CVE-2019-13299: heap-buffer-overflow at MagickCore/pixel-accessor.h:116:10 in GetPixelChannel · Issue #1610 · ImageMagick/ImageMagick
ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCore/pixel-accessor.h in GetPixelChannel.
There’s a heap-buffer-overflow at MagickCore/pixel-accessor.h:116:10 in GetPixelChannel.
run_cmd:
magick -seed 0 "(" magick:netscape -monochrome ")" "(" magick:netscape +repage ")" -geometry 433%-80-57 -adjoin -evaluate-sequence Median tmp
Here’s the ASAN log.
==30168==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7febb7ba1400 at pc 0x7febc5808632 bp 0x7ffd269baff0 sp 0x7ffd269bafe8
READ of size 4 at 0x7febb7ba1400 thread T0
#0 0x7febc5808631 in GetPixelChannel ./MagickCore/pixel-accessor.h:116:10
#1 0x7febc5805ff6 in EvaluateImages MagickCore/statistic.c:587:33
#2 0x7febc4e1a5bf in CLIListOperatorImages MagickWand/operation.c:4084:22
#3 0x7febc4e2435e in CLIOption MagickWand/operation.c:5279:14
#4 0x7febc4c65a99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
#5 0x7febc4c66d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
#6 0x7febc4cb0ba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
#7 0x526f95 in MagickMain utilities/magick.c:149:10
#8 0x5268e1 in main utilities/magick.c:180:10
#9 0x7febbf727b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#10 0x41b069 in _start (install/bin/magick+0x41b069)
0x7febb7ba1400 is located 0 bytes to the right of 248832-byte region [0x7febb7b64800,0x7febb7ba1400)
allocated by thread T0 here:
#0 0x4e6200 in __interceptor_posix_memalign (install/bin/magick+0x4e6200)
#1 0x7febc569fed6 in AcquireAlignedMemory MagickCore/memory.c:265:7
#2 0x7febc53e861c in OpenPixelCache MagickCore/cache.c:3728:46
#3 0x7febc53ee901 in GetImagePixelCache MagickCore/cache.c:1754:18
#4 0x7febc53f4bc9 in SyncImagePixelCache MagickCore/cache.c:5488:28
#5 0x7febc5653831 in SetImageStorageClass MagickCore/image.c:2627:10
#6 0x7febc54187e2 in AcquireImageColormap MagickCore/colormap.c:144:10
#7 0x7febc575d137 in AssignImageColors MagickCore/quantize.c:514:7
#8 0x7febc5753f38 in QuantizeImage MagickCore/quantize.c:2724:14
#9 0x7febc53ae56c in SetImageType MagickCore/attribute.c:1495:14
#10 0x7febc4e0cace in CLISimpleOperatorImage MagickWand/operation.c:2792:18
#11 0x7febc4dfec78 in CLISimpleOperatorImages MagickWand/operation.c:3685:12
#12 0x7febc4e24315 in CLIOption MagickWand/operation.c:5273:16
#13 0x7febc4c65a99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
#14 0x7febc4c66d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
#15 0x7febc4cb0ba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
#16 0x526f95 in MagickMain utilities/magick.c:149:10
#17 0x5268e1 in main utilities/magick.c:180:10
#18 0x7febbf727b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
SUMMARY: AddressSanitizer: heap-buffer-overflow ./MagickCore/pixel-accessor.h:116:10 in GetPixelChannel