Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 12 Feb 2014 13:00:25 +1100
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
Subject: information on "ImageMagick PSD Images Processing RLE Decoding Buffer
 Overflow Vulnerability"

Good morning,

Does anyone have further information about 
<http://secunia.com/advisories/56844/>? (I could not get the 
http://freecode.com/projects/imagemagick/tags/bugfixes link to show 
anything useful.)

diffing ImageMagick-6.8.7/coders/psd.c ImageMagick-6.8.8/coders/psd.c:

""
@@ -1224,7 +1224,7 @@
                Allocate layered image.
              */
              layer_info[i].image=CloneImage(image,layer_info[i].page.width,
-              layer_info[i].page.height == ~0U ? 1 : 
layer_info[i].page.height,
+              layer_info[i].page.height == ~0UL ? 1 : 
layer_info[i].page.height,
                MagickFalse,&image->exception);
              if (layer_info[i].image == (Image *) NULL)
                {
@@ -2112,9 +2112,6 @@
    StringInfo
      *bim_profile;

-  unsigned char
-    layer_name[4];
-
    /*
      Open image file.
    */
@@ -2372,12 +2369,15 @@
          property=(const char *) GetImageProperty(next_image,"label");
          if (property == (const char *) NULL)
            {
+            char
+              layer_name[MaxTextExtent];
+
              (void) WriteBlobMSBLong(image,16);
              (void) WriteBlobMSBLong(image,0);
              (void) WriteBlobMSBLong(image,0);
-            (void) FormatLocaleString((char *) layer_name,MaxTextExtent,
-              "L%06ld",(long) layer_count++);
-            WritePascalString( image, (char*)layer_name, 4 );
+            (void) 
FormatLocaleString(layer_name,MaxTextExtent,"L%06ld",(long)
+              layer_count++);
+            WritePascalString(image,layer_name,4);
            }
          else
            {

""

Would the issue have been writing the amount of 6 long ints into the 4 
byte layer_name buffer?

Having a (very brief) look at ImageMagick-6.5.4 on RHEL 6, it's using 
"L%02ld" instead of "L%06ld", but that's still 4 bytes too many before 
the layer_name[MaxTextExtent]; change.

Could a CVE please be assigned if it has not been already?

Sorry for missing anything obvious.

--
Murray McAllister / Red Hat Security Response Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ