oss-sec mailing list archives
information on "ImageMagick PSD Images Processing RLE Decoding Buffer Overflow Vulnerability"
From: Murray McAllister <mmcallis () redhat com>
Date: Wed, 12 Feb 2014 13:00:25 +1100
Good morning,

Does anyone have further information about <http://secunia.com/advisories/56844/>? (I could not get the http://freecode.com/projects/imagemagick/tags/bugfixes link to show anything useful.)
diffing ImageMagick-6.8.7/coders/psd.c ImageMagick-6.8.8/coders/psd.c:
""
@@ -1224,7 +1224,7 @@
Allocate layered image.
*/
layer_info[i].image=CloneImage(image,layer_info[i].page.width,
- layer_info[i].page.height == ~0U ? 1 :
layer_info[i].page.height,
+ layer_info[i].page.height == ~0UL ? 1 :
layer_info[i].page.height,
MagickFalse,&image->exception);
if (layer_info[i].image == (Image *) NULL)
{
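Review bot: the removed comparison `layer_info[i].page.height == ~0U` tests the field against an unsigned int all-ones value while the added line uses `~0UL`, an unsigned long; if page.height is wider than unsigned int (as on LP64 builds) the old test can never be true, so a height of ~0UL is not replaced by 1 and reaches CloneImage unchanged. The `~0UL` form repairs the width mismatch, but a named constant for the "undefined height" sentinel would state the intent and keep the two from drifting apart again.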
@@ -2112,9 +2112,6 @@
StringInfo
*bim_profile;
- unsigned char
- layer_name[4];
-
/*
Open image file.
*/
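Review bot: dropping the function-scope `unsigned char layer_name[4]` is the right move, since four bytes cannot hold the "L%06ld" label formatted into it later in this file (seven characters plus the terminator). Because the replacement declaration in the following hunk is block-local and typed `char`, it is worth confirming that no other use of layer_name remains in this function, and that nothing relied on the earlier `unsigned char` type.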
@@ -2372,12 +2369,15 @@
property=(const char *) GetImageProperty(next_image,"label");
if (property == (const char *) NULL)
{
+ char
+ layer_name[MaxTextExtent];
+
(void) WriteBlobMSBLong(image,16);
(void) WriteBlobMSBLong(image,0);
(void) WriteBlobMSBLong(image,0);
- (void) FormatLocaleString((char *) layer_name,MaxTextExtent,
- "L%06ld",(long) layer_count++);
- WritePascalString( image, (char*)layer_name, 4 );
+ (void)
FormatLocaleString(layer_name,MaxTextExtent,"L%06ld",(long)
+ layer_count++);
+ WritePascalString(image,layer_name,4);
}
else
{
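Review bot: the removed call passed MaxTextExtent as the size bound while layer_name was a 4-byte array, so FormatLocaleString treated the buffer as large and wrote "L%06ld" (at least eight bytes with the terminator) past its end; the added block-local `char layer_name[MaxTextExtent]` finally makes the buffer agree with the bound. Prefer `sizeof(layer_name)` as the bound so the two cannot diverge in a later edit, and add a comment on the unchanged third argument `4` to WritePascalString, whose meaning is no longer obvious now that the buffer is not four bytes.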
""
Would the issue have been writing the amount of 6 long ints into the 4 byte layer_name buffer?
Having a (very brief) look at ImageMagick-6.5.4 on RHEL 6, it's using "L%02ld" instead of "L%06ld", but that's still 4 bytes too many before the layer_name[MaxTextExtent]; change.
Could a CVE please be assigned if it has not been already? Sorry for missing anything obvious.

--
Murray McAllister / Red Hat Security Response Team
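As an added illustration of the size arithmetic behind the diff above (this is example code written for this page, not code from the mail or from ImageMagick), the following models a bounded formatter that is told the destination is larger than it really is, beside the hardened form where the bound is the destination's actual size. ASSUMED_MAX_TEXT_EXTENT is a placeholder for MaxTextExtent, whose value the mail does not show; the function names are hypothetical; and the width-parametrised format "L%0*ld" stands in for both the "L%06ld" of 6.8.8 and the "L%02ld" of the older RHEL build.

```c
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for ImageMagick's MaxTextExtent; the real value is not
   shown in the mail, so this only models the size bound the old code claimed. */
#define ASSUMED_MAX_TEXT_EXTENT 4096

/* Bytes, NUL terminator included, that "L%0<digits>ld" produces for count.
   digits = 6 mirrors "L%06ld" (6.8.8), digits = 2 mirrors "L%02ld" (RHEL 6). */
size_t layer_label_len(int digits, long count)
{
    /* snprintf with a NULL buffer and zero size only measures the output */
    return (size_t) snprintf(NULL, 0, "L%0*ld", digits, count) + 1;
}

/* Model of the defect: the formatter is told the destination holds
   claimed_bound bytes while it really holds buf_size bytes. Returns 1 if
   the write would run past the real buffer. Nothing is written here. */
int would_overflow(size_t buf_size, size_t claimed_bound, int digits, long count)
{
    size_t needed = layer_label_len(digits, count);
    /* a bounded formatter writes at most claimed_bound bytes, NUL included */
    size_t written = needed < claimed_bound ? needed : claimed_bound;
    return written > buf_size;
}

/* Hardened form: the bound is the real size of the destination, and a
   truncated label is reported (-1) instead of silently emitted. */
int format_layer_label(char *buf, size_t buf_size, int digits, long count)
{
    int n = snprintf(buf, buf_size, "L%0*ld", digits, count);
    if (n < 0 || (size_t) n >= buf_size)
        return -1;
    return n;
}

/* Formats into a correctly sized local buffer and compares with expected. */
int label_matches(int digits, long count, const char *expected)
{
    char label[32];  /* any long plus 'L' and terminator fits here */
    if (format_layer_label(label, sizeof label, digits, count) < 0)
        return 0;
    return strcmp(label, expected) == 0;
}

int main(void)
{
    /* the 6.8.7 situation: 4-byte buffer, MaxTextExtent-sized bound */
    printf("L%%06ld into char[4] with bound %d: overflow=%d\n",
           ASSUMED_MAX_TEXT_EXTENT,
           would_overflow(4, ASSUMED_MAX_TEXT_EXTENT, 6, 0));
    /* the 6.8.8 fix: buffer and bound are both MaxTextExtent */
    printf("L%%06ld into char[%d] with bound %d: overflow=%d\n",
           ASSUMED_MAX_TEXT_EXTENT, ASSUMED_MAX_TEXT_EXTENT,
           would_overflow(ASSUMED_MAX_TEXT_EXTENT, ASSUMED_MAX_TEXT_EXTENT, 6, 0));
    /* the RHEL 6 variant: "L%02ld" fits in 4 bytes only while count < 100 */
    printf("L%%02ld count 100 into char[4]: overflow=%d\n",
           would_overflow(4, ASSUMED_MAX_TEXT_EXTENT, 2, 100));
    return 0;
}
```

The point the model makes is that a bounded formatter is only as safe as the bound it is handed: with a 4-byte destination and a bound of MaxTextExtent the "L%06ld" label (8 bytes with its terminator) overruns, whereas with the bound tied to the destination the same call truncates and can be detected from its return value.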
