(image->rows-y-1)*bytes_per_line may be much larger than bmp_info.image_size, which will cause an out-of-bounds write bug in line 2061 of coders/bmp.c
To reproduce this problem:
$ ./magick convert ./poc output.bmp
ASAN:DEADLYSIGNAL
=================================================================
==67082==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6c2daff800 (pc 0x7f6b3cfcc33b bp 0x7ffd57579e40 sp 0x7ffd57579c20 T0)
==67082==The signal is caused by a WRITE memory access.
#0 0x7f6b3cfcc33a in WriteBMPImage coders/bmp.c:2061
#1 0x7f6b3cbb2a40 in WriteImage MagickCore/constitute.c:1124
#2 0x7f6b3cbb371f in WriteImages MagickCore/constitute.c:1338
#3 0x7f6b3c3d1ba9 in ConvertImageCommand MagickWand/convert.c:3280
#4 0x7f6b3c4d61db in MagickCommandGenesis MagickWand/mogrify.c:183
#5 0x5610a1e0cec0 in MagickMain utilities/magick.c:149
#6 0x5610a1e0d146 in main utilities/magick.c:180
#7 0x7f6b3bc34b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#8 0x5610a1e0c939 in _start (/home/zm/workspace/ImageMagick/utilities/.libs/magick+0x1939)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV coders/bmp.c:2061 in WriteBMPImage
==67082==ABORTING
Debugging information:
Breakpoint 1, WriteBMPImage (image_info=0x627000042900, image=0x627000026900,
exception=0x60600000ddc0) at coders/bmp.c:2058
2058 q=pixels+(image->rows-y-1)*bytes_per_line;
(gdb) p bmp_info.image_size
$1 = 433805204
(gdb) p (image->rows-y-1)*bytes_per_line
$2 = 4728576000
(gdb)
POC: poc.zip
Credit:
Zongming Wang from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.
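The missing check behind this report, as an added example that is not ImageMagick's own code: a hypothetical helper that computes the bottom-up row offset (rows - y - 1) * bytes_per_line and refuses it unless the whole scanline fits inside the image_size bytes actually allocated; the dimensions in main() are constructed, the 433805204-byte buffer size is the value gdb printed above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper, not ImageMagick's own code. Compute the byte offset of
 * scanline `y` in a bottom-up BMP pixel buffer, (rows - y - 1) * bytes_per_line,
 * and accept it only if the entire scanline lies inside the image_size bytes
 * allocated for the buffer. Returns 1 and stores the offset on success, 0 when
 * the row index is out of range, the multiplication overflows, or the row would
 * end past image_size (the condition that leads to the out-of-bounds write). */
int bmp_row_offset(size_t image_size, size_t rows, size_t y,
                   size_t bytes_per_line, size_t *offset)
{
    if (offset == NULL || y >= rows || bytes_per_line == 0)
        return 0;
    size_t row_index = rows - y - 1;            /* no underflow: y < rows */
    if (row_index > SIZE_MAX / bytes_per_line)  /* overflow-safe multiply */
        return 0;
    size_t start = row_index * bytes_per_line;
    /* Require start + bytes_per_line <= image_size, written without overflow. */
    if (bytes_per_line > image_size || start > image_size - bytes_per_line)
        return 0;
    *offset = start;
    return 1;
}

/* Returns 1 if every scanline of a rows x bytes_per_line image fits in an
 * image_size byte buffer. In a bottom-up layout row y = 0 has the highest
 * offset, so checking it covers all rows; y = rows - 1 must land at offset 0. */
int bmp_layout_fits(size_t image_size, size_t rows, size_t bytes_per_line)
{
    size_t first, last;
    return rows > 0 &&
           bmp_row_offset(image_size, rows, 0, bytes_per_line, &first) &&
           bmp_row_offset(image_size, rows, rows - 1, bytes_per_line, &last) &&
           last == 0;
}

int main(void)
{
    /* Constructed dimensions: row 0 would start at 999 * 4728576 bytes, far
     * beyond the 433805204-byte buffer size printed by gdb in this report. */
    size_t image_size = 433805204, rows = 1000, bytes_per_line = 4728576, off;
    int ok = bmp_row_offset(image_size, rows, 0, bytes_per_line, &off);
    printf("row 0: %s\n", ok ? "in bounds" : "rejected, would write out of bounds");
    /* A consistent header: 4 rows of 16 bytes in a 64-byte buffer. */
    printf("4x16 rows in 64 bytes fits: %d\n", bmp_layout_fits(64, 4, 16));
    return 0;
}
```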