CVE-2019-13302: heap-buffer-overflow in MagickCore/fourier.c:305:45 in ComplexImages · Issue #1597 · ImageMagick/ImageMagick

ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read in MagickCore/fourier.c in ComplexImages.


Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

There’s a heap-buffer-overflow in MagickCore/fourier.c:305:45 in ComplexImages.

Steps to Reproduce

run_cmd:
magick -seed 0 -treedepth 71 "(" magick:logo +repage ")" "(" magick:granite -white-threshold 0% -cycle 256 -lat 815 ")" -bordercolor rgb"("101,151,20")" -blue-primary 638,241 -print "0O." -complex multiply tmp

The second one can also trigger it.
cmd:
magick -seed 0 "(" magick:logo +repage ")" "(" magick:logo +repage ")" -render -size 2872 -complex multiply -quiet tmp

Here’s the ASAN result.

==16842==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e000000a80 at pc 0x7fea5bb0c52f bp 0x7fff5c11c590 sp 0x7fff5c11c588
READ of size 4 at 0x61e000000a80 thread T0
    #0 0x7fea5bb0c52e in ComplexImages MagickCore/fourier.c:305:45
    #1 0x7fea5b3328c1 in CLIListOperatorImages MagickWand/operation.c:3890:22
    #2 0x7fea5b33e34e in CLIOption MagickWand/operation.c:5276:14
    #3 0x7fea5b17fa99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #4 0x7fea5b180d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #5 0x7fea5b1caba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #6 0x526f95 in MagickMain utilities/magick.c:149:10
    #7 0x5268e1 in main utilities/magick.c:180:10
    #8 0x7fea55c41b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x41b069 in _start (install/bin/magick+0x41b069)

0x61e000000a80 is located 0 bytes to the right of 2560-byte region [0x61e000000080,0x61e000000a80)
allocated by thread T0 here:
    #0 0x4e6200 in __interceptor_posix_memalign (install/bin/magick+0x4e6200)
    #1 0x7fea5bbb9666 in AcquireAlignedMemory MagickCore/memory.c:265:7
    #2 0x7fea5b910d5c in AcquireCacheNexusPixels MagickCore/cache.c:4968:37
    #3 0x7fea5b8fe1c4 in SetPixelCacheNexusPixels MagickCore/cache.c:5076:12
    #4 0x7fea5b8f5b05 in GetVirtualPixelCacheNexus MagickCore/cache.c:2751:10
    #5 0x7fea5b913f36 in GetCacheViewVirtualPixels MagickCore/cache-view.c:664:10
    #6 0x7fea5bb0ae5d in ComplexImages MagickCore/fourier.c:250:8
    #7 0x7fea5b3328c1 in CLIListOperatorImages MagickWand/operation.c:3890:22
    #8 0x7fea5b33e34e in CLIOption MagickWand/operation.c:5276:14
    #9 0x7fea5b17fa99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #10 0x7fea5b180d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #11 0x7fea5b1caba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #12 0x526f95 in MagickMain utilities/magick.c:149:10
    #13 0x5268e1 in main utilities/magick.c:180:10
    #14 0x7fea55c41b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/fourier.c:305:45 in ComplexImages

Here’s the ASAN result for the second cmd.

==16863==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f2a0831b800 at pc 0x7f2a1747e649 bp 0x7ffd7c094350 sp 0x7ffd7c094348
WRITE of size 4 at 0x7f2a0831b800 thread T0
    #0 0x7f2a1747e648 in ComplexImages MagickCore/fourier.c:305:18
    #1 0x7f2a16ca48c1 in CLIListOperatorImages MagickWand/operation.c:3890:22
    #2 0x7f2a16cb034e in CLIOption MagickWand/operation.c:5276:14
    #3 0x7f2a16af1a99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #4 0x7f2a16af2d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #5 0x7f2a16b3cba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #6 0x526f95 in MagickMain utilities/magick.c:149:10
    #7 0x5268e1 in main utilities/magick.c:180:10
    #8 0x7f2a115b3b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x41b069 in _start (install/bin/magick+0x41b069)

0x7f2a0831b800 is located 0 bytes to the right of 3686400-byte region [0x7f2a07f97800,0x7f2a0831b800)
allocated by thread T0 here:
    #0 0x4e6200 in __interceptor_posix_memalign (install/bin/magick+0x4e6200)
    #1 0x7f2a1752b666 in AcquireAlignedMemory MagickCore/memory.c:265:7
    #2 0x7f2a172746ac in OpenPixelCache MagickCore/cache.c:3728:46
    #3 0x7f2a1727a991 in GetImagePixelCache MagickCore/cache.c:1754:18
    #4 0x7f2a17280c59 in SyncImagePixelCache MagickCore/cache.c:5494:28
    #5 0x7f2a174defc1 in SetImageStorageClass MagickCore/image.c:2627:10
    #6 0x7f2a1747c4f7 in ComplexImages MagickCore/fourier.c:185:7
    #7 0x7f2a16ca48c1 in CLIListOperatorImages MagickWand/operation.c:3890:22
    #8 0x7f2a16cb034e in CLIOption MagickWand/operation.c:5276:14
    #9 0x7f2a16af1a99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #10 0x7f2a16af2d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #11 0x7f2a16b3cba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #12 0x526f95 in MagickMain utilities/magick.c:149:10
    #13 0x5268e1 in main utilities/magick.c:180:10
    #14 0x7f2a115b3b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/fourier.c:305:18 in ComplexImages

Thanks.

System Configuration

  • ImageMagick version:
    Version: ImageMagick 7.0.8-50 Q16 x86_64 2019-06-17 https://imagemagick.org

  • Environment (Operating system, version and so on):
    Description: Ubuntu 18.04.1 LTS
    Release: 18.04
    Codename: bionic

  • Additional information:
    CC=clang-7 CXX=clang++-7 ./configure --disable-openmp
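The two ASAN reports above describe the same source line once as a 4-byte READ and once as a 4-byte WRITE, each landing exactly at the end of its allocation. The following triage helper is an added example, not ImageMagick code: it parses both reports (copied from the issue and shortened to a few frames) and derives what a triager wants before opening fourier.c: the access kind and width, the element index relative to the allocation, where in ComplexImages the buffer was obtained, and a crash key that groups both reports as one bug. The project prefix "MagickCore/" and the grouping rule (bug type plus file:line of the first in-project frame, column dropped) are this example's own heuristics.

```python
"""Triage helper for AddressSanitizer heap-buffer-overflow reports.

Added example, not ImageMagick code. Inputs are the two reports from the
issue with middle frames elided."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

REPORT_READ = """\
==16842==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e000000a80 at pc 0x7fea5bb0c52f bp 0x7fff5c11c590 sp 0x7fff5c11c588
READ of size 4 at 0x61e000000a80 thread T0
    #0 0x7fea5bb0c52e in ComplexImages MagickCore/fourier.c:305:45
    #1 0x7fea5b3328c1 in CLIListOperatorImages MagickWand/operation.c:3890:22
0x61e000000a80 is located 0 bytes to the right of 2560-byte region [0x61e000000080,0x61e000000a80)
allocated by thread T0 here:
    #0 0x4e6200 in __interceptor_posix_memalign (install/bin/magick+0x4e6200)
    #1 0x7fea5bbb9666 in AcquireAlignedMemory MagickCore/memory.c:265:7
    #6 0x7fea5bb0ae5d in ComplexImages MagickCore/fourier.c:250:8
SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/fourier.c:305:45 in ComplexImages
"""

REPORT_WRITE = """\
==16863==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f2a0831b800 at pc 0x7f2a1747e649 bp 0x7ffd7c094350 sp 0x7ffd7c094348
WRITE of size 4 at 0x7f2a0831b800 thread T0
    #0 0x7f2a1747e648 in ComplexImages MagickCore/fourier.c:305:18
    #1 0x7f2a16ca48c1 in CLIListOperatorImages MagickWand/operation.c:3890:22
0x7f2a0831b800 is located 0 bytes to the right of 3686400-byte region [0x7f2a07f97800,0x7f2a0831b800)
allocated by thread T0 here:
    #0 0x4e6200 in __interceptor_posix_memalign (install/bin/magick+0x4e6200)
    #5 0x7f2a174defc1 in SetImageStorageClass MagickCore/image.c:2627:10
    #6 0x7f2a1747c4f7 in ComplexImages MagickCore/fourier.c:185:7
SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/fourier.c:305:18 in ComplexImages
"""

HEADER = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)")
FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)")
REGION = re.compile(r"^(0x[0-9a-f]+) is located (\d+) bytes to the (left|right) of "
                    r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")


@dataclass
class Frame:
    func: str
    location: str  # "file:line:col" or "(binary+offset)"


@dataclass
class AsanReport:
    bug_type: str
    access: str
    size: int
    address: int
    access_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)
    region: Optional[Tuple[int, int]] = None  # [start, end) of the allocation


def parse_asan(text: str) -> AsanReport:
    """State machine over the report: frames go to the access stack until the
    'allocated by' line, then to the allocation stack."""
    report, stack = None, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            report = AsanReport(m.group(1), "", 0, int(m.group(2), 16))
        elif m := ACCESS.match(line):
            report.access, report.size = m.group(1), int(m.group(2))
            stack = report.access_stack
        elif line.startswith("allocated by"):
            stack = report.alloc_stack
        elif m := REGION.match(line):
            report.region = (int(m.group(5), 16), int(m.group(6), 16))
        elif (m := FRAME.match(line)) and stack is not None:
            stack.append(Frame(m.group(2), m.group(3)))
    if report is None or not report.access:
        raise ValueError("not an ASAN access-violation report")
    return report


def faulting_frame(report: AsanReport, project_prefix: str = "MagickCore/") -> Frame:
    """First access-stack frame inside the project tree (prefix is an assumption)."""
    for f in report.access_stack:
        if f.location.startswith(project_prefix):
            return f
    raise ValueError("no project frame on the access stack")


def bytes_past_end(report: AsanReport) -> int:
    return report.address - report.region[1]


def region_elements(report: AsanReport) -> int:
    """Allocation size in units of the access width."""
    start, end = report.region
    return (end - start) // report.size


def element_index(report: AsanReport) -> int:
    """Index touched if the buffer is an array of elements of the access width."""
    return (report.address - report.region[0]) // report.size


def alloc_site(report: AsanReport, func: str) -> Optional[str]:
    """Last allocation-stack frame inside `func`, i.e. where it obtained the buffer."""
    hits = [f for f in report.alloc_stack if f.func == func]
    return hits[-1].location if hits else None


def crash_key(report: AsanReport) -> str:
    """Heuristic dedup key: bug type plus file:line of the faulting frame, column dropped."""
    file_line = ":".join(faulting_frame(report).location.split(":")[:2])
    return f"{report.bug_type}@{file_line}"


def triage(report: AsanReport) -> dict:
    return {
        "access": f"{report.access} of {report.size} bytes at {faulting_frame(report).location}",
        "element_index": element_index(report),
        "region_elements": region_elements(report),
        "bytes_past_end": bytes_past_end(report),
        "buffer_from": alloc_site(report, "ComplexImages"),
        "key": crash_key(report),
    }


if __name__ == "__main__":
    reports = [parse_asan(t) for t in (REPORT_READ, REPORT_WRITE)]
    for r in reports:
        print(triage(r))
    print("same bug:", crash_key(reports[0]) == crash_key(reports[1]))
```

Run stand-alone, the script shows that the READ touches element 640 of a 640-element region and the WRITE touches element 921600 of a 921600-element region, both 0 bytes past the end, and that the two crashes share the key heap-buffer-overflow@MagickCore/fourier.c:305 and so belong in one bug even though the buffers were obtained at different points in ComplexImages (fourier.c:250 via the cache view, fourier.c:185 via SetImageStorageClass).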
