
infinite loop in ReadBMPImage of bmp.c #1337

Closed
3 tasks done
galycannon opened this issue Oct 5, 2018 · 4 comments

@galycannon

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

The following code will trigger an infinite loop when opening the poc file, which
takes up a lot of memory and CPU. There is a risk of DoS.

do
  {
    PixelInfo
      quantum_bits;

    PixelPacket
      shift;

    /*
      Verify BMP identifier.
    */
    ...
    ...
    /*
      Proceed to next image.
    */
    if (image_info->number_scenes != 0)
      if (image->scene >= (image_info->scene+image_info->number_scenes-1))
        break;
    *magick='\0';
    if (bmp_info.ba_offset != 0)
      {
        offset=SeekBlob(image,(MagickOffsetType) bmp_info.ba_offset,SEEK_SET);
        if (offset < 0)
          ThrowReaderException(CorruptImageError,"ImproperImageHeader");
      }
    count=ReadBlob(image,2,magick);
    if ((count == 2) && (IsBMP(magick,2) != MagickFalse))
      {
        /*
          Acquire next image structure.
        */
        AcquireNextImage(image_info,image,exception);
        if (GetNextImageInList(image) == (Image *) NULL)
          {
            status=MagickFalse;
            return((Image *) NULL);
          }
        image=SyncNextImageInList(image);
        status=SetImageProgress(image,LoadImagesTag,TellBlob(image),
          GetBlobSize(image));
        if (status == MagickFalse)
          break;
      }
  } while (IsBMP(magick,2) != MagickFalse);

Steps to Reproduce

poc
magick convert $poc /dev/null

System Configuration

  • ImageMagick version:
    Version: ImageMagick 7.0.8-13 Q16 x86_64 2018-10-04 https://imagemagick.org
    Copyright: © 1999-2018 ImageMagick Studio LLC
    License: https://imagemagick.org/script/license.php
    Features: Cipher DPC HDRI OpenMP
    Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff wmf x xml zlib
  • Environment (Operating system, version and so on):
    Linux test-virtual-machine 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
  • Additional information:
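The loop above only terminates when the two bytes read after `SeekBlob` stop being a BMP signature, so a `ba_offset` that seeks to a position at or before the current header re-enters the same frame forever. The following is an added model of that control flow with a progress check, written for this issue; it is not ImageMagick code and not the project's actual patch. The 6-byte frame record, `walk_frames`, `LOOP_GUARD` and both sample buffers are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

#define LOOP_GUARD 10000  /* demo-only cap so the unchecked walk terminates */

/* Constructed 6-byte frame record (not the real BMP layout): 'B' 'M', then a
 * little-endian 32-bit ba_offset of the next frame; 0 means no seek and the
 * next frame follows immediately, like the "if (bmp_info.ba_offset != 0)" test. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 |
           (uint32_t)p[3] << 24;
}

/* Walk the frame chain the way the do/while loop above does. checked=0
 * reproduces the original control flow; checked=1 also rejects a ba_offset
 * that does not move strictly forward and stay inside the blob. A strictly
 * increasing position is bounded by the blob size, so the checked walk makes
 * at most `size` iterations. Returns the frame count, -1 for a rejected chain
 * (ImproperImageHeader in ImageMagick terms), or -2 if LOOP_GUARD was hit. */
int walk_frames(const uint8_t *blob, size_t size, int checked)
{
    size_t pos = 0;
    int frames = 0;
    while (pos + 6 <= size && blob[pos] == 'B' && blob[pos + 1] == 'M') {
        uint32_t ba_offset = rd32(blob + pos + 2);
        size_t end = pos + 6;                       /* end of this frame */
        size_t next = ba_offset != 0 ? (size_t)ba_offset : end;
        frames++;
        if (checked && ba_offset != 0 && (next <= pos || next >= size))
            return -1;
        if (!checked && frames >= LOOP_GUARD)
            return -2;                              /* would never stop */
        pos = next;
    }
    return frames;
}

/* Constructed inputs: a two-frame chain that terminates, and a chain whose
 * second frame's ba_offset points at itself, so the seek never advances. */
const uint8_t good_chain[] = {
    'B', 'M', 12, 0, 0, 0,      /* frame at 0, next frame at 12 */
    0, 0, 0, 0, 0, 0,           /* filler standing in for pixel data */
    'B', 'M', 0, 0, 0, 0,       /* frame at 12, ba_offset 0: chain ends */
};
const uint8_t self_ref[] = {
    'B', 'M', 6, 0, 0, 0,       /* frame at 0, next frame at 6 */
    'B', 'M', 6, 0, 0, 0,       /* frame at 6 points back to offset 6 */
};
```

The unchecked walk reads the self-referencing frame until the guard trips, while the checked walk rejects it on the second frame and accepts the forward-only chain unchanged.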
urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Oct 6, 2018
@urban-warrior
Contributor

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@dlemstra dlemstra added the bug label Oct 7, 2018
@dlemstra dlemstra closed this as completed Oct 7, 2018
@fgeek

fgeek commented Oct 8, 2018

This bug item is so elite! =)

@nohmask

nohmask commented Oct 9, 2018

This was assigned CVE-2018-18024.

@RootUp

RootUp commented Nov 10, 2018

Not sure, but this still works in
Version: ImageMagick 6.9.7-4 Q16 x86_64 20170114 http://www.imagemagick.org
