
Division by zero in MagickCore/cache.c #708

Closed
0ahu opened this issue Aug 31, 2017 · 3 comments
0ahu commented Aug 31, 2017

A "division by zero" bug in MagickCore/cache.c allows a remote attacker to cause a denial of service to ImageMagick via "convert 2-im2pcd out.pcd"

ASAN:DEADLYSIGNAL
==122813==ERROR: AddressSanitizer: FPE on unknown address 0x000000000189 (pc 0x0000009c8ae1 bp 0x0c4a00000a26 sp 0x7ffcdaf8f780 T0)
    #0 0x9c8ae0 in GetPixelCacheTileSize /home/share/imagemagic/source-imagemagick/MagickCore/cache.c:2313:16
    #1 0xd36aea in IntegralRotateImage /home/share/imagemagic/source-imagemagick/MagickCore/shear.c:764:7
    #2 0xac5ed2 in RotateImage /home/share/imagemagic/source-imagemagick/MagickCore/distort.c:2830:12
    #3 0x7c5824 in WritePCDImage /home/share/imagemagic/source-imagemagick/coders/pcd.c:1102:20
    #4 0xa290ff in WriteImage /home/share/imagemagic/source-imagemagick/MagickCore/constitute.c:1114:14
    #5 0xa2a32d in WriteImages /home/share/imagemagic/source-imagemagick/MagickCore/constitute.c:1333:13
    #6 0xeb5a6a in ConvertImageCommand /home/share/imagemagic/source-imagemagick/MagickWand/convert.c:3280:11
    #7 0xfc75da in MagickCommandGenesis /home/share/imagemagic/source-imagemagick/MagickWand/mogrify.c:183:14
    #8 0x519269 in MagickMain /home/share/imagemagic/source-imagemagick/utilities/magick.c:162:10
    #9 0x519269 in main /home/share/imagemagic/source-imagemagick/utilities/magick.c:197
    #10 0x7f122ad4182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x420f98 in _start (/home/share/imagemagic/test/magick+0x420f98)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/share/imagemagic/source-imagemagick/MagickCore/cache.c:2313:16 in GetPixelCacheTileSize
==122813==ABORTING

And the poc:
https://github.com/lifuhao123/feijidepoc/blob/master/2-im2pcd

Note that this issue was found by lifuhao from Aliyun Security Team.
Thanks.

@0ahu 0ahu changed the title "FPE on unknown address" error when converting to pdf "FPE on unknown address" error when converting file to pdf Aug 31, 2017
@0ahu 0ahu changed the title "FPE on unknown address" error when converting file to pdf "FPE on unknown address" error when converting a file to pcd Aug 31, 2017
@0ahu 0ahu changed the title "FPE on unknown address" error when converting a file to pcd "FPE on unknown address" error while converting a file to pcd Aug 31, 2017
@mikayla-grace

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.


dlemstra commented Sep 3, 2017

IM7 commit: 2071d67
IM6 commit: 66112b7

@dlemstra dlemstra added the bug label Sep 3, 2017
@dlemstra dlemstra closed this as completed Sep 3, 2017
@0ahu 0ahu changed the title "FPE on unknown address" error while converting a file to pcd Division by zero in MagickCore/cache.c Sep 8, 2017

nohmask commented Sep 12, 2017

This was assigned CVE-2017-14249.
