Message-ID: <alpine.GSO.2.20.1610070832040.3266@freddy.simplesystems.org>
Date: Fri, 7 Oct 2016 08:35:33 -0500 (CDT)
From: Bob Friesenhahn <bfriesen@...ple.dallas.tx.us>
To: oss-security@...ts.openwall.com
Subject: GraphicsMagick CVE Request - WPG Reader Issues

Two security issues have been discovered in the WPG format reader in
GraphicsMagick 1.3.25 (and earlier):

1. In a build with QuantumDepth=8 (the default), there is no check
    that the provided colormap is not larger than 256 entries,
    resulting in potential heap overflow.  This problem does not occur
    with larger QuantumDepth values.

2. The assertion:

    ReferenceBlob: Assertion `blob != (BlobInfo *) NULL' failed.

    is thrown (causing a crash) for some files due to a logic error
    which leads to passing a NULL pointer where a NULL pointer is not
    allowed.

These issues were discovered using American Fuzzy Lop by fuzzing with
the corpus by Moshe Kaplan discovered on GitHub at
https://github.com/moshekaplan/FuzzGraphicsMagick.

A patch resolving the two above issues is attached.

Bob
-- 
Bob Friesenhahn
bfriesen@...ple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
View attachment "wpg.c.patch" of type "text/plain" (6399 bytes)
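
The kind of check issue 1 says was missing, as an added example; this is not GraphicsMagick's wpg.c and not the attached patch. The record layout (16-bit little-endian start index and entry count followed by RGB triples), the 256-entry cap and all names here are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_COLORMAP 256 /* assumed colormap capacity for an 8-bit quantum */

typedef struct { uint8_t r, g, b; } Rgb;

/* Little-endian 16-bit read; the caller guarantees two readable bytes. */
static unsigned rd16(const uint8_t *p) { return p[0] | ((unsigned)p[1] << 8); }

/* Hypothetical palette record: u16 start_index, u16 num_entries, then
   num_entries RGB triples. Returns entries copied, or -1 if rejected. */
int load_palette(const uint8_t *rec, size_t len, Rgb map[MAX_COLORMAP])
{
    if (len < 4) return -1;
    unsigned start = rd16(rec), count = rd16(rec + 2);

    /* File-supplied range must fit the table (written to avoid wraparound). */
    if (start >= MAX_COLORMAP || count > MAX_COLORMAP - start) return -1;
    /* The record must really contain the triples it claims to have. */
    if ((len - 4) / 3 < count) return -1;

    const uint8_t *p = rec + 4;
    for (unsigned i = 0; i < count; i++, p += 3) {
        map[start + i].r = p[0];
        map[start + i].g = p[1];
        map[start + i].b = p[2];
    }
    return (int)count;
}

/* Constructed input: a record claiming `count` entries from `start`, with
   `payload` triples actually present, run through the parser. */
int try_record(unsigned start, unsigned count, unsigned payload)
{
    static uint8_t rec[4 + 3 * 1024]; /* zero-filled sample colour data */
    Rgb map[MAX_COLORMAP];
    if (payload > 1024) return -1;
    rec[0] = (uint8_t)(start & 0xff); rec[1] = (uint8_t)(start >> 8);
    rec[2] = (uint8_t)(count & 0xff); rec[3] = (uint8_t)(count >> 8);
    return load_palette(rec, 4 + 3 * (size_t)payload, map);
}
```

Without the range check, a record claiming 257 entries would write past the end of the 256-entry table; with it, the record is rejected before any copy takes place.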
