Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 08 Oct 2016 22:21:25 +0200
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Subject: graphicsmagick: stack-based buffer overflow in ReadSCTImage (sct.c)

Description:
Graphicsmagick is an Image Processing System.

After the first round of fuzzing where I discovered some slowness issues that 
make the fuzz hard, the second round revealed a stack-buffer-overflow.

The complete ASan output:

# gm identify $FILE
==23362==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7fffaab3b8e0 at pc 0x000000453e36 bp 0x7fffaab3b570 sp 0x7fffaab3ad20
READ of size 769 at 0x7fffaab3b8e0 thread T0
    #0 0x453e35 in StrtolFixAndCheck /var/tmp/portage/sys-devel/llvm-3.8.1-
r2/work/llvm-3.8.1.src/projects/compiler-
rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:2596
    #1 0x4545c1 in __interceptor_strtol /var/tmp/portage/sys-devel/llvm-3.8.1-
r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:633
    #2 0x7f73e9a847df in ReadSCTImage /var/tmp/portage/media-
gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/coders/sct.c:191:19
    #3 0x7f73f473eb13 in ReadImage /var/tmp/portage/media-
gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/constitute.c:1607:13
    #4 0x7f73f473ca94 in PingImage /var/tmp/portage/media-
gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/constitute.c:1370:9
    #5 0x7f73f4651b25 in IdentifyImageCommand /var/tmp/portage/media-
gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:8375:17
    #6 0x7f73f465797c in MagickCommand /var/tmp/portage/media-
gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:8865:17
    #7 0x7f73f46cf6fe in GMCommandSingle /var/tmp/portage/media-
gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:17379:10
    #8 0x7f73f46cd926 in GMCommand /var/tmp/portage/media-
gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/magick/command.c:17432:16
    #9 0x7f73f352a61f in __libc_start_main /var/tmp/portage/sys-
libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #10 0x418c88 in _init (/usr/bin/gm+0x418c88)

Address 0x7fffaab3b8e0 is located in stack of thread T0 at offset 800 in frame
    #0 0x7f73e9a8399f in ReadSCTImage /var/tmp/portage/media-
gfx/graphicsmagick-1.3.25/work/GraphicsMagick-1.3.25/coders/sct.c:126

  This frame has 2 object(s):
    [32, 800) 'buffer'
    [928, 930) 'magick' 0x10007555f710: 00 00 00 00 00 00 00 00 00 00 00 
00[f2]f2 f2 f2
  0x10007555f720: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 02 f3 f3 f3
  0x10007555f730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007555f740: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 00 f2
  0x10007555f750: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007555f760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23362==ABORTING

Affected version:
1.3.25

Fixed version:
1.3.26 ( not yet released)

Commit fix:
http://hg.code.sf.net/p/graphicsmagick/code/rev/0a0dfa81906d

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Timeline:
2016-09-09: bug discovered
2016-09-09: bug reported privately to upstream
2016-09-10: no upstream response
2016-09-15: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2016/09/15/graphicsmagick-stack-based-buffer-overflow-in-readsctimage-sct-c/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.