
Division by zero in MagickCore/cache.c #708

Closed

Description

@0ahu

A "division by zero" bug in MagickCore/cache.c allows a remote attacker to cause a denial of service to ImageMagick via "convert 2-im2pcd out.pcd".

ASAN:DEADLYSIGNAL
==122813==ERROR: AddressSanitizer: FPE on unknown address 0x000000000189 (pc 0x0000009c8ae1 bp 0x0c4a00000a26 sp 0x7ffcdaf8f780 T0)
    #0 0x9c8ae0 in GetPixelCacheTileSize /home/share/imagemagic/source-imagemagick/MagickCore/cache.c:2313:16
    #1 0xd36aea in IntegralRotateImage /home/share/imagemagic/source-imagemagick/MagickCore/shear.c:764:7
    #2 0xac5ed2 in RotateImage /home/share/imagemagic/source-imagemagick/MagickCore/distort.c:2830:12
    #3 0x7c5824 in WritePCDImage /home/share/imagemagic/source-imagemagick/coders/pcd.c:1102:20
    #4 0xa290ff in WriteImage /home/share/imagemagic/source-imagemagick/MagickCore/constitute.c:1114:14
    #5 0xa2a32d in WriteImages /home/share/imagemagic/source-imagemagick/MagickCore/constitute.c:1333:13
    #6 0xeb5a6a in ConvertImageCommand /home/share/imagemagic/source-imagemagick/MagickWand/convert.c:3280:11
    #7 0xfc75da in MagickCommandGenesis /home/share/imagemagic/source-imagemagick/MagickWand/mogrify.c:183:14
    #8 0x519269 in MagickMain /home/share/imagemagic/source-imagemagick/utilities/magick.c:162:10
    #9 0x519269 in main /home/share/imagemagic/source-imagemagick/utilities/magick.c:197
    #10 0x7f122ad4182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x420f98 in _start (/home/share/imagemagic/test/magick+0x420f98)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/share/imagemagic/source-imagemagick/MagickCore/cache.c:2313:16 in GetPixelCacheTileSize
==122813==ABORTING

And the PoC:
https://github.com/lifuhao123/feijidepoc/blob/master/2-im2pcd

Note that this issue was found by lifuhao from Aliyun Security Team.
Thanks.
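The trace above shows an integer division faulting inside a pixel-cache tile-size helper during a rotate issued by the PCD writer. As an added illustration, not ImageMagick's code and not the change that closed this issue, here is a hypothetical tile-count computation in C with the unguarded form beside a guarded one that refuses a zero divisor and a degenerate geometry before dividing. The struct `cache_geometry` and the functions `tile_count_unguarded` and `tile_count_guarded` are invented for this example; the sample geometries in `main` are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for an image's pixel-cache geometry. This is not
   ImageMagick's CacheInfo; it is constructed for this example only. */
typedef struct {
    size_t columns;      /* image width in pixels */
    size_t rows;         /* image height in pixels */
    size_t channels;     /* samples per pixel, e.g. 3 for RGB */
    size_t quantum_size; /* bytes per sample */
    size_t tile_length;  /* bytes per cache tile; this is the divisor */
} cache_geometry;

/* Unguarded form: the division runs unconditionally. If tile_length is 0,
   the integer division raises SIGFPE on x86, which is the "FPE" that
   AddressSanitizer reports in the trace above. The compiler will not save
   you here; integer division by zero is undefined behaviour in C. */
static uint64_t tile_count_unguarded(const cache_geometry *g)
{
    uint64_t pixel_bytes = (uint64_t)g->columns * g->rows *
                           g->channels * g->quantum_size;
    return pixel_bytes / g->tile_length; /* faults when tile_length == 0 */
}

/* Guarded form: reject a zero divisor and a zero-sized image before
   dividing, and refuse geometries whose byte count would overflow 64 bits.
   Failure is reported through *ok so the caller can return an error
   instead of crashing the process. */
static uint64_t tile_count_guarded(const cache_geometry *g, bool *ok)
{
    *ok = false;
    if (g->tile_length == 0 || g->columns == 0 || g->rows == 0 ||
        g->channels == 0 || g->quantum_size == 0)
        return 0;

    /* Multiply step by step, checking each product for overflow. */
    uint64_t pixel_bytes = (uint64_t)g->columns;
    const size_t factors[3] = { g->rows, g->channels, g->quantum_size };
    for (int i = 0; i < 3; i++) {
        uint64_t next = pixel_bytes * factors[i];
        if (next / factors[i] != pixel_bytes)
            return 0; /* would overflow; treat as invalid geometry */
        pixel_bytes = next;
    }

    *ok = true;
    return pixel_bytes / g->tile_length;
}

int main(void)
{
    bool ok;

    /* Constructed sample: an ordinary 640x480 RGB image, 16-bit samples. */
    cache_geometry normal = { 640, 480, 3, 2, 4096 };
    printf("normal: %llu tiles (ok=%d)\n",
           (unsigned long long)tile_count_guarded(&normal, &ok), ok);

    /* Constructed sample: same image, but the cache reports a zero tile
       length. The guarded helper refuses it; the unguarded one would fault. */
    cache_geometry degenerate = { 640, 480, 3, 2, 0 };
    uint64_t n = tile_count_guarded(&degenerate, &ok);
    printf("degenerate: %llu tiles (ok=%d)\n", (unsigned long long)n, ok);
    if (!ok)
        fprintf(stderr, "refusing zero-length tile; would have raised SIGFPE\n");
    return 0;
}
```

The guarded helper deliberately returns a status separate from the value: a zero tile count is a legitimate result for a tiny image, so a caller cannot distinguish "invalid" from "zero" without the `ok` flag.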
