Bug 217898 - ImageMagick PNG handling routine buffer overflow
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: ImageMagick (Show other bugs)
All Linux
low Severity low
Assigned To: Norm Murray
Depends On:
Blocks: 217900
Reported: 2006-11-30 12:50 EST by Lubomir Kundrak
Modified: 2007-11-30 17:07 EST (History)

See Also:
Fixed In Version: RC
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-02-07 20:07:32 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments
Upstream patch for ImageMagick's PNG buffer overflow issue (528 bytes, patch)
2006-11-30 12:50 EST, Lubomir Kundrak

Description Lubomir Kundrak 2006-11-30 12:50:32 EST
Description of problem:

Quoting the post from the ImageMagick forum, which disappeared (that's why I filled
in the Google cache in the URL field):

> png_write_raw_profile uses strlen to measure buffer text[0].text. However,
> the buffer is not null terminated and FormatMagickString receives a wrong
> size.  The result is occasional crash in a release build, and an assertion
> failure in a debug build (memory block watermark checking).  Here is how I
> fixed the problem:

The patch was committed to the upstream versioning system, and is attached to this bug.

Version-Release number of selected component (if applicable):

Only these contain the flawed code:

How reproducible:

No reproducer yet.
Comment 1 Lubomir Kundrak 2006-11-30 12:50:32 EST
Created attachment 142497 [details]
Upstream patch for ImageMagick's PNG buffer overflow issue
Comment 2 Norm Murray 2006-12-13 01:51:07 EST
Fixed up the patch (an extra ) in it) and doing a test build.
Comment 5 Jay Turner 2006-12-14 08:24:16 EST
QE ack for RHEL5.
Comment 6 Josh Bressers 2007-01-16 14:54:05 EST
I'm removing the security keyword from this flaw.  It does not pose a security
threat.  It will only result in an ImageMagick crash.

The flaw boils down to this code:

    #include <stdio.h>
    #include <stdlib.h>

    unsigned int length = 1;                      /* value taken from the PNG */
    char *a;
    a = malloc(length);                           /* buffer sized by the PNG-supplied length */
    sprintf(a, "%8lu", (unsigned long) length);   /* "%8lu" writes at least 8 characters plus NUL */

The "length" value, which is provided from the PNG, must be an integer less than
8 to overflow the buffer.  This means that the resulting buffer is overflowed by
space characters, followed by a single integer character.
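The sizing mistake reduced to its essentials in comment 6, and the strlen() hazard from the forum post quoted in the description, as an added example. This is not code from this bug report, from the attached patch or from ImageMagick; the function names and the sample profile text are constructed here. It lets the format itself report how many bytes "%8lu" produces, checks that against a buffer sized the way the flawed code sizes it, and shows the hardened forms: a buffer sized from the format and written with snprintf, and a profile text carried with an explicit length and copied with a "%.*s" precision instead of strlen().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Number of bytes sprintf(a, "%8lu", length) actually stores, NUL included.
 * snprintf(NULL, 0, ...) returns the length the format would produce, so the
 * answer comes from the format itself rather than from the PNG-supplied value. */
size_t header_bytes_needed(unsigned long length)
{
    int n = snprintf(NULL, 0, "%8lu", length);
    return (size_t)n + 1;
}

/* Comment 6 sizes the buffer as malloc(length). This check asks whether such a
 * buffer can hold the formatted header; 0 means the write would overflow it. */
int header_fits(unsigned long length)
{
    return length >= header_bytes_needed(length);
}

/* Hardened form: size the buffer from the format, bound the write with
 * snprintf, and let the caller free the result. Returns NULL on failure. */
char *format_header_safe(unsigned long length)
{
    size_t need = header_bytes_needed(length);
    char *a = malloc(need);
    if (a == NULL)
        return NULL;
    snprintf(a, need, "%8lu", length);
    return a;
}

/* The quoted forum post's other hazard: the profile text is not NUL-terminated,
 * so strlen() reads past it. Carry the length explicitly and bound the copy
 * with a "%.*s" precision instead. Returns the number of bytes the full text
 * needs (excluding the NUL), so a caller can detect truncation. */
size_t copy_profile_text(char *dst, size_t dst_size,
                         const char *text, size_t text_len)
{
    int n = snprintf(dst, dst_size, "%.*s", (int)text_len, text);
    return n < 0 ? 0 : (size_t)n;
}

int main(void)
{
    /* Constructed sample: a profile "text" with no terminating NUL. */
    const char raw[] = { 'a', 'b', 'c', 'x', 'y' };
    char out[8];
    unsigned long lengths[] = { 1UL, 8UL, 9UL, 123456789UL };
    size_t i;

    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("length %lu: needs %zu bytes, malloc(length) %s\n",
               lengths[i], header_bytes_needed(lengths[i]),
               header_fits(lengths[i]) ? "fits" : "overflows");

    copy_profile_text(out, sizeof out, raw, 3);
    printf("profile text: \"%s\"\n", out);

    char *h = format_header_safe(1UL);
    if (h != NULL) {
        printf("safe header: \"%s\"\n", h);
        free(h);
    }
    return 0;
}
```

Build with any C99 compiler (for example `cc -std=c99 -Wall example.c`). The useful habit here is that the buffer size is derived from what the format writes, never from an attacker-controlled length that happens to be nearby in the code, and that the caller owns and frees the buffer format_header_safe() returns.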
Comment 7 Norm Murray 2007-01-17 10:13:39 EST
Included into
Comment 8 RHEL Product and Program Management 2007-02-07 20:07:32 EST
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.
