ImageMagick heap use-after-free in RenderFreetype

2017.10.10
Credit: NOIRFATE
Risk: High
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Version : ImageMagick 7.0.7-4 Q16 x86_64 2017-09-22 http://www.imagemagick.org In order to reproduce this bug, need to build ImageMagick and Freetype2 with ASAN. Add a crafted font in ~/.config/ImageMagick/type.xml <type format="ttf" name="test" fullname="Z003 Medium Italic" family="Z003" glyphs="/root/out/crashes/test.ttf" /> The crafted font file : https://github.com/noirfate/test/blob/master/test1.ttf After have added the crafted font, run : magick -background lightblue -fill blue -font test -size 480x360 caption:hello world 1.gif ASAN would report : ==3531==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000092a0 at pc 0x7f31ab1cc934 bp 0x7ffd03c83330 sp 0x7ffd03c83328 READ of size 8 at 0x6080000092a0 thread T0 #0 0x7f31ab1cc933 in FT_Done_Glyph /root/dep_src/freetype2/src/base/ftglyph.c:637:46 #1 0x7f31ac530d4c in RenderFreetype /root/dep_src/ImageMagick-master/MagickCore/annotate.c:1797:7 #2 0x7f31ac529114 in RenderType /root/dep_src/ImageMagick-master/MagickCore/annotate.c:1027:10 #3 0x7f31ac527944 in GetTypeMetrics /root/dep_src/ImageMagick-master/MagickCore/annotate.c:906:10 #4 0x7f31ac52aa77 in FormatMagickCaption /root/dep_src/ImageMagick-master/MagickCore/annotate.c:627:12 #5 0x7f31ac99ea52 in ReadCAPTIONImage /root/dep_src/ImageMagick-master/coders/caption.c:221:11 #6 0x7f31ac5c8688 in ReadImage /root/dep_src/ImageMagick-master/MagickCore/constitute.c:497:13 #7 0x7f31ac5cad54 in ReadImages /root/dep_src/ImageMagick-master/MagickCore/constitute.c:866:9 #8 0x7f31abf87ad9 in CLINoImageOperator /root/dep_src/ImageMagick-master/MagickWand/operation.c:4760:22 #9 0x7f31abf8a1fc in CLIOption /root/dep_src/ImageMagick-master/MagickWand/operation.c:5255:7 #10 0x7f31abe84577 in ProcessCommandOptions /root/dep_src/ImageMagick-master/MagickWand/magick-cli.c:424:13 #11 0x7f31abe853e0 in MagickImageCommand /root/dep_src/ImageMagick-master/MagickWand/magick-cli.c:794:5 #12 0x7f31abeb7ad7 in MagickCommandGenesis /root/dep_src/ImageMagick-master/MagickWand/mogrify.c:183:14 #13 0x4ee16d in MagickMain /root/dep_src/ImageMagick-master/utilities/magick.c:149:10 #14 0x4ee16d in main /root/dep_src/ImageMagick-master/utilities/magick.c:180 #15 0x7f31a30f482f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291 #16 0x41a2d8 in _start (/root/deps/bin/magick+0x41a2d8) 0x6080000092a0 is located 0 bytes inside of 88-byte region [0x6080000092a0,0x6080000092f8) freed by thread T0 here: #0 0x4c0c8b in __interceptor_free /home/snd-local/releases/4.0.1/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3 #1 0x7f31ac530ad0 in RenderFreetype /root/dep_src/ImageMagick-master/MagickCore/annotate.c:1772:5 #2 0x7f31ac529114 in RenderType /root/dep_src/ImageMagick-master/MagickCore/annotate.c:1027:10 #3 0x7f31ac527944 in GetTypeMetrics /root/dep_src/ImageMagick-master/MagickCore/annotate.c:906:10 #4 0x7f31ac52aa77 in FormatMagickCaption /root/dep_src/ImageMagick-master/MagickCore/annotate.c:627:12 #5 0x7f31ac99ea52 in ReadCAPTIONImage /root/dep_src/ImageMagick-master/coders/caption.c:221:11 #6 0x7f31ac5c8688 in ReadImage /root/dep_src/ImageMagick-master/MagickCore/constitute.c:497:13 #7 0x7f31ac5cad54 in ReadImages /root/dep_src/ImageMagick-master/MagickCore/constitute.c:866:9 #8 0x7f31abf87ad9 in CLINoImageOperator /root/dep_src/ImageMagick-master/MagickWand/operation.c:4760:22 #9 0x7f31abf8a1fc in CLIOption /root/dep_src/ImageMagick-master/MagickWand/operation.c:5255:7 #10 0x7f31abe84577 in ProcessCommandOptions /root/dep_src/ImageMagick-master/MagickWand/magick-cli.c:424:13 previously allocated by thread T0 here: #0 0x4c0fdc in __interceptor_malloc /home/snd-local/releases/4.0.1/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3 #1 0x7f31ab1952e2 in ft_mem_qalloc /root/dep_src/freetype2/src/base/ftutil.c:76:15 #2 0x7f31ab1952e2 in ft_mem_alloc /root/dep_src/freetype2/src/base/ftutil.c:55 #3 0x7f31ac52f508 in RenderFreetype /root/dep_src/ImageMagick-master/MagickCore/annotate.c:1613:15 #4 0x7f31ac529114 in RenderType /root/dep_src/ImageMagick-master/MagickCore/annotate.c:1027:10 #5 0x7f31ac527944 in GetTypeMetrics /root/dep_src/ImageMagick-master/MagickCore/annotate.c:906:10 #6 0x7f31ac52aa77 in FormatMagickCaption /root/dep_src/ImageMagick-master/MagickCore/annotate.c:627:12 #7 0x7f31ac99ea52 in ReadCAPTIONImage /root/dep_src/ImageMagick-master/coders/caption.c:221:11 #8 0x7f31ac5c8688 in ReadImage /root/dep_src/ImageMagick-master/MagickCore/constitute.c:497:13 #9 0x7f31ac5cad54 in ReadImages /root/dep_src/ImageMagick-master/MagickCore/constitute.c:866:9 #10 0x7f31abf87ad9 in CLINoImageOperator /root/dep_src/ImageMagick-master/MagickWand/operation.c:4760:22 #11 0x7f31abf8a1fc in CLIOption /root/dep_src/ImageMagick-master/MagickWand/operation.c:5255:7 #12 0x7f31abe84577 in ProcessCommandOptions /root/dep_src/ImageMagick-master/MagickWand/magick-cli.c:424:13 After I took a look at the code, I think it maybe caused by calling FT_Done_Glyph multiple times. First when last_glyph.id != 0, it will enter the if condition annotate.c:1762 if (last_glyph.id != 0) FT_Done_Glyph(last_glyph.image); last_glyph=glyph; code=GetUTFCode(p+grapheme[i].cluster); } Thus last_glyph is equal to glyph. And then, in some cases, it will call FT_Done_Glyph(last_glyph.image) and FT_Done_Glyph(glyph.image) both. Since last_glyph = glyph, the last call will trigger this bug. if (last_glyph.id != 0) FT_Done_Glyph(last_glyph.image); /* Determine font metrics. */ glyph.id=FT_Get_Char_Index(face,'_'); glyph.origin=origin; ft_status=FT_Load_Glyph(face,glyph.id,flags); if (ft_status == 0) { ... FT_Done_Glyph(glyph.image); }

References:

https://github.com/noirfate/test/blob/master/test1.ttf
https://github.com/ImageMagick/ImageMagick/issues/781


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top