Ubuntu
imagemagick package

out-of-bounds read in MagickCore/memory.c:707:23

Bug #1542106 reported by Moshe Kaplan on 2016-02-05

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	imagemagick (Ubuntu)	Confirmed	Undecided	Unassigned

Bug Description

This bug was found while fuzzing ImageMagick with afl-fuzz

Tested on ImageMagick git commit %s

Command: magick id:000080,sig:06,src:000197,op:ext_AO,pos:146 /dev/null

=================================================================
==31853==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0950c4bf at pc 0x818c1eb bp 0xbff345b8 sp 0xbff345b0
READ of size 4096 at 0x0950c4bf thread T0
    #0 0x818c1ea in CopyMagickMemory /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/memory.c:707:23
    #1 0x888dfb8 in ExtractPostscript /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/coders/wpg.c:787
    #2 0x887f751 in ReadWPGImage /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/coders/wpg.c:1077
    #3 0x8a8ad6a in ReadImage /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/constitute.c:494
    #4 0x8a92bdf in ReadImages /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/constitute.c:844
    #5 0x9375c09 in CLINoImageOperator /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/operation.c:4685
    #6 0x937e0f1 in CLIOption /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/operation.c:5179
    #7 0x910ae9d in ProcessCommandOptions /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/magick-cli.c:474
    #8 0x910e215 in MagickImageCommand /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/magick-cli.c:786
    #9 0x91126f9 in MagickCommandGenesis /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/mogrify.c:172
    #10 0x80de16d in MagickMain /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/utilities/magick.c:74
    #11 0x80de16d in main /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/utilities/magick.c:85
    #12 0xb744ea82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #13 0x80ddf94 in _start (/usr/local/bin/magick+0x80ddf94)

0x0950c4bf is located 33 bytes to the left of global variable '.str2' from 'MagickCore/magick.c' (0x950c4e0) of size 34
  '.str2' is ascii string 'name != (const char *) ((void*)0)'
0x0950c4bf is located 23 bytes to the right of global variable '__PRETTY_FUNCTION__.AcquireMagickInfo' from 'MagickCore/magick.c' (0x950c460) of size 72
  '__PRETTY_FUNCTION__.AcquireMagickInfo' is ascii string 'MagickInfo *AcquireMagickInfo(const char *, const char *, const char *)'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/memory.c:707 CopyMagickMemory
Shadow bytes around the buggy address:
  0x212a1840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x212a1850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x212a1860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x212a1870: 00 00 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9
  0x212a1880: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 00 00
=>0x212a1890: 00 00 00 00 00 f9 f9[f9]f9 f9 f9 f9 00 00 00 00
  0x212a18a0: 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 01 f9 f9
  0x212a18b0: f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9 03 f9 f9 f9
  0x212a18c0: f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9 05 f9 f9 f9
  0x212a18d0: f9 f9 f9 f9 00 00 00 00 00 01 f9 f9 f9 f9 f9 f9
  0x212a18e0: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==31853==ABORTING