Headline
CVE-2019-11505: GraphicsMagick / Bugs / #605 heap-buffer-overflow in function WritePDBImage of coders/pdb.c
In GraphicsMagick from version 1.3.8 to 1.4 snapshot-20190403 Q8, there is a heap-based buffer overflow in the function WritePDBImage of coders/pdb.c, which allows an attacker to cause a denial of service or possibly have unspecified other impact via a crafted image file. This is related to MagickBitStreamMSBWrite in magick/bit_stream.c.
There is a heap buffer overflow in function WritePDBImage of coders/pdb.c whick can be reproduced as below.
test@test-virtual-machine:~/$ ./graphicsmagick-code/utilities/gm convert ./heap-buffer-overflow-WritePDBImage ./test.pdb
==20125==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e952 at pc 0x0000008a1e9d bp 0x7ffc8da4aee0 sp 0x7ffc8da4aed0 WRITE of size 1 at 0x60200000e952 thread T0 #0 0x8a1e9c in MagickBitStreamMSBWrite magick/bit_stream.c:125 #1 0x8f491f in ExportGrayQuantumType magick/export.c:937 #2 0x91ac8f in ExportViewPixelArea magick/export.c:3205 #3 0x8ee7aa in ExportImagePixelArea magick/export.c:278 #4 0x77835a in WritePDBImage coders/pdb.c:959 #5 0x47a430 in WriteImage magick/constitute.c:2245 #6 0x47ad98 in WriteImages magick/constitute.c:2404 #7 0x42bf6d in ConvertImageCommand magick/command.c:6101 #8 0x436afe in MagickCommand magick/command.c:8886 #9 0x45f2a5 in GMCommandSingle magick/command.c:17416 #10 0x45f4f1 in GMCommand magick/command.c:17469 #11 0x40cc65 in main utilities/gm.c:61 #12 0x7fbbdc3c182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #13 0x40cb78 in _start (/home/graphicsmagick-code/utilities/gm+0x40cb78)
0x60200000e952 is located 0 bytes to the right of 2-byte region [0x60200000e950,0x60200000e952) allocated by thread T0 here: #0 0x7fbbdf14e602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602) #1 0x4de364 in MagickMalloc magick/memory.c:174 #2 0x4de582 in MagickMallocArray magick/memory.c:368 #3 0x777ffa in WritePDBImage coders/pdb.c:943 #4 0x47a430 in WriteImage magick/constitute.c:2245 #5 0x47ad98 in WriteImages magick/constitute.c:2404 #6 0x42bf6d in ConvertImageCommand magick/command.c:6101 #7 0x436afe in MagickCommand magick/command.c:8886 #8 0x45f2a5 in GMCommandSingle magick/command.c:17416 #9 0x45f4f1 in GMCommand magick/command.c:17469 #10 0x40cc65 in main utilities/gm.c:61 #11 0x7fbbdc3c182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow magick/bit_stream.c:125 MagickBitStreamMSBWrite Shadow bytes around the buggy address: 0x0c047fff9cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c047fff9d20: fa fa fa fa fa fa fa fa fa fa[02]fa fa fa fd fd 0x0c047fff9d30: fa fa 00 06 fa fa 00 06 fa fa fd fd fa fa fd fd 0x0c047fff9d40: fa fa fd fd fa fa fd fd fa fa 02 fa fa fa 06 fa 0x0c047fff9d50: fa fa 07 fa fa fa 04 fa fa fa 02 fa fa fa fd fd 0x0c047fff9d60: fa fa 06 fa fa fa 00 fa fa fa 06 fa fa fa 02 fa 0x0c047fff9d70: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==20125==ABORTING
System Configuration:
Distributor ID: Ubuntu Description: Ubuntu 16.04.1 LTS Release: 16.04 Codename: xenial
GraphicsMagick version:
GraphicsMagick 1.4 snapshot-20190403 Q8 http://www.GraphicsMagick.org/ Copyright © 2002-2019 GraphicsMagick Group. Additional copyrights and licenses apply to this software. See http://www.GraphicsMagick.org/www/Copyright.html for details.
Feature Support: Native Thread Safe yes Large Files (> 32 bit) yes Large Memory (> 32 bit) yes BZIP yes DPS no FlashPix no FreeType yes Ghostscript (Library) no JBIG yes JPEG-2000 yes JPEG yes Little CMS yes Loadable Modules no Solaris mtmalloc no OpenMP yes (201307) PNG yes TIFF yes TRIO no Solaris umem no WebP yes WMF yes X11 yes XML yes ZLIB yes
Host type: x86_64-pc-linux-gnu
Configured using the command: ./configure ‘CC=gcc’ ‘CXX=g++’ ‘CFLAGS=-g -fsanitize=address -fno-omit-frame-pointer -fsanitize=leak’ ‘–enable-shared=no’
Final Build Parameters: CC = gcc CFLAGS = -fopenmp -g -fsanitize=address -fno-omit-frame-pointer -fsanitize=leak -Wall -pthread CPPFLAGS = -I/usr/include/freetype2 -I/usr/include/libxml2 CXX = g++ CXXFLAGS = -pthread LDFLAGS = LIBS = -ljbig -lwebp -lwebpmux -llcms2 -ltiff -lfreetype -ljasper -ljpeg -lpng12 -lwmflite -lXext -lSM -lICE -lX11 -llzma -lbz2 -lxml2 -lz -lm -lpthread