uninitialized image palette in coders/gif.c #592

Closed
neex opened this issue Jul 21, 2017 · 6 comments

neex commented Jul 21, 2017

GIF coder leaves the palette uninitialized if neither global nor local palette is present in a gif file. If ImageMagick is used as a library loaded into a process that operates on interesting data, this can cause security consequences.

Repro is available at https://gist.githubusercontent.com/neex/8df05383c58abfea388fdc867a197418/raw/e1bb77c3497420fdd1bcd539ca08fbabd5dfa23f/sample.gif.

$ convert --version
Version: ImageMagick 7.0.6-2 Q16 x86_64 2017-07-21 http://www.imagemagick.org
...
$ valgrind convert sample.gif hui.gif
==23410== Memcheck, a memory error detector
==23410== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==23410== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==23410== Command: builded/bin/convert ../dump.gif test.gif
==23410==
==23410== Conditional jump or move depends on uninitialised value(s)
==23410==    at 0x5121C83: ScaleQuantumToChar (quantum.h:116)
==23410==    by 0x5126C0C: WriteGIFImage (gif.c:1649)
==23410==    by 0x4F06B58: WriteImage (constitute.c:1114)
==23410==    by 0x4F07412: WriteImages (constitute.c:1333)
==23410==    by 0x56F6F6A: ConvertImageCommand (convert.c:3280)
==23410==    by 0x577B8C4: MagickCommandGenesis (mogrify.c:183)
==23410==    by 0x10936C: MagickMain (magick.c:149)
==23410==    by 0x1094A9: main (magick.c:180)
==23410==
==23410== Conditional jump or move depends on uninitialised value(s)
==23410==    at 0x5121C83: ScaleQuantumToChar (quantum.h:116)
==23410==    by 0x5126C4F: WriteGIFImage (gif.c:1650)
==23410==    by 0x4F06B58: WriteImage (constitute.c:1114)
==23410==    by 0x4F07412: WriteImages (constitute.c:1333)
==23410==    by 0x56F6F6A: ConvertImageCommand (convert.c:3280)
==23410==    by 0x577B8C4: MagickCommandGenesis (mogrify.c:183)
==23410==    by 0x10936C: MagickMain (magick.c:149)
==23410==    by 0x1094A9: main (magick.c:180)
==23410==
==23410== Conditional jump or move depends on uninitialised value(s)
==23410==    at 0x5121C83: ScaleQuantumToChar (quantum.h:116)
==23410==    by 0x5126C92: WriteGIFImage (gif.c:1651)
==23410==    by 0x4F06B58: WriteImage (constitute.c:1114)
==23410==    by 0x4F07412: WriteImages (constitute.c:1333)
==23410==    by 0x56F6F6A: ConvertImageCommand (convert.c:3280)
==23410==    by 0x577B8C4: MagickCommandGenesis (mogrify.c:183)
==23410==    by 0x10936C: MagickMain (magick.c:149)
==23410==    by 0x1094A9: main (magick.c:180)
==23410==
==23410== Conditional jump or move depends on uninitialised value(s)
==23410==    at 0x5121DC7: AbsolutePixelValue (pixel-accessor.h:440)
==23410==    by 0x5121F62: IsPixelInfoEquivalent (pixel-accessor.h:538)
==23410==    by 0x5126DA4: WriteGIFImage (gif.c:1670)
==23410==    by 0x4F06B58: WriteImage (constitute.c:1114)
==23410==    by 0x4F07412: WriteImages (constitute.c:1333)
==23410==    by 0x56F6F6A: ConvertImageCommand (convert.c:3280)
==23410==    by 0x577B8C4: MagickCommandGenesis (mogrify.c:183)
==23410==    by 0x10936C: MagickMain (magick.c:149)
==23410==    by 0x1094A9: main (magick.c:180)
==23410==
==23410== Conditional jump or move depends on uninitialised value(s)
==23410==    at 0x5121F75: IsPixelInfoEquivalent (pixel-accessor.h:538)
==23410==    by 0x5126DA4: WriteGIFImage (gif.c:1670)
==23410==    by 0x4F06B58: WriteImage (constitute.c:1114)
==23410==    by 0x4F07412: WriteImages (constitute.c:1333)
==23410==    by 0x56F6F6A: ConvertImageCommand (convert.c:3280)
==23410==    by 0x577B8C4: MagickCommandGenesis (mogrify.c:183)
==23410==    by 0x10936C: MagickMain (magick.c:149)
==23410==    by 0x1094A9: main (magick.c:180)
==23410==
==23410== Conditional jump or move depends on uninitialised value(s)
==23410==    at 0x5121DC7: AbsolutePixelValue (pixel-accessor.h:440)
==23410==    by 0x5121FA5: IsPixelInfoEquivalent (pixel-accessor.h:540)
==23410==    by 0x5126DA4: WriteGIFImage (gif.c:1670)
==23410==    by 0x4F06B58: WriteImage (constitute.c:1114)
==23410==    by 0x4F07412: WriteImages (constitute.c:1333)
==23410==    by 0x56F6F6A: ConvertImageCommand (convert.c:3280)
==23410==    by 0x577B8C4: MagickCommandGenesis (mogrify.c:183)
==23410==    by 0x10936C: MagickMain (magick.c:149)
==23410==    by 0x1094A9: main (magick.c:180)
==23410==
...
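A structural check for the condition the report describes, a GIF whose frames carry neither a global nor a local colour table, added here as an illustration and not part of the issue or of ImageMagick's code; the two sample GIF byte strings are constructed inline.

```python
import struct

def _skip_sub_blocks(data, pos):
    """Advance past a chain of data sub-blocks to just after the 0-length terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size

def gif_frames_without_palette(data):
    """Return indices of frames that have neither a global nor a local colour table."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]                      # logical screen descriptor flags
    has_global = bool(packed & 0x80)
    pos = 13
    if has_global:
        pos += 3 * (2 ** ((packed & 0x07) + 1))   # skip global colour table
    frames, index = [], 0
    while pos < len(data):
        tag = data[pos]
        pos += 1
        if tag == 0x3B:                    # trailer
            break
        if tag == 0x21:                    # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif tag == 0x2C:                  # image descriptor
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            ipacked = data[pos + 8]
            pos += 9
            has_local = bool(ipacked & 0x80)
            if has_local:
                pos += 3 * (2 ** ((ipacked & 0x07) + 1))   # skip local colour table
            pos = _skip_sub_blocks(data, pos + 1)          # +1 skips LZW min code size
            if not (has_global or has_local):
                frames.append(index)
            index += 1
        else:
            raise ValueError("unknown block 0x%02x" % tag)
    return frames

# Constructed 1x1 GIF89a samples: first has no colour table anywhere, second has a 2-entry global one.
_BODY = b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0x00) + b"\x02\x02\x44\x01\x00\x3b"
NO_PALETTE_GIF = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x00, 0, 0) + _BODY
WITH_PALETTE_GIF = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + b"\x00\x00\x00\xff\xff\xff" + _BODY
```

A decoder that reaches a frame reported by this check must supply a default colour table (or reject the file) rather than read whatever memory the palette buffer happened to contain.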

mikayla-grace commented Jul 21, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.


bastien-roucaries commented Jul 21, 2017

Did you open a CVE?


neex commented Jul 21, 2017

No.


bastien-roucaries commented Jul 26, 2017

neex, you should


zmalone commented Oct 12, 2017


diclophis commented Oct 30, 2017

I hope Ubuntu publishes a fixed .deb soon
