Stuck in LockSemaphoreInfo after reading a png with width==MAGICK_WIDTH_LIMIT #596
|
Post it here. Check the vulnerability against the latest 6.9.9-1 Beta release @ https://www.imagemagick.org/download/beta/. There have been some patches to the PNG coder recently that might have already resolved the vulnerability you detected. |
|
Please cc security@debian.org also. |
|
It appears to still be an issue with https://www.imagemagick.org/download/beta/ImageMagick-6.9.9-1~beta20170721.tar.xz. If you try to read an image whose width exactly matches I'm able to reproduce it with this code:

```c
#include <stdio.h>
#include <string.h>
#include "magick/MagickCore.h"
#include "magick/magick-config.h"

/* Read the given file once with MagickCore and report what happened. */
void PrintImage(char* filename) {
  ImageInfo* info = CloneImageInfo((ImageInfo *) NULL);
  /* Bounded copy into the fixed-size filename buffer instead of strcpy. */
  CopyMagickString(info->filename, filename, MaxTextExtent);
  SetImageInfoFile(info, NULL);
  ExceptionInfo *exception = AcquireExceptionInfo();
  printf("Attempt to read %s\n", filename);
  Image* image = ReadImage(info, exception);
  /* reason/description are NULL when no exception was raised; printing a NULL
     through %s is undefined behaviour, so substitute placeholders. */
  printf("%s: %s %s\n", info->filename,
         exception->reason ? exception->reason : "(no reason)",
         exception->description ? exception->description : "(no description)");
  if (image) {
    /* columns and rows are size_t, so %zu is the correct conversion, not %i. */
    printf("%zux%zu\n", image->columns, image->rows);
    DestroyImage(image);
  }
  DestroyExceptionInfo(exception);
  DestroyImageInfo(info);
}

int main(int argc, char *argv[]) {
  if (argc < 2) {
    printf("specify a filename to read\n");
    return 1;
  }
  MagickCoreGenesis(*argv, MagickTrue);
  /* Read the same file twice, as in the original report. */
  PrintImage(argv[1]);
  PrintImage(argv[1]);
  MagickCoreTerminus();
  return 0;
}
```

by passing it the path to a png file, with |
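A defender-side pre-flight check, added here as an example and not code from this thread or from ImageMagick: it parses only the PNG signature and IHDR chunk and rejects a file whose width or height reaches a configured limit, so a file sitting on the width == MAGICK_WIDTH_LIMIT boundary never reaches the decoder. The limit value, the helper names and the applied-to-both-axes policy are assumptions; the header bytes in the usage are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Policy limit for this check; the value is constructed for the example. Set it
 * to the MAGICK_WIDTH_LIMIT of the ImageMagick build you deploy (assumption). */
#define WIDTH_POLICY_LIMIT 10000000UL

/* A PNG starts with an 8-byte signature, then the IHDR chunk:
 * length (4) | "IHDR" (4) | width (4) | height (4) | 5 more bytes | CRC (4). */
#define PNG_HEADER_LEN 33
static const unsigned char PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 1 if buf holds a well-formed PNG header whose width and height are
 * non-zero and strictly below WIDTH_POLICY_LIMIT, 0 otherwise. Only the first
 * 33 bytes are read, so the check is cheap and runs before any decoder. */
int png_dimensions_within_policy(const unsigned char *buf, size_t len,
                                 uint32_t *width, uint32_t *height) {
    if (buf == NULL || len < PNG_HEADER_LEN) return 0;
    if (memcmp(buf, PNG_SIG, 8) != 0) return 0;
    if (be32(buf + 8) != 13 || memcmp(buf + 12, "IHDR", 4) != 0) return 0;
    uint32_t w = be32(buf + 16), h = be32(buf + 20);
    if (width) *width = w;
    if (height) *height = h;
    if (w == 0 || h == 0) return 0;              /* PNG forbids zero dimensions */
    /* Reject the limit itself, not only values above it: the hang in this
     * issue is triggered by width == MAGICK_WIDTH_LIMIT. */
    if (w >= WIDTH_POLICY_LIMIT || h >= WIDTH_POLICY_LIMIT) return 0;
    return 1;
}

/* Writes a constructed 33-byte PNG header with the given dimensions into out
 * (CRC left zero; the check above does not verify it). Returns bytes written. */
size_t make_png_header(unsigned char out[PNG_HEADER_LEN], uint32_t w, uint32_t h) {
    memset(out, 0, PNG_HEADER_LEN);
    memcpy(out, PNG_SIG, 8);
    out[11] = 13;                      /* chunk length 13, big-endian */
    memcpy(out + 12, "IHDR", 4);
    for (int i = 0; i < 4; i++) {
        out[16 + i] = (unsigned char)(w >> (24 - 8 * i));
        out[20 + i] = (unsigned char)(h >> (24 - 8 * i));
    }
    out[24] = 8; out[25] = 6;          /* 8-bit RGBA; compression/filter/interlace 0 */
    return PNG_HEADER_LEN;
}
```

Run the check on the first 33 bytes of an upload before handing the file to ReadImage; a rejection here is also a useful log event, since legitimate images do not sit at the limit.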
|
What is your libpng version? Run "convert -list format | grep PNG" to find out. |
|
libpng 1.2.50 |
|
Wow, a 5-year-old version of libpng. There have been changes in the user-limit handling since then. It would be good to find out if the problem persists with libpng-1.2.56 (current libpng12) or with libpng-1.6.30. |
|
I see the same problem with 1.2.56 and 1.6.30. |
|
Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow. |
|
Please use CVE-2017-13140 for this issue. |
Hi there - I've discovered a potential DoS vulnerability in ImageMagick 6.9 (but not 7) when dealing with PNGs. Is there a security-reporting email I should contact, or shall I just post it here?
[Edit: updated the title to be more descriptive, given the bug is fully described below]