Date: Tue, 14 Jun 2016 13:53:28 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Various invalid memory reads in ImageMagick (WPG, DDS, DCM)

https://blog.fuzzing-project.org/46-Various-invalid-memory-reads-in-ImageMagick-WPG,-DDS,-DCM.html

Further fuzzing of ImageMagick uncovered some more issues.

An out-of-bounds memory read in the VerticalFilter() function can be
triggered by a malformed DDS file.

https://crashes.fuzzing-project.org/imagemagick-oob-heap-read-VerticalFilter.dds
Sample file
https://github.com/ImageMagick/ImageMagick/commit/791aa82c8064ee8965a63ccf4384f56b95057e5b
Git commit / fix

This was fixed in versions 7.0.1-4 and 6.9.4-3.

Several bugs in the WPG parser could lead to a heap overflow and random
invalid memory writes. These bugs only seem to appear when a memory
limit is set.

https://crashes.fuzzing-project.org/imagemagick-heapoverflow-SetPixelIndex.wpg
Sample for heap write overflow in SetPixelIndex
https://crashes.fuzzing-project.org/imagemagick-invalid-write-ScaleCharToQuantum.wpg
Sample for unclear invalid write in ScaleCharToQuantum
https://crashes.fuzzing-project.org/imagemagick-invalid-write-SetPixelIndex.wpg
Sample for unclear invalid write in SetPixelIndex
https://github.com/ImageMagick/ImageMagick/commit/fc43974d34318c834fbf78570ca1a3764ed8c7d7
Git commit / fix 1
https://github.com/ImageMagick/ImageMagick/commit/aecd0ada163a4d6c769cec178955d5f3e9316f2f
Git commit / fix 2

These issues were fixed in versions 7.0.1-4 and 6.9.4-3.

Null pointer accesses and unclear segfaults can happen in the DCM parser.

https://crashes.fuzzing-project.org/imagemagick-nullptr-ReadDCMImage-3220.dcm
Sample for null pointer access in ReadDCMImage
https://crashes.fuzzing-project.org/imagemagick-nullptr-ReadDCMImage-3240.dcm
Sample for null pointer access in ReadDCMImage (different code)
https://crashes.fuzzing-project.org/imagemagick-segv-ReadDCMImage-3968.dcm
Sample for unclear segfault in ReadDCMImage
https://github.com/ImageMagick/ImageMagick/commit/5511ef530576ed18fd636baa3bb4eda3d667665d
Git commit / fix

These issues were fixed in versions 7.0.1-7 and 6.9.4-5.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42
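Two things a reader of this report usually wants to do next: find out whether the ImageMagick on a given host predates the fixed releases Hanno lists (7.0.1-4 / 6.9.4-3 for DDS and WPG, 7.0.1-7 / 6.9.4-5 for DCM), and re-run the sample files in a way that actually reaches the buggy code, because the WPG bugs only appeared with a memory limit set. The script below is an added example, not part of the report or of ImageMagick; all function names are mine. It assumes the version string printed by `convert -version` / `magick -version` starts with "Version: ImageMagick major.minor.patch-release", and that the `-limit memory` / `-limit map` resource options of the ImageMagick command line are available; the version-checking functions need no ImageMagick installed, the last two do.

```shell
#!/bin/sh
# Added example (not from the advisory or ImageMagick): version check against the
# fixed releases named in the report, plus a reproduction run with a memory limit.

# Fixed releases from the advisory:
#   DDS (VerticalFilter) and WPG: 7.0.1-4 / 6.9.4-3
#   DCM (ReadDCMImage):           7.0.1-7 / 6.9.4-5
# fixed_version CODER VERSION: print the fix on the same major branch as VERSION.
fixed_version() {
    case "$2" in
        7.*) branch=7 ;;
        6.*) branch=6 ;;
        *)   return 1 ;;
    esac
    case "$1:$branch" in
        dds:7|wpg:7) echo 7.0.1-4 ;;
        dds:6|wpg:6) echo 6.9.4-3 ;;
        dcm:7)       echo 7.0.1-7 ;;
        dcm:6)       echo 6.9.4-5 ;;
        *)           return 1 ;;
    esac
}

# version_ge A B: succeed when ImageMagick version A >= B.
# Versions look like major.minor.patch-release (6.9.4-3); compare each field
# numerically, not as strings, so that 6.9.4-10 sorts after 6.9.4-9.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[.-]/ /g')
    b=$(printf '%s' "$2" | sed 's/[.-]/ /g')
    set -- $a; a1=$1 a2=$2 a3=$3 a4=${4:-0}
    set -- $b; b1=$1 b2=$2 b3=$3 b4=${4:-0}
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3" "$a4 $b4"; do
        set -- $pair
        [ "$1" -gt "$2" ] && return 0
        [ "$1" -lt "$2" ] && return 1
    done
    return 0
}

# is_affected CODER VERSION: 0 if VERSION predates the fix, 1 if it carries it,
# 2 if CODER or VERSION is outside what the advisory covers.
is_affected() {
    fix=$(fixed_version "$1" "$2") || return 2
    version_ge "$2" "$fix" && return 1
    return 0
}

# parse_version LINE: pull "6.9.4-2" out of the first line of `convert -version`.
parse_version() {
    printf '%s\n' "$1" | sed -n 's/^Version: ImageMagick \([0-9][0-9.]*-[0-9][0-9]*\).*/\1/p'
}

# check_installed: report which of the three coders the local build is exposed to.
# ImageMagick 7 installs `magick`; `convert` is the 6.x name (and a shim on 7).
check_installed() {
    cmd=convert; command -v magick >/dev/null 2>&1 && cmd=magick
    command -v "$cmd" >/dev/null 2>&1 || { echo "no ImageMagick found" >&2; return 2; }
    ver=$(parse_version "$("$cmd" -version | head -n 1)")
    [ -n "$ver" ] || { echo "could not parse version" >&2; return 2; }
    rc=1
    for coder in dds wpg dcm; do
        if is_affected "$coder" "$ver"; then
            echo "$ver: $coder coder predates fix $(fixed_version "$coder" "$ver")"
            rc=0
        else
            echo "$ver: $coder coder fixed"
        fi
    done
    return $rc
}

# reproduce FILE: decode one sample with a tight memory limit. The WPG bugs only
# showed up with a limit set, so a plain `convert sample.wpg` can look clean; a
# 1 MiB cap forces the resource-limited allocation paths. Under an ASan build the
# report goes to stderr; otherwise a native crash shows as exit status >= 128.
reproduce() {
    cmd=convert; command -v magick >/dev/null 2>&1 && cmd=magick
    if "$cmd" -limit memory 1MiB -limit map 1MiB "$1" png:- >/dev/null; then
        rc=0
    else
        rc=$?
    fi
    [ "$rc" -ge 128 ] && echo "crash (exit $rc): $1"
    return $rc
}
```

Typical use: `check_installed` on the host, then `for f in *.wpg *.dds *.dcm; do reproduce "$f"; done` against the sample files linked above, ideally with an ASan-instrumented build of the affected version so the SetPixelIndex/ScaleCharToQuantum writes are reported rather than silently corrupting the heap. Distribution packages often carry backported fixes under an older version number, so a "predates fix" verdict from `check_installed` is a prompt to check the package changelog, not proof of exposure.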