Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Excessive iteration in DecodeLabImage and EncodeLabImage (src/coders/tiff.c) #1072

Closed
traceprobe opened this issue Mar 29, 2018 · 1 comment

Comments

@traceprobe
Copy link

Version: ImageMagick 7.0.7-26 Q16 x86_64 2018-03-29
Commit: 8ea06c4
OS: Linux test 3.10.0-693.21.1.el7.x86_64 #1 SMP Fri Feb 23 18:54:16 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

There is a excessive iteration in DecodeLabImage and EncodeLabImage function of src/coders/tiff.c file, which could be triggered by the POC below.

The issue happens since DecodeLabImage and EncodeLabImage assume legitimate values of image->rows and image->columns. Once such values are manipulated to be large, imagemagick hangs: Imagemagick spends more than ten minutes to process the POC, which is only 108 bytes.

To reproduce the issue: run ./mogrify $POC
POC is attached.
imagemagick_7-0-7_mogrify_excessive-iteration_DecodeLabImage.tiff.zip

Stack trace when imagemagick is in DecodeLabImage loop:
#0 0x00007fe826f6ebac in DecodeLabImage (image=image@entry=0x62700001f900, exception=exception@entry=0x606000000fe0)
at /u/test/test/product/imagemagick/master/src/MagickCore/pixel-accessor.h:626
#1 0x00007fe826f83681 in ReadTIFFImage (image_info=, exception=)
at /u/test/test/product/imagemagick/master/src/coders/tiff.c:2222
#2 0x00007fe82618166c in ReadImage (image_info=image_info@entry=0x627000007100, exception=exception@entry=0x606000000fe0)
at /u/test/test/product/imagemagick/master/src/MagickCore/constitute.c:497
#3 0x00007fe8261857e5 in ReadImages (image_info=image_info@entry=0x627000003900, filename=filename@entry=0x60b0000005c0 "/u/test/test/fuzz/ncimagemagick/output/poc/id:000001,sig:06,src:000000,op:replay,rep:13.tiff", exception=exception@entry=0x606000000fe0)
at /u/test/test/product/imagemagick/master/src/MagickCore/constitute.c:867
#4 0x00007fe825a1dd6e in MogrifyImageCommand (image_info=0x627000003900, argc=, argv=, wand_unused_metadata=, exception=) at /u/test/test/product/imagemagick/master/src/MagickWand/mogrify.c:3945
#5 0x00007fe8259ea660 in MagickCommandGenesis (image_info=image_info@entry=0x627000000100, command=, argc=argc@entry=2, argv=, metadata=, exception=exception@entry=0x606000000fe0) at /u/test/test/product/imagemagick/master/src/MagickWand/mogrify.c:183
#6 0x0000000000402668 in MagickMain (argc=2, argv=) at /u/test/test/product/imagemagick/master/src/utilities/magick.c:149
#7 0x00007fe81f8c2c05 in __libc_start_main () at /usr/lib64/libc.so.6
#8 0x0000000000401ac2 in _start ()

@nohmask
Copy link

nohmask commented Apr 2, 2018

This was assigned CVE-2018-9133.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests

2 participants