endless loop in ReadTXTImage #591

Closed
jgj212 opened this issue Jul 19, 2017 · 13 comments

@jgj212 (Contributor) commented Jul 19, 2017

Version: ImageMagick 7.0.6-2 Q16 x86_64

$magick convert cpu-ReadTXTImage 1.bmp

Here is the critical code (excerpt from coders/txt.c; the `//` comments are the reporter's annotations for the header-only input):

```c
static Image *ReadTXTImage(const ImageInfo *image_info,ExceptionInfo *exception)
{
  ...
  (void) ResetMagickMemory(text,0,sizeof(text));
  (void) ReadBlobString(image,text);  // text is "MagickID..."
  if (LocaleNCompare((char *) text,MagickID,strlen(MagickID)) != 0)  // so cmp == 0
    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
  do
  {
    ...
    for (y=0; y < (ssize_t) image->rows; y++)
    {
      double
        alpha,
        black,
        blue,
        green,
        red;

      red=0.0;
      green=0.0;
      blue=0.0;
      black=0.0;
      alpha=0.0;
      for (x=0; x < (ssize_t) image->columns; x++)
      {
        if (ReadBlobString(image,text) == (char *) NULL) // if the TXT file is smaller than 4096 bytes this returns NULL and leaves text unchanged, so cmp == 0
          break;
        ...
      }
    }
    (void) ReadBlobString(image,text); // if the TXT file is smaller than 4096 bytes, text is unchanged
    if (LocaleNCompare((char *) text,MagickID,strlen(MagickID)) == 0) // so cmp == 0
      {
        /*
          Allocate next image structure.
        */
        AcquireNextImage(image_info,image,exception);
        if (GetNextImageInList(image) == (Image *) NULL)
          {
            image=DestroyImageList(image);
            return((Image *) NULL);
          }
        image=SyncNextImageInList(image);
        status=SetImageProgress(image,LoadImagesTag,TellBlob(image),
          GetBlobSize(image));
        if (status == MagickFalse)
          break;
      }
  } while (LocaleNCompare((char *) text,MagickID,strlen(MagickID)) == 0); // so cmp == 0
  ...
}
```

If the text image file only contains the "MagickID..." line, it causes ReadTXTImage to loop infinitely.

testcase: https://github.com/jgj212/poc/blob/master/cpu-ReadTXTImage

Credit: ADLab of Venustech
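A stand-alone C model of the loop described in the report, added here as an example and not ImageMagick's own code. It assumes the EOF contract the report attributes to ReadBlobString (NULL return, buffer left untouched) and a header prefix of "# ImageMagick pixel enumeration:" (an assumption), and runs on a constructed header-only input; `check_eof` switches between the reported behaviour and one possible fix, which is to treat EOF after the pixel rows as the end of the image list instead of re-testing the stale header.

```c
#include <stddef.h>
#include <string.h>

#define MAGICK_ID "# ImageMagick pixel enumeration:" /* assumed header prefix */
#define TEXT_SIZE 4096
#define LOOP_CAP  1000 /* demo guard so the reported endless loop terminates */
/* Constructed input: one header line, no pixel rows, well under 4096 bytes. */
static const char HEADER_ONLY[] = "# ImageMagick pixel enumeration: 1,1,255,srgb\n";

/* Minimal in-memory stand-in for an ImageMagick blob. */
typedef struct { const char *data; size_t len; size_t pos; } Blob;

/* Mirrors ReadBlobString's contract as the report describes it:
 * returns NULL at EOF and leaves the caller's buffer untouched. */
static char *read_blob_string(Blob *b, char *text, size_t size)
{
  size_t i = 0;
  if (b->pos >= b->len)
    return NULL;
  while (b->pos < b->len && i + 1 < size) {
    char c = b->data[b->pos++];
    text[i++] = c;
    if (c == '\n')
      break;
  }
  text[i] = '\0';
  return text;
}

/* Simulates the reader's image-list loop. Returns the number of images read,
 * -2 for a bad header, or -1 if LOOP_CAP is hit (the reported endless loop).
 * check_eof == 0 reproduces the report; check_eof == 1 applies the fix. */
int read_txt_images(const char *file, size_t len, int check_eof)
{
  Blob blob = { file, len, 0 };
  char text[TEXT_SIZE];
  int images = 0;

  memset(text, 0, sizeof(text));
  if (read_blob_string(&blob, text, sizeof(text)) == NULL ||
      strncmp(text, MAGICK_ID, strlen(MAGICK_ID)) != 0)
    return -2; /* ImproperImageHeader */
  do {
    images++; /* pixel rows would be parsed here; this input has none */
    if (read_blob_string(&blob, text, sizeof(text)) == NULL && check_eof)
      break;   /* fix: EOF means no next image; don't re-test the stale header */
    if (images >= LOOP_CAP)
      return -1; /* without the fix, text still holds the header and we spin */
  } while (strncmp(text, MAGICK_ID, strlen(MAGICK_ID)) == 0);
  return images;
}
```

The same stale-buffer pattern is worth checking for in any reader that re-tests a line buffer after a read that may fail without overwriting it.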

@bastien-roucaries commented Jul 19, 2017

Did you open a CVE?

@jgj212 (Contributor, Author) commented Jul 19, 2017

@bastien-roucaries I'm sorry, I cannot understand it. What is the right meaning?

@lcatro commented Jul 19, 2017

@jgj212 Is he perhaps asking whether a CVE has been requested for this crash?

@jgj212 (Contributor, Author) commented Jul 19, 2017

@bastien-roucaries I found this bug just now; I have not requested a CVE-ID for it.

@lcatro Thanks, brother; that sentence was too short and the machine translation made no sense to me, sweat.

@lcatro commented Jul 19, 2017

@jgj212 Hahaha, I guessed; he asked the same thing on my issue just now. Did the CVE request for your earlier crash go through? I submitted mine on Monday and still haven't got a reply; the GraphicsMagick one was done in a day..

@jgj212 (Contributor, Author) commented Jul 19, 2017

@lcatro I feel it's pure luck; I still have some pending from more than half a year ago.

@lcatro commented Jul 19, 2017

@jgj212 I guess they've been flooded and don't want to take any more; seeing how many you've all turned up, is it 60 CVEs already?..

@mikayla-grace commented Jul 19, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

dlemstra pushed a commit that referenced this issue Jul 19, 2017

@carnil commented Jul 23, 2017

This issue has been assigned CVE-2017-11523


@dlemstra dlemstra added the bug label Jul 27, 2017

@dlemstra dlemstra closed this Jul 27, 2017

@jgj212 (Contributor, Author) commented Jul 30, 2017

@lcatro I've never counted the total; a lot of them are still dragging on, awkward.

@lcatro commented Jul 30, 2017

@jgj212 Haha, keep it up, brother; AD Lab is really impressive 👍 ..

@jgj212 (Contributor, Author) commented Jul 30, 2017

@lcatro The Big Penguin's strength is off the charts too.
