[Bug 1533450] Re: heap-buffer-overflow in coders/psd.c:2240 PSDPackbitsEncodeImage

Moshe Kaplan mk.moshe.kaplan at gmail.com
Wed Jan 13 03:12:42 UTC 2016 

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to imagemagick in Ubuntu.
https://bugs.launchpad.net/bugs/1533450

Title:
  heap-buffer-overflow in coders/psd.c:2240 PSDPackbitsEncodeImage

Status in imagemagick package in Ubuntu:
  New

Bug description:
  This bug was found while fuzzing ImageMagick with afl-fuzz

  Tested on ImageMagick version d8382f9c0ffa52057271a6a323e7e062f0fe4ff6

  Command: magick infile /dev/null

  Build info:

  #Configure command:
  CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --with-bzlib=no --with-djvu=no --with-dps=no --with-fftw=no --with-fpx=no --with-fontconfig=no --with-freetype=no --with-gvc=no --with-jbig=no --with-jpeg=no --with-lcms=no --with-lqr=no --with-ltdl=no --with-lzma=no --with-openexr=no --with-openjp2=no --with-pango=no --with-png=no --with-tiff=no --with-wmf=no --with-x=no --with-xml=no --with-zlib=no --enable-hdri=no --enable-shared=no

  #Make command:
  CC=afl-clang-fast CXX=afl-clang-fast++ make

  
  ASAN output:

  =================================================================
  ==11236==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5c0b992 at pc 0x8772e2a bp 0xbf9c1268 sp 0xbf9c1260
  WRITE of size 1 at 0xb5c0b992 thread T0
      #0 0x8772e29 in PSDPackbitsEncodeImage /home/user/Desktop/imagemagick_reporting/ImageMagick/coders/psd.c:2240
      #1 0x876fb3b in WritePackbitsLength /home/user/Desktop/imagemagick_reporting/ImageMagick/coders/psd.c:2279
      #2 0x876c48d in WriteImageChannels /home/user/Desktop/imagemagick_reporting/ImageMagick/coders/psd.c:2379
      #3 0x8768fdc in WritePSDImage /home/user/Desktop/imagemagick_reporting/ImageMagick/coders/psd.c:2959
      #4 0x8a96298 in WriteImage /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickCore/constitute.c:1091
      #5 0x8a99c7c in WriteImages /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickCore/constitute.c:1309
      #6 0x9375b7f in CLINoImageOperator /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/operation.c:4697
      #7 0x937d98f in CLIOption /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/operation.c:5157
      #8 0x910bea3 in ProcessCommandOptions /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/magick-cli.c:526
      #9 0x910e325 in MagickImageCommand /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/magick-cli.c:786
      #10 0x9112809 in MagickCommandGenesis /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/mogrify.c:172
      #11 0x80de10d in MagickMain /home/user/Desktop/imagemagick_reporting/ImageMagick/utilities/magick.c:74
      #12 0x80de10d in main /home/user/Desktop/imagemagick_reporting/ImageMagick/utilities/magick.c:85
      #13 0xb7539a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
      #14 0x80ddf34 in _start (/home/user/Desktop/imagemagick_reporting/ImageMagick/utilities/magick+0x80ddf34)

  0xb5c0b992 is located 0 bytes to the right of 2-byte region [0xb5c0b990,0xb5c0b992)
  allocated by thread T0 here:
      #0 0x80c6b61 in malloc (/home/user/Desktop/imagemagick_reporting/ImageMagick/utilities/magick+0x80c6b61)
      #1 0x81939e9 in AcquireMagickMemory /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickCore/memory.c:463
      #2 0x81939e9 in AcquireQuantumMemory /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickCore/memory.c:539
      #3 0x8768fdc in WritePSDImage /home/user/Desktop/imagemagick_reporting/ImageMagick/coders/psd.c:2959
      #4 0x8a96298 in WriteImage /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickCore/constitute.c:1091
      #5 0x8a99c7c in WriteImages /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickCore/constitute.c:1309
      #6 0x9375b7f in CLINoImageOperator /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/operation.c:4697
      #7 0x937d98f in CLIOption /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/operation.c:5157
      #8 0x910bea3 in ProcessCommandOptions /home/user/Desktop/imagemagick_reporting/ImageMagick/MagickWand/magick-cli.c:526

  SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/Desktop/imagemagick_reporting/ImageMagick/coders/psd.c:2240 PSDPackbitsEncodeImage
  Shadow bytes around the buggy address:
    0x36b816e0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 01
    0x36b816f0: fa fa 00 00 fa fa 00 00 fa fa 00 03 fa fa 00 00
    0x36b81700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x36b81710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x36b81720: fa fa fa fa fa fa fa fa fa fa 00 04 fa fa 04 fa
  =>0x36b81730: fa fa[02]fa fa fa fd fd fa fa fd fa fa fa fd fd
    0x36b81740: fa fa fd fa fa fa 00 00 fa fa 00 04 fa fa 00 00
    0x36b81750: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
    0x36b81760: fa fa 00 04 fa fa 00 07 fa fa fd fa fa fa 00 00
    0x36b81770: fa fa 00 06 fa fa 00 00 fa fa 00 06 fa fa 00 00
    0x36b81780: fa fa 00 04 fa fa 00 00 fa fa 00 03 fa fa 00 00
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07 
    Heap left redzone:     fa
    Heap right redzone:    fb
    Freed heap region:     fd
    Stack left redzone:    f1
    Stack mid redzone:     f2
    Stack right redzone:   f3
    Stack partial redzone: f4
    Stack after return:    f5
    Stack use after scope: f8
    Global redzone:        f9
    Global init order:     f6
    Poisoned by user:      f7
    ASan internal:         fe
  ==11236==ABORTING

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1533450/+subscriptions

More information about the foundations-bugs mailing list