Infinite loop in ReadOneMNGImage (src/coders/png.c) #1095

Closed
traceprobe opened this Issue Apr 16, 2018 · 4 comments

traceprobe commented Apr 16, 2018

Commit: 11a3594

Description

In the latest commit of ImageMagick, there is an infinite loop in the ReadOneMNGImage function of the src/coders/png.c file, which can be triggered by the attached POC.

The issue is in the following loop; it seems that image_info is never updated inside the loop (line 7428).

5244 static Image *ReadOneMNGImage(MngInfo *mng_info, const ImageInfo *image_info,
5245   ExceptionInfo *exception)
5246 {
...
5388   do
5389   {
...
7428   } while (LocaleCompare(image_info->magick,"MNG") == 0);

Steps to Reproduce

  1. Install libpng;
  2. check out commit 11a3594 of ImageMagick;
  3. compile ImageMagick and run: ./bin/convert $POC /tmp/null.png

System Configuration

  • ImageMagick version: 11a3594
  • Environment (Operating system, version and so on): Linux test 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Stack Trace:

#0  0x00007ffff6cafc34 in __GI___fxstat (vers=<optimized out>, fd=3, buf=0x632ac8) at ../sysdeps/unix/sysv/linux/wordsize-64/fxstat.c:35
#1  0x00007ffff765af9d in GetBlobSize (image=0x62ca40) at /home/test/test/imagemagick/master/src/MagickCore/blob.c:1715
#2  0x00007ffff79d8a37 in ReadOneMNGImage (mng_info=0x637380, image_info=0x620b90, exception=0x614d00)
    at /home/test/test/imagemagick/master/src/coders/png.c:5422
#3  0x00007ffff79e0123 in ReadMNGImage (image_info=0x620b90, exception=0x614d00) at /home/test/test/imagemagick/master/src/coders/png.c:7711
#4  0x00007ffff76a1d0c in ReadImage (image_info=0x61d830, exception=0x614d00) at /home/test/test/imagemagick/master/src/MagickCore/constitute.c:500
#5  0x00007ffff76a340b in ReadImages (image_info=0x61a540, filename=0x615c50 "id000003.mng", exception=0x614d00)
    at /home/test/test/imagemagick/master/src/MagickCore/constitute.c:870
#6  0x00007ffff721840e in ConvertImageCommand (image_info=0x61a540, argc=3, argv=0x615b90, metadata=0x7fffffffbcc0, exception=0x614d00)
    at /home/test/test/imagemagick/master/src/MagickWand/convert.c:641
#7  0x00007ffff72eb052 in MagickCommandGenesis (image_info=0x617250, command=0x400fb0 <ConvertImageCommand@plt>, argc=3, argv=0x7fffffffe038, metadata=0x0, 
    exception=0x614d00) at /home/test/test/imagemagick/master/src/MagickWand/mogrify.c:183
#8  0x0000000000401311 in MagickMain (argc=3, argv=0x7fffffffe038) at /home/test/test/imagemagick/master/src/utilities/magick.c:149
#9  0x0000000000401448 in main (argc=3, argv=0x7fffffffe038) at /home/test/test/imagemagick/master/src/utilities/magick.c:180

imagemagick_7-0-7_convert_infinite-loop_ReadOneMNGImage.mng.zip
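The loop shape this report describes, modelled as an added example in C. This is not ImageMagick's code, not the attached POC and not the eventual fix; the chunk layout follows the public MNG/PNG chunk format ([4-byte big-endian length][4-byte type][data][4-byte CRC] after an 8-byte signature), the function and type names (`read_mng_chunks`, `blob_read`, `Blob`) are hypothetical stand-ins for the reader's equivalents, and the two byte arrays are constructed sample input. The `magick` argument plays the role of `image_info->magick`: nothing in the loop body changes it, so the `do/while` condition can only be left through a `break`, and a truncated or corrupt stream that never delivers the `MEND` chunk spins forever unless the body treats a short read or an oversized length as a stopping condition.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input (not the attached POC): an 8-byte MNG signature
   followed by chunks laid out as [4-byte big-endian length][4-byte type]
   [data][4-byte CRC]. CRC bytes are zero because this model never checks them. */
static const uint8_t kWellFormed[] = {
    0x8A, 'M', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,            /* signature */
    0, 0, 0, 4, 'M', 'H', 'D', 'R', 0, 0, 0, 1, 0, 0, 0, 0, /* MHDR, 4 data bytes, CRC */
    0, 0, 0, 0, 'M', 'E', 'N', 'D', 0, 0, 0, 0              /* MEND, no data, CRC */
};
/* Same signature, then a chunk whose declared length exceeds the whole blob. */
static const uint8_t kOversized[] = {
    0x8A, 'M', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0x7F, 0xFF, 0xFF, 0xFF, 'M', 'H', 'D', 'R', 0, 0, 0, 1
};

typedef struct { const uint8_t *data; size_t len, pos; } Blob;

/* Hypothetical stand-in for a ReadBlob()-style call: copies up to n bytes
   and returns how many were actually available (0 at end of input). */
static size_t blob_read(Blob *b, void *out, size_t n) {
    size_t avail = b->len - b->pos;
    if (n > avail) n = avail;
    memcpy(out, b->data + b->pos, n);
    b->pos += n;
    return n;
}

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

enum { RESULT_LOOP_CAP_HIT = -1, RESULT_CORRUPT = -2 };

/* Walks the chunk stream and returns the number of chunks read.
   `magick` models image_info->magick: the caller sets it and the loop body
   never touches it, so `while (strcmp(magick, "MNG") == 0)` is left only
   by a break. With hardened == 0 the only break is an MEND chunk; once the
   blob is exhausted every read returns 0 bytes, `type` stays "errr", and the
   loop spins. With hardened != 0 a short read or a declared length larger
   than the remaining blob ends the loop as corrupt input. max_iters exists
   only so a test can show the buggy variant would not terminate; a real
   reader must not rely on such a cap. */
int read_mng_chunks(const uint8_t *buf, size_t len, const char *magick,
                    int hardened, size_t max_iters) {
    Blob b = { buf, len, 0 };
    uint8_t sig[8];
    int chunks = 0;
    size_t iters = 0;

    if (blob_read(&b, sig, sizeof sig) != sizeof sig) return RESULT_CORRUPT;

    do {
        uint8_t lenbuf[4], crc[4];
        char type[5] = "errr";
        uint32_t length;
        size_t count, remaining;

        if (++iters > max_iters) return RESULT_LOOP_CAP_HIT;

        count = blob_read(&b, lenbuf, sizeof lenbuf);
        length = (count == sizeof lenbuf) ? be32(lenbuf) : 0;
        count = blob_read(&b, type, 4);            /* short read leaves "errr" */
        remaining = b.len - b.pos;
        if (hardened) {
            if (count != 4) return RESULT_CORRUPT;          /* end of blob: no progress possible */
            if (length > remaining) return RESULT_CORRUPT;  /* chunk cannot fit in the blob */
        }
        /* Skip data and CRC. On the buggy path a truncated blob yields zero
           bytes here and the unchanged loop condition is evaluated again. */
        b.pos += (length <= remaining) ? length : remaining;
        (void) blob_read(&b, crc, sizeof crc);
        if (count == 4) chunks++;
        if (memcmp(type, "MEND", 4) == 0) break;
    } while (strcmp(magick, "MNG") == 0);

    return chunks;
}

int main(void) {
    printf("well-formed, buggy:    %d\n", read_mng_chunks(kWellFormed, sizeof kWellFormed, "MNG", 0, 1000));
    printf("well-formed, hardened: %d\n", read_mng_chunks(kWellFormed, sizeof kWellFormed, "MNG", 1, 1000));
    printf("truncated, buggy:      %d\n", read_mng_chunks(kWellFormed, 20, "MNG", 0, 1000));
    printf("truncated, hardened:   %d\n", read_mng_chunks(kWellFormed, 20, "MNG", 1, 1000));
    printf("oversized, buggy:      %d\n", read_mng_chunks(kOversized, sizeof kOversized, "MNG", 0, 1000));
    printf("oversized, hardened:   %d\n", read_mng_chunks(kOversized, sizeof kOversized, "MNG", 1, 1000));
    return 0;
}
```

The point a reviewer would take from this: a loop that consumes an external stream must either make progress on every iteration or leave, and a loop condition on caller-supplied state that the body never modifies gives the parser no way out on its own. The check belongs in the body, on the result of each read and on the declared length against the bytes still available, not on a retry cap. When reproducing reports like this one, run the command under `timeout` (for example `timeout 10 ./bin/convert $POC /tmp/null.png`) so a hang is reported as a timeout instead of a stuck shell.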

nohmask commented Apr 17, 2018

This was assigned CVE-2018-10177.

dlemstra added a commit that referenced this issue Apr 17, 2018

@dlemstra dlemstra added the bug label Apr 17, 2018

dlemstra (Member) commented Apr 17, 2018

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@dlemstra dlemstra closed this Apr 17, 2018

bastien-roucaries commented Jun 20, 2018

Do you have the im6 commit?

dlemstra (Member) commented Jun 21, 2018
