Bug 217900 - ImageMagick PNG handling routine buffer verflow
ImageMagick PNG handling routine buffer verflow
Product: Fedora
Classification: Fedora
Component: ImageMagick (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Norm Murray
Depends On: 217898
  Show dependency treegraph
Reported: 2006-11-30 12:55 EST by Lubomir Kundrak
Modified: 2008-04-26 03:47 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-04-26 03:47:06 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Lubomir Kundrak 2006-11-30 12:55:48 EST
+++ This bug was initially created as a clone of Bug #217898 +++

Description of problem:

Quoting the post from ImageMagick forum, that disappeared (that's why I filled
Google cache in URL field):

> png_write_raw_profile uses strlen to measure buffer text[0].text. However,
> the buffer is not null terminated and FormatMagickString receives a wrong
> size.  The result is occasional crash in a release build, and an assertion
> failure in a debug build (memory block watermark checking).  Here is how I
> fixed the problem:

The patch was commited to upstream versioning system, and is attached to this bug.

Version-Release number of selected component (if applicable):

Only theese contain the flawed code:

How reproducible:

No reproducer yet.

-- Additional comment from lkundrak@redhat.com on 2006-11-30 12:50 EST --
Created an attachment (id=142497)
Upstream patch for ImageMagick's PNG buffer overflow issue
Comment 1 Josh Bressers 2007-01-16 14:55:08 EST
I'm removing the security keyword from this flaw.  It does not pose a security
threat.  It will only result in an ImageMagick crash.

The flaw boils down to this code:

    unsigned int length = 1;
    char *a;
    a = malloc(length);
    sprintf(a, "%8lu", length);

the "length" value, which is provided from the png, must be an integer less than
8 to overflow the buffer.  This means that the resulting buffer is overflows by
space characters, followed by an single integer character.
Comment 2 Lubomir Kundrak 2007-09-21 07:04:36 EDT
Not insisting on fixing, since not Security, leaving open though. Feel free to
Comment 3 Bug Zapper 2008-04-04 01:01:35 EDT
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.

If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reporduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
the change.

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we are following is outlined here:

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

And if you'd like to join the bug triage team to help make things
better, check out http://fedoraproject.org/wiki/BugZappers
Comment 4 Hans de Goede 2008-04-26 03:47:06 EDT
Short intro: I'm a new co-maintainer of ImageMagick and as such walking through
all open bugs.

This bug is fixed in F-7 and newer closing.

Note You need to log in before you can comment on or make changes to this bug.