CVE-2023-1906 - Heap-based Buffer Overflow in ImageMagick

As part of our security research efforts, we recently used AFL++ (American Fuzzy Lop++) to fuzz test ImageMagick, an open-source software suite for creating, editing, and converting images. We compiled ImageMagick with afl-clang-fast and afl-clang-fast++, AFL++'s instrumenting compiler wrappers, with ASan (AddressSanitizer) enabled so that the build can detect memory errors such as use-after-free, buffer overflows, and other issues.

After running the fuzzer for 24 hours, we discovered a crash in ImageMagick caused by a heap-based buffer overflow. This vulnerability, assigned CVE-2023-1906 / GHSA-35Q2-86C7-9247, could potentially have allowed an attacker to cause a denial of service condition or possibly execute arbitrary code.

To help other security researchers reproduce our findings and improve the security of ImageMagick, we wanted to share our steps for compiling ImageMagick with afl-clang-fast and afl-clang-fast++.

Here are the steps we followed:

  1. Install afl-clang-fast and afl-clang-fast++:
    You can install these compilers by following the instructions on the AFL++ GitHub repository.

  2. Compile ImageMagick with afl-clang-fast and afl-clang-fast++:
    To compile ImageMagick with afl-clang-fast and afl-clang-fast++, you'll need to set the CC and CXX environment variables to the afl-clang-fast and afl-clang-fast++ compilers (AFL_USE_ASAN=1 turns on the ASan instrumentation in the resulting build). Here's an example command:

    AFL_USE_ASAN=1 CC=/usr/local/bin/afl-clang-fast CXX=/usr/local/bin/afl-clang-fast++ ./configure && make -j$(nproc)

  3. Generate test cases:
    To generate test cases for ImageMagick, we used AFL++'s afl-fuzz command, providing the initial corpus from this link. Here's an example command to generate test cases using AFL++'s default settings (@@ is replaced by the path of each generated input):

    afl-fuzz -i /path/to/testcases -o /path/to/output -- /path/to/compiled/imagemagick @@

  4. Run the PoC crash file:
    After running the fuzzer for 24 hours, we discovered a crash in ImageMagick that was caused by a heap-based buffer overflow.

    Here's an example command to run the PoC crash file with the compiled ImageMagick:

    /path/to/compiled/imagemagick /path/to/PoC_crash_file
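As an added example that is not part of the original post, the script below automates step 4 for a whole fuzzing run: it replays every crash file afl-fuzz left in the crashes/ subdirectory of its output directory through the ASan-instrumented build and buckets the results by AddressSanitizer error class and top stack frame, so duplicate crashes collapse before triage. The binary path and crash directory are assumptions passed as arguments, and the embedded sample report uses constructed placeholder function and file names, not real ImageMagick symbols.

```shell
#!/usr/bin/env bash
# Added example: bucket AFL++ crash files by ASan error class and top frame.
# Usage: ./triage.sh /path/to/compiled/imagemagick /path/to/output/default/crashes

# Print the ASan error class (e.g. heap-buffer-overflow) from a report on stdin.
asan_error_type() {
  sed -n 's/.*ERROR: AddressSanitizer: \([A-Za-z0-9_-]*\).*/\1/p' | head -n 1
}

# Print the function name of stack frame #0 from a symbolized report on stdin.
asan_top_frame() {
  sed -n 's/^[[:space:]]*#0 0x[0-9a-fA-F]* in \([A-Za-z0-9_:~]*\).*/\1/p' | head -n 1
}

# Derive a bucket key "type@frame" for one report read from stdin.
# A crash with no ASan header (e.g. a plain SIGSEGV) gets "no-asan-report".
asan_bucket() {
  local report type frame
  report=$(cat)
  type=$(printf '%s\n' "$report" | asan_error_type)
  [ -n "$type" ] || { echo "no-asan-report"; return; }
  frame=$(printf '%s\n' "$report" | asan_top_frame)
  echo "${type}@${frame:-unknown}"
}

# Replay each crash file (afl-fuzz names them id:...): ASan writes its report
# to stderr, which is captured; any image output on stdout is discarded.
triage_crashes() {
  local bin="$1" dir="$2" f key
  for f in "$dir"/id:*; do
    [ -f "$f" ] || continue
    key=$("$bin" "$f" 2>&1 >/dev/null | asan_bucket)
    printf '%s\t%s\n' "$key" "$f"
  done | sort | awk -F'\t' '{ n[$1]++; if (!($1 in ex)) ex[$1] = $2 }
    END { for (k in n) printf "%4d %s  (e.g. %s)\n", n[k], k, ex[k] }'
}

# Constructed sample report (placeholder symbols, not real ImageMagick code),
# used as a self-check when the script is run without arguments.
SAMPLE_REPORT='==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000131 at pc 0x00000051c0de bp 0x7ffc00001000 sp 0x7ffc00000ff0
READ of size 1 at 0x602000000131 thread T0
    #0 0x51c0dd in ReadExampleImage coders/example.c:100:7
    #1 0x52a1ff in ExampleCaller core/example.c:600:9'

if [ "$#" -ge 2 ]; then
  triage_crashes "$1" "$2"
else
  printf '%s\n' "$SAMPLE_REPORT" | asan_bucket   # prints heap-buffer-overflow@ReadExampleImage
fi
```

Each output line gives the number of crash files in a bucket and one representative file to hand to step 4, so a 24-hour run with hundreds of crashes usually reduces to a handful of distinct reports.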

This issue was fixed last weekend in an upstream commit, and an update was released as version 7.1.1-6. We're sharing these steps in the hope that other security researchers can use them to discover and report vulnerabilities in other C and C++ programs.

If you have any questions or feedback, please don't hesitate to reach out to me at hello@agilehunt.com.
