Potential out-of-memory in function ReadBMPImage of coders/bmp.c and ReadDIBImage of coders/dib.c #1268

Closed
Young-X opened this issue Aug 27, 2018 · 3 comments

@Young-X

Young-X commented Aug 27, 2018

Prerequisites

  • [ Y ] I have written a descriptive issue title
  • [ Y ] I have verified that I am using the latest version of ImageMagick
  • [ Y ] I have searched open and closed issues to ensure it has not already been reported

Description

There are two missing checks for number_colors in function ReadBMPImage of coders/bmp.c and ReadDIBImage of coders/dib.c, which may lead to an out-of-memory vulnerability.

coders/bmp.c, ReadBMPImage:

        bmp_info.width=(ssize_t) ReadBlobLSBSignedLong(image);
        bmp_info.height=(ssize_t) ReadBlobLSBSignedLong(image);
        bmp_info.planes=ReadBlobLSBShort(image);
        bmp_info.bits_per_pixel=ReadBlobLSBShort(image);
        bmp_info.compression=ReadBlobLSBLong(image);
        bmp_info.image_size=ReadBlobLSBLong(image);
        bmp_info.x_pixels=ReadBlobLSBLong(image);
        bmp_info.y_pixels=ReadBlobLSBLong(image);
        bmp_info.number_colors=ReadBlobLSBLong(image);
        bmp_info.colors_important=ReadBlobLSBLong(image);

coders/dib.c, ReadDIBImage:

        dib_info.width=ReadBlobLSBSignedLong(image);
        dib_info.height=ReadBlobLSBSignedLong(image);
        dib_info.planes=ReadBlobLSBShort(image);
        dib_info.bits_per_pixel=ReadBlobLSBShort(image);
        if (dib_info.bits_per_pixel > 32)
          ThrowReaderException(CorruptImageError,"ImproperImageHeader");
        dib_info.compression=ReadBlobLSBLong(image);
        dib_info.image_size=ReadBlobLSBLong(image);
        dib_info.x_pixels=ReadBlobLSBLong(image);
        dib_info.y_pixels=ReadBlobLSBLong(image);
        dib_info.number_colors=ReadBlobLSBLong(image);
        dib_info.colors_important=ReadBlobLSBLong(image);
        if ((dib_info.bits_per_pixel != 1) && (dib_info.bits_per_pixel != 4) &&
            (dib_info.bits_per_pixel != 8) && (dib_info.bits_per_pixel != 16) &&
            (dib_info.bits_per_pixel != 24) && (dib_info.bits_per_pixel != 32))
          ThrowReaderException(CorruptImageError,"ImproperImageHeader");

The patches for bmp and dib are similar. Below is the proposed patch for bmp.c.

        bmp_info.width=(ssize_t) ReadBlobLSBSignedLong(image);
        bmp_info.height=(ssize_t) ReadBlobLSBSignedLong(image);
        bmp_info.planes=ReadBlobLSBShort(image);
        bmp_info.bits_per_pixel=ReadBlobLSBShort(image);
        bmp_info.compression=ReadBlobLSBLong(image);
        bmp_info.image_size=ReadBlobLSBLong(image);
        bmp_info.x_pixels=ReadBlobLSBLong(image);
        bmp_info.y_pixels=ReadBlobLSBLong(image);
        bmp_info.number_colors=ReadBlobLSBLong(image);
+      if (bmp_info.number_colors > GetBlobSize(image))
+          ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
        bmp_info.colors_important=ReadBlobLSBLong(image);
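Review bot: the bound added at `if (bmp_info.number_colors > GetBlobSize(image))` compares a count of palette entries with the file size in bytes, so it only rejects the most extreme values; since bits_per_pixel has already been read a few lines above, a paletted image (bits_per_pixel of 8 or less) can be held to at most `1 << bits_per_pixel` entries, which would also reject counts that fit inside the blob size but exceed what the depth allows. The same check is needed in ReadDIBImage: the text above says the dib.c patch is similar, but only the bmp.c hunk is shown.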

  • ImageMagick version: latest version
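As an added illustration (this is not code from the issue or from ImageMagick): a small C program that parses the same BITMAPINFOHEADER fields the quoted loader reads, reports the allocation a loader would request if it trusted number_colors, and applies a check that bounds the declared palette by both bits_per_pixel and the bytes actually present after the headers. The struct, the function names, the return codes and the constructed sample files are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* BITMAPINFOHEADER fields in the order the loader reads them. The struct and
   every function below are ours, written for this example; the field names
   echo the bmp_info fields quoted in the issue, but this is not ImageMagick. */
typedef struct {
    uint32_t header_size;
    int32_t  width, height;
    uint16_t planes, bits_per_pixel;
    uint32_t compression, image_size, x_pixels, y_pixels;
    uint32_t number_colors, colors_important;
} bmp_info_t;

enum { BMP_OK = 0, BMP_SHORT = -1, BMP_BAD_BPP = -2, BMP_BAD_COLORS = -3 };

#define FILE_HDR 14u   /* BITMAPFILEHEADER */
#define INFO_HDR 40u   /* BITMAPINFOHEADER */

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Parse the info header that follows the 14-byte file header. */
static int parse_info_header(const uint8_t *buf, size_t len, bmp_info_t *bi) {
    if (len < FILE_HDR + INFO_HDR) return BMP_SHORT;
    const uint8_t *p = buf + FILE_HDR;
    bi->header_size = rd32(p);
    bi->width = (int32_t)rd32(p + 4);
    bi->height = (int32_t)rd32(p + 8);
    bi->planes = rd16(p + 12);
    bi->bits_per_pixel = rd16(p + 14);
    bi->compression = rd32(p + 16);
    bi->image_size = rd32(p + 20);
    bi->x_pixels = rd32(p + 24);
    bi->y_pixels = rd32(p + 28);
    bi->number_colors = rd32(p + 32);   /* attacker-controlled, unchecked here */
    bi->colors_important = rd32(p + 36);
    return BMP_OK;
}

/* Bytes a loader would request for the palette if it trusted number_colors
   (4 bytes per BGRA entry): the out-of-memory condition the issue describes. */
static uint64_t untrusted_palette_bytes(const bmp_info_t *bi) {
    return (uint64_t)bi->number_colors * 4u;
}

/* Hardened check: bits_per_pixel must be a legal value, a paletted image
   (8 bpp or less) can declare at most 1 << bpp entries, and the declared
   palette must fit in the bytes actually present after the two headers. */
static int validate_number_colors(const bmp_info_t *bi, size_t file_len) {
    uint16_t bpp = bi->bits_per_pixel;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
        return BMP_BAD_BPP;
    if (bpp <= 8 && bi->number_colors > (1u << bpp))
        return BMP_BAD_COLORS;
    if (file_len < FILE_HDR + INFO_HDR)
        return BMP_SHORT;
    uint64_t remaining = file_len - FILE_HDR - INFO_HDR;
    if (untrusted_palette_bytes(bi) > remaining)
        return BMP_BAD_COLORS;
    return BMP_OK;
}

/* Constructed sample: a 1x1 image whose header claims `claimed` palette
   entries while only `present` entries actually follow the headers. */
static size_t build_sample(uint8_t *out, size_t cap, uint16_t bpp, uint32_t claimed, uint32_t present) {
    size_t len = FILE_HDR + INFO_HDR + (size_t)present * 4u;
    if (len > cap) return 0;
    memset(out, 0, len);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 2, (uint32_t)len);            /* bfSize */
    wr32(out + 10, (uint32_t)len);           /* bfOffBits: pixel data at end */
    wr32(out + 14, INFO_HDR);                /* biSize */
    wr32(out + 18, 1); wr32(out + 22, 1);    /* 1x1 */
    wr16(out + 26, 1); wr16(out + 28, bpp);  /* planes, bit depth */
    wr32(out + 46, claimed);                 /* biClrUsed: number_colors */
    return len;
}

/* Build, parse and validate one sample; *alloc receives the allocation a
   trusting loader would have made, so callers can see what the check avoids. */
static int check_sample(uint16_t bpp, uint32_t claimed, uint32_t present, uint64_t *alloc) {
    static uint8_t buf[FILE_HDR + INFO_HDR + 512 * 4];
    bmp_info_t bi;
    size_t len = build_sample(buf, sizeof buf, bpp, claimed, present);
    if (len == 0) return BMP_SHORT;
    int rc = parse_info_header(buf, len, &bi);
    if (rc != BMP_OK) return rc;
    if (alloc) *alloc = untrusted_palette_bytes(&bi);
    return validate_number_colors(&bi, len);
}

static uint64_t sample_alloc(uint16_t bpp, uint32_t claimed, uint32_t present) {
    uint64_t a = 0; check_sample(bpp, claimed, present, &a); return a;
}

int main(void) {
    uint64_t alloc = 0;
    printf("honest 8bpp, 256 entries:  rc=%d alloc=%llu\n", check_sample(8, 256, 256, &alloc), (unsigned long long)alloc);
    printf("claims 0xFFFFFFFF entries: rc=%d alloc=%llu\n", check_sample(8, 0xFFFFFFFFu, 0, &alloc), (unsigned long long)alloc);
    printf("8bpp, 300 entries present: rc=%d\n", check_sample(8, 300, 300, NULL));
    printf("bits_per_pixel=3:          rc=%d\n", check_sample(3, 0, 0, NULL));
    return 0;
}
```

The third sample is the case a pure file-size bound misses: 300 palette entries really are present in the file, but an 8-bit image cannot index more than 256 of them, so the depth-derived bound is what rejects it.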
@urban-warrior

We applied your patch to the latest IM trunk. Thanks.

@dlemstra dlemstra added the bug label Aug 27, 2018
@nohmask

nohmask commented Sep 7, 2018

This was assigned CVE-2018-16645.

@pgajdos

pgajdos commented Sep 9, 2018

Hi Dirk (@dlemstra), will you fix this for dib.c, too?
