[Bug 1459747] Re: Integer and Buffer overflow in coders/icon.c

Moshe Kaplan 1459747 at bugs.launchpad.net
Mon Aug 31 21:20:36 UTC 2015 

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to imagemagick in Ubuntu.
https://bugs.launchpad.net/bugs/1459747

Title:
  Integer and Buffer overflow in coders/icon.c

Status in imagemagick package in Ubuntu:
  Confirmed

Bug description:
  Bug summary: Memory is allocated based on the sum of a user-supplied
  value and a fixed value.  That sum can overflow, causing only a small
  amount of memory to be allocated, while the program assumes more was
  allocated.

  The bug is present in both Ubuntu's release 6.8.9.9 and the most
  recent release of Imagemagick, Version 6.9.1-3

  This bug was found by examining code that matched the following regex:
  AcquireQuantumMemory\(([a-zA-Z0-9>-]+)[*+]([a-zA-Z0-9]+)

  
  Technical details:
  On line 313, icon_file.directory[i].size=ReadBlobLSBLong(image); reads in a 4byte value from the image and stores it in icon_file.directory[i].size.
  On line 361, length=icon_file.directory[i].size; sets the value of `length` to the value stored in icon_file.directory[i].size: 
  On line 362, png=(unsigned char *) AcquireQuantumMemory(length+16,sizeof(*png)); adds 16 to length and allocates that amount of *png structures.

  However, if length+16 overflows (for example, length == 2^32 - 15), it will only allocate memory for a single *png.
  This is a problem, because the following lines assume that at least 16 bytes was allocated:

  (void) CopyMagickMemory(png,"\211PNG\r\n\032\n\000\000\000\015",12);
  png[12]=(unsigned char) icon_info.planes;
  png[13]=(unsigned char) (icon_info.planes >> 8);
  png[14]=(unsigned char) icon_info.bits_per_pixel;
  png[15]=(unsigned char) (icon_info.bits_per_pixel >> 8);

  And then the following line has a call to ReadBlob, and since
  length-16 will underflow (and the length is treated as a size_t), it
  will effectively execute a strcpy with the remaining data in the image
  file.

  count=ReadBlob(image,length-16,png+16);


  Stack traces:

  
  Ubuntu release (v6.8.9.9):
  Error: lt-convert: malloc.c:3530: _int_malloc: Assertion `(fwd->size & 0x4) == 0' failed.

  user at ubuntu15:~$ libtool execute gdb
  ~/Downloads/imagemagick-6.8.9.9/utilities/convert

  gdb$ r corruption.ico /dev/null
  Starting program: /home/user/Downloads/imagemagick-6.8.9.9/utilities/.libs/lt-convert corruption.ico /dev/null
  [Thread debugging using libthread_db enabled]
  Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
  lt-convert: malloc.c:3530: _int_malloc: Assertion `(fwd->size & 0x4) == 0' failed.
  [New Thread 0xb4b89b40 (LWP 27859)]

  Program received signal SIGABRT, Aborted.
  --------------------------------------------------------------------------[regs]
    EAX: 0x00000000  EBX: 0x00006CCF  ECX: 0x00006CCF  EDX: 0x00000006  o d I t s z a P c 
    ESI: 0xB78B88A6  EDI: 0xB790F000  EBP: 0xB78B761C  ESP: 0xBFFF2514  EIP: 0xB7FDBBE0
    CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007B
  --------------------------------------------------------------------------[code]
  => 0xb7fdbbe0 <__kernel_vsyscall+16>:	pop    ebp
     0xb7fdbbe1 <__kernel_vsyscall+17>:	pop    edx
     0xb7fdbbe2 <__kernel_vsyscall+18>:	pop    ecx
     0xb7fdbbe3 <__kernel_vsyscall+19>:	ret    
     0xb7fdbbe4:	int3   
     0xb7fdbbe5:	cli    
     0xb7fdbbe6:	(bad)  
     0xb7fdbbe7:	call   DWORD PTR [eax+eax*1]
  --------------------------------------------------------------------------------
  0xb7fdbbe0 in __kernel_vsyscall ()
  gdb$ bt
  #0  0xffffffff in __kernel_vsyscall ()
  #1  0xffffffff in __GI_raise (sig=0x6) at ../sysdeps/unix/sysv/linux/raise.c:55
  #2  0xffffffff in __GI_abort () at abort.c:89
  #3  0xffffffff in __malloc_assert (assertion=assertion at entry=0xb78b863b "(fwd->size & 0x4) == 0", file=file at entry=0xb78b850b "malloc.c", line=0xdca, function=0xb78b88a6 <__func__.11176> "_int_malloc") at malloc.c:297
  #4  0xffffffff in _int_malloc (av=av at entry=0xb790f840 <main_arena>, bytes=bytes at entry=0x4104) at malloc.c:3530
  #5  0xffffffff in __GI___libc_malloc (bytes=0x4104) at malloc.c:2895
  #6  0xffffffff in AcquireMagickMemory (size=0x4104) at magick/memory.c:464
  #7  0xffffffff in AcquireImageInfo () at magick/image.c:334
  #8  0xffffffff in CloneImageInfo (image_info=0x805e458) at magick/image.c:939
  #9  0xffffffff in ReadICONImage (image_info=0x805e458, exception=0x80538d8) at coders/icon.c:362
  #10 0xffffffff in ReadImage (image_info=0x805a350, exception=0x80538d8) at magick/constitute.c:547
  #11 0xffffffff in ReadImages (image_info=0x805a350, exception=0x80538d8) at magick/constitute.c:853
  #12 0xffffffff in ConvertImageCommand (image_info=0x2, argc=0x3, argv=0x8054ce8, metadata=0x0, exception=0x80538d8) at wand/convert.c:622
  #13 0xffffffff in MagickCommandGenesis (image_info=0x8056248, command=0x8048620 <ConvertImageCommand at plt>, argc=0x3, argv=0xbffff054, metadata=0x0, exception=0x80538d8) at wand/mogrify.c:168
  #14 0x080486ec in main (argv=0xbffff054, argc=<optimized out>) at utilities/convert.c:81
  #15 0x080486ec in main (argc=0x3, argv=0xbffff054) at utilities/convert.c:92

  
  Newest release: Version 6.9.1-3
  Error: *** Error in `/home/user/Desktop/ImageMagick-6.9.1-3/utilities/.libs/lt-convert': corrupted double-linked list: 0x080833f8 ***

  gdb$ r corruption.ico /dev/null
  Starting program: /home/user/Desktop/ImageMagick-6.9.1-3/utilities/.libs/lt-convert corruption.ico /dev/null
  [Thread debugging using libthread_db enabled]
  Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
  *** Error in `/home/user/Desktop/ImageMagick-6.9.1-3/utilities/.libs/lt-convert': corrupted double-linked list: 0x080833f8 ***
  [New Thread 0xb4b95b40 (LWP 27765)]

  Program received signal SIGABRT, Aborted.
  --------------------------------------------------------------------------[regs]
    EAX: 0x00000000  EBX: 0x00006C71  ECX: 0x00006C71  EDX: 0x00000006  o d I t s z a P c 
    ESI: 0x0000007F  EDI: 0xB78F0000  EBP: 0xBFFF2608  ESP: 0xBFFF2344  EIP: 0xB7FDBBE0
    CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007B
  --------------------------------------------------------------------------[code]
  => 0xb7fdbbe0 <__kernel_vsyscall+16>:	pop    ebp
     0xb7fdbbe1 <__kernel_vsyscall+17>:	pop    edx
     0xb7fdbbe2 <__kernel_vsyscall+18>:	pop    ecx
     0xb7fdbbe3 <__kernel_vsyscall+19>:	ret    
     0xb7fdbbe4:	int3   
     0xb7fdbbe5:	cli    
     0xb7fdbbe6:	(bad)  
     0xb7fdbbe7:	call   DWORD PTR [eax+eax*1]
  --------------------------------------------------------------------------------
  0xb7fdbbe0 in __kernel_vsyscall ()
  gdb$ bt
  #0  0xffffffff in __kernel_vsyscall ()
  #1  0xffffffff in __GI_raise (sig=0x6) at ../sysdeps/unix/sysv/linux/raise.c:55
  #2  0xffffffff in __GI_abort () at abort.c:89
  #3  0xffffffff in __libc_message (do_abort=0x1, fmt=0xb789d444 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
  #4  0xffffffff in malloc_printerr (action=<optimized out>, str=0xb7899549 "corrupted double-linked list", ptr=0x80833f8) at malloc.c:4965
  #5  0xffffffff in malloc_consolidate (av=av at entry=0xb78f0840 <main_arena>) at malloc.c:4142
  #6  0xffffffff in _int_malloc (av=av at entry=0xb78f0840 <main_arena>, bytes=bytes at entry=0x4104) at malloc.c:3417
  #7  0xffffffff in __GI___libc_malloc (bytes=0x4104) at malloc.c:2895
  #8  0xffffffff in AcquireMagickMemory (size=0x4104) at magick/memory.c:464
  #9  0xffffffff in AcquireImageInfo () at magick/image.c:334
  #10 0xffffffff in CloneImageInfo (image_info=0x8061980) at magick/image.c:939
  #11 0xffffffff in ReadICONImage (image_info=0x8061980, exception=0x80535d8) at coders/icon.c:384
  #12 0xffffffff in ReadImage (image_info=0x805d878, exception=0x80535d8) at magick/constitute.c:547
  #13 0xffffffff in ReadImages (image_info=0x8059590, exception=0x80535d8) at magick/constitute.c:851
  #14 0xffffffff in ConvertImageCommand (image_info=0x2, argc=0x3, argv=0x8054d28, metadata=0x0, exception=0x80535d8) at wand/convert.c:622
  #15 0xffffffff in MagickCommandGenesis (image_info=0x8055488, command=0x8048620 <ConvertImageCommand at plt>, argc=0x3, argv=0xbffff054, metadata=0x0, exception=0x80535d8) at wand/mogrify.c:168
  #16 0x080486ec in main (argv=0xbffff054, argc=<optimized out>) at utilities/convert.c:81
  #17 0x080486ec in main (argc=0x3, argv=0xbffff054) at utilities/convert.c:92

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1459747/+subscriptions

More information about the foundations-bugs mailing list