[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <loom.20060816T181837-414@post.gmane.org>
Date: Wed, 16 Aug 2006 16:32:03 +0000 (UTC)
From: Daniel Kobras <kobras@...ian.org>
To: bugtraq@...urityfocus.com
Subject: Re: [Overflow.pl] ImageMagick ReadSGIImage() Heap Overflow
Damian Put <pucik <at> overflow.pl> writes:
> Vendor: ImageMagick (http://www.imagemagick.org)
> Affected version: 6.x up to and including 6.2.8
> Vendor status: Fixed version released (6.2.9)
There are some whitespace changes between 6.2.8 and 6.2.9 as well
as a fix for what looks like a different vulnerability (affecting
run-length encoded images only, but from what I can tell, 6.2.9
still suffers from the flaw you described below. Can you please
clarify why you claim 6.2.9 to be fixed?
> A heap overflow exists in ReadSGIImage() function, that is used to
> decode a SGI image file. The vulnerable code is:
>
> coders/sgi.c:
>
> static Image *ReadSGIImage(const ImageInfo *image_info,
> ExceptionInfo *exception)
> {
> ...
> iris_info.bytes_per_pixel=(unsigned char) ReadBlobByte(image);
> ...
> image->columns=iris_info.columns;
> image->rows=iris_info.rows;
> ...
> bytes_per_pixel=(size_t) iris_info.bytes_per_pixel;
> number_pixels=(MagickSizeType) iris_info.columns*iris_info.rows;
> ...
> iris_pixels=(unsigned char *)AcquireMagickMemory
> (4*bytes_per_pixel*iris_info.columns*iris_info.rows);
>
> We can manipalute iris_info.rows, iris_info.columns and bytes_per_pixel
> value. Allocation of memory to "iris_pixels" is based on this values.
> When rows*cols*bytes_per_pixe*4 overflow integer variable, we can alloc not
> enough memory for next operations, and cause heap overflow.
Regards,
Daniel.
Powered by blists - more mailing lists