CVE-2020-21679: GraphicsMagick / Bugs / #619 heap-buffer-overflow in WritePCXImage
Buffer overflow vulnerability in the WritePCXImage function in pcx.c in GraphicsMagick 1.4 allows remote attackers to cause a denial of service via conversion of a crafted image file to PCX format.
Hi, I found a heap-buffer-overflow in WritePCXImage at pcx.c:1255.
I tested it in GraphicsMagick 1.4.
How to reproduce:
ASAN LOG
==14178==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000000c0 at pc 0x0000028f29c0 bp 0x7ffec5056070 sp 0x7ffec5056068
WRITE of size 1 at 0x6030000000c0 thread T0
    #0 0x28f29bf in WritePCXImage /home/suhwan/project/graphicsmagick-code/coders/pcx.c:1255:17
    #1 0x8e5c7e in WriteImage /home/suhwan/project/graphicsmagick-code/magick/constitute.c:2245:14
    #2 0x8eac18 in WriteImages /home/suhwan/project/graphicsmagick-code/magick/constitute.c:2404:21
    #3 0x615be6 in ConvertImageCommand /home/suhwan/project/graphicsmagick-code/magick/command.c:6135:11
    #4 0x72e875 in MagickCommand /home/suhwan/project/graphicsmagick-code/magick/command.c:8880:17
    #5 0x810c5c in GMCommandSingle /home/suhwan/project/graphicsmagick-code/magick/command.c:17412:10
    #6 0x80ba1e in GMCommand /home/suhwan/project/graphicsmagick-code/magick/command.c:17465:16
    #7 0x7ff6e5aa2b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x424239 in _start (/home/suhwan/project/fuzz-input-validate/test/bin/gm+0x424239)

0x6030000000c0 is located 0 bytes to the right of 32-byte region [0x6030000000a0,0x6030000000c0)
allocated by thread T0 here:
    #0 0x4cc083 in __interceptor_malloc /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x28ddf2c in WritePCXImage /home/suhwan/project/graphicsmagick-code/coders/pcx.c:1172:16
    #2 0x8e5c7e in WriteImage /home/suhwan/project/graphicsmagick-code/magick/constitute.c:2245:14
    #3 0x8eac18 in WriteImages /home/suhwan/project/graphicsmagick-code/magick/constitute.c:2404:21

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/suhwan/project/graphicsmagick-code/coders/pcx.c:1255:17 in WritePCXImage
Shadow bytes around the buggy address:
  0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa fd fd fd fd fa fa 00 00 00 fa fa fa 00 00
=>0x0c067fff8010: 05 fa fa fa 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==14178==ABORTING
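As an added example, not part of the original report or of GraphicsMagick: a small Python triage helper that parses an ASan heap-buffer-overflow report like the one above and pulls out the bug class, the faulting site, the allocating site and how far past the region the access lands, cross-checking the printed addresses against ASan's narrative (here: a 1-byte write exactly 0 bytes past a 32-byte malloc, both inside WritePCXImage). The embedded report is a constructed excerpt of the log above with the reporter's build paths shortened.

```python
import re
# Constructed excerpt of the ASan report quoted above (build-machine paths shortened).
ASAN_REPORT = """\
==14178==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000000c0 at pc 0x0000028f29c0
WRITE of size 1 at 0x6030000000c0 thread T0
    #0 0x28f29bf in WritePCXImage coders/pcx.c:1255:17
    #1 0x8e5c7e in WriteImage magick/constitute.c:2245:14
0x6030000000c0 is located 0 bytes to the right of 32-byte region [0x6030000000a0,0x6030000000c0)
allocated by thread T0 here:
    #0 0x4cc083 in __interceptor_malloc asan_malloc_linux.cc:146:3
    #1 0x28ddf2c in WritePCXImage coders/pcx.c:1172:16
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"\b(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                       r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?")
RUNTIME_PREFIXES = ("__interceptor_", "__asan_")  # sanitizer frames to skip, not program code

def first_program_frame(fragment):
    """First (function, file, line) frame in `fragment` that is not a sanitizer runtime frame."""
    for m in FRAME_RE.finditer(fragment):
        if not m.group(1).startswith(RUNTIME_PREFIXES):
            return m.group(1), m.group(2), int(m.group(3))
    return None

def triage_asan_report(text):
    """Extract bug class, access, faulting site, allocating site and overflow distance.
    Raises ValueError for reports this parser does not understand or that are inconsistent."""
    header, access, region = HEADER_RE.search(text), ACCESS_RE.search(text), REGION_RE.search(text)
    if not (header and access and region):
        raise ValueError("not a heap-buffer-overflow style report")
    # Frames before the allocation narrative are the access stack, frames after it the allocation stack.
    access_part, _, alloc_part = text.partition("allocated by thread")
    fault, alloc = first_program_frame(access_part), first_program_frame(alloc_part)
    distance, side, size = int(region.group(1)), region.group(2), int(region.group(3))
    start, end = int(region.group(4), 16), int(region.group(5), 16)
    fault_addr = int(access.group(3), 16)
    # Cross-check ASan's prose against the raw addresses it printed.
    if end - start != size or (side == "right" and fault_addr - end != distance):
        raise ValueError("report is internally inconsistent")
    return {
        "bug_class": header.group(1), "access": access.group(1), "access_size": int(access.group(2)),
        "fault_site": fault, "alloc_site": alloc, "region_size": size,
        "overflow_side": side, "bytes_past_region": distance,
        # Allocation and fault in one function points at a local size computation, not cross-call API misuse.
        "same_function": bool(fault and alloc and fault[0] == alloc[0]),
    }
```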
GraphicsMagick 1.4 snapshot-20191225 Q8 http://www.GraphicsMagick.org/
Copyright © 2002-2019 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.
Feature Support:
Native Thread Safe yes
Large Files (> 32 bit) yes
Large Memory (> 32 bit) yes
BZIP yes
DPS no
FlashPix no
FreeType yes
Ghostscript (Library) no
JBIG yes
JPEG-2000 no
JPEG yes
Little CMS yes
Loadable Modules no
Solaris mtmalloc no
OpenMP yes (201107 "3.1")
PNG yes
TIFF yes
TRIO no
Solaris umem no
WebP no
WMF no
X11 yes
XML yes
ZLIB yes
Host type: x86_64-pc-linux-gnu