Bug 217898

Summary: ImageMagick PNG handling routine buffer overflow
Product: Red Hat Enterprise Linux 5 Reporter: Lubomir Kundrak <lkundrak>
Component: ImageMagickAssignee: Norm Murray <nmurray>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: 5.0   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://216.239.51.104/search?q=cache:imXrr2JFkEQJ:www.imagemagick.org/discussion-server/viewtopic.php%3Fp%3D23661%26sid%3Dde3acb90131039ab3c0a858665f4fd7f
Whiteboard: public=20061110,source=imagemagick,impact=?,reported=20061130
Fixed In Version: RC Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-02-08 01:07:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 217900    
Attachments:
Description Flags
Upstream patch for ImageMagick's PNG buffer overflow issue none

Description Lubomir Kundrak 2006-11-30 17:50:32 UTC
Description of problem:

Quoting the post from the ImageMagick forum, which has since disappeared (that's why I put
the Google cache link in the URL field):

> png_write_raw_profile uses strlen to measure buffer text[0].text. However,
> the buffer is not null terminated and FormatMagickString receives a wrong
> size.  The result is occasional crash in a release build, and an assertion
> failure in a debug build (memory block watermark checking).  Here is how I
> fixed the problem:

The patch was committed to the upstream versioning system, and is attached to this bug.

Version-Release number of selected component (if applicable):

Only these contain the flawed code:
RHEL5   6.2.8.0
FC5     6.2.5.4
FC6     6.2.8.0

How reproducible:

No reproducer yet.

Comment 1 Lubomir Kundrak 2006-11-30 17:50:32 UTC
Created attachment 142497 [details]
Upstream patch for ImageMagick's PNG buffer overflow issue

Comment 2 Norm Murray 2006-12-13 06:51:07 UTC
Fixed up the patch (an extra ) in it) and doing test build. 

Comment 5 Jay Turner 2006-12-14 13:24:16 UTC
QE ack for RHEL5.

Comment 6 Josh Bressers 2007-01-16 19:54:05 UTC
I'm removing the security keyword from this flaw.  It does not pose a security
threat.  It will only result in an ImageMagick crash.

The flaw boils down to this code:

    #include <stdio.h>
    #include <stdlib.h>

    unsigned int length = 1;      /* value decoded from the PNG */
    char *a;
    a = malloc(length);           /* buffer sized from that value: 1 byte */
    sprintf(a, "%8lu", length);   /* "%8lu" always writes at least 8 chars plus NUL */
    puts(a);

the "length" value, which is provided from the PNG, must be an integer less than
8 to overflow the buffer.  This means that the resulting buffer is overflowed by
space characters, followed by a single integer character.

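Added example (not code from the bug report or from ImageMagick): the two halves of the flaw described in comment 6, each beside a defensive form. The buffer for the "%8lu" output is sized from the formatted string's real length (computed with snprintf(NULL, 0, ...)) instead of from the PNG-supplied value, and the profile text is measured with an explicit length bound instead of strlen. All function names and the sample buffers are constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed to hold the "%8lu" rendering of 'length', including the
   terminating NUL. snprintf with a NULL buffer and size 0 returns the
   number of characters the output would have (C99). For any value this
   is at least 8 + 1, so a malloc(length) with length < 8 is too small. */
size_t needed_for_length(unsigned long length)
{
    int n = snprintf(NULL, 0, "%8lu", length);
    return (size_t)n + 1;
}

/* Check that would have caught the original allocation: is a buffer of
   'bufsize' bytes large enough for the formatted value? */
int buffer_is_large_enough(size_t bufsize, unsigned long length)
{
    return bufsize >= needed_for_length(length);
}

/* Hardened form of the snippet in comment 6: the allocation is derived
   from the formatted output, never from the untrusted 'length' itself,
   and the write is bounded by the allocation. Caller frees the result. */
char *format_length_safe(unsigned long length)
{
    size_t sz = needed_for_length(length);
    char *a = malloc(sz);
    if (a == NULL)
        return NULL;
    snprintf(a, sz, "%8lu", length);
    return a;
}

/* The other half of the bug: text[0].text is not NUL-terminated, so
   strlen() reads past the end of the buffer. Measuring with the explicit
   length the chunk carries (memchr stops at text_length) cannot overrun. */
size_t profile_text_length(const unsigned char *text, size_t text_length)
{
    const unsigned char *nul = memchr(text, '\0', text_length);
    return nul ? (size_t)(nul - text) : text_length;
}

int main(void)
{
    /* Constructed sample: the exact case from comment 6, length == 1. */
    unsigned long length = 1;
    printf("malloc(%lu) large enough for \"%%8lu\"? %s (needs %zu bytes)\n",
           length, buffer_is_large_enough(length, length) ? "yes" : "no",
           needed_for_length(length));

    char *a = format_length_safe(length);
    if (a != NULL) {
        printf("[%s]\n", a);
        free(a);
    }

    /* Constructed 4-byte profile text with no trailing NUL. */
    const unsigned char text[4] = { 'a', 'b', 'c', 'd' };
    printf("profile text length: %zu\n", profile_text_length(text, sizeof text));
    return 0;
}
```

The check in buffer_is_large_enough is the review question to ask of any code that sizes an allocation from a field read out of the file and then formats a fixed-width string into it.
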
Comment 7 Norm Murray 2007-01-17 15:13:39 UTC
Included into 6.2.8.0-3.el5.3

Comment 8 RHEL Program Management 2007-02-08 01:07:32 UTC
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.