Hi there, a quick look at two of the codecs from ImageMagick 6.2.8 revealed some missing bounds checks.

The sun bitmap decoder is vulnerable to multiple heap buffer overflows due to the absence of bounds checking and unchecked arithmetic operations on attacker supplied values. The DecodeImage() routine from sun.c, line ~170, performs absolutely no bounds checking on the inner rle decoding loop, allowing an attacker to use a runlength encoded payload to overflow the destination buffer. ReadSUNImage() from sun.c, line ~206, performs no range checking on attacker supplied values before using them in arithmetic operations used to allocate memory for decoded image data. A particularly favourable heap layout (callbacks/function pointers easily within reach) results in a trivially exploitable heap overflow.

line 299:
  bytes_per_line=2*(sun_info.width*sun_info.depth+15)/16;
  sun_pixels=(unsigned char *) AcquireMagickMemory(bytes_per_line*height);

line ~382:
  sun_data=(unsigned char *) AcquireMagickMemory((size_t) sun_info.length*sizeof(*sun_data));

The xcf "GIMP Image" decoder suffers from multiple buffer overflows, including a heap and a stack overflow. Both of these are exploitable to execute arbitrary code by supplying a malformed image. The stack buffer overflow is in the PROP_USER_UNIT handling, line ~1097 of xcf.c, where a fixed 1000 byte stack buffer receives a string of length specified by an attacker via the ReadBlobStringWithLongSize() function. The same non-bounds-checking function is used to read the Layer Name onto a heap buffer. This vulnerability also looks exploitable.

Possible fix and testcases attached. I'll suggest Tuesday 22nd of August as an embargo date; if there are no objections I'll forward these details to the upstream maintainers. Please credit "Tavis Ormandy, Google Security Team" in any advisories relating to these issues.

Thanks, Tavis.
Created attachment 93968 [details, diff] imagemagick-6.2.8-goo-sec.diff
Created attachment 93969 [details] imagemagick-sun-raster-demo.bmp
Created attachment 93970 [details] imagemagick-xcf-codec-demo.jpg
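Added illustration of the three unchecked operations named in the report above (this is example code written for this page, not the attached patch and not ImageMagick's own sources): a Sun raster RLE decoder that refuses runs past the end of its destination, the bytes_per_line*height allocation size evaluated with explicit wrap checks, and a length-prefixed string read that refuses lengths the destination cannot hold. It assumes the Sun byte-encoded RLE scheme (0x80 as escape; 0x80 0x00 is a literal 0x80; 0x80 n v repeats v n+1 times) and a big-endian 32-bit length prefix for the XCF string; all function names, buffer sizes and sample byte streams are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example code, not ImageMagick's: bounds-checked RLE decode into
 * out[0..out_len). Returns bytes written, or -1 when the stream is
 * truncated, would write past out_len, or carries surplus data. */
static long sun_rle_decode(const unsigned char *in, size_t in_len,
                           unsigned char *out, size_t out_len)
{
    size_t ip = 0, op = 0;

    while (ip < in_len && op < out_len) {
        unsigned char b = in[ip++];
        if (b != 0x80) {                 /* plain literal byte */
            out[op++] = b;
            continue;
        }
        if (ip >= in_len)                /* escape with nothing after it */
            return -1;
        unsigned char count = in[ip++];
        if (count == 0) {                /* escaped literal 0x80 */
            out[op++] = 0x80;
            continue;
        }
        if (ip >= in_len)
            return -1;
        unsigned char value = in[ip++];
        size_t run = (size_t)count + 1;
        if (run > out_len - op)          /* the check the report says is missing */
            return -1;
        memset(out + op, value, run);
        op += run;
    }
    if (ip < in_len)                     /* more data than the image needs */
        return -1;
    return (long)op;
}

/* The report's expression 2*(width*depth+15)/16 * height, evaluated in
 * 64-bit with range checks. Returns 0 (never a valid size) on rejection. */
static size_t sun_pixel_buffer_size(uint32_t width, uint32_t height, uint32_t depth)
{
    if (width == 0 || height == 0 || depth == 0 || depth > 32)
        return 0;
    uint64_t bits = (uint64_t)width * depth;          /* < 2^37, cannot wrap */
    uint64_t bytes_per_line = 2 * (bits + 15) / 16;   /* same rounding as the report */
    if (bytes_per_line > SIZE_MAX / height)           /* product would wrap size_t */
        return 0;
    return (size_t)(bytes_per_line * height);
}

/* Length-prefixed string into a caller-owned buffer (the PROP_USER_UNIT
 * case): the declared length is checked against both the blob and the
 * destination before any copy. Returns bytes copied or -1. */
static long read_string_with_size(const unsigned char *blob, size_t blob_len,
                                  char *dst, size_t dst_len)
{
    if (blob_len < 4)
        return -1;
    uint32_t n = ((uint32_t)blob[0] << 24) | ((uint32_t)blob[1] << 16) |
                 ((uint32_t)blob[2] << 8) | (uint32_t)blob[3];
    if (n > blob_len - 4)                /* claims more bytes than the file holds */
        return -1;
    if (n >= dst_len)                    /* must leave room for the NUL */
        return -1;
    memcpy(dst, blob + 4, n);
    dst[n] = '\0';
    return (long)n;
}

int main(void)
{
    /* Constructed sample: a 4-byte run, an escaped 0x80, then one literal. */
    const unsigned char sample[] = {0x80, 0x03, 0xAA, 0x80, 0x00, 0x41};
    unsigned char pixels[6];
    printf("rle decode -> %ld bytes\n",
           sun_rle_decode(sample, sizeof sample, pixels, sizeof pixels));
    /* Constructed sample: a 256-byte run aimed at the 6-byte buffer is refused. */
    const unsigned char oversized[] = {0x80, 0xFF, 0x00};
    printf("oversized run -> %ld\n",
           sun_rle_decode(oversized, sizeof oversized, pixels, sizeof pixels));
    printf("640x480x8 -> %zu bytes, max x max x 32 -> %zu (rejected)\n",
           sun_pixel_buffer_size(640, 480, 8),
           sun_pixel_buffer_size(0xFFFFFFFFu, 0xFFFFFFFFu, 32));
    return 0;
}
```

Each function returns a sentinel (-1 or 0) rather than clamping, so a malformed header or stream aborts the decode instead of producing a partially decoded image; the size helper keeps the report's own rounding (2*(w*d+15)/16) so its results can be compared directly against the line 299 expression.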
Karol sorry for the late CC on this one. It should be public but I haven't seen any announcements yet.
Public for a while. This bug was opened before #144854 so I mark the other one as a dup of this one. Hi Karol, please advise :)
*** Bug 144854 has been marked as a duplicate of this bug. ***
sekretarz, any news on this one?
Pulling in graphics herd for advice.
-dev mailed for assistance.
6.2.9.5 now in portage
Handling stable marking of 6.2.9.5 on bug #144091
GLSA 200609-14