Bug 245195

Summary: Out-of-bound write in Imagemagick's PICT coder
Product: [Other] Security Response
Reporter: Red Hat Product Security <security-response-team>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: bressers
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=414370
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-03-22 15:28:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments (Description / Flags):
Reproducer for ImageMagick PICT coder out-of-bound write / none

Description Lubomir Kundrak 2007-06-21 15:56:05 UTC
Description of problem:

ImageMagick crashes with evidence of memory corruption of heap memory after
an attempt to open a fuzzed PICT picture.

Version-Release number of selected component (if applicable):

ImageMagick-6.2.8.0-4.fc6

How reproducible:

Steps to Reproduce:
$ gdb display
(gdb) run broken3.pict 
  
Actual results:

[Thread debugging using libthread_db enabled]
[New Thread 46912507440048 (LWP 29756)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 46912507440048 (LWP 29756)]
0x00002aaaaabc5cd5 in CopyMagickMemory (destination=0x666000,
source=0x2aaaab7823a0, size=8) at magick/memory.c:405
405         return(memcpy(destination,source,size));
(gdb) print *(char *)source
$15 = 0 '\0'
(gdb) print *(char *)destination
Cannot access memory at address 0x666000
(gdb)

Additional info:


(gdb) up
#1  0x00002aaaab57bdc1 in DecodeImage (image_info=0x61f350, blob=0x62dbf0,
image=0x637d10, bytes_per_line=203, bits_per_pixel=1) at coders/pict.c:524
524                 (void) CopyMagickMemory(q,p,number_pixels);
(gdb) print pixels
$16 = (unsigned char *) 0x63d140 ""
(gdb)

Here q can point beyond what's allocated to the pixels[] array.
No idea how that is user controllable though, assuming ability to execute
arbitrary code.
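The backtrace above shows the hazard: a run length read from the file drives a CopyMagickMemory() into a fixed pixel buffer, and nothing stops q from running past the end of pixels[]. The following is an added example, not ImageMagick's DecodeImage() and not code from the bug report; it is a simplified PackBits-style run decoder (the run encoding PICT scanlines use) that checks both the remaining input and the remaining output space before each copy, which is the guard whose absence produces the crash in the report. The function names, the buffer sizes and the three sample streams are constructed for the demonstration.

```c
/* Added example: a bounds-checked PackBits-style run decoder. This models the
 * hazard in the report (a file-supplied run length driving a memcpy into a
 * fixed pixel buffer); it is not ImageMagick's own code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode one run-length-encoded scanline into dst.
 * Header byte n < 0x80 : copy the next n+1 literal bytes.
 * Header byte n == 0x80: no-op.
 * Header byte n > 0x80 : repeat the next byte (257 - n) times.
 * Returns the number of bytes written, or -1 if the input is truncated or a
 * run would write past the end of dst. Every copy is preceded by a check of
 * the remaining source and destination space, so the write cursor can never
 * leave the buffer. */
long decode_packbits(const uint8_t *src, size_t src_len,
                     uint8_t *dst, size_t dst_len)
{
    size_t in = 0, out = 0;

    while (in < src_len) {
        uint8_t hdr = src[in++];
        size_t run;

        if (hdr == 0x80)
            continue;                           /* no-op header byte */

        if (hdr < 0x80) {
            run = (size_t)hdr + 1;
            if (run > src_len - in)             /* literal bytes missing */
                return -1;
            if (run > dst_len - out)            /* would overflow dst */
                return -1;
            memcpy(dst + out, src + in, run);
            in += run;
        } else {
            run = 257 - (size_t)hdr;
            if (in >= src_len)                  /* repeat byte missing */
                return -1;
            if (run > dst_len - out)            /* would overflow dst */
                return -1;
            memset(dst + out, src[in], run);
            in += 1;
        }
        out += run;
    }
    return (long)out;
}

/* Constructed sample 1: "abc" literal, then 'z' repeated 3 times -> 6 bytes. */
long demo_valid_run(void)
{
    static const uint8_t stream[] = { 0x02, 'a', 'b', 'c', 0xFE, 'z' };
    uint8_t scanline[8] = { 0 };
    return decode_packbits(stream, sizeof stream, scanline, sizeof scanline);
}

/* Constructed sample 2: a 128-byte repeat run aimed at an 8-byte buffer.
 * Without the destination check this is exactly the write past pixels[]
 * seen in the report; with it the decoder refuses the scanline. */
long demo_overlong_run(void)
{
    static const uint8_t stream[] = { 0x81, 0x00 };
    uint8_t scanline[8] = { 0 };
    return decode_packbits(stream, sizeof stream, scanline, sizeof scanline);
}

/* Constructed sample 3: a literal run whose bytes are not in the file. */
long demo_truncated_input(void)
{
    static const uint8_t stream[] = { 0x05, 'a' };
    uint8_t scanline[8] = { 0 };
    return decode_packbits(stream, sizeof stream, scanline, sizeof scanline);
}

int main(void)
{
    printf("valid run     -> %ld\n", demo_valid_run());      /* 6  */
    printf("overlong run  -> %ld\n", demo_overlong_run());   /* -1 */
    printf("truncated     -> %ld\n", demo_truncated_input()); /* -1 */
    return 0;
}
```

The checks are written as `run > remaining` rather than `out + run > dst_len` so that a large run length cannot wrap the addition; the same idiom applies to the source side, where a truncated file otherwise turns into a read past the end of the blob.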

Comment 1 Lubomir Kundrak 2007-06-21 15:56:05 UTC
Created attachment 157552 [details]
Reproducer for ImageMagick PICT coder out-of-bound write

Comment 3 Red Hat Bugzilla 2009-10-23 19:03:54 UTC
Reporter changed to security-response-team by request of Jay Turner.

Comment 4 Josh Bressers 2010-03-22 15:28:09 UTC
I'm closing this due to its age.