|
Message-ID: <CACn5sdQtnriS6yC4Hh0GNk6SZVT1Xfvvzsi26iP-hNt7S_u6xA@mail.gmail.com>
Date: Sat, 6 Feb 2016 15:18:22 +0100
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: Out-of-bound read in the parsing of gif files using
GraphicsMagick 1.3.18
Test case to reproduce this is attached here, sorry!
2016-02-06 14:42 GMT+01:00 Gustavo Grieco <gustavo.grieco@...il.com>:
> Hi,
>
> We found a read out-of-bound in the parsing of gif files using
> GraphicsMagick. This issue was tested in Ubuntu 14.04 (x86_64) using
> GraphicsMagick 1.3.18. Find attached a specially crafted file to reproduce
> this issue. The AddressSanitizer report showing the faulty code is here:
>
> $ ./gm identify overflow.gif
> =================================================================
> ==3173==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x6210000037be at pc 0x0000007e5f56 bp 0x7fffffffa940 sp 0x7fffffffa938
> READ of size 1 at 0x6210000037be thread T0
> #0 0x7e5f55 in DecodeImage coders/gif.c:276
> #1 0x7ebdac in ReadGIFImage coders/gif.c:1075
> #2 0x490fc6 in ReadImage magick/constitute.c:1600
> #3 0x48fcd0 in PingImage magick/constitute.c:1363
> #4 0x43fc25 in IdentifyImageCommand magick/command.c:8350
> #5 0x4427b9 in MagickCommand magick/command.c:8840
> #6 0x47c4d6 in GMCommandSingle magick/command.c:17253
> #7 0x47c79c in GMCommand magick/command.c:17306
> #8 0x40c8c5 in main utilities/gm.c:61
> #9 0x7ffff3739ec4 in __libc_start_main
> (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
> #10 0x40c7d8
> (/home/vagrant/repos/graphicsmagick-1.3.18/utilities/gm+0x40c7d8)
> AddressSanitizer can not describe address in more detail (wild memory
> access suspected).
> SUMMARY: AddressSanitizer: heap-buffer-overflow coders/gif.c:276
> DecodeImage
> Shadow bytes around the buggy address:
> 0x0c427fff86a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c427fff86b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c427fff86c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c427fff86d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c427fff86e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x0c427fff86f0: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
> 0x0c427fff8700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c427fff8710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c427fff8720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c427fff8730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c427fff8740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap right redzone: fb
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> ==3173==ABORTING
>
> This issue is caused by the use of unintialized memory in DecodeImage and
> fortunately it was fixed here:
>
> http://marc.info/?l=graphicsmagick-commit&m=142283721604323&w=2
>
> Regards,
> Gus.
>
Content of type "text/html" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.