ImageMagick PSD Images Processing RLE Decoding Buffer Overflow

2014.02.12
Risk: High
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Good morning,

Does anyone have further information about <http://secunia.com/advisories/56844/>? (I could not get the http://freecode.com/projects/imagemagick/tags/bugfixes link to show anything useful.)

diffing ImageMagick-6.8.7/coders/psd.c ImageMagick-6.8.8/coders/psd.c:

"" @@ -1224,7 +1224,7 @@ Allocate layered image. */ layer_info[i].image=CloneImage(image,layer_info[i].page.width, - layer_info[i].page.height == ~0U ? 1 : layer_info[i].page.height, + layer_info[i].page.height == ~0UL ? 1 : layer_info[i].page.height, MagickFalse,&image->exception); if (layer_info[i].image == (Image *) NULL) { @@ -2112,9 +2112,6 @@ StringInfo *bim_profile; - unsigned char - layer_name[4]; - /* Open image file. */ @@ -2372,12 +2369,15 @@ property=(const char *) GetImageProperty(next_image,"label"); if (property == (const char *) NULL) { + char + layer_name[MaxTextExtent]; + (void) WriteBlobMSBLong(image,16); (void) WriteBlobMSBLong(image,0); (void) WriteBlobMSBLong(image,0); - (void) FormatLocaleString((char *) layer_name,MaxTextExtent, - "L%06ld",(long) layer_count++); - WritePascalString( image, (char*)layer_name, 4 ); + (void) FormatLocaleString(layer_name,MaxTextExtent,"L%06ld",(long) + layer_count++); + WritePascalString(image,layer_name,4); } else { ""

Would the issue have been writing the amount of 6 long ints into the 4 byte layer_name buffer? Having a (very brief) look at ImageMagick-6.5.4 on RHEL 6, it's using "L%02ld" instead of "L%06ld", but that's still 4 bytes too many before the layer_name[MaxTextExtent]; change.

Could a CVE please be assigned if it has not been already? Sorry for missing anything obvious.

-- Murray McAllister / Red Hat Security Response Team
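Review bot: the first hunk (the CloneImage call near line 1224) only changes the sentinel from `~0U` to `~0UL`, and that matters only if `layer_info[i].page.height` is wider than `unsigned int`. If it is a `size_t` (an assumption; the declaration is not in the diff), then on LP64 targets `~0U` is 0xFFFFFFFF and the comparison never matches an all-ones 64-bit height, so the "use 1 row" substitution never fires and the full value reaches CloneImage as the row count. A comment at the comparison naming the sentinel value the PSD reader stores would keep the two from drifting apart again.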
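Review bot: the second hunk (around line 2112) deletes the function-scope `unsigned char layer_name[4]` and adds nothing in its place, so it is correct only together with the third hunk, which redeclares `layer_name` inside the `if (property == (const char *) NULL)` block. Please confirm no other use of `layer_name` remains in that function; otherwise the result is a build break rather than a fix.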
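Review bot: in the third hunk (around line 2372) the real defect is the size argument: the old call told FormatLocaleString that `layer_name` held MaxTextExtent bytes when it held 4, and "L%06ld" produces a letter, at least six digits and a terminator, 8 bytes for any layer_count below 1000000, so at least 4 bytes landed past the end of the buffer. Redeclaring it as `char layer_name[MaxTextExtent]` makes the size argument truthful. Two follow-ups: use `sizeof(layer_name)` rather than repeating MaxTextExtent so the two cannot diverge, and the unchanged `4` passed to WritePascalString deserves a comment, since if it is a length rather than a pad multiple the seven-character name would be silently truncated.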
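The following is an added example, not ImageMagick code and not part of the original post. It reproduces the two defects the first and third hunks above address, without ever performing the out-of-bounds write: a size argument that does not match the declared buffer, and a sentinel comparison that silently changes meaning with the width of the compared type. DEMO_MAX_TEXT_EXTENT stands in for ImageMagick's MaxTextExtent (its real value is assumed, not taken from the page), and every function name here is hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Stand-in for ImageMagick's MaxTextExtent; the real constant lives in
   the ImageMagick headers and its value is an assumption here. */
#define DEMO_MAX_TEXT_EXTENT 4096

/* Bytes required to hold "L%06ld" for the given counter, terminator included.
   snprintf with a NULL buffer and size 0 only measures, it never writes. */
size_t layer_name_bytes_needed(long layer_count)
{
    int n = snprintf(NULL, 0, "L%06ld", layer_count);
    return (size_t)n + 1;
}

/* Reproduces the old mismatch arithmetically instead of executing it:
   the caller declared `declared_size` bytes but told the formatter it had
   `claimed_size`. Returns how many bytes the format would write past the
   end of the declared buffer; 0 means it fits. */
size_t overflow_bytes(size_t declared_size, size_t claimed_size, long layer_count)
{
    size_t need = layer_name_bytes_needed(layer_count);
    /* snprintf writes at most claimed_size bytes, terminator included. */
    size_t written = need < claimed_size ? need : claimed_size;
    return written > declared_size ? written - declared_size : 0;
}

/* Hardened formatter: the size handed to snprintf is the real buffer size,
   and a buffer that cannot hold the whole name is rejected instead of
   being silently truncated or overrun. Returns the number of characters
   written (terminator excluded) or -1 on failure. */
int format_layer_name(char *buf, size_t bufsize, long layer_count)
{
    if (buf == NULL || bufsize == 0)
        return -1;
    if (layer_name_bytes_needed(layer_count) > bufsize) {
        buf[0] = '\0';
        return -1;
    }
    return snprintf(buf, bufsize, "L%06ld", layer_count);
}

/* The sentinel comparison from the first hunk, before and after the fix.
   With a size_t height, ~0U is promoted to 0x00000000FFFFFFFF on LP64 and
   never equals an all-ones 64-bit value; ~0UL does. */
int height_is_sentinel_uint(size_t height)  { return height == ~0U;  }
int height_is_sentinel_ulong(size_t height) { return height == ~0UL; }

int main(void)
{
    char name[DEMO_MAX_TEXT_EXTENT];

    printf("\"L%%06ld\" needs %zu bytes; a 4-byte buffer claimed to be %d bytes "
           "overflows by %zu\n",
           layer_name_bytes_needed(0), DEMO_MAX_TEXT_EXTENT,
           overflow_bytes(4, DEMO_MAX_TEXT_EXTENT, 0));

    if (format_layer_name(name, sizeof name, 0) >= 0)
        printf("formatted safely into a %zu-byte buffer: %s\n", sizeof name, name);

    printf("all-ones size_t == ~0U: %d, == ~0UL: %d (sizeof size_t = %zu)\n",
           height_is_sentinel_uint((size_t)-1),
           height_is_sentinel_ulong((size_t)-1), sizeof(size_t));
    return 0;
}
```

Passing `sizeof name` rather than a named constant is the habit that would have caught the original bug at the call site: the formatter's size argument can then only ever describe the buffer it is actually given.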

References:

http://secunia.com/advisories/56844/

