Headline
CVE-2019-19953: GraphicsMagick / Bugs / #617 heap-buffer-overflow in function EncodeImage of coders/pict.c
In GraphicsMagick 1.4 snapshot-20191208 Q8, there is a heap-based buffer over-read in the function EncodeImage of coders/pict.c.
There is a heap buffer overflow in function EncodeImage of coders/pict.c whick can be reproduced as below.
/home/graphicsmagick/utilities/gm convert ./heap-buffer-overflow-READ-0x08417e7a.webp ./test.pct ==9938==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf12147ff at pc 0x08417e7a bp 0xffa81578 sp 0xffa81568 READ of size 1 at 0xf12147ff thread T0 #0 0x8417e79 in EncodeImage coders/pict.c:1067 #1 0x8421228 in WritePICTImage coders/pict.c:2408 #2 0x80c6919 in WriteImage magick/constitute.c:2245 #3 0x80c728f in WriteImages magick/constitute.c:2404 #4 0x8072623 in ConvertImageCommand magick/command.c:6135 #5 0x807ea51 in MagickCommand magick/command.c:8880 #6 0x80ab9c2 in GMCommandSingle magick/command.c:17412 #7 0x80abc86 in GMCommand magick/command.c:17465 #8 0x80511ea in main utilities/gm.c:61 #9 0xf697c636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636) #10 0x80510f0 (/home/graphicsmagick/utilities/gm+0x80510f0)
0xf12147ff is located 1 bytes to the left of 65536-byte region [0xf1214800,0xf1224800) allocated by thread T0 here: #0 0xf72bbdee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee) #1 0x8132492 in MagickMalloc magick/memory.c:174 #2 0x841f32a in WritePICTImage coders/pict.c:2126 #3 0x80c6919 in WriteImage magick/constitute.c:2245 #4 0x80c728f in WriteImages magick/constitute.c:2404 #5 0x8072623 in ConvertImageCommand magick/command.c:6135 #6 0x807ea51 in MagickCommand magick/command.c:8880 #7 0x80ab9c2 in GMCommandSingle magick/command.c:17412 #8 0x80abc86 in GMCommand magick/command.c:17465 #9 0x80511ea in main utilities/gm.c:61 #10 0xf697c636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
SUMMARY: AddressSanitizer: heap-buffer-overflow coders/pict.c:1067 EncodeImage Shadow bytes around the buggy address: 0x3e2428a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e2428b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e2428c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e2428d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e2428e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x3e2428f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa] 0x3e242900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e242910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e242920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e242930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e242940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==9938==ABORTING
System Configuration:
Distributor ID: Ubuntu Description: Ubuntu 16.04.5 LTS Release: 16.04 Codename: xenial
GraphicsMagick version:
GraphicsMagick 1.4 snapshot-20191208 Q8 http://www.GraphicsMagick.org/ Copyright © 2002-2019 GraphicsMagick Group. Additional copyrights and licenses apply to this software. See http://www.GraphicsMagick.org/www/Copyright.html for details.
Feature Support: Native Thread Safe yes Large Files (> 32 bit) yes Large Memory (> 32 bit) no BZIP yes DPS no FlashPix no FreeType yes Ghostscript (Library) no JBIG yes JPEG-2000 yes JPEG yes Little CMS yes Loadable Modules no Solaris mtmalloc no OpenMP yes (201307 “4.0”) PNG yes TIFF yes TRIO no Solaris umem no WebP yes WMF yes X11 yes XML yes ZLIB yes
Host type: x86_64-pc-linux-gnu
Configured using the command: ./configure ‘CFLAGS=-g -fsanitize=address’ ‘–enable-shared=no’
Final Build Parameters: CC = gcc CFLAGS = -fopenmp -g -fsanitize=address -Wall -pthread CPPFLAGS = -I/usr/include/freetype2 -I/usr/include/libxml2 CXX = g++ CXXFLAGS = -pthread LDFLAGS = LIBS = -ljbig -lwebp -lwebpmux -llcms2 -ltiff -lfreetype -ljasper -ljpeg -lpng12 -lwmflite -lXext -lSM -lICE -lX11 -llzma -lbz2 -lxml2 -lz -lm -lpthread