Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 14 Jun 2016 13:53:28 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Various invalid memory reads in ImageMagick (WPG, DDS, DCM)

https://blog.fuzzing-project.org/46-Various-invalid-memory-reads-in-ImageMagick-WPG,-DDS,-DCM.html

Further fuzzing of ImageMagick uncovered some more issues.

An out of bounds memory read in the VerticalFilter() function can be
triggered by a malformed DDS file.
https://crashes.fuzzing-project.org/imagemagick-oob-heap-read-VerticalFilter.dds
Sample file
https://github.com/ImageMagick/ImageMagick/commit/791aa82c8064ee8965a63ccf4384f56b95057e5b
Git commit / fix This was fixed in versions 7.0.1-4 and 6.9.4-3.

Several bugs in the WPG parser could lead to a heap overflow and random
invalid memory writes. These bugs only seem to appear when a memory
limit is set.
https://crashes.fuzzing-project.org/imagemagick-heapoverflow-SetPixelIndex.wpg
Sample for heap write overflow in SetPixelIndex
https://crashes.fuzzing-project.org/imagemagick-invalid-write-ScaleCharToQuantum.wpg
Sample for unclear invalid write in ScaleCharToQuantum
https://crashes.fuzzing-project.org/imagemagick-invalid-write-SetPixelIndex.wpg
Sample for unclear invalid write in SetPixelIndex
https://github.com/ImageMagick/ImageMagick/commit/fc43974d34318c834fbf78570ca1a3764ed8c7d7
Git commit / fix 1
https://github.com/ImageMagick/ImageMagick/commit/aecd0ada163a4d6c769cec178955d5f3e9316f2f
Git commit / fix 2 These issues were fixed in versions 7.0.1-4 and
6.9.4-3.

Null pointer accesses and unclear segfaults can happen in the DCM
parser.
https://crashes.fuzzing-project.org/imagemagick-nullptr-ReadDCMImage-3220.dcm
Sample for null pointer access in ReadDCMImage
https://crashes.fuzzing-project.org/imagemagick-nullptr-ReadDCMImage-3240.dcm
Sample for null pointer access in ReadDCMImage (different code)
https://crashes.fuzzing-project.org/imagemagick-segv-ReadDCMImage-3968.dcm
Sample for unclear segfault in ReadDCMImage
https://github.com/ImageMagick/ImageMagick/commit/5511ef530576ed18fd636baa3bb4eda3d667665d
Git commit / fix These issues were fixed in versions 7.0.1-7 and
6.9.4-5.


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ