Closed
Prerequisites
- [ Y ] I have written a descriptive issue title
- [ Y ] I have verified that I am using the latest version of ImageMagick
- [ Y ] I have searched open and closed issues to ensure it has not already been reported
Description
There are two missing checks for number_colors, in function ReadBMPImage of coders/bmp.c and ReadDIBImage of coders/dib.c, which may lead to an out-of-memory vulnerability.
```c
/* coders/bmp.c, ReadBMPImage(): number_colors is read from the file and not checked */
bmp_info.width=(ssize_t) ReadBlobLSBSignedLong(image);
bmp_info.height=(ssize_t) ReadBlobLSBSignedLong(image);
bmp_info.planes=ReadBlobLSBShort(image);
bmp_info.bits_per_pixel=ReadBlobLSBShort(image);
bmp_info.compression=ReadBlobLSBLong(image);
bmp_info.image_size=ReadBlobLSBLong(image);
bmp_info.x_pixels=ReadBlobLSBLong(image);
bmp_info.y_pixels=ReadBlobLSBLong(image);
bmp_info.number_colors=ReadBlobLSBLong(image);
bmp_info.colors_important=ReadBlobLSBLong(image);
```

```c
/* coders/dib.c, ReadDIBImage(): bits_per_pixel is validated, number_colors is not */
dib_info.width=ReadBlobLSBSignedLong(image);
dib_info.height=ReadBlobLSBSignedLong(image);
dib_info.planes=ReadBlobLSBShort(image);
dib_info.bits_per_pixel=ReadBlobLSBShort(image);
if (dib_info.bits_per_pixel > 32)
  ThrowReaderException(CorruptImageError,"ImproperImageHeader");
dib_info.compression=ReadBlobLSBLong(image);
dib_info.image_size=ReadBlobLSBLong(image);
dib_info.x_pixels=ReadBlobLSBLong(image);
dib_info.y_pixels=ReadBlobLSBLong(image);
dib_info.number_colors=ReadBlobLSBLong(image);
dib_info.colors_important=ReadBlobLSBLong(image);
if ((dib_info.bits_per_pixel != 1) && (dib_info.bits_per_pixel != 4) &&
    (dib_info.bits_per_pixel != 8) && (dib_info.bits_per_pixel != 16) &&
    (dib_info.bits_per_pixel != 24) && (dib_info.bits_per_pixel != 32))
  ThrowReaderException(CorruptImageError,"ImproperImageHeader");
```
The patch for bmp and dib is similar. Below is the proposed patch for bmp.c.
bmp_info.width=(ssize_t) ReadBlobLSBSignedLong(image);
bmp_info.height=(ssize_t) ReadBlobLSBSignedLong(image);
bmp_info.planes=ReadBlobLSBShort(image);
bmp_info.bits_per_pixel=ReadBlobLSBShort(image);
bmp_info.compression=ReadBlobLSBLong(image);
bmp_info.image_size=ReadBlobLSBLong(image);
bmp_info.x_pixels=ReadBlobLSBLong(image);
bmp_info.y_pixels=ReadBlobLSBLong(image);
bmp_info.number_colors=ReadBlobLSBLong(image);
+ if (bmp_info.number_colors > GetBlobSize(image))
+ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
bmp_info.colors_important=ReadBlobLSBLong(image);
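Review bot: the added check right after the number_colors read compares a count of colormap entries with GetBlobSize(image), which is a size in bytes, so a header can still claim several times more entries than the file can hold. Consider dividing the blob size by the per-entry size before comparing, and making the width of the comparison explicit, e.g. `if ((MagickSizeType) bmp_info.number_colors > GetBlobSize(image))`. The hunk also never relates number_colors to bmp_info.bits_per_pixel, which is read earlier in the same hunk, and since the description names ReadDIBImage as affected too, the dib.c change should be posted alongside this one.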
- ImageMagick version: latest version
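The missing bound on number_colors described in this report, as an added stand-alone C example; it is not ImageMagick code and not the reporter's patch, and it goes slightly further than the patch by comparing in palette entries and against the bit depth. It assumes a 40-byte BITMAPINFOHEADER and 4-byte palette entries; `InfoHeader`, `parse_info_header` and `check_sample` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>

/* Added illustration, not ImageMagick code; all names are hypothetical.
   Assumes a 40-byte BITMAPINFOHEADER and 4-byte palette entries. */
#define INFO_SIZE 40u
#define ENTRY_SIZE 4u

typedef struct {
  int32_t width, height;
  uint16_t planes, bits_per_pixel;
  uint32_t compression, image_size, x_pixels, y_pixels;
  uint32_t number_colors, colors_important;
} InfoHeader;

static uint32_t rd32(const uint8_t *p) {
  return p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* 0 = ok, -1 = truncated or wrong header size, -2 = number_colors too large. */
int parse_info_header(const uint8_t *buf, size_t len, InfoHeader *h) {
  if (len < INFO_SIZE || rd32(buf) != INFO_SIZE) return -1;
  h->width = (int32_t)rd32(buf + 4);
  h->height = (int32_t)rd32(buf + 8);
  h->planes = rd16(buf + 12);
  h->bits_per_pixel = rd16(buf + 14);
  h->compression = rd32(buf + 16);
  h->image_size = rd32(buf + 20);
  h->x_pixels = rd32(buf + 24);
  h->y_pixels = rd32(buf + 28);
  h->number_colors = rd32(buf + 32);
  h->colors_important = rd32(buf + 36);
  /* Compare in palette entries, not bytes, before any allocation. */
  if (h->number_colors > (len - INFO_SIZE) / ENTRY_SIZE) return -2;
  /* An indexed depth cannot address more than 2^bits colours. */
  if (h->bits_per_pixel <= 8 && h->number_colors > (1u << h->bits_per_pixel)) return -2;
  return 0;
}

/* Constructed sample: 8-bpp header claiming `colors` palette entries,
   followed by `palette_bytes` (<= 1024) zero bytes. */
int check_sample(uint32_t colors, size_t palette_bytes) {
  uint8_t buf[INFO_SIZE + 1024] = {0};
  InfoHeader h;
  buf[0] = INFO_SIZE; buf[12] = 1; buf[14] = 8;
  for (int i = 0; i < 4; i++) buf[32 + i] = (uint8_t)(colors >> (8 * i));
  return parse_info_header(buf, INFO_SIZE + palette_bytes, &h);
}
```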