Closed
Description
The GIF coder leaves the palette uninitialized if neither a global nor a local palette is present in a GIF file. If ImageMagick is used as a library loaded into a process that operates on interesting data, this can have security consequences.
A repro is available at https://gist.githubusercontent.com/neex/8df05383c58abfea388fdc867a197418/raw/e1bb77c3497420fdd1bcd539ca08fbabd5dfa23f/sample.gif.
$ convert --version
Version: ImageMagick 7.0.6-2 Q16 x86_64 2017-07-21 http://www.imagemagick.org
...
$ valgrind convert sample.gif hui.gif
==23410== Memcheck, a memory error detector
==23410== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==23410== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==23410== Command: builded/bin/convert ../dump.gif test.gif
==23410==
==23410== Conditional jump or move depends on uninitialised value(s)
==23410== at 0x5121C83: ScaleQuantumToChar (quantum.h:116)
==23410== by 0x5126C0C: WriteGIFImage (gif.c:1649)
==23410== by 0x4F06B58: WriteImage (constitute.c:1114)
==23410== by 0x4F07412: WriteImages (constitute.c:1333)
==23410== by 0x56F6F6A: ConvertImageCommand (convert.c:3280)
==23410== by 0x577B8C4: MagickCommandGenesis (mogrify.c:183)
==23410== by 0x10936C: MagickMain (magick.c:149)
==23410== by 0x1094A9: main (magick.c:180)
==23410==
==23410== Conditional jump or move depends on uninitialised value(s)
==23410== at 0x5121C83: ScaleQuantumToChar (quantum.h:116)
==23410== by 0x5126C4F: WriteGIFImage (gif.c:1650)
==23410== by 0x4F06B58: WriteImage (constitute.c:1114)
==23410== by 0x4F07412: WriteImages (constitute.c:1333)
==23410== by 0x56F6F6A: ConvertImageCommand (convert.c:3280)
==23410== by 0x577B8C4: MagickCommandGenesis (mogrify.c:183)
==23410== by 0x10936C: MagickMain (magick.c:149)
==23410== by 0x1094A9: main (magick.c:180)
==23410==
==23410== Conditional jump or move depends on uninitialised value(s)
==23410== at 0x5121C83: ScaleQuantumToChar (quantum.h:116)
==23410== by 0x5126C92: WriteGIFImage (gif.c:1651)
==23410== by 0x4F06B58: WriteImage (constitute.c:1114)
==23410== by 0x4F07412: WriteImages (constitute.c:1333)
==23410== by 0x56F6F6A: ConvertImageCommand (convert.c:3280)
==23410== by 0x577B8C4: MagickCommandGenesis (mogrify.c:183)
==23410== by 0x10936C: MagickMain (magick.c:149)
==23410== by 0x1094A9: main (magick.c:180)
==23410==
==23410== Conditional jump or move depends on uninitialised value(s)
==23410== at 0x5121DC7: AbsolutePixelValue (pixel-accessor.h:440)
==23410== by 0x5121F62: IsPixelInfoEquivalent (pixel-accessor.h:538)
==23410== by 0x5126DA4: WriteGIFImage (gif.c:1670)
==23410== by 0x4F06B58: WriteImage (constitute.c:1114)
==23410== by 0x4F07412: WriteImages (constitute.c:1333)
==23410== by 0x56F6F6A: ConvertImageCommand (convert.c:3280)
==23410== by 0x577B8C4: MagickCommandGenesis (mogrify.c:183)
==23410== by 0x10936C: MagickMain (magick.c:149)
==23410== by 0x1094A9: main (magick.c:180)
==23410==
==23410== Conditional jump or move depends on uninitialised value(s)
==23410== at 0x5121F75: IsPixelInfoEquivalent (pixel-accessor.h:538)
==23410== by 0x5126DA4: WriteGIFImage (gif.c:1670)
==23410== by 0x4F06B58: WriteImage (constitute.c:1114)
==23410== by 0x4F07412: WriteImages (constitute.c:1333)
==23410== by 0x56F6F6A: ConvertImageCommand (convert.c:3280)
==23410== by 0x577B8C4: MagickCommandGenesis (mogrify.c:183)
==23410== by 0x10936C: MagickMain (magick.c:149)
==23410== by 0x1094A9: main (magick.c:180)
==23410==
==23410== Conditional jump or move depends on uninitialised value(s)
==23410== at 0x5121DC7: AbsolutePixelValue (pixel-accessor.h:440)
==23410== by 0x5121FA5: IsPixelInfoEquivalent (pixel-accessor.h:540)
==23410== by 0x5126DA4: WriteGIFImage (gif.c:1670)
==23410== by 0x4F06B58: WriteImage (constitute.c:1114)
==23410== by 0x4F07412: WriteImages (constitute.c:1333)
==23410== by 0x56F6F6A: ConvertImageCommand (convert.c:3280)
==23410== by 0x577B8C4: MagickCommandGenesis (mogrify.c:183)
==23410== by 0x10936C: MagickMain (magick.c:149)
==23410== by 0x1094A9: main (magick.c:180)
==23410==
...
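As an added example (not from this report or from ImageMagick's code base), a small GIF structure walker in C that flags files in which some frame has neither a Global nor a Local Color Table, the condition described above; a loader that hands untrusted GIFs to the library can use such a check to reject them up front. The sample byte arrays are constructed here and are not the report's sample.gif.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Walk the GIF block structure and report whether every frame has a palette:
 * 1 = every frame has a Global or Local Color Table, 0 = some frame has
 * neither (the condition in this report), -1 = truncated or malformed. */
int gif_frames_have_palette(const uint8_t *buf, size_t len)
{
    if (len < 13 || memcmp(buf, "GIF", 3) != 0) return -1;
    int has_gct = buf[10] & 0x80;                   /* LSD packed byte, bit 7 */
    size_t pos = 13;
    if (has_gct) pos += 3u << ((buf[10] & 0x07) + 1); /* GCT is 3*2^(N+1) bytes */
    while (pos < len) {
        uint8_t tag = buf[pos++];
        if (tag == 0x3B) return 1;                  /* trailer: all frames seen */
        if (tag == 0x21) pos += 1;                  /* extension: skip the label byte */
        else if (tag == 0x2C) {                     /* image descriptor */
            if (pos + 9 > len) return -1;
            int has_lct = buf[pos + 8] & 0x80;      /* descriptor packed byte, bit 7 */
            if (!has_gct && !has_lct) return 0;     /* frame with no palette at all */
            if (has_lct) pos += 3u << ((buf[pos + 8] & 0x07) + 1);
            pos += 9 + 1;                           /* descriptor + LZW min code size */
        } else return -1;                           /* unknown block introducer */
        for (;;) {                                  /* skip data sub-blocks */
            if (pos >= len) return -1;
            uint8_t n = buf[pos++];
            if (n == 0) break;                      /* block terminator */
            pos += n;
        }
    }
    return -1;                                      /* ran out before the trailer */
}

/* Constructed 1x1 samples for illustration (not the report's sample.gif). */
static const uint8_t gif_with_gct[] = {
    'G','I','F','8','9','a', 1,0, 1,0, 0x80, 0,0,   /* LSD with GCT flag set */
    0x00,0x00,0x00, 0xFF,0xFF,0xFF,                 /* 2-entry GCT */
    0x2C, 0,0, 0,0, 1,0, 1,0, 0x00,                 /* image descriptor, no LCT */
    0x02, 0x02,0x44,0x01, 0x00, 0x3B };             /* LZW data, trailer */
static const uint8_t gif_no_palette[] = {
    'G','I','F','8','9','a', 1,0, 1,0, 0x00, 0,0,   /* LSD without GCT */
    0x21,0xF9, 0x04, 0,0,0,0, 0x00,                 /* graphic control extension */
    0x2C, 0,0, 0,0, 1,0, 1,0, 0x00,                 /* image descriptor, no LCT */
    0x02, 0x02,0x44,0x01, 0x00, 0x3B };

int check_with_gct(void)   { return gif_frames_have_palette(gif_with_gct, sizeof gif_with_gct); }
int check_no_palette(void) { return gif_frames_have_palette(gif_no_palette, sizeof gif_no_palette); }
int check_truncated(void)  { return gif_frames_have_palette(gif_with_gct, 20); }
```

The walker only inspects block structure and never decodes pixel data, so it is cheap enough to run on every input before the file reaches the image library.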