You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
(image->rows-y-1)*bytes_per_line may be much larger than dib_info.image_size,it will cause an out of bounds write bug in line 1304 of coders/dib.c
To reproduce this problem:
$ ./magick convert ./poc output.dib
ASAN:DEADLYSIGNAL
=================================================================
==67068==ERROR: AddressSanitizer: SEGV on unknown address 0x7f8b1c500000 (pc 0x7f8a2b95b4d7 bp 0x7ffd6d84e630 sp 0x7ffd6d84e4c0 T0)
==67068==The signal is caused by a WRITE memory access.
#0 0x7f8a2b95b4d6 in WriteDIBImage coders/dib.c:1304
#1 0x7f8a2b4f6a40 in WriteImage MagickCore/constitute.c:1124
#2 0x7f8a2b4f771f in WriteImages MagickCore/constitute.c:1338
#3 0x7f8a2ad15ba9 in ConvertImageCommand MagickWand/convert.c:3280
#4 0x7f8a2ae1a1db in MagickCommandGenesis MagickWand/mogrify.c:183
#5 0x557166df5ec0 in MagickMain utilities/magick.c:149
#6 0x557166df6146 in main utilities/magick.c:180
#7 0x7f8a2a578b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#8 0x557166df5939 in _start (/home/zm/workspace/ImageMagick/utilities/.libs/magick+0x1939)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV coders/dib.c:1304 in WriteDIBImage
==67068==ABORTING
Debugging information:
Breakpoint 1, WriteDIBImage (image_info=0x627000042900, image=0x627000026900,
exception=0x60600000ddc0) at coders/dib.c:1301
1301 q=pixels+(image->rows-y-1)*bytes_per_line;
(gdb) p dib_info.image_size
$1 = 433805204
(gdb) p (image->rows-y-1)*bytes_per_line
$2 = 4728576000
(gdb)
Prerequisites
Description
Similar to #1177, the dib_info.image_size in coders/dib.c may cause an out of bounds write bug
Steps to Reproduce
(image->rows-y-1)*bytes_per_line may be much larger than dib_info.image_size,it will cause an out of bounds write bug in line 1304 of coders/dib.c
To reproduce this problem:
Debugging information:
POC
poc.zip
System Configuration
Credit:
Zongming Wang from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.
The text was updated successfully, but these errors were encountered: