Headline
CVE-2020-22628: "LibRaw::stretch()" Out-of-bounds read vulnerability · Issue #269 · LibRaw/LibRaw
Buffer Overflow vulnerability in LibRaw::stretch() function in libraw\src\postprocessing\aspect_ratio.cpp.
Description
An out-of-bounds read vulnerability exists within the "LibRaw::stretch()" function (libraw\src\postprocessing\aspect_ratio.cpp) when parsing a crafted CRW file.
Steps to Reproduce
(PoC archive password: girlelecta):
https://drive.google.com/open?id=1Y70DxvWYfsNS7DBu4cuoUVOoMOyheA8O
cmd:
magick.exe convert poc.crw new.png
Upon running this, the following crash happens (note: I enabled page heap on magick.exe):
Microsoft (R) Windows Debugger Version 10.0.18362.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "C:\Program Files\ImageMagick-7.0.9-Q16\magick.exe" convert E:\Workspace\poc.crw E:\Workspace\new.png
************* Path validation summary **************
Symbol search path is: srv*
Executable search path is:
ModLoad: 00007ff7`93fc0000 00007ff7`93fcc000 image00007ff7`93fc0000
ModLoad: 00007ff8`87ea0000 00007ff8`88090000 ntdll.dll
ModLoad: 00007ff8`70fb0000 00007ff8`71021000 C:\WINDOWS\System32\verifier.dll
Page heap: pid 0x2ADC: page heap enabled with flags 0x3.
ModLoad: 00007ff8`87bb0000 00007ff8`87c62000 C:\WINDOWS\System32\KERNEL32.DLL
ModLoad: 00007ff8`85820000 00007ff8`85ac3000 C:\WINDOWS\System32\KERNELBASE.dll
ModLoad: 00007ff8`6e630000 00007ff8`6e808000 C:\Program Files\ImageMagick-7.0.9-Q16\CORE_RL_MagickCore_.dll
ModLoad: 00007ff8`6e550000 00007ff8`6e629000 C:\Program Files\ImageMagick-7.0.9-Q16\CORE_RL_MagickWand_.dll
ModLoad: 00007ff8`6e460000 00007ff8`6e54f000 C:\Program Files\ImageMagick-7.0.9-Q16\MSVCR120.dll
ModLoad: 000002c7`22170000 000002c7`2225f000 C:\Program Files\ImageMagick-7.0.9-Q16\MSVCR120.dll
ModLoad: 00007ff8`74a90000 00007ff8`74ab2000 C:\Program Files\ImageMagick-7.0.9-Q16\VCOMP120.DLL
ModLoad: 00007ff8`876f0000 00007ff8`87884000 C:\WINDOWS\System32\USER32.dll
ModLoad: 00007ff8`85e80000 00007ff8`85ea1000 C:\WINDOWS\System32\win32u.dll
ModLoad: 00007ff8`862f0000 00007ff8`86316000 C:\WINDOWS\System32\GDI32.dll
ModLoad: 00007ff8`855b0000 00007ff8`85744000 C:\WINDOWS\System32\gdi32full.dll
ModLoad: 00007ff8`85eb0000 00007ff8`85f4e000 C:\WINDOWS\System32\msvcp_win.dll
ModLoad: 00007ff8`87c70000 00007ff8`87d13000 C:\WINDOWS\System32\ADVAPI32.dll
ModLoad: 00007ff8`86680000 00007ff8`8671e000 C:\WINDOWS\System32\msvcrt.dll
ModLoad: 00007ff8`861f0000 00007ff8`86287000 C:\WINDOWS\System32\sechost.dll
ModLoad: 00007ff8`85ad0000 00007ff8`85bca000 C:\WINDOWS\System32\ucrtbase.dll
ModLoad: 00007ff8`87d40000 00007ff8`87e60000 C:\WINDOWS\System32\RPCRT4.dll
ModLoad: 00007ff8`74f30000 00007ff8`74f44000 C:\Program Files\ImageMagick-7.0.9-Q16\CORE_RL_bzlib_.dll
ModLoad: 00007ff8`86600000 00007ff8`8666f000 C:\WINDOWS\System32\WS2_32.dll
ModLoad: 00007ff8`6e400000 00007ff8`6e456000 C:\Program Files\ImageMagick-7.0.9-Q16\CORE_RL_lcms_.dll
ModLoad: 00007ff8`6e360000 00007ff8`6e400000 C:\Program Files\ImageMagick-7.0.9-Q16\CORE_RL_freetype_.dll
ModLoad: 00007ff8`73500000 00007ff8`73513000 C:\Program Files\ImageMagick-7.0.9-Q16\CORE_RL_lqr_.dll
ModLoad: 00007ff8`73000000 00007ff8`73018000 C:\Program Files\ImageMagick-7.0.9-Q16\CORE_RL_zlib_.dll
ModLoad: 00007ff8`6e100000 00007ff8`6e355000 C:\Program Files\ImageMagick-7.0.9-Q16\CORE_RL_glib_.dll
ModLoad: 00007ff8`86720000 00007ff8`86e05000 C:\WINDOWS\System32\SHELL32.dll
ModLoad: 00007ff8`857d0000 00007ff8`8581a000 C:\WINDOWS\System32\cfgmgr32.dll
ModLoad: 00007ff8`85f50000 00007ff8`85ff9000 C:\WINDOWS\System32\shcore.dll
ModLoad: 00007ff8`86e10000 00007ff8`87146000 C:\WINDOWS\System32\combase.dll
ModLoad: 00007ff8`85d20000 00007ff8`85da0000 C:\WINDOWS\System32\bcryptPrimitives.dll
ModLoad: 00007ff8`84e30000 00007ff8`855af000 C:\WINDOWS\System32\windows.storage.dll
ModLoad: 00007ff8`84e10000 00007ff8`84e2f000 C:\WINDOWS\System32\profapi.dll
ModLoad: 00007ff8`84d80000 00007ff8`84dca000 C:\WINDOWS\System32\powrprof.dll
ModLoad: 00007ff8`84d70000 00007ff8`84d80000 C:\WINDOWS\System32\UMPDC.dll
ModLoad: 00007ff8`87910000 00007ff8`87962000 C:\WINDOWS\System32\shlwapi.dll
ModLoad: 00007ff8`84dd0000 00007ff8`84de1000 C:\WINDOWS\System32\kernel.appcore.dll
ModLoad: 00007ff8`857b0000 00007ff8`857c7000 C:\WINDOWS\System32\cryptsp.dll
ModLoad: 00007ff8`87a50000 00007ff8`87ba6000 C:\WINDOWS\System32\ole32.dll
ModLoad: 00007ff8`842f0000 00007ff8`8432a000 C:\WINDOWS\SYSTEM32\IPHLPAPI.DLL
ModLoad: 00007ff8`84330000 00007ff8`843fa000 C:\WINDOWS\SYSTEM32\DNSAPI.dll
ModLoad: 00007ff8`87900000 00007ff8`87908000 C:\WINDOWS\System32\NSI.dll
ModLoad: 00007ff8`6e090000 00007ff8`6e0f8000 C:\Program Files\ImageMagick-7.0.9-Q16\CORE_RL_libxml_.dll
(2adc.2ae0): Break instruction exception - code 80000003 (first chance)
ntdll!LdrInitShimEngineDynamic+0x35c:
00007ff8`87f7121c cc int 3
0:000> g
ModLoad: 00007ff8`86000000 00007ff8`8602e000 C:\WINDOWS\System32\IMM32.DLL
ModLoad: 00007ff8`77200000 00007ff8`7720a000 C:\Program Files\ImageMagick-7.0.9-Q16\modules\coders\IM_MOD_RL_DNG_.dll
ModLoad: 00007ff8`5fe70000 00007ff8`5ff74000 C:\Program Files\ImageMagick-7.0.9-Q16\CORE_RL_libraw_.dll
ModLoad: 00007ff8`6df60000 00007ff8`6e006000 C:\Program Files\ImageMagick-7.0.9-Q16\MSVCP120.dll
(2adc.2ae0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
CORE_RL_libraw_!LibRaw::stretch+0x17d:
00007ff8`5febc7ed 430fb70402 movzx eax,word ptr [r10+r8] ds:000002c7`284ac5c0=???
0:000> k
Child-SP RetAddr Call Site
00 000000e1`ef2f3af0 00007ff8`5fedb222 CORE_RL_libraw_!LibRaw::stretch+0x17d
01 000000e1`ef2f3b70 00007ff8`772016b4 CORE_RL_libraw_!LibRaw::dcraw_process+0x562
02 000000e1`ef2f3be0 00007ff8`6e6704ac IM_MOD_RL_DNG_+0x16b4
03 000000e1`ef2f5c70 00007ff8`6e670fbc CORE_RL_MagickCore_!ReadImage+0x47c
04 000000e1`ef2fadc0 00007ff8`6e569636 CORE_RL_MagickCore_!ReadImages+0x1ac
05 000000e1`ef2fbe40 00007ff8`6e5ac907 CORE_RL_MagickWand_!ConvertImageCommand+0x566
06 000000e1`ef2fd760 00007ff7`93fc130b CORE_RL_MagickWand_!MagickCommandGenesis+0x5a7
07 000000e1`ef2fe920 00007ff7`93fc13ec image00007ff7_93fc0000+0x130b
08 000000e1`ef2ffb30 00007ff7`93fc1783 image00007ff7_93fc0000+0x13ec
09 000000e1`ef2ffb60 00007ff8`87bc7bd4 image00007ff7_93fc0000+0x1783
0a 000000e1`ef2ffb90 00007ff8`87f0ced1 KERNEL32!BaseThreadInitThunk+0x14
0b 000000e1`ef2ffbc0 00000000`00000000 ntdll!RtlUserThreadStart+0x21
System Configuration
- ImageMagick:
Version: ImageMagick-7.0.9-Q16 https://imagemagick.org
License: https://imagemagick.org/script/license.php
- Environment (Operating system, version and so on):
Distributor ID: Microsoft Windows
Description: Windows 10
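The debugger transcript in this report already carries everything a triage queue needs to classify the crash: the exception code, the faulting instruction with its memory operand and the `=???` marker WinDbg prints when the effective address cannot be read, and the top frames of the `k` output. The Python helper below is an added example, not part of the original report and not code from LibRaw or ImageMagick; it parses those lines from a constructed excerpt copied from the log above and reports whether the fault was a read or a write, whether the target address was mapped, and which module and symbol sat at the top of the stack. The read/write classification is a heuristic over the disassembled operands, and the symbol splitter assumes no `+` inside a symbol name.

```python
import re

# Constructed excerpt of the WinDbg session in the report above: the lines are
# copied from that log, trimmed to what triage needs. The backtick inside each
# 64-bit address is WinDbg's own separator.
CRASH_LOG = """\
Page heap: pid 0x2ADC: page heap enabled with flags 0x3.
(2adc.2ae0): Break instruction exception - code 80000003 (first chance)
ntdll!LdrInitShimEngineDynamic+0x35c:
00007ff8`87f7121c cc              int     3
0:000> g
(2adc.2ae0): Access violation - code c0000005 (first chance)
CORE_RL_libraw_!LibRaw::stretch+0x17d:
00007ff8`5febc7ed 430fb70402      movzx   eax,word ptr [r10+r8] ds:000002c7`284ac5c0=???
0:000> k
Child-SP          RetAddr           Call Site
00 000000e1`ef2f3af0 00007ff8`5fedb222 CORE_RL_libraw_!LibRaw::stretch+0x17d
01 000000e1`ef2f3b70 00007ff8`772016b4 CORE_RL_libraw_!LibRaw::dcraw_process+0x562
02 000000e1`ef2f3be0 00007ff8`6e6704ac IM_MOD_RL_DNG_+0x16b4
03 000000e1`ef2f5c70 00007ff8`6e670fbc CORE_RL_MagickCore_!ReadImage+0x47c
0a 000000e1`ef2ffb90 00007ff8`87f0ced1 KERNEL32!BaseThreadInitThunk+0x14
"""

ADDR = r"[0-9a-f]{8}`[0-9a-f]{8}"
# "(pid.tid): <name> - code <hex> (first chance)" or "(!!! second chance !!!)"
EXC_RE = re.compile(r"^\([0-9a-f]+\.[0-9a-f]+\): (.+?) - code ([0-9a-f]{8}) "
                    r"\((?:!!! )?(first|second) chance(?: !!!)?\)")
# "<pc> <opcode bytes> <mnemonic> <operands> [ds:<addr>=<value>]"
INSN_RE = re.compile(rf"^({ADDR})\s+[0-9a-f]+\s+(\w+)\s+(.*?)"
                     rf"(?:\s+[a-z]s:({ADDR})=(\S+))?$")
# "<frame#> <child-sp> <retaddr> <call site>" as printed by the k command
FRAME_RE = re.compile(rf"^[0-9a-f]{{2}} {ADDR} {ADDR} (\S+)$")
# "module!symbol+0xoff"; symbol and offset optional (assumed: no '+' in symbol)
SYMBOL_RE = re.compile(r"^([^!+]+)(?:!([^+]+))?(?:\+0x([0-9a-f]+))?$")
PAGEHEAP_RE = re.compile(r"^Page heap: pid 0x[0-9A-Fa-f]+: page heap enabled")


def classify_access(mnemonic: str, operands: str) -> str:
    """Heuristic: a memory operand right of the comma is a source (read); left
    of it, a mov-family store writes it, cmp/test only read it, and anything
    else (add, inc, ...) reads and writes it."""
    if "ptr" not in operands:
        return "none"
    _, _, right = operands.partition(",")
    if "ptr" in right:
        return "read"
    if mnemonic.startswith(("mov", "stos")):
        return "write"
    if mnemonic in ("cmp", "test"):
        return "read"
    return "read-modify-write"


def parse_symbol(call_site: str) -> dict:
    """Split 'module!symbol+0xoff' into parts; missing parts become None / 0."""
    m = SYMBOL_RE.match(call_site)
    if m is None:
        return {"module": call_site, "symbol": None, "offset": 0}
    module, symbol, offset = m.groups()
    return {"module": module, "symbol": symbol, "offset": int(offset, 16) if offset else 0}


def triage(log: str) -> dict:
    """Walk a WinDbg transcript: collect exceptions, the instruction the last
    one stopped on, and the frames printed by the following k command."""
    result = {"exceptions": [], "fault": None, "frames": [], "page_heap": False}
    pending_insn = False  # the next disassembly line belongs to the last exception
    for line in log.splitlines():
        if PAGEHEAP_RE.match(line):
            result["page_heap"] = True
            continue
        m = EXC_RE.match(line)
        if m:
            name, code, chance = m.groups()
            result["exceptions"].append({"name": name, "code": code, "chance": chance})
            pending_insn = True
            continue
        m = INSN_RE.match(line)
        if m and pending_insn:
            pc, mnemonic, operands, address, value = m.groups()
            result["fault"] = {
                "pc": pc, "mnemonic": mnemonic, "operands": operands,
                "access": classify_access(mnemonic, operands),
                "address": address,
                # WinDbg prints ??? when it cannot read the effective address
                "mapped": value is not None and value != "???",
            }
            pending_insn = False
            continue
        m = FRAME_RE.match(line)
        if m:
            result["frames"].append(parse_symbol(m.group(1)))
    result["faulting_frame"] = result["frames"][0] if result["frames"] else None
    return result


def fault_hint(result: dict) -> str:
    """One-line classification for a triage queue."""
    f = result["fault"]
    if f is None or f["address"] is None:
        return "no memory operand recorded at the faulting instruction"
    state = "mapped" if f["mapped"] else "unmapped"
    hint = f"{f['access']} of {state} memory at {f['address']}"
    if not f["mapped"] and result["page_heap"]:
        hint += " (page heap on: consistent with indexing past a heap block into its guard page)"
    return hint
```

Calling `triage(CRASH_LOG)` on the excerpt yields a read of unmapped memory at 000002c7`284ac5c0 with CORE_RL_libraw_!LibRaw::stretch+0x17d as the faulting frame; the earlier `int 3` break is parsed but superseded by the access violation, so only the real fault is reported. Because page heap was enabled, an unmapped read is the signature expected from indexing past a heap buffer, which is what the report's out-of-bounds read classification describes.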