oss-sec mailing list archives
Re: Various invalid memory reads in ImageMagick (WPG, DDS, DCM)
From: cve-assign () mitre org
Date: Fri, 17 Jun 2016 09:59:51 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
https://blog.fuzzing-project.org/46-Various-invalid-memory-reads-in-ImageMagick-WPG,-DDS,-DCM.html
An out of bounds memory read in the VerticalFilter() function can be triggered by a malformed DDS file. https://github.com/ImageMagick/ImageMagick/commit/791aa82c8064ee8965a63ccf4384f56b95057e5b
The "out of bounds memory read" seems to be a valid concern, and is assigned the CVE-2016-5687 ID. However, we do not happen to understand why 791aa82c8064ee8965a63ccf4384f56b95057e5b is a fix.
Several bugs in the WPG parser could lead to a heap overflow and random invalid memory writes. These bugs only seem to appear when a memory limit is set. Sample for heap write overflow in SetPixelIndex Sample for unclear invalid write in ScaleCharToQuantum Sample for unclear invalid write in SetPixelIndex https://github.com/ImageMagick/ImageMagick/commit/fc43974d34318c834fbf78570ca1a3764ed8c7d7 https://github.com/ImageMagick/ImageMagick/commit/aecd0ada163a4d6c769cec178955d5f3e9316f2f
As far as we can tell, this can be thought of as a single issue in which some type of input validation (associated with a SetImageExtent return-value check) occurred in the wrong place, and was accompanied by incorrect error handling. The various write-access observations would then be consequences of this. Use CVE-2016-5688 for this entire report about the WPG parser.
Null pointer accesses and unclear segfaults can happen in the DCM parser. Sample for null pointer access in ReadDCMImage Sample for null pointer access in ReadDCMImage (different code) Sample for unclear segfault in ReadDCMImage https://github.com/ImageMagick/ImageMagick/commit/5511ef530576ed18fd636baa3bb4eda3d667665d
As far as we can tell, there are three separate issues identified in the fix. (These do not necessarily map directly to the three samples.) Use CVE-2016-5689 for the lack of required NULL pointer checks. Use CVE-2016-5690 for the error in the for statement in the "Compute pixel scaling table" part of the ReadDCMImage function. Use CVE-2016-5691 for the lack of validation of pixel.red, pixel.green, and pixel.blue. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXZAH0AAoJEHb/MwWLVhi26YQP/1wB8tcmsY0Ljb68BDyylo+8 Fsl4LBITCVw2cPLJKw/cPupFN0I4kTG38EEr4HNemfIt8zGSYKGfcdr+geTB+WGK Y/EgTBwJrSCLt7KQOADAi1uNHHuq9+7uoZ1zjhffO729MqY73g0Vh4oi7waNqJBm N52k4VJA24s0zHFLQX3A29gaVsdMHxW/bTdsOiI6+VicMWYdfSHSbzfK4MP0daCK Y2OGnAFJAhcsZHKjXSiyEBCdH2dATjLuBONW3Y+bYaDvZ9Q313eKoDXJZ7ng/Idp UAfHpKYgkkN4wbOS+Y5AFYSaGGpLeMxzg6z113sAPw8pB5ukEoQvjm5FQq78HDGk sQSrunAuZS/9vLLmypTEpj0tuTDzi4V+WDqcwneTYh5xMxtLcMlaECMVOealOwFV 63Vf6sRV7TindQ3AulzIl+qux6cQJzh+8mWYfOA7UdpYrX1qDInPdX2ZiuSLQ9UW jusvHE1wbXj7F7VBmuZHmUOFQX0T2hI0jJa81YdQvoDXVxp+kerIIwVAcB7Xc/3+ /Kh8kw0xiaewVhe4lo/SwkUhTecNxm3hw22aCITvCMo9Hcg6qzwBmMBKJtcRWbYd gIB/KopZv0CLwOGDvRcZql+QA811Ee9QBR28e7gJ48PjiJmKEgXvcNDhuGb29n2c z6A2Z9cyks8gJCWERGvF =Pvf8 -----END PGP SIGNATURE-----
Current thread:
- Various invalid memory reads in ImageMagick (WPG, DDS, DCM) Hanno Böck (Jun 14)
- Re: Various invalid memory reads in ImageMagick (WPG, DDS, DCM) cve-assign (Jun 17)