Headline
CVE-2020-35531: LibRaw "get_huffman_diff()" Out-of-bounds read vulnerability · Issue #270 · LibRaw/LibRaw
In LibRaw, an out-of-bounds read vulnerability exists within the get_huffman_diff() function (libraw\src\x3f\x3f_utils_patched.cpp) when reading data from an image file.
Description
An out-of-bounds read vulnerability exists within the "get_huffman_diff()" function (libraw\src\x3f\x3f_utils_patched.cpp) when parsing a crafted X3F file.
Steps to Reproduce
(PoC archive, password: girlelecta):
https://drive.google.com/file/d/1Yhqo6idPqWMisvPKrlzjsUKRApHmz2M_/view
cmd:
magick.exe convert poc1.X3F new.png
Upon running this, the following crash happens (note: I enabled page heap on magick.exe):
Microsoft ® Windows Debugger Version 10.0.18362.1 AMD64
Copyright © Microsoft Corporation. All rights reserved.
CommandLine: E:\Workspace\imageMagick\ImageMagick-windows\ImageMagick-7.0.9-16\VisualMagick\bin\magick.exe convert E:\Workspace\poc1.X3F E:\Workspace\new.png
************* Path validation summary **************
Symbol search path is: srv*
Executable search path is:
Page heap: pid 0x2264: page heap enabled with flags 0x3.
(2264.3f58): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00007ffe c15d121c cc int 3
0:000> g
ModLoad: 00007ffe c1400000 00007ffe c142e000 C:\WINDOWS\System32\IMM32.DLL
ModLoad: 00007ffe b4720000 00007ffe b472f000 E:\Workspace\imageMagick\ImageMagick-windows\ImageMagick-7.0.9-16\VisualMagick\bin\IM_MOD_DB_DNG_.dll
ModLoad: 00007ffe 81b30000 00007ffe 81cdb000 E:\Workspace\imageMagick\ImageMagick-windows\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_libraw_.dll
ModLoad: 00007ffe 9a850000 00007ffe 9a946000 C:\WINDOWS\SYSTEM32\MSVCP140D.dll
(2264.3f58): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for E:\Workspace\imageMagick\ImageMagick-windows\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_libraw_.dll
CORE_DB_libraw_!get_bit+0x34:
00007ffe 81c20bb4 0fb600 movzx eax,byte ptr [rax] ds:0000014b bf836da4=??
0:000> k
Child-SP RetAddr Call Site
00 00000038 853e32a0 00007ffe 81c219fe CORE_DB_libraw_!get_bit+0x34 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\libraw\src\x3f\x3f_utils_patched.cpp @ 857]
01 00000038 853e32c0 00007ffe 81c2251a CORE_DB_libraw_!get_huffman_diff+0x6e [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\libraw\src\x3f\x3f_utils_patched.cpp @ 1017]
02 00000038 853e3320 00007ffe 81c22352 CORE_DB_libraw_!huffman_decode_row+0x13a [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\libraw\src\x3f\x3f_utils_patched.cpp @ 1055]
03 00000038 853e33f0 00007ffe 81c37cee CORE_DB_libraw_!huffman_decode+0xb2 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\libraw\src\x3f\x3f_utils_patched.cpp @ 1095]
04 00000038 853e3470 00007ffe 81c37a93 CORE_DB_libraw_!x3f_load_huffman_compressed+0x21e [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\libraw\src\x3f\x3f_utils_patched.cpp @ 1411]
05 00000038 853e34e0 00007ffe 81c37ecd CORE_DB_libraw_!x3f_load_huffman+0x283 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\libraw\src\x3f\x3f_utils_patched.cpp @ 1468]
06 00000038 853e3550 00007ffe 81c37768 CORE_DB_libraw_!x3f_load_image+0x12d [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\libraw\src\x3f\x3f_utils_patched.cpp @ 1514]
07 00000038 853e35b0 00007ffe 81c38504 CORE_DB_libraw_!x3f_load_data+0x88 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\libraw\src\x3f\x3f_utils_patched.cpp @ 2059]
08 00000038 853e35f0 00007ffe 81c33628 CORE_DB_libraw_!LibRaw::x3f_load_raw+0x64 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\libraw\src\x3f\x3f_parse_process.cpp @ 579]
09 00000038 853e36e0 00007ffe 81c3d358 CORE_DB_libraw_!LibRaw::unpack+0xc18 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\libraw\src\decoders\unpack.cpp @ 283]
*** WARNING: Unable to verify checksum for E:\Workspace\imageMagick\ImageMagick-windows\ImageMagick-7.0.9-16\VisualMagick\bin\IM_MOD_DB_DNG_.dll
0a 00000038 853e38a0 00007ffe b4721989 CORE_DB_libraw_!libraw_unpack+0x48 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\libraw\src\libraw_c_api.cpp @ 136]
*** WARNING: Unable to verify checksum for E:\Workspace\imageMagick\ImageMagick-windows\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_MagickCore_.dll
0b 00000038 853e38e0 00007ffe 820783b7 IM_MOD_DB_DNG_!ReadDNGImage+0x479 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\imagemagick\coders\dng.c @ 425]
0c 00000038 853e59f0 00007ffe 82079af3 CORE_DB_MagickCore_!ReadImage+0x5e7 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\imagemagick\magickcore\constitute.c @ 553]
*** WARNING: Unable to verify checksum for E:\Workspace\imageMagick\ImageMagick-windows\ImageMagick-7.0.9-16\VisualMagick\bin\CORE_DB_MagickWand_.dll
0d 00000038 853eac10 00007ffe 9253aac3 CORE_DB_MagickCore_!ReadImages+0x393 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\imagemagick\magickcore\constitute.c @ 927]
0e 00000038 853ebcc0 00007ffe 925d3fe8 CORE_DB_MagickWand_!ConvertImageCommand+0x1523 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\imagemagick\magickwand\convert.c @ 606]
*** WARNING: Unable to verify checksum for magick.exe
0f 00000038 853ed810 00007ff6 5a8714ea CORE_DB_MagickWand_!MagickCommandGenesis+0x338 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\imagemagick\magickwand\mogrify.c @ 185]
10 00000038 853ee980 00007ff6 5a871693 magick!MagickMain+0x4ea [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\imagemagick\utilities\magick.c @ 149]
11 00000038 853efbf0 00007ff6 5a871f24 magick!wmain+0x43 [e:\workspace\imagemagick\imagemagick-windows\imagemagick-7.0.9-16\imagemagick\utilities\magick.c @ 195]
12 00000038 853efc30 00007ff6 5a871e37 magick!invoke_main+0x34 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 80]
13 00000038 853efc70 00007ff6 5a871cfe magick!__scrt_common_main_seh+0x127 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
14 00000038 853efcd0 00007ff6 5a871f39 magick!__scrt_common_main+0xe [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 296]
15 00000038 853efd00 00007ffe bf9b7bd4 magick!wmainCRTStartup+0x9 [f:\dd\vctools\crt\vcstartup\src\startup\exe_wmain.cpp @ 17]
16 00000038 853efd30 00007ffe c156ced1 KERNEL32!BaseThreadInitThunk+0x14
17 00000038 853efd60 00000000 00000000 ntdll!RtlUserThreadStart+0x21
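As an added illustration (not LibRaw's code and not from the reporter), the following shows the fail-closed pattern for the defect class visible in the get_bit()/get_huffman_diff() frames above: the bit reader carries the end of the compressed payload next to its cursor, so a crafted stream that runs out of bits mid-symbol returns an error instead of reading past the buffer. The struct field names and the toy "length + magnitude" diff coding are assumptions, not the X3F format.

```c
/* Added illustration, not LibRaw's code: a bit reader that carries the end
 * of the compressed payload next to its cursor and fails closed when a
 * crafted stream runs out mid-symbol. Field names and diff coding are assumed. */
#include <stdint.h>
#include <stddef.h>
typedef struct {
    const uint8_t *next_byte;  /* cursor into the compressed payload */
    const uint8_t *end;        /* one past the last valid byte */
    uint32_t bits;             /* byte currently being drained */
    int bit_count;             /* bits left in 'bits' */
} bit_state_t;
/* 0 or 1, or -1 once the stream is exhausted; an unchecked reader would
 * simply dereference next_byte here, which is the out-of-bounds read. */
static int get_bit_checked(bit_state_t *bs)
{
    if (bs->bit_count == 0) {
        if (bs->next_byte >= bs->end) return -1;
        bs->bits = *bs->next_byte++;
        bs->bit_count = 8;
    }
    bs->bit_count--;
    return (bs->bits >> bs->bit_count) & 1;
}
/* Toy diff symbol: 4-bit length n, then n magnitude bits, JPEG-style sign
 * (leading 0 bit means negative). Returns -1 if the stream ends early. */
static int get_diff_checked(bit_state_t *bs, int32_t *diff)
{
    int n = 0, b, i; int32_t v = 0;
    for (i = 0; i < 4; i++) {
        if ((b = get_bit_checked(bs)) < 0) return -1;
        n = (n << 1) | b;
    }
    for (i = 0; i < n; i++) {
        if ((b = get_bit_checked(bs)) < 0) return -1;
        v = (v << 1) | b;
    }
    if (n > 0 && v < (1 << (n - 1))) v -= (1 << n) - 1;
    *diff = v;
    return 0;
}
/* Decode up to max symbols; returns how many were read and sets *truncated
 * when the input ended early, so the caller can reject the file. */
static int decode_row_checked(const uint8_t *buf, size_t len,
                              int32_t *out, int max, int *truncated)
{
    bit_state_t bs = { buf, buf + len, 0, 0 };
    int count = 0;
    while (count < max && get_diff_checked(&bs, &out[count]) == 0)
        count++;
    *truncated = (count < max);
    return count;
}
```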
System Configuration
- ImageMagick:
  Version: ImageMagick-7.0.9-Q16 https://imagemagick.org
  License: https://imagemagick.org/script/license.php
- Environment (Operating system, version and so on):
  Distributor ID: Microsoft Windows
  Description: Windows 10