#530 heap-buffer-overflow in ReadOneJNGImage

Milestone: v1.0_(example)
Status: closed-fixed
Labels: None
Priority: 1
Updated: 2017-12-16
Created: 2017-12-13
Creator: Allan Zhou
Private: No

/usr/local/bin/gm mogrify -version
GraphicsMagick 1.4 snapshot-20171208 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2017 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:
Native Thread Safe yes
Large Files (> 32 bit) yes
Large Memory (> 32 bit) yes
BZIP yes
DPS no
FlashPix no
FreeType yes
Ghostscript (Library) no
JBIG no
JPEG-2000 no
JPEG yes
Little CMS no
Loadable Modules no
OpenMP yes (201511)
PNG yes
TIFF yes
TRIO no
UMEM no
WebP no
WMF no
X11 yes
XML yes
ZLIB yes

Host type: x86_64-unknown-linux-gnu

Configured using the command:
./configure 'CC=gcc' 'CXX=g++'

Final Build Parameters:
CC = gcc
CFLAGS = -fopenmp -g -fsanitize=address -Wall -pthread
CPPFLAGS = -I/usr/include/freetype2 -I/usr/include/libxml2
CXX = g++
CXXFLAGS = -pthread
LDFLAGS =
LIBS = -ltiff -lfreetype -ljpeg -lpng16 -lXext -lSM -lICE -lX11 -llzma -lbz2 -lxml2 -lz -lm -lgomp -lpthread

/usr/local/bin/gm mogrify 3c896OWQCkwRgXtWtIoAfDJbGLbdTcfX-0.jng

=================================================================
==11640==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000002d9 at pc 0x0000006af181 bp 0x7fff9aed5bc0 sp 0x7fff9aed5bb0
READ of size 1 at 0x6020000002d9 thread T0
    #0 0x6af180 in ReadOneJNGImage coders/png.c:3526
    #1 0x6b0fb2 in ReadJNGImage coders/png.c:3912
    #2 0x4868db in ReadImage magick/constitute.c:1607
    #3 0x44c0df in TransmogrifyImage magick/command.c:11714
    #4 0x44d9b2 in MogrifyImageCommand magick/command.c:12017
    #5 0x43b139 in MagickCommand magick/command.c:8872
    #6 0x467c07 in GMCommandSingle magick/command.c:17393
    #7 0x467eee in GMCommand magick/command.c:17446
    #8 0x40b916 in main utilities/gm.c:61
    #9 0x7f0c23de5039 in __libc_start_main (/lib64/libc.so.6+0x21039)
    #10 0x40b849 in _start (/usr/local/bin/gm+0x40b849)

0x6020000002d9 is located 0 bytes to the right of 9-byte region [0x6020000002d0,0x6020000002d9)
allocated by thread T0 here:
    #0 0x7f0c26718850 in malloc (/lib64/libasan.so.4+0xde850)
    #1 0x4ef881 in MagickMalloc magick/memory.c:156
    #2 0x6acd21 in ReadOneJNGImage coders/png.c:3138
    #3 0x6b0fb2 in ReadJNGImage coders/png.c:3912
    #4 0x4868db in ReadImage magick/constitute.c:1607
    #5 0x44c0df in TransmogrifyImage magick/command.c:11714
    #6 0x44d9b2 in MogrifyImageCommand magick/command.c:12017
    #7 0x43b139 in MagickCommand magick/command.c:8872
    #8 0x467c07 in GMCommandSingle magick/command.c:17393
    #9 0x467eee in GMCommand magick/command.c:17446
    #10 0x40b916 in main utilities/gm.c:61
    #11 0x7f0c23de5039 in __libc_start_main (/lib64/libc.so.6+0x21039)

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/png.c:3526 in ReadOneJNGImage
==11640==ABORTING
Attachments: 1

Discussion

  • Bob Friesenhahn - 2017-12-16
    • status: open --> closed-fixed
    • assigned_to: Bob Friesenhahn

  • Bob Friesenhahn - 2017-12-16

    This issue is fixed by Mercurial changeset 15304:8e3d2264109c. There is an error in a hard-coded offset which was one-off from what it should have been, causing a read one past the end of a character array.
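    An added example (not GraphicsMagick's own code; the chunk record, parser and function names are hypothetical) of the bug class described above: a hard-coded offset read against a 9-byte heap chunk, shown beside a length-checked accessor that refuses the one-past-the-end read instead of touching the redzone ASan flagged.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical chunk record (not GraphicsMagick's own types). JNG reuses the PNG
   chunk layout: 4-byte big-endian length, 4-byte type, data bytes, 4-byte CRC. */
typedef struct {
    char type[5];
    uint8_t *data;
    size_t length;   /* bytes actually allocated for data */
} chunk_t;

/* Buggy pattern: a hard-coded offset with no bound. On a 9-byte chunk, offset 9
   reads one byte past the allocation, the over-read ASan reports above. */
uint8_t read_byte_unchecked(const chunk_t *c, size_t off) { return c->data[off]; }

/* Hardened form: every fixed offset is checked against the allocated length. */
int read_byte_checked(const chunk_t *c, size_t off, uint8_t *out) {
    if (c->data == NULL || off >= c->length)
        return -1;   /* refuse the read instead of touching the redzone */
    *out = c->data[off];
    return 0;
}

/* Parse one chunk from buf; returns 0 on success, -1 if the input is truncated. */
int parse_chunk(const uint8_t *buf, size_t buflen, chunk_t *c) {
    if (buflen < 12) return -1;                       /* length + type + CRC */
    uint32_t len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                   ((uint32_t)buf[2] << 8) | buf[3];
    if (len > buflen - 12) return -1;                 /* data + CRC must fit */
    memcpy(c->type, buf + 4, 4); c->type[4] = '\0';
    c->length = len;
    c->data = malloc(len ? len : 1);
    if (c->data == NULL) return -1;
    memcpy(c->data, buf + 8, len);
    return 0;
}

/* Constructed sample input: a 9-byte chunk of the made-up type "TEST". */
static const uint8_t SAMPLE[] = { 0,0,0,9, 'T','E','S','T',
                                  1,2,3,4,5,6,7,8,9, 0,0,0,0 /* CRC, not verified */ };

/* Returns 1 when offset 8 (last byte) reads and offset 9 (one past) is refused. */
int demo_offset_guard(void) {
    chunk_t c; uint8_t b = 0;
    if (parse_chunk(SAMPLE, sizeof SAMPLE, &c) != 0) return 0;
    int in_bounds = read_byte_checked(&c, 8, &b) == 0 && b == 9;
    int refused = read_byte_checked(&c, 9, &b) != 0;
    free(c.data);
    return in_bounds && refused;
}
```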
