Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

There is a potential out-of-bound write bug in function InsertRow (coders/cut.c). #1162

Closed
Young-X opened this issue Jun 1, 2018 · 2 comments
Labels

Comments

@Young-X
Copy link

Young-X commented Jun 1, 2018

Prerequisites

  • [ Y] I have written a descriptive issue title
  • [ Y] I have verified that I am using the latest version of ImageMagick
  • [ Y] I have searched open and closed issues to ensure it has not already been reported

Description

There is a vulnerability named CVE-2016-7526. Below is the detailed information about the vulnerability.
DESCRIPTION of CVE-2016-7526
coders/wpg.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted file.
ISSUE of CVE-2016-7526
#102
PATCH of CVE-2016-7526
b6ae2f9
d9b2209

As we can see from the patch information, there was a fix in InsertRow in coders/wpg.c. And it is similar to InsertRow in coders/cuts.c.

 -        for (x=0; x < ((ssize_t) image->columns-1); x+=2)
 +        for (x=0; x < ((ssize_t) image->columns-1); x+=4)

(b6ae2f9)

         if (q == (PixelPacket *) NULL)
            break;
          indexes=GetAuthenticIndexQueue(image);
 -        for (x=0; x < ((ssize_t) image->columns-1); x+=4)
 +        for (x=0; x < ((ssize_t) image->columns-3); x+=4)
          {
              index=ConstrainColormapIndex(image,(*p >> 6) & 0x3);
              SetPixelIndex(indexes+x,index);
 @@ -342,24 +342,22 @@ static void InsertRow(unsigned char *p,ssize_t y,Image *image, int bpp)
              index=ConstrainColormapIndex(image,(*p) & 0x3);
              SetPixelIndex(indexes+x+1,index);
              SetPixelRGBO(q,image->colormap+(ssize_t) index);
 -            p++;
              q++;
 +            p++;
          }
         if ((image->columns % 4) != 0)
            {
              index=ConstrainColormapIndex(image,(*p >> 6) & 0x3);
              SetPixelIndex(indexes+x,index);
              SetPixelRGBO(q,image->colormap+(ssize_t) index);
              q++;
 -            if ((image->columns % 4) >= 1)
 -
 +            if ((image->columns % 4) > 1)
                {
                  index=ConstrainColormapIndex(image,(*p >> 4) & 0x3);
                  SetPixelIndex(indexes+x,index);
                  SetPixelRGBO(q,image->colormap+(ssize_t) index);
                  q++;
 -                if ((image->columns % 4) >= 2)
 -
 +                if ((image->columns % 4) > 2)

d9b2209

140: for (x=0; x < ((ssize_t) image->columns-1); x+=2)
(https://github.com/ImageMagick/ImageMagick/blob/master/coders/cut.c)

So, I think there should be a fix in InserRow in coders/cut.c.

Steps to Reproduce

System Configuration

  • ImageMagick version:
  • Environment (Operating system, version and so on):
  • Additional information:
urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Jun 2, 2018
@urban-warrior
Copy link
Contributor

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@nohmask
Copy link

nohmask commented Sep 7, 2018

This was assigned CVE-2018-16642.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Development

No branches or pull requests

4 participants