Re: [Overflow.pl] ImageMagick ReadSGIImage() Heap Overflow

[Daniel Kobras <kobras@xxxxxxxxxx>]

Damian Put <pucik <at> overflow.pl> writes:

> Vendor: ImageMagick (http://www.imagemagick.org)
> Affected version: 6.x up to and including 6.2.8
> Vendor status: Fixed version released (6.2.9)

There are some whitespace changes between 6.2.8 and 6.2.9 as well
as a fix for what looks like a different vulnerability (affecting
run-length encoded images only, but from what I can tell, 6.2.9
still  suffers from the flaw you described below. Can you please
clarify why you claim 6.2.9 to be fixed?

> A heap overflow exists in ReadSGIImage() function, that is used to
> decode a SGI image file. The vulnerable code is:
> 
> coders/sgi.c:
> 
> static Image *ReadSGIImage(const ImageInfo *image_info,
> ExceptionInfo *exception)
> {
> ...
>     iris_info.bytes_per_pixel=(unsigned char) ReadBlobByte(image);
> ...
>     image->columns=iris_info.columns;
>     image->rows=iris_info.rows;
> ...
>     bytes_per_pixel=(size_t) iris_info.bytes_per_pixel;
>     number_pixels=(MagickSizeType) iris_info.columns*iris_info.rows;
> ...
>     iris_pixels=(unsigned char *)AcquireMagickMemory
> (4*bytes_per_pixel*iris_info.columns*iris_info.rows); 
> 
> We can manipalute iris_info.rows, iris_info.columns and bytes_per_pixel
> value. Allocation of memory to "iris_pixels" is based on this values.
> When rows*cols*bytes_per_pixe*4 overflow integer variable, we can alloc not
> enough memory for next operations, and cause heap overflow.

Regards,

Daniel.