Heap buffer overflow in GetNextToken()

Post any defects you find in the released or beta versions of the ImageMagick software here. Include the ImageMagick version, OS, and any command-line required to reproduce the problem. Got a patch for a bug? Post it here.
Post Reply
fumfel
Posts: 12
Joined: 2016-09-20T06:30:11-07:00
Authentication code: 1151

Heap buffer overflow in GetNextToken()

Post by fumfel » 2017-09-18T23:46:42-07:00

After some fuzz testing I found a crashing test case.

Git HEAD: 4e46ad9dd95d68c1c8c630e6d27338ae3f57d5c7

OS & Compiler: Ubuntu 16.04 x64 + Clang 4.0

Command:

Code: Select all

convert im_hbo_GetNextToken.svg /dev/null
Faulting input: https://frankowicz.me/storage/crashes/i ... tToken.svg

ASAN:

Code: Select all

==6443==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6210001054ff at pc 0x7f08fa275abc bp 0x7ffc8276d4f0 sp 0x7ffc8276d4e8
WRITE of size 1 at 0x6210001054ff thread T0
    #0 0x7f08fa275abb in GetNextToken XYZ/ImageMagick/MagickCore/token.c:314:24
    #1 0x7f08f9de38ed in DrawImage XYZ/ImageMagick/MagickCore/draw.c:2023:13
    #2 0x7f08fa527922 in ReadMVGImage XYZ/ImageMagick/coders/mvg.c:221:10
    #3 0x7f08f9d19274 in ReadImage XYZ/ImageMagick/MagickCore/constitute.c:497:13
    #4 0x7f08fa6399ea in ReadSVGImage XYZ/ImageMagick/coders/svg.c:3273:13
    #5 0x7f08f9d19274 in ReadImage XYZ/ImageMagick/MagickCore/constitute.c:497:13
    #6 0x7f08f9d1c931 in ReadImages XYZ/ImageMagick/MagickCore/constitute.c:866:9
    #7 0x7f08f9328b67 in ConvertImageCommand XYZ/ImageMagick/MagickWand/convert.c:641:18
    #8 0x7f08f94e49a5 in MagickCommandGenesis XYZ/ImageMagick/MagickWand/mogrify.c:183:14
    #9 0x4ee3e9 in MagickMain XYZ/ImageMagick/utilities/magick.c:149:10
    #10 0x4ee3e9 in main XYZ/ImageMagick/utilities/magick.c:180
    #11 0x7f08f4d4382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x41a338 in _start (/usr/local/bin/magick+0x41a338)

0x6210001054ff is located 1 bytes to the left of 4255-byte region [0x621000105500,0x62100010659f)
allocated by thread T0 here:
    #0 0x4c103c in __interceptor_malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
    #1 0x7f08f9f9cb74 in AcquireMagickMemory XYZ/ImageMagick/MagickCore/memory.c:464:10
    #2 0x7f08f9f9cb74 in AcquireQuantumMemory XYZ/ImageMagick/MagickCore/memory.c:537
    #3 0x7f08fa527922 in ReadMVGImage XYZ/ImageMagick/coders/mvg.c:221:10
    #4 0x7f08f9d19274 in ReadImage XYZ/ImageMagick/MagickCore/constitute.c:497:13
    #5 0x7f08fa6399ea in ReadSVGImage XYZ/ImageMagick/coders/svg.c:3273:13
    #6 0x7f08f9d19274 in ReadImage XYZ/ImageMagick/MagickCore/constitute.c:497:13
    #7 0x7f08f9d1c931 in ReadImages XYZ/ImageMagick/MagickCore/constitute.c:866:9
    #8 0x7f08f9328b67 in ConvertImageCommand XYZ/ImageMagick/MagickWand/convert.c:641:18
    #9 0x7f08f94e49a5 in MagickCommandGenesis XYZ/ImageMagick/MagickWand/mogrify.c:183:14
    #10 0x4ee3e9 in MagickMain XYZ/ImageMagick/utilities/magick.c:149:10
    #11 0x4ee3e9 in main XYZ/ImageMagick/utilities/magick.c:180
    #12 0x7f08f4d4382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow XYZ/ImageMagick/MagickCore/token.c:314:24 in GetNextToken
Shadow bytes around the buggy address:
  0x0c4280018a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280018a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280018a60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280018a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280018a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4280018a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c4280018aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4280018ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4280018ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4280018ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4280018ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6443==ABORTING
Regards,
Kamil Frankowicz

User avatar
magick
Site Admin
Posts: 10690
Joined: 2003-05-31T11:32:55-07:00

Re: Heap buffer overflow in GetNextToken()

Post by magick » 2017-09-19T04:04:23-07:00

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

Post Reply