lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID:  <loom.20060816T181837-414@post.gmane.org>
Date: Wed, 16 Aug 2006 16:32:03 +0000 (UTC)
From: Daniel Kobras <kobras@...ian.org>
To: bugtraq@...urityfocus.com
Subject:  Re: [Overflow.pl] ImageMagick ReadSGIImage() Heap	Overflow

Damian Put <pucik <at> overflow.pl> writes:

> Vendor: ImageMagick (http://www.imagemagick.org)
> Affected version: 6.x up to and including 6.2.8
> Vendor status: Fixed version released (6.2.9)

There are some whitespace changes between 6.2.8 and 6.2.9 as well
as a fix for what looks like a different vulnerability (affecting
run-length encoded images only, but from what I can tell, 6.2.9
still  suffers from the flaw you described below. Can you please
clarify why you claim 6.2.9 to be fixed?

> A heap overflow exists in ReadSGIImage() function, that is used to
> decode a SGI image file. The vulnerable code is:
> 
> coders/sgi.c:
> 
> static Image *ReadSGIImage(const ImageInfo *image_info,
> ExceptionInfo *exception)
> {
> ...
>     iris_info.bytes_per_pixel=(unsigned char) ReadBlobByte(image);
> ...
>     image->columns=iris_info.columns;
>     image->rows=iris_info.rows;
> ...
>     bytes_per_pixel=(size_t) iris_info.bytes_per_pixel;
>     number_pixels=(MagickSizeType) iris_info.columns*iris_info.rows;
> ...
>     iris_pixels=(unsigned char *)AcquireMagickMemory
> (4*bytes_per_pixel*iris_info.columns*iris_info.rows); 
> 
> We can manipalute iris_info.rows, iris_info.columns and bytes_per_pixel
> value. Allocation of memory to "iris_pixels" is based on this values.
> When rows*cols*bytes_per_pixe*4 overflow integer variable, we can alloc not
> enough memory for next operations, and cause heap overflow.

Regards,

Daniel.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ