Description
A "division by zero" bug in MagickCore/cache.c allows a remote attacker to cause a denial of service in ImageMagick via "convert 2-im2pcd out.pcd".
```
ASAN:DEADLYSIGNAL
==122813==ERROR: AddressSanitizer: FPE on unknown address 0x000000000189 (pc 0x0000009c8ae1 bp 0x0c4a00000a26 sp 0x7ffcdaf8f780 T0)
    #0 0x9c8ae0 in GetPixelCacheTileSize /home/share/imagemagic/source-imagemagick/MagickCore/cache.c:2313:16
    #1 0xd36aea in IntegralRotateImage /home/share/imagemagic/source-imagemagick/MagickCore/shear.c:764:7
    #2 0xac5ed2 in RotateImage /home/share/imagemagic/source-imagemagick/MagickCore/distort.c:2830:12
    #3 0x7c5824 in WritePCDImage /home/share/imagemagic/source-imagemagick/coders/pcd.c:1102:20
    #4 0xa290ff in WriteImage /home/share/imagemagic/source-imagemagick/MagickCore/constitute.c:1114:14
    #5 0xa2a32d in WriteImages /home/share/imagemagic/source-imagemagick/MagickCore/constitute.c:1333:13
    #6 0xeb5a6a in ConvertImageCommand /home/share/imagemagic/source-imagemagick/MagickWand/convert.c:3280:11
    #7 0xfc75da in MagickCommandGenesis /home/share/imagemagic/source-imagemagick/MagickWand/mogrify.c:183:14
    #8 0x519269 in MagickMain /home/share/imagemagic/source-imagemagick/utilities/magick.c:162:10
    #9 0x519269 in main /home/share/imagemagic/source-imagemagick/utilities/magick.c:197
    #10 0x7f122ad4182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x420f98 in _start (/home/share/imagemagic/test/magick+0x420f98)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/share/imagemagic/source-imagemagick/MagickCore/cache.c:2313:16 in GetPixelCacheTileSize
==122813==ABORTING
```
And the PoC:
https://github.com/lifuhao123/feijidepoc/blob/master/2-im2pcd
Note that this issue was found by lifuhao from Aliyun Security Team.
Thanks.
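The trace above ends in an FPE inside a tile-size computation, which is the classic shape of an integer division whose divisor is derived from image geometry that a crafted input can drive to zero. The following is an added illustration, not ImageMagick's code and not the actual logic at cache.c:2313: a hypothetical `checked_tile_size` helper shows the defensive pattern a fix typically takes, validating the geometry and returning a status instead of letting the divisor reach zero. The function name, parameters and the 640x480 / zero-row inputs are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not ImageMagick code): derive a tile geometry for a
 * pixel cache of 'columns' x 'rows' pixels, budgeted to at most 'tile_pixels'
 * pixels per tile.  Returns 1 on success and 0 when the input would make a
 * divisor zero, so a degenerate image is rejected instead of trapping with
 * an FPE as in the report's stack trace. */
int checked_tile_size(size_t columns, size_t rows, size_t tile_pixels,
                      size_t *tile_width, size_t *tile_height)
{
    /* Guard every quantity that later appears as a divisor. */
    if (columns == 0 || rows == 0 || tile_pixels == 0)
        return 0;

    /* Tile width: a whole row if it fits in the budget, else the budget. */
    *tile_width = (columns <= tile_pixels) ? columns : tile_pixels;

    /* Tile height: how many rows of that width fit in the budget.
     * *tile_width is provably non-zero here, so this division is safe. */
    *tile_height = tile_pixels / *tile_width;
    if (*tile_height == 0)
        *tile_height = 1;
    if (*tile_height > rows)
        *tile_height = rows;
    return 1;
}

/* Driver with constructed inputs: a normal image and a zero-row one. */
int main(void)
{
    size_t w = 0, h = 0;

    /* constructed 640x480 image, 65536-pixel tile budget */
    if (checked_tile_size(640, 480, 65536, &w, &h))
        printf("640x480 -> tile %zux%zu\n", w, h);

    /* constructed degenerate geometry: rows == 0 */
    if (!checked_tile_size(640, 0, 65536, &w, &h))
        printf("rejected zero-row geometry instead of dividing by zero\n");

    return 0;
}
```

The point of the pattern is that the check happens once, on the geometry, before any arithmetic that uses it as a divisor; callers such as a rotate or a coder's write path then see an error status rather than a process abort, which is what turns a crafted file from a crash into a handled failure.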