Overflow.pl Security Advisory #7
ImageMagick ReadSGIImage() Heap Overflow
Vendor: ImageMagick (http://www.imagemagick.org)
Affected version: 6.x up to and including 6.2.8
Vendor status: Fixed version released (6.2.9)
Author: Damian Put <pucik (at) overflow (dot) pl [email concealed]>
URL: http://www.overflow.pl/adv/imsgiheap.txt
Date: 14.08.2006
1. Background
ImageMagick is a free software suite to create, edit, and compose bitmap images.
It can read, convert and write images in a large variety of formats.
http://www.imagemagick.org
2. Description
Remote exploitation of a heap overflow vulnerability could allow execution of
arbitrary code or cause a denial of service.
A heap overflow exists in the ReadSGIImage() function, which is used to
decode SGI image files. The vulnerable code is:
coders/sgi.c:

static Image *ReadSGIImage(const ImageInfo *image_info,ExceptionInfo *exception)
{
  ...
  iris_info.bytes_per_pixel=(unsigned char) ReadBlobByte(image);
  ...
  image->columns=iris_info.columns;
  image->rows=iris_info.rows;
  ...
  bytes_per_pixel=(size_t) iris_info.bytes_per_pixel;
  number_pixels=(MagickSizeType) iris_info.columns*iris_info.rows;
  ...
  iris_pixels=(unsigned char *)AcquireMagickMemory
    (4*bytes_per_pixel*iris_info.columns*iris_info.rows);
We can manipulate the iris_info.rows, iris_info.columns and bytes_per_pixel
values, since they are read from the file, and the amount of memory allocated
for "iris_pixels" is computed from them. When rows*columns*bytes_per_pixel*4
overflows the integer variable, too little memory is allocated for the
operations that follow, and a heap overflow results.
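The following is an added illustration of the size computation, not ImageMagick's own code. It computes 4*bytes_per_pixel*columns*rows first the way the vulnerable function does, so the wraparound is visible, and then with overflow checks that reject the file instead of allocating an undersized buffer. Sizes are held in uint32_t to mirror the 32-bit size_t of the affected build; the header values used in main() are constructed.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked computation as in the vulnerable ReadSGIImage(): the product
 * silently wraps modulo 2^32, so a huge image can yield a tiny buffer.
 * For a 64-bit build substitute size_t and SIZE_MAX below. */
uint32_t sgi_unchecked_size(uint32_t columns, uint32_t rows,
                            uint32_t bytes_per_pixel)
{
    return 4u * bytes_per_pixel * columns * rows;
}

/* Multiply two values and report overflow instead of wrapping. */
static int mul_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return 0;               /* product does not fit in 32 bits */
    *out = a * b;
    return 1;
}

/* Checked version: returns 1 and stores 4*bytes_per_pixel*columns*rows in
 * *out, or returns 0 if any intermediate product would overflow, so the
 * caller can reject the image before touching the heap. */
int sgi_checked_size(uint32_t columns, uint32_t rows,
                     uint32_t bytes_per_pixel, uint32_t *out)
{
    uint32_t n;
    if (!mul_checked(columns, rows, &n)) return 0;
    if (!mul_checked(n, bytes_per_pixel, &n)) return 0;
    if (!mul_checked(n, 4u, &n)) return 0;
    *out = n;
    return 1;
}

int main(void)
{
    /* Constructed header values: 32769 x 32768 pixels, 1 byte per pixel.
     * 4*1*32769*32768 = 4295098368, which wraps to 131072 in 32 bits. */
    uint32_t size;
    printf("unchecked: %" PRIu32 " bytes\n",
           sgi_unchecked_size(32769, 32768, 1));
    printf("checked:   %s\n",
           sgi_checked_size(32769, 32768, 1, &size) ? "ok" : "rejected");
    return 0;
}
```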
3. PoC
Example crafted SGI file: http://overflow.pl/poc/imheap.sgi
[pucik@overflow ImageMagick-6.2.8]$ display imheap.sgi
*** glibc detected *** free(): invalid next size (fast): 0x08055dd0 ***
Abort (core dumped)
[pucik@overflow ImageMagick-6.2.8]$