Bug 245195 - Out-of-bound write in Imagemagick's PICT coder
Summary: Out-of-bound write in Imagemagick's PICT coder
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://bugs.debian.org/cgi-bin/bugrep...
Keywords: Security
Depends On:
Reported: 2007-06-21 15:56 UTC by Red Hat Product Security
Modified: 2010-03-22 15:28 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-03-22 15:28:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments
Reproducer for ImageMagick PICT coder out-of-bound write (22.36 KB, application/octet-stream)
2007-06-21 15:56 UTC, Lubomir Kundrak

Description Lubomir Kundrak 2007-06-21 15:56:05 UTC
Description of problem:

ImageMagick crashes with evidence of heap memory corruption after an
attempt to open a fuzzed PICT picture.

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:
$ gdb display
(gdb) run broken3.pict
Actual results:

[Thread debugging using libthread_db enabled]
[New Thread 46912507440048 (LWP 29756)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 46912507440048 (LWP 29756)]
0x00002aaaaabc5cd5 in CopyMagickMemory (destination=0x666000,
source=0x2aaaab7823a0, size=8) at magick/memory.c:405
405         return(memcpy(destination,source,size));
(gdb) print *(char *)source
$15 = 0 '\0'
(gdb) print *(char *)destination
Cannot access memory at address 0x666000

Additional info:

(gdb) up
#1  0x00002aaaab57bdc1 in DecodeImage (image_info=0x61f350, blob=0x62dbf0,
image=0x637d10, bytes_per_line=203, bits_per_pixel=1) at coders/pict.c:524
524                 (void) CopyMagickMemory(q,p,number_pixels);
(gdb) print pixels
$16 = (unsigned char *) 0x63d140 ""

Here q can point beyond what's allocated to the pixels[] array.
No idea how that is user controllable though, assuming ability to execute
arbitrary code.

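The report above locates the write at a CopyMagickMemory() into pixels[] whose destination q is not bounded by the buffer. Below is an added example, not ImageMagick's pict.c and not the reporter's code, of a row decoder that performs that same kind of copy with the destination and source checked first; it assumes a PackBits-style row encoding and hypothetical names (pixel_buffer, decode_row, try_row), and its sample rows are constructed here rather than taken from the attachment.

```c
#include <stddef.h>
#include <string.h>
/* Hypothetical row decoder, NOT ImageMagick's pict.c. Rows are assumed to be PackBits-style:
 * a count byte n, then n+1 literal bytes (n < 128) or one byte repeated 257-n times (n > 128).
 * The crash above is a memcpy into pixels[] with an unchecked destination; here every copy is
 * bounded by the current row before it runs. */
typedef struct {
    unsigned char *pixels;
    size_t pixels_size;      /* rows * bytes_per_line */
    size_t bytes_per_line;
} pixel_buffer;
/* Unpack one compressed row into row `row`; returns bytes written, or 0 on any overrun. */
size_t decode_row(pixel_buffer *buf, size_t row, const unsigned char *src, size_t src_len)
{
    if (buf->bytes_per_line == 0 || row >= buf->pixels_size / buf->bytes_per_line)
        return 0;                                   /* row outside pixels[] */
    unsigned char *row_start = buf->pixels + row * buf->bytes_per_line;
    unsigned char *q = row_start, *row_end = row_start + buf->bytes_per_line;
    size_t i = 0;
    while (i < src_len) {
        unsigned char n = src[i++];
        size_t number_pixels;
        if (n == 128) continue;                     /* PackBits no-op code */
        if (n < 128) {
            number_pixels = (size_t)n + 1;
            if (number_pixels > src_len - i || number_pixels > (size_t)(row_end - q))
                return 0;                           /* source short, or would pass row_end */
            memcpy(q, src + i, number_pixels);      /* the checked counterpart of the crashing copy */
            i += number_pixels;
        } else {
            number_pixels = 257 - (size_t)n;
            if (i >= src_len || number_pixels > (size_t)(row_end - q))
                return 0;                           /* run would pass row_end */
            memset(q, src[i++], number_pixels);
        }
        q += number_pixels;
    }
    return (size_t)(q - row_start);
}
/* Constructed inputs (not the bug's attachment) and a small driver. */
static const unsigned char good_row[] = {0x02, 'a', 'b', 'c', 0xFE, 'z'}; /* decodes to "abczzz" */
static const unsigned char bad_run[]  = {0x81, 'z'};  /* 128 x 'z' into an 8-byte row */
static const unsigned char bad_lit[]  = {0x7F, 'a'};  /* claims 128 literals, carries 1 */
size_t try_row(const unsigned char *src, size_t len, size_t row)
{
    unsigned char pix[16] = {0};                    /* 2 rows of 8 bytes */
    pixel_buffer buf = {pix, sizeof pix, 8};
    return decode_row(&buf, row, src, len);
}
```

A fuzzed row that claims more pixels than the row holds is rejected with 0 instead of advancing q past the buffer, which is the condition the backtrace above shows.
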
Comment 1 Lubomir Kundrak 2007-06-21 15:56:05 UTC
Created attachment 157552
Reproducer for ImageMagick PICT coder out-of-bound write

Comment 3 Red Hat Bugzilla 2009-10-23 19:03:54 UTC
Reporter changed to security-response-team@redhat.com by request of Jay Turner.

Comment 4 Josh Bressers 2010-03-22 15:28:09 UTC
I'm closing this due to its age.
