Closed
Description
Version: ImageMagick 7.0.6-1 Q16 x86_64
```sh
$ magick identify $FILE
```
Here is the critical code:

```c
filesize=65535UL*magick[2]+256L*magick[1]+magick[0]; /* filesize comes straight from the file, so it can be controlled */
for (i=0; i < (ssize_t) filesize; i++)
{
  c=ReadBlobByte(pwp_image); /* return value is never checked for EOF */
  (void) fputc(c,file);
}
```

The bytes in magick[] come from ReadBlobByte:

```c
for (c=ReadBlobByte(pwp_image); c != EOF; c=ReadBlobByte(pwp_image))
{
  for (i=0; i < 17; i++)
    magick[i]=magick[i+1];
  magick[17]=(unsigned char) c;
  if (LocaleNCompare((char *) (magick+12),"SFW94A",6) == 0)
    break;
}
```

Each magick[x] can be as large as 0xff:

```c
unsigned char
  magick[MagickPathExtent];
```

So filesize can be as large as 65535UL*255, roughly 16 million, and the loop above runs that many iterations. On the other hand, the result of ReadBlobByte inside the loop is never checked for success, so a crafted file causes a large number of failed I/O calls in that loop.
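As an added illustration (this is not ImageMagick code; the Blob reader and the copy_section_* functions are hypothetical stand-ins), the reported loop is shown beside a hardened form that bounds the declared length by the data actually available and stops as soon as the reader returns EOF:

```c
#include <stdio.h>
/* Constructed stand-in for ImageMagick's blob reader (hypothetical, not the
   real API): yields one byte of an in-memory buffer, or EOF once exhausted. */
typedef struct { const unsigned char *data; size_t len, pos; } Blob;

static int blob_byte(Blob *b)
{
  return b->pos < b->len ? (int) b->data[b->pos++] : EOF;
}

/* Length field decoded exactly as the reported code does it. */
static size_t pwp_section_size(const unsigned char hdr[3])
{
  return 65535UL*hdr[2]+256UL*hdr[1]+hdr[0];
}

/* Mirrors the reported loop: trusts the declared length and keeps calling
   the reader after it has returned EOF. Returns the number of read calls. */
static size_t copy_section_unchecked(Blob *b, const unsigned char hdr[3])
{
  size_t filesize = pwp_section_size(hdr), reads = 0;
  for (size_t i = 0; i < filesize; i++) { (void) blob_byte(b); reads++; }
  return reads;
}

/* Hardened form: reject a declared length larger than the data that remains
   and stop at EOF. Returns bytes actually copied, or 0 when rejected. */
static size_t copy_section_checked(Blob *b, const unsigned char hdr[3])
{
  size_t filesize = pwp_section_size(hdr), reads = 0;
  if (filesize > b->len - b->pos)
    return 0;                  /* header claims more than the blob holds */
  for (size_t i = 0; i < filesize; i++) {
    if (blob_byte(b) == EOF)
      break;                   /* never keep calling a reader that failed */
    reads++;
  }
  return reads;
}

int main(void)
{
  unsigned char data[16] = {0};                       /* constructed 16-byte blob */
  const unsigned char bogus[3] = {0x00, 0x01, 0x00};  /* declares 256 bytes */
  Blob a = { data, sizeof data, 0 }, b = { data, sizeof data, 0 };
  printf("unchecked: %zu read calls on a %zu-byte blob\n",
         copy_section_unchecked(&a, bogus), sizeof data);
  printf("checked: %zu bytes copied (0 = rejected)\n", copy_section_checked(&b, bogus));
  return 0;
}
```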
Test case:
https://github.com/jgj212/poc/blob/master/cpu-ReadPWPImage
Credit: ADLab of Venustech