Environment (Operating system, version and so on): Linux test 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Stack Trace:
#0 0x00007ffff6cafc34 in __GI___fxstat (vers=<optimized out>, fd=3, buf=0x632ac8) at ../sysdeps/unix/sysv/linux/wordsize-64/fxstat.c:35
#1 0x00007ffff765af9d in GetBlobSize (image=0x62ca40) at /home/test/test/imagemagick/master/src/MagickCore/blob.c:1715
#2 0x00007ffff79d8a37 in ReadOneMNGImage (mng_info=0x637380, image_info=0x620b90, exception=0x614d00)
at /home/test/test/imagemagick/master/src/coders/png.c:5422
#3 0x00007ffff79e0123 in ReadMNGImage (image_info=0x620b90, exception=0x614d00) at /home/test/test/imagemagick/master/src/coders/png.c:7711
#4 0x00007ffff76a1d0c in ReadImage (image_info=0x61d830, exception=0x614d00) at /home/test/test/imagemagick/master/src/MagickCore/constitute.c:500
#5 0x00007ffff76a340b in ReadImages (image_info=0x61a540, filename=0x615c50 "id000003.mng", exception=0x614d00)
at /home/test/test/imagemagick/master/src/MagickCore/constitute.c:870
#6 0x00007ffff721840e in ConvertImageCommand (image_info=0x61a540, argc=3, argv=0x615b90, metadata=0x7fffffffbcc0, exception=0x614d00)
at /home/test/test/imagemagick/master/src/MagickWand/convert.c:641
#7 0x00007ffff72eb052 in MagickCommandGenesis (image_info=0x617250, command=0x400fb0 <ConvertImageCommand@plt>, argc=3, argv=0x7fffffffe038, metadata=0x0,
exception=0x614d00) at /home/test/test/imagemagick/master/src/MagickWand/mogrify.c:183
#8 0x0000000000401311 in MagickMain (argc=3, argv=0x7fffffffe038) at /home/test/test/imagemagick/master/src/utilities/magick.c:149
#9 0x0000000000401448 in main (argc=3, argv=0x7fffffffe038) at /home/test/test/imagemagick/master/src/utilities/magick.c:180
Commit: 11a3594
Description
In the latest commit of ImageMagick, there is an infinite loop in the ReadOneMNGImage function of the src/coders/png.c file, which could be triggered by the attached POC.
The issue is in the following loop; it seems that image_info is never updated inside the loop (line 7428).
5244 static Image *ReadOneMNGImage(MngInfo *mng_info, const ImageInfo *image_info,
5245   ExceptionInfo *exception)
5246 {
...
5388   do
5389   {
...
7428   } while (LocaleCompare(image_info->magick,"MNG") == 0);
Steps to Reproduce
imagemagick_7-0-7_convert_infinite-loop_ReadOneMNGImage.mng.zip
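To make the loop shape in the report concrete, here is an added model (not ImageMagick's code, and not its eventual fix): a do/while whose only exit test is a field the loop never writes, beside a variant that also stops when the reader reaches the end of the input or makes no progress. Blob, ImageInfo, read_chunk and the 8-byte sample blob are constructed stand-ins for this example, not MagickCore types.

```c
#include <stddef.h>
#include <string.h>
/* Hypothetical stand-ins (constructed for this example, not MagickCore's
 * types): an input blob with a read offset, and an ImageInfo holding only
 * the field the reported loop condition reads. */
typedef struct { const unsigned char *data; size_t size, offset; } Blob;
typedef struct { char magick[16]; } ImageInfo;
/* Read one 4-byte chunk tag; returns 0 once the blob is exhausted. */
static int read_chunk(Blob *b, char tag[5]) {
    if (b->size - b->offset < 4) return 0;
    memcpy(tag, b->data + b->offset, 4);
    tag[4] = '\0';
    b->offset += 4;
    return 1;
}
/* Shape of the loop in the report: the exit test depends only on
 * info->magick, which nothing in the loop changes, so once the blob is
 * exhausted the loop spins. max_iters is a harness cap so the model
 * terminates; returning -1 stands in for "hangs forever". */
static int loop_as_reported(const ImageInfo *info, Blob *blob, int max_iters) {
    int iters = 0;
    char tag[5];
    do {
        (void) read_chunk(blob, tag);        /* result ignored: no EOF handling */
        if (++iters >= max_iters) return -1;
    } while (strcmp(info->magick, "MNG") == 0);
    return iters;
}
/* Guarded form: also stop on EOF or when the reader makes no progress,
 * whatever info->magick says, so a truncated or hostile file cannot spin it. */
static int loop_with_eof_guard(const ImageInfo *info, Blob *blob, int max_iters) {
    int iters = 0;
    char tag[5];
    do {
        size_t before = blob->offset;
        if (!read_chunk(blob, tag) || blob->offset == before) break;
        if (++iters >= max_iters) return -1;
    } while (strcmp(info->magick, "MNG") == 0);
    return iters;
}
/* Run either variant over a constructed 8-byte blob (two chunk tags). */
static int run_model(int guarded) {
    static const unsigned char sample[] = "MHDRIEND";
    Blob blob = { sample, 8, 0 };
    ImageInfo info;
    strcpy(info.magick, "MNG");
    return guarded ? loop_with_eof_guard(&info, &blob, 1000)   /* 2 */
                   : loop_as_reported(&info, &blob, 1000);     /* -1 */
}
```

Running the unguarded model hits the iteration cap (the stand-in for a hang), while the guarded one returns after consuming the two chunks; in a fuzzing harness, a timeout on the same input is the signal to look for a loop condition that the loop body cannot change.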