Bug 345371 - Crash in ImageMagick's VIFF coder
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Reported: 2007-10-22 11:19 EDT by Lubomir Kundrak
Modified: 2007-12-05 10:32 EST (History)
Doc Type: Bug Fix
Last Closed: 2007-12-05 10:32:36 EST

Attachments
ImageMagic VIFF coder crasher 1 (91.40 KB, application/octet-stream), 2007-10-22 11:19 EDT, Lubomir Kundrak
ImageMagic VIFF coder crasher 2 (91.40 KB, application/octet-stream), 2007-10-22 11:20 EDT, Lubomir Kundrak

Description Lubomir Kundrak 2007-10-22 11:19:43 EDT
ImageMagick crashes when loading of a corrupted VIFF image is attempted.

I am not completely sure about the security impact because the results are dependent
on the particular ImageMagick version. Though the results of my test did not reveal any
obvious security impact, the original bug report demonstrates different results
and suggests that there is a possibly exploitable heap overflow.
Comment 1 Lubomir Kundrak 2007-10-22 11:19:43 EDT
Created attachment 234161: ImageMagic VIFF coder crasher 1
Comment 2 Lubomir Kundrak 2007-10-22 11:20:36 EDT
Created attachment 234171: ImageMagic VIFF coder crasher 2
Comment 3 Lubomir Kundrak 2007-10-22 11:22:31 EDT
RHEL-2.1: A NULL pointer dereference

bash-2.05# display segv.viff
Segmentation fault (core dumped)
bash-2.05#

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208125760 (LWP 17537)]
ReadVIFFImage (image_info=0x9f76b28, exception=0xbff124f0) at viff.c:626
626                   indexes[x+bit]=(IndexPacket)
(gdb) print x+bit
$1 = 0
(gdb) print indexes
$2 = <value optimized out>
(gdb) print indexes[x+bit]
Cannot access memory at address 0x0
(gdb) bt
#0  ReadVIFFImage (image_info=0x9f76b28, exception=0xbff124f0) at viff.c:626
#1  0x0014669b in ReadImage (image_info=0x9f73a38, exception=0xbff124f0) at
constitute.c:1889
#2  0x08049762 in main (argc=Cannot access memory at address 0x0
) at display.c:1355
(gdb)

RHEL-3: A warning

bash-2.05b# display segv.viff
display: Invalid colormap index (segv.viff).
<-- black window pops up -->

RHEL-4: Another warning

bash-3.00# display segv.viff
display: pixel cache is not open `segv.viff'.
<-- black window pops up -->

RHEL-5: ASSERT() fail

bash-3.1# display segv.viff
display: magick/cache.c:2383: GetNexus: Assertion `cache_info->number_views !=
0UL' failed.
Aborted (core dumped)
bash-3.1#
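The RHEL-2.1 crash site in Comment 3 is a write through indexes (the index array for a colormapped image) while that pointer is NULL, which is why gdb cannot read address 0x0 at x+bit == 0; the later releases fail earlier with "pixel cache is not open" or "Invalid colormap index" instead. The C program below is an added illustration, not code from ImageMagick or from this report: it models the per-pixel index write loop of a 1-bit and an 8-bit colormapped row in an unchecked form that mirrors the crash, and in a checked form that refuses a NULL index array, a short input buffer and an index beyond the colormap. The IndexPacket typedef, the LSB-first bit order, the error codes and the two sample rows are assumptions made for the example.

```c
#include <stdio.h>
#include <stddef.h>

/* Assumed index type; ImageMagick's real IndexPacket may differ. */
typedef unsigned short IndexPacket;

enum viff_status {
    VIFF_OK = 0,
    VIFF_ERR_NULL_INDEXES = 1,  /* pixel cache not open: no index array to write */
    VIFF_ERR_BAD_INDEX = 2,     /* index does not address a colormap entry */
    VIFF_ERR_TRUNCATED = 3      /* input shorter than the row it claims to hold */
};

/* Unchecked 1-bit unpacker that mirrors the crash site: with indexes == NULL the
 * first store faults at indexes[0], exactly as in the RHEL-2.1 backtrace. */
static void unpack_bits_unchecked(const unsigned char *src, size_t width,
                                  IndexPacket *indexes)
{
    size_t x;
    for (x = 0; x < width; x += 8) {
        int bit;
        for (bit = 0; bit < 8 && x + (size_t)bit < width; bit++)
            indexes[x + bit] = (IndexPacket)((src[x / 8] >> bit) & 1);
    }
}

/* Checked 1-bit unpacker: validates the destination, the colormap and the
 * input length before any pixel is touched. */
static int unpack_bits_checked(const unsigned char *src, size_t src_len,
                               size_t width, IndexPacket *indexes, size_t colors)
{
    size_t x;
    if (indexes == NULL)
        return VIFF_ERR_NULL_INDEXES;
    if (colors < 2)                       /* 1-bit pixels need entries 0 and 1 */
        return VIFF_ERR_BAD_INDEX;
    if (src_len < (width + 7) / 8)
        return VIFF_ERR_TRUNCATED;
    for (x = 0; x < width; x += 8) {
        int bit;
        for (bit = 0; bit < 8 && x + (size_t)bit < width; bit++)
            indexes[x + bit] = (IndexPacket)((src[x / 8] >> bit) & 1);
    }
    return VIFF_OK;
}

/* Checked 8-bit unpacker: every byte is a colormap index and must be in range. */
static int unpack_bytes_checked(const unsigned char *src, size_t src_len,
                                size_t width, IndexPacket *indexes, size_t colors)
{
    size_t x;
    if (indexes == NULL)
        return VIFF_ERR_NULL_INDEXES;
    if (src_len < width)
        return VIFF_ERR_TRUNCATED;
    for (x = 0; x < width; x++) {
        if (src[x] >= colors)             /* the "Invalid colormap index" case */
            return VIFF_ERR_BAD_INDEX;
        indexes[x] = (IndexPacket)src[x];
    }
    return VIFF_OK;
}

/* Constructed sample rows (not taken from the attached crashers). */
static const unsigned char SAMPLE_BITS[2] = { 0xA5, 0x3C };   /* 16 1-bit pixels */
static const unsigned char SAMPLE_BYTES[4] = { 0, 1, 5, 3 };  /* 5 exceeds a 4-entry map */

static int decode_sample_bits(IndexPacket out[16])
{
    return unpack_bits_checked(SAMPLE_BITS, sizeof SAMPLE_BITS, 16, out, 2);
}

static int decode_sample_bytes_bad(IndexPacket out[4])
{
    return unpack_bytes_checked(SAMPLE_BYTES, sizeof SAMPLE_BYTES, 4, out, 4);
}

int main(void)
{
    IndexPacket out[16];
    size_t i;
    int rc = decode_sample_bits(out);
    printf("1-bit row: status %d, pixels:", rc);
    for (i = 0; i < 16; i++)
        printf(" %u", (unsigned)out[i]);
    printf("\n");
    printf("NULL index array: status %d\n",
           unpack_bits_checked(SAMPLE_BITS, sizeof SAMPLE_BITS, 16, NULL, 2));
    printf("truncated input:  status %d\n",
           unpack_bits_checked(SAMPLE_BITS, 1, 16, out, 2));
    printf("bad colormap idx: status %d\n", decode_sample_bytes_bad(out));
    /* unpack_bits_unchecked(SAMPLE_BITS, 16, NULL) would segfault here. */
    unpack_bits_unchecked(SAMPLE_BITS, 16, out);
    return 0;
}
```

The checked functions fail before the first store, so a malformed header that leaves the pixel cache unopened or declares a colormap smaller than the indices it uses is reported rather than turned into a wild write or a NULL dereference.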
Comment 4 Bastien Nocera 2007-12-04 12:27:14 EST
To me, only the RHEL 2.1 presents a security risk. There's no injection
possibilities with RHEL3, 4 or 5.
Comment 6 Lubomir Kundrak 2007-12-05 10:32:36 EST
We are not fixing this. It's just a NULL dereference in 2.1.