Red Hat Bugzilla – Bug 217898
ImageMagick PNG handling routine buffer verflow
Last modified: 2007-11-30 17:07:38 EST
Description of problem:
Quoting the post from ImageMagick forum, that disappeared (that's why I filled
Google cache in URL field):
> png_write_raw_profile uses strlen to measure buffer text.text. However,
> the buffer is not null terminated and FormatMagickString receives a wrong
> size. The result is occasional crash in a release build, and an assertion
> failure in a debug build (memory block watermark checking). Here is how I
> fixed the problem:
The patch was commited to upstream versioning system, and is attached to this bug.
Version-Release number of selected component (if applicable):
Only theese contain the flawed code:
No reproducer yet.
Created attachment 142497 [details]
Upstream patch for ImageMagick's PNG buffer overflow issue
Fixed up the patch (an extra ) in it) and doing test build.
QE ack for RHEL5.
I'm removing the security keyword from this flaw. It does not pose a security
threat. It will only result in an ImageMagick crash.
The flaw boils down to this code:
unsigned int length = 1;
a = malloc(length);
sprintf(a, "%8lu", length);
the "length" value, which is provided from the png, must be an integer less than
8 to overflow the buffer. This means that the resulting buffer is overflows by
space characters, followed by an single integer character.
Included into 126.96.36.199-3.el5.3
A package has been built which should help the problem described in
this bug report. This report is therefore being closed with a resolution
of CURRENTRELEASE. You may reopen this bug report if the solution does
not work for you.