oss-sec mailing list archives
information on "ImageMagick PSD Images Processing RLE Decoding Buffer Overflow Vulnerability"
From: Murray McAllister <mmcallis () redhat com>
Date: Wed, 12 Feb 2014 13:00:25 +1100
Good morning,Does anyone have further information about <http://secunia.com/advisories/56844/>? (I could not get the http://freecode.com/projects/imagemagick/tags/bugfixes link to show anything useful.)
diffing ImageMagick-6.8.7/coders/psd.c ImageMagick-6.8.8/coders/psd.c: "" @@ -1224,7 +1224,7 @@ Allocate layered image. */ layer_info[i].image=CloneImage(image,layer_info[i].page.width,- layer_info[i].page.height == ~0U ? 1 : layer_info[i].page.height, + layer_info[i].page.height == ~0UL ? 1 : layer_info[i].page.height,
MagickFalse,&image->exception); if (layer_info[i].image == (Image *) NULL) { @@ -2112,9 +2112,6 @@ StringInfo *bim_profile; - unsigned char - layer_name[4]; - /* Open image file. */ @@ -2372,12 +2369,15 @@ property=(const char *) GetImageProperty(next_image,"label"); if (property == (const char *) NULL) { + char + layer_name[MaxTextExtent]; + (void) WriteBlobMSBLong(image,16); (void) WriteBlobMSBLong(image,0); (void) WriteBlobMSBLong(image,0); - (void) FormatLocaleString((char *) layer_name,MaxTextExtent, - "L%06ld",(long) layer_count++); - WritePascalString( image, (char*)layer_name, 4 );+ (void) FormatLocaleString(layer_name,MaxTextExtent,"L%06ld",(long)
+ layer_count++); + WritePascalString(image,layer_name,4); } else { ""Would the issue have been writing the amount of 6 long ints into the 4 byte layer_name buffer?
Having a (very brief) look at ImageMagick-6.5.4 on RHEL 6, it's using "L%02ld" instead of "L%06ld", but that's still 4 bytes too many before the layer_name[MaxTextExtent]; change.
Could a CVE please be assigned if it has not been already? Sorry for missing anything obvious. -- Murray McAllister / Red Hat Security Response Team
Current thread:
- information on "ImageMagick PSD Images Processing RLE Decoding Buffer Overflow Vulnerability" Murray McAllister (Feb 11)
- Re: information on "ImageMagick PSD Images Processing RLE Decoding Buffer Overflow Vulnerability" cve-assign (Feb 12)
- Re: information on "ImageMagick PSD Images Processing RLE Decoding Buffer Overflow Vulnerability" Murray McAllister (Feb 12)
- Re: information on "ImageMagick PSD Images Processing RLE Decoding Buffer Overflow Vulnerability" cve-assign (Feb 13)
- Re: information on "ImageMagick PSD Images Processing RLE Decoding Buffer Overflow Vulnerability" Murray McAllister (Feb 13)
- Re: information on "ImageMagick PSD Images Processing RLE Decoding Buffer Overflow Vulnerability" cve-assign (Feb 12)