
large loop in ReadPWPImage with no meaning #535

Closed
@jgj212

Description


Version: ImageMagick 7.0.6-1 Q16 x86_64

$magick identify $FILE

Here is the critical code:

    filesize=65535UL*magick[2]+256L*magick[1]+magick[0];     // filesize can be controlled
    for (i=0; i < (ssize_t) filesize; i++)                   // no upper bound on filesize
    {
      c=ReadBlobByte(pwp_image);                             // return value never checked for EOF
      (void) fputc(c,file);
    }

magick[...] is from ReadBlobByte:

    for (c=ReadBlobByte(pwp_image); c != EOF; c=ReadBlobByte(pwp_image))
    {
      for (i=0; i < 17; i++)
        magick[i]=magick[i+1];
      magick[17]=(unsigned char) c;
      if (LocaleNCompare((char *) (magick+12),"SFW94A",6) == 0)
        break;
    }

magick[x] can be as large as 0xff:

  unsigned char
    magick[MagickPathExtent];

So 'filesize' can be as large as 65535UL*255 = 16,711,425 (about 16 million), and the loop above will be large.
On the other hand, 'ReadBlobByte' in the loop has no success/status checking, so a crafted file will cause a large number of failed I/O operations in the loop.

testcase:
https://github.com/jgj212/poc/blob/master/cpu-ReadPWPImage

Credit: ADLab of Venustech
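Added example (not ImageMagick's code and not part of the report): a self-contained reproduction of the pattern above with a hardened variant next to it. It assumes an in-memory `Blob` standing in for ImageMagick's blob, uses `memcmp` where the original uses the case-insensitive `LocaleNCompare`, and writes into a buffer instead of a temp file. The `DeclaredSize` formula is copied from the reported snippet, including its `65535UL` multiplier. The two inputs are constructed: one declares a ~16 million byte payload while only 4 bytes follow the marker, the other declares 4.

```c
#include <stdio.h>
#include <string.h>

#define MAGICK_WINDOW 18   /* sliding window the marker scan keeps */

/* In-memory stand-in for ImageMagick's blob (assumption, not the real API). */
typedef struct {
    const unsigned char *data;
    size_t length;
    size_t offset;
} Blob;

/* Mirrors ReadBlobByte(): returns the next byte or EOF, forever, once exhausted. */
static int ReadBlobByte(Blob *b)
{
    if (b->offset >= b->length)
        return EOF;
    return b->data[b->offset++];
}

/* Same scan as the report: shift an 18-byte window until bytes 12..17 read "SFW94A".
   Bytes 0..2 of the window are whatever preceded the marker, i.e. attacker-chosen. */
static int FindMarker(Blob *b, unsigned char magick[MAGICK_WINDOW])
{
    int c, i;
    memset(magick, 0, MAGICK_WINDOW);
    for (c = ReadBlobByte(b); c != EOF; c = ReadBlobByte(b)) {
        for (i = 0; i < MAGICK_WINDOW - 1; i++)
            magick[i] = magick[i + 1];
        magick[MAGICK_WINDOW - 1] = (unsigned char) c;
        if (memcmp(magick + 12, "SFW94A", 6) == 0)
            return 1;
    }
    return 0;
}

/* Length formula exactly as in the reported snippet (65535UL multiplier included). */
static unsigned long DeclaredSize(const unsigned char magick[MAGICK_WINDOW])
{
    return 65535UL * magick[2] + 256L * magick[1] + magick[0];
}

/* Vulnerable pattern: trusts the declared length and never checks for EOF.
   Returns the number of loop iterations; *eof_reads counts reads past end of input
   (where the original would fputc((char)EOF) into the temp file each time). */
static unsigned long CopyUnchecked(Blob *b, unsigned long *eof_reads)
{
    unsigned char magick[MAGICK_WINDOW];
    unsigned long filesize, i;

    *eof_reads = 0;
    if (!FindMarker(b, magick))
        return 0;
    filesize = DeclaredSize(magick);
    for (i = 0; i < filesize; i++) {
        int c = ReadBlobByte(b);
        if (c == EOF)
            (*eof_reads)++;
    }
    return filesize;
}

/* Hardened variant: bound the declared length by the bytes actually remaining and by
   the destination capacity, and stop on EOF. Returns bytes copied or -1 on rejection. */
static long CopyChecked(Blob *b, unsigned char *out, size_t out_cap)
{
    unsigned char magick[MAGICK_WINDOW];
    unsigned long filesize, i;

    if (!FindMarker(b, magick))
        return -1;
    filesize = DeclaredSize(magick);
    if (filesize > b->length - b->offset || filesize > out_cap)
        return -1;                      /* declared length exceeds the data we have */
    for (i = 0; i < filesize; i++) {
        int c = ReadBlobByte(b);
        if (c == EOF)
            return -1;                  /* unreachable after the bound, kept as defence in depth */
        out[i] = (unsigned char) c;
    }
    return (long) filesize;
}

/* Constructed inputs: 3 length bytes, 9 filler bytes, the marker, then a 4-byte payload. */
static const unsigned char kMalicious[] = {
    0x00, 0x00, 0xff, 0, 0, 0, 0, 0, 0, 0, 0, 0, 'S', 'F', 'W', '9', '4', 'A', 'a', 'b', 'c', 'd' };
static const unsigned char kBenign[] = {
    0x04, 0x00, 0x00, 0, 0, 0, 0, 0, 0, 0, 0, 0, 'S', 'F', 'W', '9', '4', 'A', 'a', 'b', 'c', 'd' };

int main(void)
{
    Blob a = { kMalicious, sizeof kMalicious, 0 };
    Blob b = { kMalicious, sizeof kMalicious, 0 };
    Blob c = { kBenign, sizeof kBenign, 0 };
    unsigned char out[16];
    unsigned long eofs;

    printf("unchecked: %lu iterations, %lu reads past EOF\n", CopyUnchecked(&a, &eofs), eofs);
    printf("checked, malicious: %ld\n", CopyChecked(&b, out, sizeof out));
    printf("checked, benign: %ld bytes\n", CopyChecked(&c, out, sizeof out));
    return 0;
}
```

The bound `filesize > b->length - b->offset` is what the reported loop lacks: with it, a 3-byte length field can no longer force a loop that is orders of magnitude longer than the file, and the EOF check stops the copy from writing `(char)EOF` bytes into the output.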
