Red Hat Bugzilla – Bug 245195
Out-of-bound write in Imagemagick's PICT coder
Last modified: 2010-03-22 11:28:09 EDT
Description of problem:
ImageMagick crashes with evidence of heap memory corruption after an
attempt to open a fuzzed PICT picture.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
$ gdb display
(gdb) run broken3.pict
[Thread debugging using libthread_db enabled]
[New Thread 46912507440048 (LWP 29756)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 46912507440048 (LWP 29756)]
0x00002aaaaabc5cd5 in CopyMagickMemory (destination=0x666000,
source=0x2aaaab7823a0, size=8) at magick/memory.c:405
(gdb) print *(char *)source
$15 = 0 '\0'
(gdb) print *(char *)destination
Cannot access memory at address 0x666000
#1 0x00002aaaab57bdc1 in DecodeImage (image_info=0x61f350, blob=0x62dbf0,
image=0x637d10, bytes_per_line=203, bits_per_pixel=1) at coders/pict.c:524
524 (void) CopyMagickMemory(q,p,number_pixels);
(gdb) print pixels
$16 = (unsigned char *) 0x63d140 ""
Here q can point beyond what is allocated to the pixels array.
No idea how that is user controllable though, assuming ability to execute
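The crash above is an unchecked copy into a fixed-size pixel buffer inside a run-length decode loop. The following is an added example, not ImageMagick's pict.c: a constructed run-length decoder (loosely PackBits-style, with its own control-byte rule chosen for this example) that checks both the remaining source and the remaining destination space before every copy, so an over-long run from a fuzzed file is rejected instead of written past the end of the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed run-length scheme for this example (not the real PICT format):
   control byte c < 128  -> copy the next c+1 literal bytes
   control byte c >= 128 -> repeat the next byte 257-c times
   Returns bytes written to dst, or -1 if the input would run past dst
   or is truncated. Every write is bounded by dstlen, which is the check
   the crashing CopyMagickMemory(q,p,number_pixels) lacked. */
long decode_runs_checked(const uint8_t *src, size_t srclen,
                         uint8_t *dst, size_t dstlen)
{
    size_t ip = 0, op = 0;
    while (ip < srclen) {
        uint8_t ctl = src[ip++];
        size_t n;
        if (ctl < 128) {
            n = (size_t)ctl + 1;
            if (n > srclen - ip) return -1;   /* truncated literal run */
            if (n > dstlen - op) return -1;   /* would write past dst */
            memcpy(dst + op, src + ip, n);
            ip += n;
        } else {
            if (ip >= srclen) return -1;      /* missing repeat byte */
            n = 257 - (size_t)ctl;
            if (n > dstlen - op) return -1;   /* would write past dst */
            memset(dst + op, src[ip], n);
            ip++;
        }
        op += n;
    }
    return (long)op;
}

/* Constructed fuzz-like input: a 128-byte repeat run aimed at a 16-byte
   buffer. Without the bound check this would overflow; here it returns -1. */
long sample_overlong_run(void)
{
    static const uint8_t in[] = { 0x81, 'x' };
    uint8_t out[16];
    return decode_runs_checked(in, sizeof in, out, sizeof out);
}

/* Constructed well-formed input: literal "abc" then 'z' repeated 3 times. */
long sample_valid(void)
{
    static const uint8_t in[] = { 0x02, 'a', 'b', 'c', 0xFE, 'z' };
    uint8_t out[16];
    long n = decode_runs_checked(in, sizeof in, out, sizeof out);
    return (n == 6 && memcmp(out, "abczzz", 6) == 0) ? n : -2;
}
```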
Created attachment 157552
Reproducer for ImageMagick PICT coder out-of-bound write
Reporter changed to email@example.com by request of Jay Turner.
I'm closing this due to its age.