Closed
Description
Prerequisites
- [ Y] I have written a descriptive issue title
- [ Y] I have verified that I am using the latest version of ImageMagick
- [ Y] I have searched open and closed issues to ensure it has not already been reported
Description
There is a vulnerability named CVE-2016-7526. Below is the detailed information about the vulnerability.
DESCRIPTION of CVE-2016-7526
coders/wpg.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted file.
ISSUE of CVE-2016-7526
#102
PATCH of CVE-2016-7526
b6ae2f9
d9b2209
As we can see from the patch information, there was a fix in InsertRow in coders/wpg.c. And it is similar to InsertRow in coders/cuts.c.
- for (x=0; x < ((ssize_t) image->columns-1); x+=2)
+ for (x=0; x < ((ssize_t) image->columns-1); x+=4)
(b6ae2f9)
if (q == (PixelPacket *) NULL)
break;
indexes=GetAuthenticIndexQueue(image);
- for (x=0; x < ((ssize_t) image->columns-1); x+=4)
+ for (x=0; x < ((ssize_t) image->columns-3); x+=4)
{
index=ConstrainColormapIndex(image,(*p >> 6) & 0x3);
SetPixelIndex(indexes+x,index);
@@ -342,24 +342,22 @@ static void InsertRow(unsigned char *p,ssize_t y,Image *image, int bpp)
index=ConstrainColormapIndex(image,(*p) & 0x3);
SetPixelIndex(indexes+x+1,index);
SetPixelRGBO(q,image->colormap+(ssize_t) index);
- p++;
q++;
+ p++;
}
if ((image->columns % 4) != 0)
{
index=ConstrainColormapIndex(image,(*p >> 6) & 0x3);
SetPixelIndex(indexes+x,index);
SetPixelRGBO(q,image->colormap+(ssize_t) index);
q++;
- if ((image->columns % 4) >= 1)
-
+ if ((image->columns % 4) > 1)
{
index=ConstrainColormapIndex(image,(*p >> 4) & 0x3);
SetPixelIndex(indexes+x,index);
SetPixelRGBO(q,image->colormap+(ssize_t) index);
q++;
- if ((image->columns % 4) >= 2)
-
+ if ((image->columns % 4) > 2)
140: for (x=0; x < ((ssize_t) image->columns-1); x+=2)
(https://github.com/ImageMagick/ImageMagick/blob/master/coders/cut.c)
So, I think there should be a fix in InserRow in coders/cut.c.
Steps to Reproduce
System Configuration
- ImageMagick version:
- Environment (Operating system, version and so on):
- Additional information: