Description of problem:
ImageMagick crashes with evidence of memory corruption of heap memory after an attempt to open a fuzzed PICT picture.

Version-Release number of selected component (if applicable):
ImageMagick-6.2.8.0-4.fc6

How reproducible:

Steps to Reproduce:
$ gdb display
(gdb) run broken3.pict

Actual results:
[Thread debugging using libthread_db enabled]
[New Thread 46912507440048 (LWP 29756)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 46912507440048 (LWP 29756)]
0x00002aaaaabc5cd5 in CopyMagickMemory (destination=0x666000, source=0x2aaaab7823a0, size=8) at magick/memory.c:405
405         return(memcpy(destination,source,size));
(gdb) print *(char *)source
$15 = 0 '\0'
(gdb) print *(char *)destination
Cannot access memory at address 0x666000
(gdb)

Additional info:
(gdb) up
#1  0x00002aaaab57bdc1 in DecodeImage (image_info=0x61f350, blob=0x62dbf0, image=0x637d10, bytes_per_line=203, bits_per_pixel=1) at coders/pict.c:524
524         (void) CopyMagickMemory(q,p,number_pixels);
(gdb) print pixels
$16 = (unsigned char *) 0x63d140 ""
(gdb)

Here q can point beyond what's allocated to the pixels[] array. No idea how that is user controllable, though, assuming ability to execute arbitrary code.
Created attachment 157552: Reproducer for ImageMagick PICT coder out-of-bound write
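The crash above is a copy into a pixel line buffer whose destination pointer q has already run past the end of pixels[]. The C program below is an added illustration, not ImageMagick's code and not the PICT packing format: it decodes a constructed run-length blob (one length byte followed by that many literal bytes, an assumed layout) into a fixed-size line, and shows the two checks such a copy needs before the memcpy, one against the remaining input and one against the remaining destination capacity. The names line_t, checked_copy, decode_runs and selftest, the buffer sizes and the sample blobs are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Destination line buffer: the analogue of the pixels[] array the
 * report describes, with its allocated size carried alongside it. */
typedef struct {
    unsigned char *pixels;
    size_t capacity;
} line_t;

/* Copy count bytes from src into line at byte offset `offset`, refusing
 * any copy that would land past the allocation. Returns 1 on success,
 * 0 if the write would overrun. The comparison is written so that
 * offset + count cannot wrap around. */
int checked_copy(line_t *line, size_t offset, const unsigned char *src, size_t count)
{
    if (offset > line->capacity || count > line->capacity - offset)
        return 0;
    memcpy(line->pixels + offset, src, count);
    return 1;
}

/* Decode a blob of runs into line. Hypothetical run layout (constructed
 * for this example, not the PICT packing): one length byte followed by
 * that many literal pixel bytes. Returns the number of bytes written,
 * or -1 if the blob is truncated or the output would overrun. */
long decode_runs(line_t *line, const unsigned char *blob, size_t blob_len)
{
    size_t in = 0, out = 0;
    while (in < blob_len) {
        size_t count = blob[in++];
        if (count > blob_len - in)
            return -1;                 /* run claims more input than exists */
        if (!checked_copy(line, out, blob + in, count))
            return -1;                 /* run would write past pixels[] */
        in += count;
        out += count;
    }
    return (long)out;
}

/* Exercise the decoder on constructed inputs; returns 1 if every case
 * behaves as expected, 0 otherwise. */
int selftest(void)
{
    unsigned char buf[8];
    line_t line = { buf, sizeof buf };
    /* Constructed sample blobs for this example. */
    static const unsigned char good[]  = { 3, 'a', 'b', 'c', 2, 'd', 'e' };
    static const unsigned char over[]  = { 6, 1, 2, 3, 4, 5, 6, 4, 7, 8, 9, 10 };
    static const unsigned char trunc[] = { 5, 1, 2 };

    if (decode_runs(&line, good, sizeof good) != 5) return 0;
    if (memcmp(buf, "abcde", 5) != 0) return 0;
    if (decode_runs(&line, over, sizeof over) != -1) return 0;   /* 6 + 4 > 8 */
    if (decode_runs(&line, trunc, sizeof trunc) != -1) return 0; /* 5 > 2 remaining */
    return 1;
}

int main(void)
{
    int ok = selftest();
    printf("%s\n", ok ? "all checks passed" : "selftest failed");
    return ok ? 0 : 1;
}
```

The second sample blob is the shape of failure the report describes: every individual run is well formed, but the cumulative output offset plus the next run length exceeds the allocation, so the copy must be refused rather than performed.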
Reporter changed to security-response-team by request of Jay Turner.
I'm closing this due to its age.