clone 414370 -1
retitle -1 graphicsmagick: Heap overflow in GrayscalePseudoClassImage() on 64bit archs.
severity -1 grave
tag -1 + security
tag -1 + pending
clone 414370 -2
retitle -2 graphicsmagick: Double free() when calling MagickReallocMemory() with zero size.
severity -2 important
tag -2 + pending
clone 414370 -3
retitle -3 graphicsmagick: Heap overflow in VIFF coder.
severity -3 grave
tag -3 + security
tag -3 + pending
thanks
On Sun, Mar 11, 2007 at 03:53:05PM +0200, Sami Liedes wrote:

> $ gm identify samples/segv.viff
> *** glibc detected *** double free or corruption (fasttop):
> 0x0000000000533970 ***
> - Doesn't crash with -O0 (but I do get uses of uninitialized variables
> at XYZTransformPacket (image.c:4946-4956). -O1 gives the above
> message, but does not crash under valgrind (and reports only uses of
> uninitialized mem) -> hard to debug :(

The viff_pixels array can be overflowed because of insufficient
validation of the number_data_bands value in the input file. Might be
exploitable.

> $ gm identify samples/segv2.viff
> *** glibc detected *** double free or corruption (fasttop):
> 0x0000000000533970 ***

Two issues here:

The above error message is caused by a bug in MagickReallocMemory().
When called with a size argument of 0, it calls realloc(memory, 0),
then free(memory), but--at least with the standard glibc
allocator--realloc() has already freed the memory internally. Probably
not a grave security problem in the end, but I haven't checked all
code paths. Still a nuisance as the application usually hangs after
the error message (due to what is said to be a glibc bug) until kill
-9'ed.

Trying to hunt down the above, I noticed a more severe problem,
though. In GrayscalePseudoClassImage(), the colormap_index array is an
array of int *. It is allocated as (number of items)*sizeof(int)
instead of sizeof(int *), leaving the array half the required size on
64bit archs. This bug didn't cause the eventual crash, but looks like
a security problem and might be exploitable.

I'm currently preparing an upload fixing the three problems above, as
well as the outstanding XWD bug #417862.

Regards,
Daniel.
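As an added illustration (not code from this report or from GraphicsMagick), the two allocation mistakes described above beside defensively written equivalents: a realloc wrapper that handles a zero size without the realloc-then-free double release, and a pointer-array allocation sized by the element type rather than by sizeof(int). All function names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical replacement for the MagickReallocMemory() pattern in the
 * report. realloc(p, 0) may free p and return NULL; a following free(p)
 * is then a double free. Treat size 0 as an explicit, single release.
 * On realloc failure the old block is released too, so the caller never
 * keeps a dangling pointer (this wrapper's own convention). */
void *safe_realloc_memory(void *memory, size_t size)
{
    if (size == 0) {
        free(memory);
        return NULL;
    }
    void *p = realloc(memory, size);
    if (p == NULL) {
        free(memory);   /* realloc failure leaves the old block valid */
        return NULL;
    }
    return p;
}

/* Bytes the report's bug computes for a colormap_index-style int* array
 * (sizeof(int)) versus the correct element size (sizeof(int *)). On LP64
 * hosts these differ by a factor of two, hence the undersized buffer. */
size_t buggy_pointer_array_bytes(size_t count)   { return count * sizeof(int); }
size_t correct_pointer_array_bytes(size_t count) { return count * sizeof(int *); }

/* Allocate `count` pointers, sizing by the element type and rejecting
 * counts whose byte size would wrap. */
int **alloc_pointer_array(size_t count)
{
    if (count > SIZE_MAX / sizeof(int *))
        return NULL;
    return calloc(count, sizeof(int *));
}

/* Exercise both helpers; returns 1 on success, 0 on any failure. */
int demo(void)
{
    int values[16];
    int **cmap = alloc_pointer_array(16);
    if (cmap == NULL) return 0;
    for (size_t i = 0; i < 16; i++) { values[i] = (int)i; cmap[i] = &values[i]; }
    int ok = (*cmap[15] == 15);          /* last slot fits: no out-of-bounds write */
    char *buf = malloc(32);
    if (buf == NULL) { free(cmap); return 0; }
    memset(buf, 'A', 32);
    buf = safe_realloc_memory(buf, 0);   /* released exactly once, returns NULL */
    ok = ok && (buf == NULL);
    free(cmap);
    return ok;
}
```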