Potential Out-of-memory in function ReadBMPImage of coders/bmp.c and ReadDIBImage of coders/dib.c. #1268

Closed
@YangY-Xiao

Prerequisites

  • [ Y ] I have written a descriptive issue title
  • [ Y ] I have verified that I am using the latest version of ImageMagick
  • [ Y ] I have searched open and closed issues to ensure it has not already been reported

Description

There are two missing checks for number_colors in function ReadBMPImage of coders/bmp.c and ReadDIBImage of coders/dib.c, which may lead to an out-of-memory vulnerability.

        /* coders/bmp.c, ReadBMPImage: number_colors is read and not bounded */
        bmp_info.width=(ssize_t) ReadBlobLSBSignedLong(image);
        bmp_info.height=(ssize_t) ReadBlobLSBSignedLong(image);
        bmp_info.planes=ReadBlobLSBShort(image);
        bmp_info.bits_per_pixel=ReadBlobLSBShort(image);
        bmp_info.compression=ReadBlobLSBLong(image);
        bmp_info.image_size=ReadBlobLSBLong(image);
        bmp_info.x_pixels=ReadBlobLSBLong(image);
        bmp_info.y_pixels=ReadBlobLSBLong(image);
        bmp_info.number_colors=ReadBlobLSBLong(image);
        bmp_info.colors_important=ReadBlobLSBLong(image);

  /* coders/dib.c, ReadDIBImage: bits_per_pixel is validated, number_colors is not */
  dib_info.width=ReadBlobLSBSignedLong(image);
  dib_info.height=ReadBlobLSBSignedLong(image);
  dib_info.planes=ReadBlobLSBShort(image);
  dib_info.bits_per_pixel=ReadBlobLSBShort(image);
  if (dib_info.bits_per_pixel > 32)
    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
  dib_info.compression=ReadBlobLSBLong(image);
  dib_info.image_size=ReadBlobLSBLong(image);
  dib_info.x_pixels=ReadBlobLSBLong(image);
  dib_info.y_pixels=ReadBlobLSBLong(image);
  dib_info.number_colors=ReadBlobLSBLong(image);
  dib_info.colors_important=ReadBlobLSBLong(image);
  if ((dib_info.bits_per_pixel != 1) && (dib_info.bits_per_pixel != 4) &&
      (dib_info.bits_per_pixel != 8) && (dib_info.bits_per_pixel != 16) &&
      (dib_info.bits_per_pixel != 24) && (dib_info.bits_per_pixel != 32))
    ThrowReaderException(CorruptImageError,"ImproperImageHeader");

The patch for bmp and dib is similar. Below is the proposed patch for bmp.c.

        bmp_info.width=(ssize_t) ReadBlobLSBSignedLong(image);
        bmp_info.height=(ssize_t) ReadBlobLSBSignedLong(image);
        bmp_info.planes=ReadBlobLSBShort(image);
        bmp_info.bits_per_pixel=ReadBlobLSBShort(image);
        bmp_info.compression=ReadBlobLSBLong(image);
        bmp_info.image_size=ReadBlobLSBLong(image);
        bmp_info.x_pixels=ReadBlobLSBLong(image);
        bmp_info.y_pixels=ReadBlobLSBLong(image);
        bmp_info.number_colors=ReadBlobLSBLong(image);
+      if (bmp_info.number_colors > GetBlobSize(image))
+          ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
        bmp_info.colors_important=ReadBlobLSBLong(image);
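
Review bot: The added check on bmp_info.number_colors compares a palette entry count with GetBlobSize(image), which is a size in bytes, so a count a little below the file size still passes although the file cannot hold that many palette entries. Consider scaling the count by the bytes each entry occupies before comparing, and casting both sides to one unsigned type so the comparison does not depend on implicit conversion of the value read by ReadBlobLSBLong. The two added lines are also indented differently from the surrounding statements, and the matching guard after dib_info.number_colors in ReadDIBImage is not shown here and needs the same review.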

  • ImageMagick version: latest version
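
An added example, not ImageMagick's code or the reporter's patch: a stand-alone bound on the palette count of a 40-byte BITMAPINFOHEADER, checked against both the bit depth and the bytes actually left in the file before any colormap would be allocated. The names check_palette and demo, the status codes, the in-memory buffer and the 4-bytes-per-entry palette are assumptions of this sketch, which is stricter than the patch above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { PAL_OK, PAL_TRUNCATED, PAL_BAD_DEPTH, PAL_TOO_MANY, PAL_NO_DATA };

/* hdr points at the info header; len is how many bytes of file remain from there. */
int check_palette(const uint8_t *hdr, size_t len, uint32_t *entries)
{
  uint32_t bpp, number_colors;
  if (len < 40)
    return PAL_TRUNCATED;
  bpp = (uint32_t) hdr[14] | ((uint32_t) hdr[15] << 8);
  number_colors = (uint32_t) hdr[32] | ((uint32_t) hdr[33] << 8) |
                  ((uint32_t) hdr[34] << 16) | ((uint32_t) hdr[35] << 24);
  if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
    return PAL_BAD_DEPTH;
  if (bpp <= 8) {
    if (number_colors > (1u << bpp))
      return PAL_TOO_MANY;            /* indexed image cannot use more than 2^bpp */
    if (number_colors == 0)
      number_colors = 1u << bpp;      /* 0 means a full palette */
  }
  /* 4 bytes per entry, in 64-bit math so the product cannot wrap. */
  if ((uint64_t) number_colors * 4 > (uint64_t) (len - 40))
    return PAL_NO_DATA;
  *entries = number_colors;           /* now safe to size a colormap from */
  return PAL_OK;
}

/* Build a constructed header followed by palette_bytes of data and check it. */
int demo(uint16_t bpp, uint32_t colors, size_t palette_bytes)
{
  static uint8_t file[40 + 1024];
  uint32_t entries = 0;
  memset(file, 0, sizeof(file));
  file[0] = 40;                                        /* header size field */
  file[14] = (uint8_t) bpp; file[15] = (uint8_t) (bpp >> 8);
  for (int i = 0; i < 4; i++)
    file[32 + i] = (uint8_t) (colors >> (8 * i));      /* number_colors, LSB first */
  if (palette_bytes > 1024) palette_bytes = 1024;      /* stay inside the sample buffer */
  return check_palette(file, 40 + palette_bytes, &entries);
}

int main(void) { return demo(8, 256, 1024); }
```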
