nThis bug was found with American Fuzzy Lop<\/a>.<\/p>\n
Permalink:<\/strong><\/p>\n
imagemagick: memory allocation failure in AcquireMagickMemory (memory.c) (incomplete fix for CVE-2016-8862)<\/a><\/p><\/blockquote>\n