Red Hat Bugzilla – Bug 217900
ImageMagick PNG handling routine buffer verflow
Last modified: 2008-04-26 03:47:06 EDT
+++ This bug was initially created as a clone of Bug #217898 +++
Description of problem:
Quoting the post from ImageMagick forum, that disappeared (that's why I filled
Google cache in URL field):
> png_write_raw_profile uses strlen to measure buffer text.text. However,
> the buffer is not null terminated and FormatMagickString receives a wrong
> size. The result is occasional crash in a release build, and an assertion
> failure in a debug build (memory block watermark checking). Here is how I
> fixed the problem:
The patch was commited to upstream versioning system, and is attached to this bug.
Version-Release number of selected component (if applicable):
Only theese contain the flawed code:
No reproducer yet.
-- Additional comment from email@example.com on 2006-11-30 12:50 EST --
Created an attachment (id=142497)
Upstream patch for ImageMagick's PNG buffer overflow issue
I'm removing the security keyword from this flaw. It does not pose a security
threat. It will only result in an ImageMagick crash.
The flaw boils down to this code:
unsigned int length = 1;
a = malloc(length);
sprintf(a, "%8lu", length);
the "length" value, which is provided from the png, must be an integer less than
8 to overflow the buffer. This means that the resulting buffer is overflows by
space characters, followed by an single integer character.
Not insisting on fixing, since not Security, leaving open though. Feel free to
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.
If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.
If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reporduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
Thanks for your help, and we apologize again that we haven't handled
these issues to this point.
The process we are following is outlined here:
We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.
And if you'd like to join the bug triage team to help make things
better, check out http://fedoraproject.org/wiki/BugZappers
Short intro: I'm a new co-maintainer of ImageMagick and as such walking through
all open bugs.
This bug is fixed in F-7 and newer closing.