Date: Tue, 14 Jun 2016 13:53:28 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Various invalid memory reads in ImageMagick (WPG, DDS, DCM)

https://blog.fuzzing-project.org/46-Various-invalid-memory-reads-in-ImageMagick-WPG,-DDS,-DCM.html

Further fuzzing of ImageMagick uncovered some more issues.

An out of bounds memory read in the VerticalFilter() function can be
triggered by a malformed DDS file.

https://crashes.fuzzing-project.org/imagemagick-oob-heap-read-VerticalFilter.dds
Sample file
https://github.com/ImageMagick/ImageMagick/commit/791aa82c8064ee8965a63ccf4384f56b95057e5b
Git commit / fix

This was fixed in versions 7.0.1-4 and 6.9.4-3.

Several bugs in the WPG parser could lead to a heap overflow and random
invalid memory writes. These bugs only seem to appear when a memory
limit is set.

https://crashes.fuzzing-project.org/imagemagick-heapoverflow-SetPixelIndex.wpg
Sample for heap write overflow in SetPixelIndex
https://crashes.fuzzing-project.org/imagemagick-invalid-write-ScaleCharToQuantum.wpg
Sample for unclear invalid write in ScaleCharToQuantum
https://crashes.fuzzing-project.org/imagemagick-invalid-write-SetPixelIndex.wpg
Sample for unclear invalid write in SetPixelIndex
https://github.com/ImageMagick/ImageMagick/commit/fc43974d34318c834fbf78570ca1a3764ed8c7d7
Git commit / fix 1
https://github.com/ImageMagick/ImageMagick/commit/aecd0ada163a4d6c769cec178955d5f3e9316f2f
Git commit / fix 2

These issues were fixed in versions 7.0.1-4 and 6.9.4-3.

Null pointer accesses and unclear segfaults can happen in the DCM parser.

https://crashes.fuzzing-project.org/imagemagick-nullptr-ReadDCMImage-3220.dcm
Sample for null pointer access in ReadDCMImage
https://crashes.fuzzing-project.org/imagemagick-nullptr-ReadDCMImage-3240.dcm
Sample for null pointer access in ReadDCMImage (different code)
https://crashes.fuzzing-project.org/imagemagick-segv-ReadDCMImage-3968.dcm
Sample for unclear segfault in ReadDCMImage
https://github.com/ImageMagick/ImageMagick/commit/5511ef530576ed18fd636baa3bb4eda3d667665d
Git commit / fix

These issues were fixed in versions 7.0.1-7 and 6.9.4-5.

-- 
Hanno Böck
https://hboeck.de/
mail/jabber: hanno@...eck.de
GPG: BBB51E42
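The post names two fixed release lines but the final DCM fix landed later (7.0.1-7 / 6.9.4-5) than the DDS and WPG fixes (7.0.1-4 / 6.9.4-3), so a version string such as 7.0.1-4 is only partially patched. The following POSIX sh helper, added here as an example and not part of the original post, compares an installed ImageMagick version against the later of those two thresholds for its major branch; the `magick -version` output format it parses in the wrapper is an assumption.

```shell
# is_num STRING -> true if STRING is a non-empty run of digits
is_num() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# im_fixed VERSION -> 0 if VERSION carries all fixes from the post
# (>= 7.0.1-7 on the 7.x branch, >= 6.9.4-5 on the 6.x branch),
# 1 if it is older, 2 if the string is unparseable or another branch.
im_fixed() {
    v="$1"
    case "$v" in
        *.*.*-*) ;;
        *) return 2 ;;
    esac
    rel="${v%%-*}"      # "7.0.1"
    patch="${v##*-}"    # "7"
    major="${rel%%.*}"
    rest="${rel#*.}"
    minor="${rest%%.*}"
    micro="${rest#*.}"
    is_num "$major" && is_num "$minor" && is_num "$micro" && is_num "$patch" \
        || return 2
    # fixed tuple (minor, micro, patch) for the branch, from the post
    case "$major" in
        7) fmin=0; fmic=1; fpat=7 ;;
        6) fmin=9; fmic=4; fpat=5 ;;
        *) return 2 ;;  # branch not covered by this advisory
    esac
    # lexicographic compare of (minor, micro, patch) against the fixed tuple
    [ "$minor" -gt "$fmin" ] && return 0
    [ "$minor" -lt "$fmin" ] && return 1
    [ "$micro" -gt "$fmic" ] && return 0
    [ "$micro" -lt "$fmic" ] && return 1
    [ "$patch" -ge "$fpat" ]
}

# im_check_installed -> same exit codes, for the locally installed binary.
# Assumes the first line of `magick -version` / `convert -version` reads
# "Version: ImageMagick 7.0.1-7 ..." (an assumption, not from the post).
im_check_installed() {
    bin=$(command -v magick || command -v convert) || return 2
    ver=$("$bin" -version | sed -n 's/^Version: ImageMagick \([0-9][0-9.]*-[0-9]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 2
    im_fixed "$ver"
}
```

Exit status 1 means the version predates at least the DCM fix, even if it already contains the DDS and WPG commits.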