CVE-2017-14103 / graphicsmagick
I manually created a patch for the wheezy version (a follow-up to
CVE-2017-11403, not to be confused with this CVE-2017-14103) and applied
it. Then I found that, both with and without the patch, the wheezy
version crashes with the exploit file before it ever reaches this
vulnerability, spinning in a busy read loop:
read(3, "", 4096) = 0
read(3, "", 4096) = 0
read(3, "", 4096) = 0
read(3, "", 4096) = 0
read(3, "", 4096) = 0
read(3, "", 4096) = 0
read(3, "", 4096) = 0
read(3, "", 4096) = 0
read(3, "", 4096) = 0
read(3, "", 4096) = 0
read(3, "", 4096) = 0
read(3, "", 4096) = 0
read(3, "", 4096) = 0
I also noticed that this issue is marked as fixed in stretch:
=== cut ===
⌁ [brian:~] % gm convert /tmp/10.crashes.png /tmp/abc2.png
gm: magick/semaphore.c:606: LockSemaphoreInfo: Assertion `semaphore_info != (SemaphoreInfo *) NULL' failed.
gm convert: abort due to signal 6 (SIGABRT) "Abort"...
zsh: abort gm convert /tmp/10.crashes.png /tmp/abc2.png
=== cut ===
errr... that looks identical to me to the failure described in
https://sourceforge.net/p/graphicsmagick/bugs/440/, except without the
extra logging information.
sid appears to be OK:
=== cut ===
(sid-amd64-default)root@prune:/home/brian# gm convert /tmp/10.crashes.png /tmp/abc2.png
gm convert: Request did not return an image.
=== cut ===
For completeness I have attached my experimental patch against wheezy.
--
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
--- a/coders/png.c
+++ b/coders/png.c
@@ -3112,15 +3112,23 @@
type[0],type[1],type[2],type[3],length);
if (length > PNG_MAX_UINT || count == 0)
- ThrowReaderException(CorruptImageError,CorruptImage,image);
+ {
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "chunk length (%lu) > PNG_MAX_UINT",length);
+ return ((Image*)NULL);
+ }
+
chunk=(unsigned char *) NULL;
p=NULL;
if (length)
{
chunk=MagickAllocateMemory(unsigned char *,length);
if (chunk == (unsigned char *) NULL)
- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
- image);
+ {
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " Could not allocate chunk memory");
+ return ((Image*)NULL);
+ }
for (i=0; i < (long) length; i++)
chunk[i]=ReadBlobByte(image);
p=chunk;
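Review bot: The bare `return ((Image*)NULL)` added on the three new error paths here (and on those in the next three hunks) drops what ThrowReaderException did: as far as I recall it records the error in `exception`, closes the blob and destroys `image`, so the caller now gets NULL with no exception set — plausibly what the "Request did not return an image." output above reflects — and the partially read image leaks. The log text on the length check is also misleading, since the condition fires for `count == 0` as well; `"chunk length (%lu) > PNG_MAX_UINT or zero-length read"` would describe both cases. The `%lu` conversion assumes `length` is an unsigned long, and casting `(unsigned long) length` would make it safe whatever its declared type is. These LogMagickEvent calls are unconditional while the surrounding code gates them on `logging` (see the next hunk), which is a style inconsistency worth settling one way. The enclosing function starts and ends outside the hunk.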
@@ -3204,14 +3212,19 @@
color_image_info=MagickAllocateMemory(ImageInfo *,sizeof(ImageInfo));
if (color_image_info == (ImageInfo *) NULL)
- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
- image);
+ {
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " could not allocate color_image_info");
+ return ((Image *)NULL);
+ }
GetImageInfo(color_image_info);
color_image=AllocateImage(color_image_info);
if (color_image == (Image *) NULL)
- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
- image);
-
+ {
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " could not allocate color_image");
+ return ((Image *)NULL);
+ }
if (logging)
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
" Creating color_blob.");
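Review bot: When AllocateImage fails at the color_image check, the new path returns while `color_image_info`, allocated a few lines earlier, is still live, and — assuming this is the same loop iteration that allocates `chunk` in the first hunk and frees it in the last — `chunk` is still allocated too, so both leak. `MagickFreeMemory(chunk);` and `DestroyImageInfo(color_image_info);` (if that is the matching destructor in this tree) before the return would close that. The removed ThrowReaderException path leaked color_image_info as well, so that part is pre-existing, but the rewrite is the moment to fix it. The enclosing function starts and ends outside the hunk.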
@@ -3219,23 +3232,31 @@
status=OpenBlob(color_image_info,color_image,WriteBinaryBlobMode,
exception);
if (status == MagickFalse)
- ThrowReaderException(CoderError,UnableToOpenBlob,color_image);
+ {
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " could not open color_image blob");
+ return ((Image *)NULL);
+ }
+
if (!image_info->ping && jng_color_type >= 12)
{
alpha_image_info=MagickAllocateMemory(ImageInfo *,
sizeof(ImageInfo));
if (alpha_image_info == (ImageInfo *) NULL)
- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
- image);
+ {
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " could not allocate alpha_image_info");
+ return ((Image *)NULL);
+ }
GetImageInfo(alpha_image_info);
alpha_image=AllocateImage(alpha_image_info);
if (alpha_image == (Image *) NULL)
{
DestroyImage(alpha_image);
- ThrowReaderException(ResourceLimitError,
- MemoryAllocationFailed,
- alpha_image);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " could not allocate alpha_image");
+ return ((Image *)NULL);
}
if (logging)
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
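Review bot: The `DestroyImage(alpha_image)` on the context line inside the `alpha_image == NULL` branch still runs on the new path with a NULL pointer; if DestroyImage asserts a non-NULL image the way LockSemaphoreInfo does in the trace above, this branch still aborts instead of returning. It looks like the removed ThrowReaderException on `alpha_image` (a NULL image) was what triggered the semaphore assertion, so dropping the DestroyImage call as well, `if (alpha_image == (Image *) NULL) { (void) LogMagickEvent(CoderEvent,GetMagickModule()," could not allocate alpha_image"); return ((Image *)NULL); }`, is the safer shape. The returns in this hunk also leave color_image, color_image_info, alpha_image_info and the open color_image blob unreleased. The enclosing function starts and ends outside the hunk.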
@@ -3244,7 +3265,11 @@
status=OpenBlob(alpha_image_info,alpha_image,WriteBinaryBlobMode,
exception);
if (status == MagickFalse)
- ThrowReaderException(CoderError,UnableToOpenBlob,image);
+ {
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " could not open alpha_image blob");
+ return ((Image *)NULL);
+ }
if (jng_alpha_compression_method == 0)
{
unsigned char
@@ -3314,8 +3339,7 @@
(void) WriteBlobMSBULong(alpha_image,
crc32(crc32(0,data,4),chunk,length));
}
- if (length)
- MagickFreeMemory(chunk);
+ MagickFreeMemory(chunk);
continue;
}