In the latest commit of ImageMagick, there is an infinite loop in the ReadOneMNGImage function of src/coders/png.c, which can be triggered by the attached POC.
The issue is in the loop shown below under Description; it seems that image_info is never updated inside the loop (line 7428).
Environment (Operating system, version and so on): Linux test 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Stack Trace:
#0 0x00007ffff6cafc34 in __GI___fxstat (vers=<optimized out>, fd=3, buf=0x632ac8) at ../sysdeps/unix/sysv/linux/wordsize-64/fxstat.c:35
#1 0x00007ffff765af9d in GetBlobSize (image=0x62ca40) at /home/test/test/imagemagick/master/src/MagickCore/blob.c:1715
#2 0x00007ffff79d8a37 in ReadOneMNGImage (mng_info=0x637380, image_info=0x620b90, exception=0x614d00)
at /home/test/test/imagemagick/master/src/coders/png.c:5422
#3 0x00007ffff79e0123 in ReadMNGImage (image_info=0x620b90, exception=0x614d00) at /home/test/test/imagemagick/master/src/coders/png.c:7711
#4 0x00007ffff76a1d0c in ReadImage (image_info=0x61d830, exception=0x614d00) at /home/test/test/imagemagick/master/src/MagickCore/constitute.c:500
#5 0x00007ffff76a340b in ReadImages (image_info=0x61a540, filename=0x615c50 "id000003.mng", exception=0x614d00)
at /home/test/test/imagemagick/master/src/MagickCore/constitute.c:870
#6 0x00007ffff721840e in ConvertImageCommand (image_info=0x61a540, argc=3, argv=0x615b90, metadata=0x7fffffffbcc0, exception=0x614d00)
at /home/test/test/imagemagick/master/src/MagickWand/convert.c:641
#7 0x00007ffff72eb052 in MagickCommandGenesis (image_info=0x617250, command=0x400fb0 <ConvertImageCommand@plt>, argc=3, argv=0x7fffffffe038, metadata=0x0,
exception=0x614d00) at /home/test/test/imagemagick/master/src/MagickWand/mogrify.c:183
#8 0x0000000000401311 in MagickMain (argc=3, argv=0x7fffffffe038) at /home/test/test/imagemagick/master/src/utilities/magick.c:149
#9 0x0000000000401448 in main (argc=3, argv=0x7fffffffe038) at /home/test/test/imagemagick/master/src/utilities/magick.c:180
Commit: 11a3594
Description
5244 static Image *ReadOneMNGImage(MngInfo *mng_info, const ImageInfo *image_info,
5245   ExceptionInfo *exception)
5246 {
...
5388   do
5389   {
...
7428   } while (LocaleCompare(image_info->magick,"MNG") == 0);
Steps to Reproduce
POC (attached): imagemagick_7-0-7_convert_infinite-loop_ReadOneMNGImage.mng.zip
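As an added example (this is neither ImageMagick's code nor the reporter's POC), here is the loop shape the description points at, written in C next to a version that terminates. The chunk layout (4-byte big-endian length, 4-byte type, data, 4-byte CRC), the blob_read helper, the demonstration-only budget cap and the sample byte strings are all assumptions constructed for the demo, not taken from the report or from png.c.

```c
/* Added example, not ImageMagick's code: a minimal MNG-style chunk reader in
 * two shapes. read_chunks_unbounded() mirrors the loop in the report (the
 * exit test looks only at `magick`, which the loop never changes);
 * read_chunks_checked() stops on truncation or an impossible length.
 * Assumed layout per chunk: 4-byte big-endian length, 4-byte type, data,
 * 4-byte CRC (not verified). All input buffers below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct blob { const uint8_t *data; size_t len, pos; };

/* Blob read: copies up to n bytes, returns how many were actually there
 * (0 once the blob is exhausted). */
static size_t blob_read(struct blob *b, uint8_t *out, size_t n)
{
    size_t avail = b->len - b->pos;
    if (n > avail) n = avail;
    memcpy(out, b->data + b->pos, n);
    b->pos += n;
    return n;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Vulnerable shape: a short read is not an exit condition, and the do/while
 * test only consults `magick`, so a stream that ends before MEND spins on
 * zero-byte reads. `budget` exists only for the demo: -1 means it was hit
 * (the real loop would never return), otherwise the chunks consumed. */
static int read_chunks_unbounded(struct blob *b, const char *magick, int budget)
{
    int chunks = 0;
    do {
        uint8_t hdr[8];
        char type[5] = {0};
        uint32_t length = 0;
        if (budget-- == 0) return -1;
        if (blob_read(b, hdr, sizeof hdr) == sizeof hdr) {
            length = be32(hdr);
            memcpy(type, hdr + 4, 4);
        }
        b->pos += (size_t)length + 4;            /* skip data and CRC */
        if (b->pos > b->len) b->pos = b->len;    /* clamp at end of blob */
        chunks++;
        if (memcmp(type, "MEND", 4) == 0) break;
    } while (strcmp(magick, "MNG") == 0);
    return chunks;
}

/* Hardened: each read is checked, a chunk cannot claim more than remains,
 * and end-of-blob without MEND is -1. Returns chunks up to and including MEND. */
static int read_chunks_checked(struct blob *b, const char *magick)
{
    int chunks = 0;
    if (strcmp(magick, "MNG") != 0) return -2;   /* wrong decoder for this stream */
    for (;;) {
        uint8_t hdr[8];
        size_t remaining;
        uint32_t length;
        if (blob_read(b, hdr, sizeof hdr) != sizeof hdr) return -1;  /* truncated */
        length = be32(hdr);
        remaining = b->len - b->pos;
        if (length > remaining || remaining - length < 4) return -1;  /* overrun */
        b->pos += length + 4;
        chunks++;
        if (memcmp(hdr + 4, "MEND", 4) == 0) return chunks;
    }
}

/* Constructed streams: signature, a 4-byte MHDR-typed chunk, then MEND.
 * Dropping the last 12 bytes of well_formed removes the MEND chunk. */
static const uint8_t well_formed[] = {
    0x8a, 'M', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a,
    0, 0, 0, 4, 'M', 'H', 'D', 'R', 1, 2, 3, 4, 0, 0, 0, 0,
    0, 0, 0, 0, 'M', 'E', 'N', 'D', 0, 0, 0, 0 };
/* Constructed: a single header whose length field exceeds the stream. */
static const uint8_t oversized[] = {
    0x8a, 'M', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a,
    0xff, 0xff, 0xff, 0xf0, 'M', 'H', 'D', 'R' };

static int run_unbounded(const uint8_t *data, size_t len, int budget)
{
    struct blob b = { data, len, 8 };            /* start past the signature */
    if (len < 8) return -1;
    return read_chunks_unbounded(&b, "MNG", budget);
}

static int run_checked(const uint8_t *data, size_t len)
{
    struct blob b = { data, len, 8 };
    if (len < 8) return -1;
    return read_chunks_checked(&b, "MNG");
}

int main(void)
{
    printf("well-formed: unbounded=%d checked=%d\n",
           run_unbounded(well_formed, sizeof well_formed, 1000),
           run_checked(well_formed, sizeof well_formed));
    printf("truncated:   unbounded=%d checked=%d\n",
           run_unbounded(well_formed, sizeof well_formed - 12, 1000),
           run_checked(well_formed, sizeof well_formed - 12));
    return 0;
}
```

On the well-formed stream both readers count two chunks. On the truncated stream the unbounded reader keeps going until the demo budget runs out (it would never return without it), while the checked reader returns -1 on the first short read; the oversized-length header is rejected the same way, so the loop's exit no longer depends on a value the loop never touches.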