Bug 245195 - Out-of-bound write in Imagemagick's PICT coder
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Keywords: Security
Reported: 2007-06-21 11:56 EDT by Red Hat Product Security
Modified: 2010-03-22 11:28 EDT
Doc Type: Bug Fix
Last Closed: 2010-03-22 11:28:09 EDT
Attachments
Reproducer for ImageMagick PICT coder out-of-bound write (22.36 KB, application/octet-stream), attached 2007-06-21 11:56 EDT by Lubomir Kundrak

Description Lubomir Kundrak 2007-06-21 11:56:05 EDT
Description of problem:

ImageMagick crashes with evidence of memory corruption of heap memory after an
attempt to open a fuzzed PICT picture.

Version-Release number of selected component (if applicable):

ImageMagick-6.2.8.0-4.fc6

How reproducible:

Steps to Reproduce:
$ gdb display
(gdb) run broken3.pict

Actual results:

[Thread debugging using libthread_db enabled]
[New Thread 46912507440048 (LWP 29756)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 46912507440048 (LWP 29756)]
0x00002aaaaabc5cd5 in CopyMagickMemory (destination=0x666000,
source=0x2aaaab7823a0, size=8) at magick/memory.c:405
405         return(memcpy(destination,source,size));
(gdb) print *(char *)source
$15 = 0 '\0'
(gdb) print *(char *)destination
Cannot access memory at address 0x666000
(gdb)

Additional info:

(gdb) up
#1  0x00002aaaab57bdc1 in DecodeImage (image_info=0x61f350, blob=0x62dbf0,
image=0x637d10, bytes_per_line=203, bits_per_pixel=1) at coders/pict.c:524
524                 (void) CopyMagickMemory(q,p,number_pixels);
(gdb) print pixels
$16 = (unsigned char *) 0x63d140 ""
(gdb)

Here q can point beyond what's allocated to the pixels[] array.
No idea how that is user controllable, though, assuming the ability to execute
arbitrary code.
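The crash above is an unchecked copy into a fixed-size row buffer: by the time CopyMagickMemory(q,p,number_pixels) runs, q may already be past the end of pixels[]. The following is an added illustration, written for this page and not taken from the report or from ImageMagick's pict.c: a simplified PackBits-style run-length scanline decoder (PICT pixmap rows are PackBits-compressed) in which every run is checked against the remaining destination space before any byte is written. The function names, the sample row and the 16-byte buffer size are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not ImageMagick code. Decodes one PackBits-style
 * run-length scanline from src into dst. Every run is validated against
 * both the remaining input and the remaining room in dst before the copy,
 * which is the check whose absence lets q run past pixels[] in the report.
 *
 * Returns the number of bytes written to dst, or -1 when the input is
 * truncated or a run would write past dst + dst_len.
 */
long decode_packbits_scanline(const uint8_t *src, size_t src_len,
                              uint8_t *dst, size_t dst_len)
{
    size_t in = 0, out = 0;

    while (in < src_len) {
        int8_t hdr = (int8_t)src[in++];

        if (hdr == -128)                /* 0x80 is a no-op marker: skip it */
            continue;

        if (hdr >= 0) {
            /* Literal run: the next hdr+1 input bytes are copied verbatim. */
            size_t count = (size_t)hdr + 1;
            if (count > src_len - in)   /* run claims more input than exists */
                return -1;
            if (count > dst_len - out)  /* run would overflow the pixel row */
                return -1;
            memcpy(dst + out, src + in, count);
            in += count;
            out += count;
        } else {
            /* Repeat run: the next input byte is repeated (-hdr)+1 times. */
            size_t count = (size_t)(-hdr) + 1;
            if (in >= src_len)          /* no byte left to repeat */
                return -1;
            if (count > dst_len - out)  /* run would overflow the pixel row */
                return -1;
            memset(dst + out, src[in], count);
            in += 1;
            out += count;
        }
    }
    return (long)out;
}

/* Constructed sample row: literal "abc" followed by a repeat run of three 'x'. */
static const uint8_t sample_row[] = { 0x02, 'a', 'b', 'c', 0xFE, 'x' };

/* Decode the constructed sample into a row buffer of dst_len bytes (at most 16). */
long decode_sample_row(size_t dst_len)
{
    uint8_t row[16];
    if (dst_len > sizeof row)
        return -2;
    return decode_packbits_scanline(sample_row, sizeof sample_row, row, dst_len);
}

/* Constructed malformed row: a literal header that claims 6 bytes but only 1 follows. */
long decode_truncated_row(void)
{
    static const uint8_t truncated[] = { 0x05, 'a' };
    uint8_t row[16];
    return decode_packbits_scanline(truncated, sizeof truncated, row, sizeof row);
}

int main(void)
{
    printf("16-byte row: %ld bytes written\n", decode_sample_row(16));
    printf("4-byte row:  %ld (rejected: second run would overflow)\n",
           decode_sample_row(4));
    printf("truncated:   %ld (rejected: run longer than input)\n",
           decode_truncated_row());
    return 0;
}
```

The six-byte sample decodes fully into a 16-byte or 6-byte row, but into a 4-byte row the repeat run is rejected before memset runs instead of writing two bytes past the buffer; the same shape of check, applied to number_pixels against the space left in pixels[], is the defensive fix for the class of bug the backtrace shows.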
Comment 1 Lubomir Kundrak 2007-06-21 11:56:05 EDT
Created attachment 157552 [details]
Reproducer for ImageMagick PICT coder out-of-bound write
Comment 3 Red Hat Bugzilla 2009-10-23 15:03:54 EDT
Reporter changed to security-response-team@redhat.com by request of Jay Turner.
Comment 4 Josh Bressers 2010-03-22 11:28:09 EDT
I'm closing this due to its age.
