CVE-2019-11008: GraphicsMagick / Bugs / #599 heap_buffer_overflow_WRITE in function WriteXWDImage of coders/xwd.c

In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buffer overflow in the function WriteXWDImage of coders/xwd.c, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file.


There is a heap buffer overflow in function WriteXWDImage of coders/xwd.c which can be reproduced as below.

=================================================================
==79777==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f669c371b18 at pc 0x00000087f9ea bp 0x7ffe593e7730 sp 0x7ffe593e7720
WRITE of size 1 at 0x7f669c371b18 thread T0
    #0 0x87f9e9 in WriteXWDImage coders/xwd.c:894
    #1 0x47a390 in WriteImage magick/constitute.c:2245
    #2 0x47acf8 in WriteImages magick/constitute.c:2404
    #3 0x42becd in ConvertImageCommand magick/command.c:6101
    #4 0x436a5e in MagickCommand magick/command.c:8886
    #5 0x45f205 in GMCommandSingle magick/command.c:17416
    #6 0x45f451 in GMCommand magick/command.c:17469
    #7 0x40cbc5 in main utilities/gm.c:61
    #8 0x7f6741cd382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x40cad8 in _start (/home/test/temp/graphicsmagick-code/utilities/gm+0x40cad8)

0x7f669c371b18 is located 0 bytes to the right of 268436248-byte region [0x7f668c371800,0x7f669c371b18)
allocated by thread T0 here:
    #0 0x7f6744a60602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4de2d4 in MagickMalloc magick/memory.c:173
    #2 0x87f588 in WriteXWDImage coders/xwd.c:865
    #3 0x47a390 in WriteImage magick/constitute.c:2245
    #4 0x47acf8 in WriteImages magick/constitute.c:2404
    #5 0x42becd in ConvertImageCommand magick/command.c:6101
    #6 0x436a5e in MagickCommand magick/command.c:8886
    #7 0x45f205 in GMCommandSingle magick/command.c:17416
    #8 0x45f451 in GMCommand magick/command.c:17469
    #9 0x40cbc5 in main utilities/gm.c:61
    #10 0x7f6741cd382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/xwd.c:894 WriteXWDImage
Shadow bytes around the buggy address:
  0x0fed53866310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fed53866320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fed53866330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fed53866340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fed53866350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fed53866360: 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fed53866370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fed53866380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fed53866390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fed538663a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fed538663b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==79777==ABORTING
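When a fuzzing campaign produces many reports like the one above, the first triage step is to pull out the access kind, the faulting frame, the allocation site and how far past the buffer the access landed, so duplicates can be bucketed. The parser below is an added example for that step, not part of the bug report or of GraphicsMagick; the embedded report text is a constructed excerpt of the AddressSanitizer output quoted above, and the bucket-key format is an assumption of this example.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the AddressSanitizer report quoted above, trimmed to the
# lines the parser needs; addresses, sizes and frames are copied from that report.
ASAN_REPORT = """\
==79777==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f669c371b18 at pc 0x00000087f9ea
WRITE of size 1 at 0x7f669c371b18 thread T0
    #0 0x87f9e9 in WriteXWDImage coders/xwd.c:894
    #1 0x47a390 in WriteImage magick/constitute.c:2245
0x7f669c371b18 is located 0 bytes to the right of 268436248-byte region [0x7f668c371800,0x7f669c371b18)
allocated by thread T0 here:
    #0 0x7f6744a60602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4de2d4 in MagickMalloc magick/memory.c:173
    #2 0x87f588 in WriteXWDImage coders/xwd.c:865
SUMMARY: AddressSanitizer: heap-buffer-overflow coders/xwd.c:894 WriteXWDImage
"""
FRAME = re.compile(r"#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)")

@dataclass
class HeapOverflow:
    kind: str            # e.g. "heap-buffer-overflow"
    access: str          # "READ" or "WRITE"
    size: int            # bytes accessed
    address: int         # faulting address
    fault_site: str      # file:line of frame #0 of the access trace
    region_start: int    # inclusive start of the allocation
    region_end: int      # exclusive end of the allocation
    alloc_site: str      # first allocation frame outside the sanitizer runtime

    def offset_past_end(self) -> int:
        # 0 means the access hits the very first byte after the buffer.
        return self.address - self.region_end

    def bucket_key(self) -> str:
        # Dedup key for a crash corpus (assumed format): bug type + both sites.
        return f"{self.kind}:{self.access}@{self.fault_site}<-alloc@{self.alloc_site}"

def parse_asan_report(text: str) -> HeapOverflow:
    kind = re.search(r"AddressSanitizer: (\S+) on address", text).group(1)
    acc = re.search(r"(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", text)
    reg = re.search(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", text)
    start, end = int(reg.group(2), 16), int(reg.group(3), 16)
    if end - start != int(reg.group(1)):
        raise ValueError("region bounds disagree with the stated region size")
    # The access trace precedes "allocated by"; the allocation trace follows it.
    access_trace, _, alloc_trace = text.partition("allocated by thread")
    fault_site = FRAME.search(access_trace).group(3)
    alloc_site = next(loc for _, _, loc in FRAME.findall(alloc_trace) if "libasan" not in loc)
    return HeapOverflow(kind, acc.group(1), int(acc.group(2)), int(acc.group(3), 16),
                        fault_site, start, end, alloc_site)
```

For this report the parser yields a one-byte write at offset 0 past a 268436248-byte region, i.e. the write lands on the first byte after the buffer allocated by MagickMalloc.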

System Configuration:

Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial

GraphicsMagick version:

GraphicsMagick 1.4 snapshot-20190322 Q8 http://www.GraphicsMagick.org/
Copyright © 2002-2019 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:
  Native Thread Safe       yes
  Large Files (> 32 bit)   yes
  Large Memory (> 32 bit)  yes
  BZIP                     yes
  DPS                      no
  FlashPix                 no
  FreeType                 yes
  Ghostscript (Library)    no
  JBIG                     yes
  JPEG-2000                yes
  JPEG                     yes
  Little CMS               yes
  Loadable Modules         no
  Solaris mtmalloc         no
  OpenMP                   yes (201307)
  PNG                      yes
  TIFF                     yes
  TRIO                     no
  Solaris umem             no
  WebP                     yes
  WMF                      yes
  X11                      yes
  XML                      yes
  ZLIB                     yes

Host type: x86_64-pc-linux-gnu

Configured using the command:
  ./configure 'CFLAGS=-g -fsanitize=address' '--enable-shared=no'

Final Build Parameters:
  CC       = gcc
  CFLAGS   = -fopenmp -g -fsanitize=address -Wall -pthread
  CPPFLAGS = -I/usr/include/freetype2 -I/usr/include/libxml2
  CXX      = g++
  CXXFLAGS = -pthread
  LDFLAGS  =
  LIBS     = -ljbig -lwebp -lwebpmux -llcms2 -ltiff -lfreetype -ljasper -ljpeg -lpng12 -lwmflite -lXext -lSM -lICE -lX11 -llzma -lbz2 -lxml2 -lz -lm -lpthread
