Headline
CVE-2019-13302: heap-buffer-overflow in MagickCore/fourier.c:305:45 in ComplexImages · Issue #1597 · ImageMagick/ImageMagick
ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read in MagickCore/fourier.c in ComplexImages.
Prerequisites
- I have written a descriptive issue title
- I have verified that I am using the latest version of ImageMagick
- I have searched open and closed issues to ensure it has not already been reported
Description
There’s a heap-buffer-overflow in MagickCore/fourier.c:305:45 in ComplexImages.
Steps to Reproduce
run_cmd:
magick -seed 0 -treedepth 71 "(" magick:logo +repage ")" "(" magick:granite -white-threshold 0% -cycle 256 -lat 815 ")" -bordercolor rgb"(“101,151,20”)" -blue-primary 638,241 -print “0O.” -complex multiply tmp
Second one also can trigger.
cmd:
magick -seed 0 "(" magick:logo +repage ")" "(" magick:logo +repage ")" -render -size 2872 -complex multiply -quiet tmp
Here’s ASAN result.
==16842==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e000000a80 at pc 0x7fea5bb0c52f bp 0x7fff5c11c590 sp 0x7fff5c11c588
READ of size 4 at 0x61e000000a80 thread T0
#0 0x7fea5bb0c52e in ComplexImages MagickCore/fourier.c:305:45
#1 0x7fea5b3328c1 in CLIListOperatorImages MagickWand/operation.c:3890:22
#2 0x7fea5b33e34e in CLIOption MagickWand/operation.c:5276:14
#3 0x7fea5b17fa99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
#4 0x7fea5b180d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
#5 0x7fea5b1caba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
#6 0x526f95 in MagickMain utilities/magick.c:149:10
#7 0x5268e1 in main utilities/magick.c:180:10
#8 0x7fea55c41b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#9 0x41b069 in _start (install/bin/magick+0x41b069)
0x61e000000a80 is located 0 bytes to the right of 2560-byte region [0x61e000000080,0x61e000000a80)
allocated by thread T0 here:
#0 0x4e6200 in __interceptor_posix_memalign (install/bin/magick+0x4e6200)
#1 0x7fea5bbb9666 in AcquireAlignedMemory MagickCore/memory.c:265:7
#2 0x7fea5b910d5c in AcquireCacheNexusPixels MagickCore/cache.c:4968:37
#3 0x7fea5b8fe1c4 in SetPixelCacheNexusPixels MagickCore/cache.c:5076:12
#4 0x7fea5b8f5b05 in GetVirtualPixelCacheNexus MagickCore/cache.c:2751:10
#5 0x7fea5b913f36 in GetCacheViewVirtualPixels MagickCore/cache-view.c:664:10
#6 0x7fea5bb0ae5d in ComplexImages MagickCore/fourier.c:250:8
#7 0x7fea5b3328c1 in CLIListOperatorImages MagickWand/operation.c:3890:22
#8 0x7fea5b33e34e in CLIOption MagickWand/operation.c:5276:14
#9 0x7fea5b17fa99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
#10 0x7fea5b180d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
#11 0x7fea5b1caba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
#12 0x526f95 in MagickMain utilities/magick.c:149:10
#13 0x5268e1 in main utilities/magick.c:180:10
#14 0x7fea55c41b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/fourier.c:305:45 in ComplexImages
Here’s the ASAN result for second cmd
==16863==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f2a0831b800 at pc 0x7f2a1747e649 bp 0x7ffd7c094350 sp 0x7ffd7c094348
WRITE of size 4 at 0x7f2a0831b800 thread T0
#0 0x7f2a1747e648 in ComplexImages MagickCore/fourier.c:305:18
#1 0x7f2a16ca48c1 in CLIListOperatorImages MagickWand/operation.c:3890:22
#2 0x7f2a16cb034e in CLIOption MagickWand/operation.c:5276:14
#3 0x7f2a16af1a99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
#4 0x7f2a16af2d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
#5 0x7f2a16b3cba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
#6 0x526f95 in MagickMain utilities/magick.c:149:10
#7 0x5268e1 in main utilities/magick.c:180:10
#8 0x7f2a115b3b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#9 0x41b069 in _start (install/bin/magick+0x41b069)
0x7f2a0831b800 is located 0 bytes to the right of 3686400-byte region [0x7f2a07f97800,0x7f2a0831b800)
allocated by thread T0 here:
#0 0x4e6200 in __interceptor_posix_memalign (install/bin/magick+0x4e6200)
#1 0x7f2a1752b666 in AcquireAlignedMemory MagickCore/memory.c:265:7
#2 0x7f2a172746ac in OpenPixelCache MagickCore/cache.c:3728:46
#3 0x7f2a1727a991 in GetImagePixelCache MagickCore/cache.c:1754:18
#4 0x7f2a17280c59 in SyncImagePixelCache MagickCore/cache.c:5494:28
#5 0x7f2a174defc1 in SetImageStorageClass MagickCore/image.c:2627:10
#6 0x7f2a1747c4f7 in ComplexImages MagickCore/fourier.c:185:7
#7 0x7f2a16ca48c1 in CLIListOperatorImages MagickWand/operation.c:3890:22
#8 0x7f2a16cb034e in CLIOption MagickWand/operation.c:5276:14
#9 0x7f2a16af1a99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
#10 0x7f2a16af2d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
#11 0x7f2a16b3cba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
#12 0x526f95 in MagickMain utilities/magick.c:149:10
#13 0x5268e1 in main utilities/magick.c:180:10
#14 0x7f2a115b3b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/fourier.c:305:18 in ComplexImages
Thanks.
System Configuration
ImageMagick version:
Version: ImageMagick 7.0.8-50 Q16 x86_64 2019-06-17 https://imagemagick.orgEnvironment (Operating system, version and so on):
Description: Ubuntu 18.04.1 LTS
Release: 18.04
Codename: bionicAdditional information:
CC=clang-7 CXX=clang+±7 ./configure --disable-openmp