Bugtraq mailing list archives
Re: [Overflow.pl] ImageMagick ReadSGIImage() Heap Overflow
From: Daniel Kobras <kobras () debian org>
Date: Wed, 16 Aug 2006 16:32:03 +0000 (UTC)
Damian Put <pucik <at> overflow.pl> writes:
Vendor: ImageMagick (http://www.imagemagick.org) Affected version: 6.x up to and including 6.2.8 Vendor status: Fixed version released (6.2.9)
There are some whitespace changes between 6.2.8 and 6.2.9 as well as a fix for what looks like a different vulnerability (affecting run-length encoded images only, but from what I can tell, 6.2.9 still suffers from the flaw you described below. Can you please clarify why you claim 6.2.9 to be fixed?
A heap overflow exists in ReadSGIImage() function, that is used to decode a SGI image file. The vulnerable code is: coders/sgi.c: static Image *ReadSGIImage(const ImageInfo *image_info, ExceptionInfo *exception) { ... iris_info.bytes_per_pixel=(unsigned char) ReadBlobByte(image); ... image->columns=iris_info.columns; image->rows=iris_info.rows; ... bytes_per_pixel=(size_t) iris_info.bytes_per_pixel; number_pixels=(MagickSizeType) iris_info.columns*iris_info.rows; ... iris_pixels=(unsigned char *)AcquireMagickMemory (4*bytes_per_pixel*iris_info.columns*iris_info.rows); We can manipalute iris_info.rows, iris_info.columns and bytes_per_pixel value. Allocation of memory to "iris_pixels" is based on this values. When rows*cols*bytes_per_pixe*4 overflow integer variable, we can alloc not enough memory for next operations, and cause heap overflow.
Regards, Daniel.
Current thread:
- [Overflow.pl] ImageMagick ReadSGIImage() Heap Overflow Damian Put (Aug 14)
- Re: [Overflow.pl] ImageMagick ReadSGIImage() Heap Overflow Daniel Kobras (Aug 16)