Re: CVE request: Out-of-bound read in the parsing of gif files using GraphicsMagick 1.3.18

[Gustavo Grieco <gustavo.grieco () gmail com>]

Test case to reproduce this is attached here, sorry!

2016-02-06 14:42 GMT+01:00 Gustavo Grieco <gustavo.grieco () gmail com>:

> Hi,
>
> We found a read out-of-bound in the parsing of gif files using
> GraphicsMagick. This issue was tested in Ubuntu 14.04 (x86_64) using
> GraphicsMagick 1.3.18. Find attached a specially crafted file to reproduce
> this issue. The AddressSanitizer report showing the faulty code is here:
>
> $ ./gm identify overflow.gif
> =================================================================
> ==3173==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x6210000037be at pc 0x0000007e5f56 bp 0x7fffffffa940 sp 0x7fffffffa938
> READ of size 1 at 0x6210000037be thread T0
>     #0 0x7e5f55 in DecodeImage coders/gif.c:276
>     #1 0x7ebdac in ReadGIFImage coders/gif.c:1075
>     #2 0x490fc6 in ReadImage magick/constitute.c:1600
>     #3 0x48fcd0 in PingImage magick/constitute.c:1363
>     #4 0x43fc25 in IdentifyImageCommand magick/command.c:8350
>     #5 0x4427b9 in MagickCommand magick/command.c:8840
>     #6 0x47c4d6 in GMCommandSingle magick/command.c:17253
>     #7 0x47c79c in GMCommand magick/command.c:17306
>     #8 0x40c8c5 in main utilities/gm.c:61
>     #9 0x7ffff3739ec4 in __libc_start_main
> (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
>     #10 0x40c7d8
> (/home/vagrant/repos/graphicsmagick-1.3.18/utilities/gm+0x40c7d8)
> AddressSanitizer can not describe address in more detail (wild memory
> access suspected).
> SUMMARY: AddressSanitizer: heap-buffer-overflow coders/gif.c:276
> DecodeImage
> Shadow bytes around the buggy address:
>   0x0c427fff86a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fff86b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fff86c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fff86d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fff86e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x0c427fff86f0: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
>   0x0c427fff8700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fff8710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fff8720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fff8730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fff8740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
> ==3173==ABORTING
>
> This issue is caused by the use of unintialized memory in DecodeImage and
> fortunately it was fixed here:
>
> http://marc.info/?l=graphicsmagick-commit&m=142283721604323&w=2
>
> Regards,
> Gus.