oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2016-6823 - ImageMagick BMP Coder Out-Of-Bounds Write Vulnerability

From: pwchen(陈佩文) <pwchen () tencent com>
Date: Mon, 26 Sep 2016 05:17:41 +0000
Hi.

This is PwChen of Tencent's Xuanwu Lab & RayZhong of Tencent's Keen Lab.

During our research, we found an Out-Of-Bounds write vulnerability in
ImageMagick's BMP coders.

When ImageMagick is converting other format to BMP format, it will
pass image's height and width parameter into 'BMP coder'.

There is an arithmetic overflow vulnerability when the BMP coder is
calculating the image size by multiplying the height and width. This
can directly cause an Out-Of-Bounds Write.

The ImageMagick team has fixed the vulnerability we reported.

Attached is a proof of concept.

python -c 'print "P3\x0a14096\x201048576\x0a255\x00"' > PoC.ppm
convert PoC.ppm crash.bmp


Upstream fix:
https://github.com/ImageMagick/ImageMagick/commit/e7094d16cd8aee6bb48cf1d369f617f7edf89993
https://github.com/ImageMagick/ImageMagick/commit/4cc6ec8a4197d4c008577127736bf7985d632323

Debian Bug report:
https://bugs.debian.org/834504


Regards,
Peiwen Chen
Tencent's Xuanwu Lab
Previous By Date Next
Previous By Thread Next

Current thread: