
Division by Zero at MagickCore/layer.c:1616 #1629

Closed
SuhwanSong opened this issue Jul 7, 2019 · 4 comments

Comments

@SuhwanSong commented Jul 7, 2019

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

There's a division by zero at MagickCore/layer.c:1616:30

Steps to Reproduce

Run the following command:

```
magick "-seed" "0" "-delay" "34<" "(" "magick:rose" "+repage" ")" "(" "magick:rose" "+repage" ")" "-encoding" "Symbol" "-layers" "remove-dups" "-quiet" "tmp"
```

This is triggered at `time = curr->delay*1000/curr->ticks_per_second;` due to `curr->ticks_per_second`.

```c
1605   for (; (next=GetNextImageInList(curr)) != (Image *) NULL; curr=next)
1606   {
1607     if ( curr->columns != next->columns || curr->rows != next->rows
1608          || curr->page.x != next->page.x || curr->page.y != next->page.y )
1609       continue;
1610     bounds=CompareImagesBounds(curr,next,CompareAnyLayer,exception);
1611     if ( bounds.x < 0 ) {
1612       /*
1613         the two images are the same, merge time delays and delete one.
1614       */
1615       size_t time;
1616       time = curr->delay*1000/curr->ticks_per_second;
1617       time += next->delay*1000/next->ticks_per_second;
1618       next->ticks_per_second = 100L;
1619       next->delay = time*curr->ticks_per_second/1000;
1620       next->iterations = curr->iterations;
1621       *images = curr;
1622       (void) DeleteImageFromList(images);
1623     }
1624   }
```

Here's the UBSAN log.

```
MagickCore/layer.c:1616:30: runtime error: division by zero
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior MagickCore/layer.c:1616:30 in 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==28916==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x7fe11baee9e7 bp 0x7ffc60e12250 sp 0x7ffc60e11ec0 T0)
    #0 0x7fe11baee9e6 in RemoveDuplicateLayers MagickCore/layer.c:1616:30
    #1 0x7fe11a2600a8 in CLIListOperatorImages MagickWand/operation.c:4266:15
    #2 0x7fe11a273102 in CLIOption MagickWand/operation.c:5308:14
    #3 0x7fe119c6aef4 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #4 0x7fe119c6dc54 in MagickImageCommand MagickWand/magick-cli.c:796:5
    #5 0x7fe119d1400e in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #6 0x527976 in MagickMain utilities/magick.c:149:10
    #7 0x5268e1 in main utilities/magick.c:180:10
    #8 0x7fe113884b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x41b069 in _start (install/bin/magick+0x41b069)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: UNKNOWN SIGNAL MagickCore/layer.c:1616:30 in RemoveDuplicateLayers
==28916==ABORTING
```

System Configuration

  • ImageMagick version:
    Version: ImageMagick 7.0.8-54 Q16 x86_64 2019-07-07 https://imagemagick.org

  • Environment (Operating system, version and so on):
    Description: Ubuntu 18.04.1 LTS
    Release: 18.04
    Codename: bionic

  • Additional information:
    CC=clang-7 CXX=clang++-7 CFLAGS="-fsanitize=address,undefined -g" CXXFLAGS="-fsanitize=address,undefined -g" ./configure --disable-openmp --without-png
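The arithmetic at layer.c:1616-1619 reduced to a stand-alone C program, as an added example that is not ImageMagick code and not the project's fix. `merge_delay_unchecked` mirrors the quoted lines, so it has the same undefined behaviour when a frame's `ticks_per_second` is 0; `merge_delay_checked` shows the defensive shape a reviewer would ask for: a zero rate is never used as a divisor, and the `delay*1000` multiplication is bounds-checked before it can wrap. The `Frame` struct, the `100` ticks/s fallback for a zero rate (modelled on the snippet's own `next->ticks_per_second = 100L` normalisation) and the `-1` error return are assumptions of this example.

```c
/* Added example (not ImageMagick code, not the upstream fix): the duplicate-layer
 * delay merge from the report, with and without a guard on ticks_per_second.
 * Frame, the 100 ticks/s fallback and the -1 error code are assumptions. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    size_t delay;            /* frame delay, in ticks */
    size_t ticks_per_second; /* 0 is the state the UBSAN report shows */
} Frame;

/* Same computation as layer.c:1616-1619 in the report. A zero ticks_per_second
 * in either frame is a division by zero (undefined behaviour); kept for
 * contrast only and never called with a zero rate below. */
static size_t merge_delay_unchecked(const Frame *curr, const Frame *next)
{
    size_t time = curr->delay * 1000 / curr->ticks_per_second;
    time += next->delay * 1000 / next->ticks_per_second;
    /* the snippet normalises next to 100 ticks/s and rescales by curr's rate */
    return time * curr->ticks_per_second / 1000;
}

/* Guarded form. Returns 0 and writes the merged delay expressed at
 * *out_ticks_per_second (always 100, i.e. one tick = 10 ms) into *out_delay.
 * A zero ticks_per_second is treated as 100 (assumption) instead of being
 * divided by; a delay that would overflow delay*1000 yields -1 rather than a
 * silently wrapped value. */
static int merge_delay_checked(const Frame *curr, const Frame *next,
                               size_t *out_delay, size_t *out_ticks_per_second)
{
    size_t rate_curr = curr->ticks_per_second ? curr->ticks_per_second : 100;
    size_t rate_next = next->ticks_per_second ? next->ticks_per_second : 100;

    if (curr->delay > SIZE_MAX / 1000 || next->delay > SIZE_MAX / 1000)
        return -1; /* delay*1000 would wrap around */

    size_t ms = curr->delay * 1000 / rate_curr + next->delay * 1000 / rate_next;
    *out_ticks_per_second = 100;
    *out_delay = ms / 10; /* milliseconds to ticks at 100 ticks/s, no multiply */
    return 0;
}

int main(void)
{
    /* constructed sample frames: a normal pair and the zero-rate case */
    Frame a = {34, 100}, b = {34, 100}, z = {34, 0};
    size_t delay, tps;

    printf("unchecked, both rates 100: %zu ticks\n", merge_delay_unchecked(&a, &b));
    if (merge_delay_checked(&z, &b, &delay, &tps) == 0)
        printf("checked, first rate 0:   %zu ticks at %zu ticks/s\n", delay, tps);
    return 0;
}
```

For a fuzzing-found bug of this kind the useful regression check is the zero-rate input itself: the checked version must return a value, never trap, and the overflow branch must fire for a delay near `SIZE_MAX`.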

urban-warrior pushed a commit that referenced this issue Jul 8, 2019

Cristy

urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Jul 8, 2019

@urban-warrior (Contributor) commented Jul 8, 2019

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@dlemstra dlemstra added this to the 7.0.8-54 milestone Jul 8, 2019

@nohmask commented Jul 10, 2019

This was assigned CVE-2019-13454.

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Jul 19, 2019

ImageMagick: Update to 7.0.8-54
This update contains a number of security fixes.

2019-07-16  7.0.8-54 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.8-54, GIT revision 15916:e868e22:20190716.

2019-07-08  7.0.8-54 Cristy  <quetzlzacatenango@image...>
  * resolve division by zero (reference
    ImageMagick/ImageMagick#1629).
  * introducing MagickLevelImageColors() MagickWand method.
  * Transient problem with text placement with gravity (reference
    ImageMagick/ImageMagick#1633).
  * Support TIM2 image format (reference
    ImageMagick/ImageMagick#1571).
  * For -magnify option, specify an alternative scaling method with -define
    magnify:method=method, choose from these methods: eagle2X, eagle3X,
    eagle3XB, epb2X, fish2X, hq2X, scale2X (default), scale3X, xbr2X.

2019-07-05  7.0.8-53 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.8-53, GIT revision 15828:f5d59c0:20190705.

2019-07-05  7.0.8-53 Cristy  <quetzlzacatenango@image...>
   * Fix -fx parsing issue (reference
     https://imagemagick.org/discourse-server/viewtopic.php?f=3&t=36314).

2019-07-05  7.0.8-52 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.8-52, GIT revision 15825:ea47310:20190705.

2019-07-01  7.0.8-52 Cristy  <quetzlzacatenango@image...>
  * Eliminate buffer overflow in TranslateEvent() (reference
    ImageMagick/ImageMagick#1621).

2019-06-30  7.0.8-51 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.8-51, GIT revision 15812:51f11c4:20190630.

2019-06-24  7.0.8-51 Cristy  <quetzlzacatenango@image...>
  * Clone rather than copy X window name/icon.
  * Optimize PDF reader.

2019-06-23  7.0.8-50 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.8-50, GIT revision 15778:4a60519:20190623

2019-06-14  7.0.8-50 Dirk Lemstra <dirk@lem.....org>
  * Added support for reading all images from a HEIC image (reference
    ImageMagick/ImageMagick#1391).
  * Heap-buffer-overflow in MagickCore/fourier.c (reference
   ImageMagick/ImageMagick#1588).
  * Fixed a number of issues (reference
    https://imagemagick.org/discourse-server/viewforum.php?f=3).
  * Fixed a number of issues (reference
    https://github.com/ImageMagick/ImageMagick/issues).

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Jul 23, 2019

Pullup ticket #6007 - requested by nia
graphics/ImageMagick: security fix

Revisions pulled up:
- graphics/ImageMagick/Makefile.common                          1.191
- graphics/ImageMagick/distinfo                                 1.208

---
   Module Name:	pkgsrc
   Committed By:	nia
   Date:		Fri Jul 19 09:12:13 UTC 2019

   Modified Files:
   	pkgsrc/graphics/ImageMagick: Makefile.common distinfo

   Log Message:
   ImageMagick: Update to 7.0.8-54

   This update contains a number of security fixes.


@boo0m commented Jul 31, 2019

> This was assigned CVE-2019-13454.

hello, nohmask. I have requested two CVE IDs about the ImageMagick vulnerabilities (#1552 and ImageMagick/ImageMagick6#43) on https://cveform.mitre.org/. But I haven't received any reply yet. Do you know what happened? Thanks

@nohmask commented Aug 18, 2019

> hello, nohmask. I have requested two CVE IDs about the ImageMagick vulnerabilities (#1552 and ImageMagick/ImageMagick6#43) on https://cveform.mitre.org/. But I haven't received any reply yet. Do you know what happened? Thanks

I’m sorry, I don’t know.
The two problems are assigned CVE-2019-14980 and CVE-2019-14981.
