oss-sec mailing list archives

Re: Stack overflow in imagemagick coders/tiff.c


From: Bob Friesenhahn <bfriesen () simple dallas tx us>
Date: Wed, 14 Jun 2023 07:52:05 -0500 (CDT)

On Wed, 14 Jun 2023, Salvatore Bonaccorso wrote:

Hi

On Mon, May 29, 2023 at 08:11:18AM +0000, Bastien Roucariès wrote:
Hi,

Reading the changelog and code of imagemagick, I want to report a stack overflow with a crafted tiff file in imagemagick

Fixed (after 6.9.12-26) by:
https://github.com/ImageMagick/ImageMagick6/commit/85a370c79afeb45a97842b0959366af5236e9023

CVE-2023-3195 has been assigned for this issue according to
https://bugzilla.redhat.com/show_bug.cgi?id=2214141 (not yet on
cve.org feed itself).

It seems suspicious that (after looking at the code) this is obviously a heap overflow (of the 'tile_pixels' allocation) rather than a stack overflow. Whenever something is mischaracterized, it becomes suspect.

The overflow checking while computing 'extent' still seems suspect and is worthy of more inspection, especially on 32-bit systems.

The development ImageMagick 7.1 is included in oss-fuzz testing (but has not successfully compiled since May 22nd). Oss-fuzz has discovered 2935 serious issues related to development ImageMagick 7 since 2017, and most of those have been fixed in ImageMagick 7, but not in legacy ImageMagick 6.

Linux/OSS distributions still distributing ImageMagick 6 are severely fooling themselves and their users if it is believed that the software can be made secure by applying a few patches.

Bob
--
Bob Friesenhahn
bfriesen () simple dallas tx us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
Public Key,     http://www.simplesystems.org/users/bfriesen/public-key.txt
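As an added example (not code from ImageMagick, GraphicsMagick or anyone in this thread) illustrating the point about overflow checking while computing 'extent' on 32-bit systems: a constructed tile-buffer size computation in a 32-bit size type, with the naive product beside a checked version. The formula (width * height * samples * bytes per sample) and the function names are assumptions, not taken from coders/tiff.c.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a tile-buffer size computation on a platform
   whose size type is 32 bits. The product is assumed, not ImageMagick's. */

/* Naive extent: each multiplication wraps silently modulo 2^32. */
static uint32_t naive_extent32(uint32_t width, uint32_t height,
                               uint32_t samples, uint32_t bytes)
{
    return width * height * samples * bytes;
}

/* Checked extent: 0 on success with *out set, -1 if any partial
   product would exceed UINT32_MAX. Uses the division test, which
   needs no wider integer type and so also works on 32-bit targets. */
static int checked_extent32(uint32_t width, uint32_t height,
                            uint32_t samples, uint32_t bytes, uint32_t *out)
{
    uint32_t factors[] = { height, samples, bytes };
    uint32_t acc = width;
    for (size_t i = 0; i < 3; i++) {
        if (factors[i] != 0 && acc > UINT32_MAX / factors[i])
            return -1;              /* acc * factors[i] would wrap */
        acc *= factors[i];
    }
    *out = acc;
    return 0;
}

/* Allocate the tile buffer only when the extent is representable;
   a wrapped extent would otherwise yield a buffer far smaller than
   the pixel data later written into it. */
static unsigned char *alloc_tile_pixels(uint32_t width, uint32_t height,
                                        uint32_t samples, uint32_t bytes,
                                        uint32_t *extent)
{
    if (checked_extent32(width, height, samples, bytes, extent) != 0)
        return NULL;
    return calloc(*extent, 1);
}

int main(void)
{
    uint32_t extent = 0;
    /* Constructed tile geometry: 65536 x 65536, 1 sample, 1 byte */
    printf("naive extent: %u\n", naive_extent32(65536, 65536, 1, 1));
    unsigned char *p = alloc_tile_pixels(65536, 65536, 1, 1, &extent);
    printf("checked allocation %s\n", p ? "succeeded" : "rejected");
    free(p);
    return 0;
}
```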
