oss-sec mailing list archives
Imagemagick fuzzing bug
From: Bastien ROUCARIES <roucaries.bastien () gmail com>
Date: Wed, 24 Dec 2014 12:22:22 +0100
Hi,
during the previous month Google and Jodie Cunningham
have done a security audit of ImageMagick and found a lot of security bugs:
* Avoid a DOS in vision.c due to an infinite loop.
* Avoid a SEGV due to a corrupted pnm file.
* Do not leak fd due to corrupted file.
* Fix a double free in pdb coder.
* Fix a SEGV due to corrupted dpc and xwd images.
* Fix a SEGV in dpx file handler.
* Fix a SEGV in malformed xwd file handler.
* Avoid a NULL pointer dereference in ps file handling.
* Fix a crash with corrupted viff file.
* Fix a NULL pointer dereference in wpg file handling.
* Do not continue on corrupted wpg file.
* Avoid an out of bound access in viff image.
* Avoid a heap buffer overflow in pdb file handling.
* Avoid an out of bound access on malformed sun file.
* Avoid heap overflow in palm, pnm and xpm files.
* Fix heap overflow in quantum, palm and psd file.
* Fix handling of corrupted psd, sun and xpm file.
* Fix corrupted (too many colors) psd file.
* Fix an out of bound access in sun file.
* Fix handling of corrupted sun and wpg file.
* Fix heap overflow in pcx file, psd, pict and wpf files and DOS in xpm files.
* Add additional PNM sanity checks.
* Avoid a crash due to out of memory in magick/cache.c.
* Fix a theoretical out of bound access in magick/colormap-private.h.
* Fix an out of bound access in palm file.
* Fixed throwing of exceptions in psd handling and fix a memory leak.
* Fixed boundary checks in DecodePSDPixels.
* Fix another out of bound problem in rle file.
* Fix crash due to corrupted dib file.
* Added checks to prevent overflow in rle file.
* Impose a limit of 10 million columns or rows in an input PNG.
* Don't try to handle a "previous" image in the JNG decoder.
* Avoid a memory leak in quantum management.
* Avoid a crash in png coder.
* Thread limit should be at least 1 in order to be efficient.
* In psd file handling fixed parsing resource block and avoid a crash.
* In cache fix usage of object after it has been destroyed.
* Avoid a memory leak in rle file handling.
* During identification of image do not fill memory.
Patch queue is here:
http://anonscm.debian.org/cgit/collab-maint/imagemagick.git/log/?h=debian-patches/6.8.9.9-4-for-upstream