Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 14 Jun 2016 13:53:28 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Various invalid memory reads in ImageMagick (WPG, DDS, DCM)

https://blog.fuzzing-project.org/46-Various-invalid-memory-reads-in-ImageMagick-WPG,-DDS,-DCM.html

Further fuzzing of ImageMagick uncovered some more issues.

An out of bounds memory read in the VerticalFilter() function can be
triggered by a malformed DDS file.
https://crashes.fuzzing-project.org/imagemagick-oob-heap-read-VerticalFilter.dds
Sample file
https://github.com/ImageMagick/ImageMagick/commit/791aa82c8064ee8965a63ccf4384f56b95057e5b
Git commit / fix This was fixed in versions 7.0.1-4 and 6.9.4-3.

Several bugs in the WPG parser could lead to a heap overflow and random
invalid memory writes. These bugs only seem to appear when a memory
limit is set.
https://crashes.fuzzing-project.org/imagemagick-heapoverflow-SetPixelIndex.wpg
Sample for heap write overflow in SetPixelIndex
https://crashes.fuzzing-project.org/imagemagick-invalid-write-ScaleCharToQuantum.wpg
Sample for unclear invalid write in ScaleCharToQuantum
https://crashes.fuzzing-project.org/imagemagick-invalid-write-SetPixelIndex.wpg
Sample for unclear invalid write in SetPixelIndex
https://github.com/ImageMagick/ImageMagick/commit/fc43974d34318c834fbf78570ca1a3764ed8c7d7
Git commit / fix 1
https://github.com/ImageMagick/ImageMagick/commit/aecd0ada163a4d6c769cec178955d5f3e9316f2f
Git commit / fix 2 These issues were fixed in versions 7.0.1-4 and
6.9.4-3.

Null pointer accesses and unclear segfaults can happen in the DCM
parser.
https://crashes.fuzzing-project.org/imagemagick-nullptr-ReadDCMImage-3220.dcm
Sample for null pointer access in ReadDCMImage
https://crashes.fuzzing-project.org/imagemagick-nullptr-ReadDCMImage-3240.dcm
Sample for null pointer access in ReadDCMImage (different code)
https://crashes.fuzzing-project.org/imagemagick-segv-ReadDCMImage-3968.dcm
Sample for unclear segfault in ReadDCMImage
https://github.com/ImageMagick/ImageMagick/commit/5511ef530576ed18fd636baa3bb4eda3d667665d
Git commit / fix These issues were fixed in versions 7.0.1-7 and
6.9.4-5.


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.