Division by zero in ApplyFunction() of MagickCore/statistic.c

[wuruoyu]

Prerequisites

• [√] I have written a descriptive issue title
• [√] I have verified that I am using the latest version of ImageMagick
• [√] I have searched open and closed issues to ensure it has not already been reported

Description

A division-by-zero exception can happen in function ApplyFunction() when the arguments function = ArcsinFunction and parameters[0] = 0. Please refer to the code below:

ImageMagick/MagickCore/statistic.c

Lines 1031 to 1035 in ce7b0f2

	width=(number_parameters >= 1) ? parameters[0] : 1.0;
	center=(number_parameters >= 2) ? parameters[1] : 0.5;
	range=(number_parameters >= 3) ? parameters[2] : 1.0;
	bias=(number_parameters >= 4) ? parameters[3] : 0.5;
	result=2.0/width*(QuantumScale*pixel-center);

ApplyFunction() is called in FunctionImage(), which is an API function. Before calling ApplyFunction(), no sanity check is imposed. So an attacker can call FunctionImage() with function = ArcsinFunction and parameters[0] = 0 to trigger this exception.

ImageMagick/MagickCore/statistic.c

Line 1139 in ce7b0f2

q[i]=ApplyFunction(q[i],function,number_parameters,parameters,

Thank you in advance! Let me know if you have any questions.

[urban-warrior]

Thanks for the problem report. We can reproduce it and will have a patch to fix it in the GIT main branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://imagemagick.org/download/beta/ by sometime tomorrow.