Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Infinite loop in ReadOneMNGImage (src/coders/png.c) #1095

Closed
traceprobe opened this issue Apr 16, 2018 · 4 comments
Closed

Infinite loop in ReadOneMNGImage (src/coders/png.c) #1095

traceprobe opened this issue Apr 16, 2018 · 4 comments
Labels
bug

Comments

@traceprobe
Copy link

traceprobe commented Apr 16, 2018
edited by dlemstra
Loading

Commit: 11a3594

Description

In latest commit of ImageMagick, there is an infinite loop in ReadOneMNGImage function of src/coders/png.c file, which could be triggered by the attached POC.

The issue is in the following loop, and seems that image_info is never updated inside the loop (line 7428).

5244 static Image ReadOneMNGImage(MngInfo mng_info, const ImageInfo *image_info,
5245 ExceptionInfo *exception)
5246 {
...
5388 do
5389 {
...
7428 } while (LocaleCompare(image_info->magick,"MNG") == 0);

Steps to Reproduce

  1. install libpng
  2. checkout commit 11a3594 of ImageMagick;
  3. compile ImageMagick and run: ./bin/convert $POC /tmp/null.png.

System Configuration

Stack Trace:

#0  0x00007ffff6cafc34 in __GI___fxstat (vers=<optimized out>, fd=3, buf=0x632ac8) at ../sysdeps/unix/sysv/linux/wordsize-64/fxstat.c:35
#1  0x00007ffff765af9d in GetBlobSize (image=0x62ca40) at /home/test/test/imagemagick/master/src/MagickCore/blob.c:1715
#2  0x00007ffff79d8a37 in ReadOneMNGImage (mng_info=0x637380, image_info=0x620b90, exception=0x614d00)
    at /home/test/test/imagemagick/master/src/coders/png.c:5422
#3  0x00007ffff79e0123 in ReadMNGImage (image_info=0x620b90, exception=0x614d00) at /home/test/test/imagemagick/master/src/coders/png.c:7711
#4  0x00007ffff76a1d0c in ReadImage (image_info=0x61d830, exception=0x614d00) at /home/test/test/imagemagick/master/src/MagickCore/constitute.c:500
#5  0x00007ffff76a340b in ReadImages (image_info=0x61a540, filename=0x615c50 "id000003.mng", exception=0x614d00)
    at /home/test/test/imagemagick/master/src/MagickCore/constitute.c:870
#6  0x00007ffff721840e in ConvertImageCommand (image_info=0x61a540, argc=3, argv=0x615b90, metadata=0x7fffffffbcc0, exception=0x614d00)
    at /home/test/test/imagemagick/master/src/MagickWand/convert.c:641
#7  0x00007ffff72eb052 in MagickCommandGenesis (image_info=0x617250, command=0x400fb0 <ConvertImageCommand@plt>, argc=3, argv=0x7fffffffe038, metadata=0x0, 
    exception=0x614d00) at /home/test/test/imagemagick/master/src/MagickWand/mogrify.c:183
#8  0x0000000000401311 in MagickMain (argc=3, argv=0x7fffffffe038) at /home/test/test/imagemagick/master/src/utilities/magick.c:149
#9  0x0000000000401448 in main (argc=3, argv=0x7fffffffe038) at /home/test/test/imagemagick/master/src/utilities/magick.c:180

imagemagick_7-0-7_convert_infinite-loop_ReadOneMNGImage.mng.zip
@nohmask
Copy link

nohmask commented Apr 17, 2018

This was assigned CVE-2018-10177.

dlemstra pushed a commit that referenced this issue Apr 17, 2018
Fixed infinite loop (#1095).
9fdda63
@dlemstra dlemstra added the bug label Apr 17, 2018
@dlemstra
Copy link
Member

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@bastien-roucaries
Copy link

Do you have the im6 commit ?

@dlemstra
Copy link
Member

ImageMagick/ImageMagick6@9eda4b3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Milestone
No milestone
Development

No branches or pull requests
4 participants
@bastien-roucaries @dlemstra @nohmask @traceprobe