Date: Mon, 26 Sep 2016 05:17:41 +0000
From: pwchen(陈佩文) <>
To: oss-security <>
Subject: CVE-2016-6823 - ImageMagick BMP Coder Out-Of-Bounds Write


This is PwChen of Tencent's Xuanwu Lab & RayZhong of Tencent's Keen Lab.

During our research, we found an Out-Of-Bounds write vulnerability in
ImageMagick's BMP coders.

When ImageMagick converts another format to BMP format, it passes the
image's height and width parameters into the BMP coder.

There is an arithmetic overflow vulnerability when the BMP coder is
calculating the image size by multiplying the height and width. This
can directly cause an Out-Of-Bounds Write.

The ImageMagick team has fixed the vulnerability we reported.

Attached is a proof of concept.

python -c 'print "P3\x0a14096\x201048576\x0a255\x00"' > PoC.ppm
convert PoC.ppm crash.bmp

Upstream fix:

Debian Bug report:

Peiwen Chen
Tencent's Xuanwu Lab
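The arithmetic overflow described above, as an added illustration that is not ImageMagick's own code: a 32-bit image-size computation silently truncates the product for the PoC dimensions (14096 x 1048576), while a checked version rejects it so the caller never allocates a buffer smaller than the rows it will write. The 24 bits per pixel and the 4-byte BMP row padding are assumptions for the example, not details given in the report.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Row stride of a BMP pixel array: rows are padded to 4-byte boundaries.
 * Returns false when the stride itself does not fit a 32-bit field. */
static bool bmp_row_stride(uint32_t width, uint32_t bits_per_pixel, uint32_t *stride)
{
    uint64_t bits = (uint64_t)width * bits_per_pixel;
    uint64_t stride64 = ((bits + 31) / 32) * 4;
    if (stride64 > UINT32_MAX)
        return false;
    *stride = (uint32_t)stride64;
    return true;
}

/* Weak pattern: stride * height computed in 32-bit unsigned arithmetic, so a
 * product above 2^32 wraps and yields a far-too-small size for the buffer. */
uint32_t bmp_image_size_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t stride;
    if (!bmp_row_stride(width, bpp, &stride))
        return 0;
    return stride * height; /* wraps for the PoC dimensions */
}

/* Hardened pattern: returns the size as a 64-bit value, or -1 when the
 * stride * height product would not fit the 32-bit field. */
int64_t bmp_image_size_checked(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t stride;
    if (!bmp_row_stride(width, bpp, &stride))
        return -1;
    if (height != 0 && stride > UINT32_MAX / height)
        return -1; /* overflow: refuse instead of allocating a truncated buffer */
    return (int64_t)stride * height;
}

int main(void)
{
    /* Dimensions taken from the PoC's PPM header; 24 bpp is assumed. */
    uint32_t w = 14096, h = 1048576;
    printf("unchecked size: %u bytes\n", bmp_image_size_unchecked(w, h, 24));
    printf("checked size:   %lld\n", (long long)bmp_image_size_checked(w, h, 24));
    return 0;
}
```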
