Bug 245179 - Heap corruption in Imagemagick's PCX coder
Heap corruption in Imagemagick's PCX coder
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
http://bugs.debian.org/cgi-bin/bugrep...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-06-21 10:25 EDT by Red Hat Product Security
Modified: 2010-03-22 11:27 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-03-22 11:27:24 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Reproducer for ImageMagick PCX coder heap corruption (89.39 KB, application/octet-stream)
2007-06-21 10:25 EDT, Lubomir Kundrak
no flags Details
Fix for the ImageMagick PCX coder heap overflow (700 bytes, patch)
2007-06-21 10:27 EDT, Lubomir Kundrak
no flags Details | Diff

  None (edit)
Description Lubomir Kundrak 2007-06-21 10:25:06 EDT
Description of problem:

ImageMagick crashes with evidence of memory corruption of heap memory after
attempt to open a fuzzed PCX picture.

Version-Release number of selected component (if applicable):

ImageMagick-6.2.8.0-4.fc6

How reproducible:

Always.

Steps to Reproduce:

$ gdb display
(gdb) run broken.pcx

Actual Results

[Thread debugging using libthread_db enabled]
[New Thread 46912507440048 (LWP 29371)]
[Switching to Thread 46912507440048 (LWP 29371)]

*** glibc detected *** /usr/bin/display: malloc(): memory corruption:
0x0000000000625b10 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3a95c6f0e4]
/lib64/libc.so.6(__libc_malloc+0x7d)[0x3a95c7086d]
/usr/lib64/libMagick.so.10(AcquireMagickMemory+0x2e)[0x2aaaaabc5c16]
/usr/lib64/libMagick.so.10(NewLinkedList+0x16)[0x2aaaaabac12e]
/usr/lib64/libMagick.so.10(GetExceptionInfo+0x59)[0x2aaaaab99932]
/usr/lib64/libMagick.so.10(GetLocaleMessage+0x46)[0x2aaaaabbee00]
/usr/lib64/libMagick.so.10(GetLocaleExceptionMessage+0x82)[0x2aaaaab99dba]
/usr/lib64/libMagick.so.10(ThrowMagickExceptionList+0xa4)[0x2aaaaab9a2f4]
/usr/lib64/libMagick.so.10(ThrowMagickException+0x120)[0x2aaaaab9a506]
/usr/lib64/libMagick.so.10[0x2aaaaabb920c]
/usr/lib64/libMagick.so.10(SyncImage+0x124)[0x2aaaaabb90e3]
/usr/lib64/ImageMagick-6.2.8/modules-Q16/coders/pcx.so[0x2aaaab57ab76]
/usr/lib64/libMagick.so.10(ReadImage+0x370)[0x2aaaaab3bfa1]
/usr/lib64/libWand.so.10(DisplayImageCommand+0x13d5)[0x2aaaaaf4f0a3]
/usr/bin/display[0x400c2a]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x3a95c1da44]
/usr/bin/display[0x400a19]
======= Memory map: ========
00400000-00401000 r-xp 00000000 fd:00 13936173                          
/usr/bin/display
00601000-00602000 rw-p 00001000 fd:00 13936173                          
/usr/bin/display
00602000-0066f000 rw-p 00602000 00:00 0                                  [heap]
3267000000-326700f000 r-xp 00000000 fd:00 13939823                      
/usr/lib64/libbz2.so.1.0.3
326700f000-326720e000 ---p 0000f000 fd:00 13939823                      
/usr/lib64/libbz2.so.1.0.3
326720e000-3267210000 rw-p 0000e000 fd:00 13939823                      
/usr/lib64/libbz2.so.1.0.3
3288c00000-3288c2b000 r-xp 00000000 fd:00 13952546                      
/usr/lib64/libjpeg.so.62.0.0
3288c2b000-3288e2b000 ---p 0002b000 fd:00 13952546                      
/usr/lib64/libjpeg.so.62.0.0
3288e2b000-3288e2c000 rw-p 0002b000 fd:00 13952546                      
/usr/lib64/libjpeg.so.62.0.0
328c400000-328c457000 r-xp 00000000 fd:00 13933060                      
/usr/lib64/libtiff.so.3.8.2
328c457000-328c656000 ---p 00057000 fd:00 13933060                      
/usr/lib64/libtiff.so.3.8.2
328c656000-328c659000 rw-p 00056000 fd:00 13933060                      
/usr/lib64/libtiff.so.3.8.2
3804600000-3804704000 r-xp 00000000 fd:00 13927188                      
/usr/lib64/libX11.so.6.2.0
3804704000-3804904000 ---p 00104000 fd:00 13927188                      
/usr/lib64/libX11.so.6.2.0
3804904000-380490b000 rw-p 00104000 fd:00 13927188                      
/usr/lib64/libX11.so.6.2.0
3804a00000-3804a10000 r-xp 00000000 fd:00 13938591                      
/usr/lib64/libXext.so.6.4.0
3804a10000-3804c10000 ---p 00010000 fd:00 13938591                      
/usr/lib64/libXext.so.6.4.0
3804c10000-3804c11000 rw-p 00010000 fd:00 13938591                      
/usr/lib64/libXext.so.6.4.0
3a95800000-3a9581a000 r-xp 00000000 fd:00 1409429                       
/lib64/ld-2.5.so
3a95a19000-3a95a1a000 r--p 00019000 fd:00 1409429                       
/lib64/ld-2.5.so
3a95a1a000-3a95a1b000 rw-p 0001a000 fd:00 1409429                       
/lib64/ld-2.5.so
3a95c00000-3a95d44000 r-xp 00000000 fd:00 1409618                       
/lib64/libc-2.5.so
3a95d44000-3a95f44000 ---p 00144000 fd:00 1409618                       
/lib64/libc-2.5.so
3a95f44000-3a95f48000 r--p 00144000 fd:00 1409618                       
/lib64/libc-2.5.so
3a95f48000-3a95f49000 rw-p 00148000 fd:00 1409618                       
/lib64/libc-2.5.so
3a95f49000-3a95f4e000 rw-p 3a95f49000 00:00 0 
3a96000000-3a96082000 r-xp 00000000 fd:00 1409620                       
/lib64/libm-2.5.so
3a96082000-3a96281000 ---p 00082000 fd:00 1409620                       
/lib64/libm-2.5.so
3a96281000-3a96282000 r--p 00081000 fd:00 1409620                       
/lib64/libm-2.5.so
3a96282000-3a96283000 rw-p 00082000 fd:00 1409620                       
/lib64/libm-2.5.so
3a96400000-3a96403000 r-xp 00000000 fd:00 1409621                       
/lib64/libdl-2.5.so
3a96403000-3a96602000 ---p 00003000 fd:00 1409621                       
/lib64/libdl-2.5.so
3a96602000-3a96603000 r--p 00002000 fd:00 1409621                       
/lib64/libdl-2.5.so
3a96603000-3a96604000 rw-p 00003000 fd:00 1409621                       
/lib64/libdl-2.5.so
3a96800000-3a96815000 r-xp 00000000 fd:00 1409906                       
/lib64/libpthread-2.5.so
3a96815000-3a96a14000 ---p 00015000 fd:00 1409906                       
/lib64/libpthread-2.5.so
3a96a14000-3a96a15000 r--p 00014000 fd:00 1409906                       
/lib64/libpthread-2.5.so
3a96a15000-3a96a16000 rw-p 00015000 fd:00 1409906                       
/lib64/libpthread-2.5.so
3a96a16000-3a96a1a000 rw-p 3a96a16000 00:00 0 
3a96c00000-3a96c02000 r-xp 00000000 fd:00 23494807                      
/usr/lib64/libXau.so.6.0.0
3a96c02000-3a96e01000 ---p 00002000 fd:00 23494807                      
/usr/lib64/libXau.so.6.0.0
3a96e01000-3a96e02000 rw-p 00001000 fd:00 23494807                      
/usr/lib64/libXau.so.6.0.0
3a97000000-3a97005000 r-xp 00000000 fd:00 23494808                      
/usr/lib64/libXdmcp.so.6.0.0
3a97005000-3a97204000 ---p 00005000 fd:00 23494808                      
/usr/lib64/libXdmcp.so.6.0.0
3a97204000-3a97205000 rw-p 00004000 fd:00 23494808                      
/usr/lib64/libXdmcp.so.6.0.0
3a97800000-3a97814000 r-xp 00000000 fd:00 13955127                      
/usr/lib64/libz.so.1.2.3
3a97814000-3a97a13000 ---p 00014000 fd:00 13955127                      
/usr/lib64/libz.so.1.2.3
3a97a13000-3a97a14000 rw-p 00013000 fd:00 13955127                      
/usr/lib64/libz.so.1.2.3
3a98800000-3a9887f000 r-xp 00000000 fd:00 23494804                      
/usr/lib64/libfreetype.so.6.3.10
3a9887f000-3a98a7f000 ---p 0007f000 fd:00 23494804                      
/usr/lib64/libfreetype.so.6.3.10
3a98a7f000-3a98a84000 rw-p 0007f000 fd:00 23494804                      
/usr/lib64/libfreetype.so.6.3.10
3a98c00000-3a98c20000 r-xp 00000000 fd:00 1409619                       
/lib64/libexpat.so.0.5.0
3a98c20000-3a98e1f000 ---p 00020000 fd:00 1409619                       
/lib64/libexpat.so.0.5.0
3a98e1f000-3a98e22000 rw-p 0001f000 fd:00 1409619                       
/lib64/libexpat.so.0.5.0
3a99400000-3a99429000 r-xp 00000000 fd:00 23494805                      
/usr/lib64/libfontconfig.so.1.1.0
3a99429000-3a99629000 ---p 00029000 fd:00 23494805                      
/usr/lib64/libfontconfig.so.1.1.0
3a99629000-3a99633000 rw-p 00029000 fd:00 23494805                      
/usr/lib64/libfontconfig.so.1.1.0
3a99633000-3a99634000 rw-p 3a99633000 00:00 0 
3a9b000000-3a9b00d000 r-xp 00000000 fd:00 1409622                       
/lib64/libgcc_s-4.1.1-20070105.so.1
3a9b00d000-3a9b20c000 ---p 0000d000 fd:00 1409622                       
/lib64/libgcc_s-4.1.1-20070105.so.1
3a9b20c000-3a9b20d000 rw-p 0000c000 fd:00 1409622                       
/lib64/libgcc_s-4.1.1-20070105.so.1
3a9fe00000-3a9fe30000 r-xp 00000000 fd:00 13955130                      
/usr/lib64/liblcms.so.1.0.15
3a9fe30000-3aa0030000 ---p 00030000 fd:00 13955130                      
/usr/lib64/liblcms.so.1.0.15
3aa0030000-3aa0032000 rw-p 00030000 fd:00 13955130                      
/usr/lib64/liblcms.so.1.0.15
3aa0032000-3aa0034000 rw-p 3aa0032000 00:00 0 
2aaaaaaab000-2aaaaaaac000 rw-p 2aaaaaaab000 00:00 0 
2aaaaaacd000-2aaaaaace000 rw-p 2aaaaaacd000 00:00 0 
2aaaaaace000-2aaaaac9d000 r-xp 00000000 fd:00 13936512                  
/usr/lib64/libMagick.so.10.0.3
2aaaaac9d000-2aaaaae9d000 ---p 001cf000 fd:00 13936512                  
/usr/lib64/libMagick.so.10.0.3
2aaaaae9d000-2aaaaaeea000 rw-p 001cf000 fd:00 13936512                  
/usr/lib64/libMagick.so.10.0.3
2aaaaaeea000-2aaaaaf02000 rw-p 2aaaaaeea000 00:00 0 
2aaaaaf02000-2aaaaafe8000 r-xp 00000000 fd:00 13936518                  
/usr/lib64/libWand.so.10.0.3
2aaaaafe8000-2aaaab1e8000 ---p 000e6000 fd:00 13936518                  
/usr/lib64/libWand.so.10.0.3
2aaaab1e8000-2aaaab1eb000 rw-p 000e6000 fd:00 13936518                  
/usr/lib64/libWand.so.10.0.3
2aaaab1eb000-2aaaab1ed000 rw-p 2aaaab1eb000 00:00 0 
2aaaab1ed000-2aaaab240000 r-xp 00000000 fd:00 29819317                  
/opt/win4linpro/lib/sys/libXt.so.6
2aaaab240000-2aaaab340000 ---p 00053000 fd:00 29819317                  
/opt/win4linpro/lib/sys/libXt.so.6
2aaaab340000-2aaaab34d000 rw-p 00053000 fd:00 29819317                  
/opt/win4linpro/lib/sys/libXt.so.6
2aaaab34d000-2aaaab350000 rw-p 2aaaab34d000 00:00 0 
2aaaab350000-2aaaab359000 r-xp 00000000 fd:00 29819313                  
/opt/win4linpro/lib/sys/libSM.so.6
2aaaab359000-2aaaab458000 ---p 00009000 fd:00 29819313                  
/opt/win4linpro/lib/sys/libSM.so.6
Program received signal SIGABRT, Aborted.
0x0000003a95c301b5 in *__GI_raise (sig=<value optimized out>) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
64      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
        in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) bt
#0  0x0000003a95c301b5 in *__GI_raise (sig=<value optimized out>) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003a95c31b20 in *__GI_abort () at abort.c:88
#2  0x0000003a95c6766b in __libc_message (do_abort=2, fmt=0x3a95d19be8 "***
glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3  0x0000003a95c6f0e4 in _int_malloc (av=0x3a95f49980, bytes=64) at malloc.c:5758
#4  0x0000003a95c7086d in *__GI___libc_malloc (bytes=64) at malloc.c:3468
#5  0x00002aaaaabc5c16 in AcquireMagickMemory (size=64) at magick/memory.c:321
#6  0x00002aaaaabac12e in NewLinkedList (capacity=0) at magick/hashmap.c:1408
#7  0x00002aaaaab99932 in GetExceptionInfo (exception=0x7fff0b0010e0) at
magick/exception.c:428
#8  0x00002aaaaabbee00 in GetLocaleMessage (tag=0x7fff0b002160
"Exception/Corrupt/Image/Error/InvalidColormapIndex") at magick/locale.c:433
#9  0x00002aaaaab99dba in GetLocaleExceptionMessage (severity=CorruptImageError,
tag=0x2aaaaac7dbc7 "InvalidColormapIndex") at magick/exception.c:565
#10 0x00002aaaaab9a2f4 in ThrowMagickExceptionList (exception=0x630e68,
module=0x2aaaaac7dbdc "./magick/color-private.h", 
    function=0x2aaaaac7dbb0 "ConstrainColormapIndex", line=46,
severity=CorruptImageError, tag=0x2aaaaac7dbc7 "InvalidColormapIndex", 
    format=0x2aaaaac7d140 "`%s'", operands=0x7fff0b004240) at magick/exception.c:962
#11 0x00002aaaaab9a506 in ThrowMagickException (exception=0x630e68,
module=0x2aaaaac7dbdc "./magick/color-private.h", 
    function=0x2aaaaac7dbb0 "ConstrainColormapIndex", line=46,
severity=CorruptImageError, tag=0x2aaaaac7dbc7 "InvalidColormapIndex", 
    format=0x2aaaaac7d140 "`%s'") at magick/exception.c:989
#12 0x00002aaaaabb920c in ConstrainColormapIndex (image=0x62dbf0, index=4) at
magick/color-private.h:46
#13 0x00002aaaaabb90e3 in SyncImage (image=0x62dbf0) at magick/image.c:3420
#14 0x00002aaaab57ab76 in ReadPCXImage (image_info=0x61f350,
exception=0x7fff0b009b90) at coders/pcx.c:595
#15 0x00002aaaaab3bfa1 in ReadImage (image_info=0x61a1b0,
exception=0x7fff0b009b90) at magick/constitute.c:389
#16 0x00002aaaaaf4f0a3 in DisplayImageCommand (image_info=0x61a1b0, argc=2,
argv=0x6068b0, wand_unused_metadata=0x0, exception=0x7fff0b009b90)
    at wand/display.c:498
#17 0x0000000000400c2a in main (argc=2, argv=0x7fff0b009cc8) at
utilities/display.c:132
#18 0x0000003a95c1da44 in __libc_start_main (main=0x400aa8 <main>, argc=2,
ubp_av=0x7fff0b009cc8, init=<value optimized out>, fini=<value optimized out>, 
    rtld_fini=<value optimized out>, stack_end=0x7fff0b009cb8) at libc-start.c:231
#19 0x0000000000400a19 in _start ()
(gdb) 

Additional info:

I assume that arbitrary code execution is possible, unless proven otherwise.
See the debian bug report referred to in URL for more information.
Comment 1 Lubomir Kundrak 2007-06-21 10:25:06 EDT
Created attachment 157538 [details]
Reproducer for ImageMagick PCX coder heap corruption
Comment 2 Lubomir Kundrak 2007-06-21 10:27:34 EDT
Created attachment 157539 [details]
Fix for the ImageMagick PCX coder heap overflow

This one was taken from Debian.
Comment 4 Red Hat Bugzilla 2009-10-23 15:03:44 EDT
Reporter changed to security-response-team@redhat.com by request of Jay Turner.
Comment 5 Josh Bressers 2010-03-22 11:27:24 EDT
I'm closing this due to its age.

Note You need to log in before you can comment on or make changes to this bug.