(image->rows-y-1)*bytes_per_line may be much larger than dib_info.image_size, it will cause an out-of-bounds write bug in line 1304 of coders/dib.c
To reproduce this problem:
```
$ ./magick convert ./poc output.dib
ASAN:DEADLYSIGNAL
=================================================================
==67068==ERROR: AddressSanitizer: SEGV on unknown address 0x7f8b1c500000 (pc 0x7f8a2b95b4d7 bp 0x7ffd6d84e630 sp 0x7ffd6d84e4c0 T0)
==67068==The signal is caused by a WRITE memory access.
    #0 0x7f8a2b95b4d6 in WriteDIBImage coders/dib.c:1304
    #1 0x7f8a2b4f6a40 in WriteImage MagickCore/constitute.c:1124
    #2 0x7f8a2b4f771f in WriteImages MagickCore/constitute.c:1338
    #3 0x7f8a2ad15ba9 in ConvertImageCommand MagickWand/convert.c:3280
    #4 0x7f8a2ae1a1db in MagickCommandGenesis MagickWand/mogrify.c:183
    #5 0x557166df5ec0 in MagickMain utilities/magick.c:149
    #6 0x557166df6146 in main utilities/magick.c:180
    #7 0x7f8a2a578b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x557166df5939 in _start (/home/zm/workspace/ImageMagick/utilities/.libs/magick+0x1939)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV coders/dib.c:1304 in WriteDIBImage
==67068==ABORTING
```
Debugging information:
```
Breakpoint 1, WriteDIBImage (image_info=0x627000042900, image=0x627000026900,
    exception=0x60600000ddc0) at coders/dib.c:1301
1301      q=pixels+(image->rows-y-1)*bytes_per_line;
(gdb) p dib_info.image_size
$1 = 433805204
(gdb) p (image->rows-y-1)*bytes_per_line
$2 = 4728576000
(gdb)
```
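The gdb session shows the 64-bit row offset (4728576000, already above 2^32) exceeding the buffer size the writer trusts (433805204). As an added example that is not ImageMagick's code, the following hypothetical helpers (dib_row_fits, dib_image_fits) show the overflow-safe bounds check a DIB writer needs before the row loop, using the sizes from the session above as constructed inputs:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical check (not ImageMagick's code): does row y of a bottom-up DIB
 * with `rows` rows, each `bytes_per_line` bytes, lie entirely inside a pixel
 * buffer of `image_size` bytes?  All arithmetic is 64-bit with explicit
 * overflow guards, so a huge rows*bytes_per_line cannot wrap to a small value. */
bool dib_row_fits(uint64_t rows, uint64_t y, uint64_t bytes_per_line,
                  uint64_t image_size)
{
    if (y >= rows || bytes_per_line == 0)
        return false;
    uint64_t row_index = rows - y - 1;           /* same offset formula as dib.c:1301 */
    if (row_index > UINT64_MAX / bytes_per_line) /* row_index*bytes_per_line would overflow */
        return false;
    uint64_t offset = row_index * bytes_per_line;
    if (offset > UINT64_MAX - bytes_per_line)    /* offset+bytes_per_line would overflow */
        return false;
    return offset + bytes_per_line <= image_size;
}

/* Whole-image variant: verify once, before the row loop, that every row fits,
 * instead of trusting a possibly truncated dib_info.image_size. */
bool dib_image_fits(uint64_t rows, uint64_t bytes_per_line, uint64_t image_size)
{
    if (rows == 0 || bytes_per_line == 0 || rows > UINT64_MAX / bytes_per_line)
        return false;
    return rows * bytes_per_line <= image_size;
}

int main(void)
{
    /* Constructed inputs reproducing the numbers from the gdb session:
     * image_size = 433805204, row offset = 1182144 * 4000 = 4728576000 (> 2^32). */
    const uint64_t image_size = 433805204ULL;
    printf("crashing row fits: %s\n",
           dib_row_fits(1182145, 0, 4000, image_size) ? "yes" : "no"); /* no */
    printf("small image fits:  %s\n",
           dib_image_fits(100, 400, 40000) ? "yes" : "no");            /* yes */
    return 0;
}
```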
Description
Similar to #1177, the handling of dib_info.image_size in coders/dib.c may lead to an out-of-bounds write.
Steps to Reproduce
See the reproduction command, AddressSanitizer report and debugging information above.
POC
poc.zip
System Configuration
Credit:
Zongming Wang from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.