CVE-2017-14173: An infinite loop in ReadTXTImage():449, coders/txt.c #713

shqking opened this issue Aug 31, 2017 · 4 comments

shqking commented Aug 31, 2017

A mistake...

shqking changed the title from "An Infinite loop issue in ReadTXTImage():449, coders/txt.c" to "A mistake..." on Aug 31, 2017
shqking closed this as completed on Aug 31, 2017
@urban-warrior
Contributor

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

Member

dlemstra commented Sep 1, 2017

@shqking Could you put your original message back? We did get your email but it is okay to post the message here. We are planning to add a contribution template that explains when you should contact us by e-mail.

dlemstra reopened this on Sep 1, 2017
dlemstra added the bug label on Sep 1, 2017
shqking changed the title from "A mistake..." to "An infinite loop in ReadTXTImage():449, coders/txt.c" on Sep 1, 2017
Author

shqking commented Sep 1, 2017

Hi all,
Thanks for your prompt reply.
The details of this infinite loop issue are described below.

We found an infinite loop bug in ReadTXTImage():449, coders/txt.c.
The vulnerable code is shown below.

447     image->columns=width;
448     image->rows=height;
449     for (depth=1; (GetQuantumRange(depth)+1) < max_value; depth++) ;
450     image->depth=depth;

An integer overflow might occur for the addition operation GetQuantumRange(depth)+1 when depth is greater than 64, producing a smaller value than expected.
As a result, an infinite loop would occur if a crafted TXT file, which claims a very large max_value, i.e. a big value between 0x8000000000000001L and 0xffffffffffffffff, is provided.

poc: https://github.com/shqking/imagemagick-poc/blob/master/x_txt_poc.txt
In our poc, we set max_value as 0x8000000000000001L.
The command we were using is convert x_txt_poc.txt test.jpg

Note that this issue is found by Xiaohei and Wangchu from Alibaba Security Team.
Thanks a lot.

dlemstra closed this as completed on Sep 1, 2017
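
An added example, not part of the original report and not ImageMagick's code or patch: a C model of the loop condition quoted in the report above, next to a depth-bounded variant. The names `quantum_range`, `depth_unbounded`, `depth_bounded` and the `budget` parameter are hypothetical, and `quantum_range` is an assumed 64-bit stand-in for GetQuantumRange that saturates at depth 64 to stay within defined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for GetQuantumRange(): largest value that fits in `depth`
   bits of a 64-bit type. Saturates at depth >= 64 to avoid an undefined shift. */
static uint64_t quantum_range(size_t depth)
{
    return depth >= 64 ? UINT64_MAX : (((uint64_t)1) << depth) - 1;
}

/* Loop condition as quoted from txt.c:449. `budget` is a hypothetical iteration
   cap added only so this demo can report non-termination; returns 0 if hit. */
static size_t depth_unbounded(uint64_t max_value, size_t budget)
{
    size_t depth;
    for (depth = 1; (quantum_range(depth) + 1) < max_value; depth++)
        if (depth >= budget)
            return 0;            /* would have looped forever */
    return depth;
}

/* Bounded variant: depth never exceeds the width of the type, so the
   addition is only evaluated where it cannot wrap (depth < 64). */
static size_t depth_bounded(uint64_t max_value)
{
    size_t depth;
    for (depth = 1; depth < 64 && (quantum_range(depth) + 1) < max_value; depth++)
        ;
    return depth;
}

int main(void)
{
    /* Constructed inputs: two ordinary maxima and the value used in the report. */
    const uint64_t samples[] = { 255, 65535, 0x8000000000000001ULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("max_value=%#llx unbounded=%zu bounded=%zu\n",
               (unsigned long long)samples[i],
               depth_unbounded(samples[i], 1000), depth_bounded(samples[i]));
    return 0;
}
```

For any max_value above 0x8000000000000000 the sum wraps to 0 once depth reaches 64, so the unbounded condition stays true; the bounded variant stops at depth 64 instead.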
Author

shqking commented Sep 7, 2017

This is CVE-2017-14173.

shqking changed the title from "An infinite loop in ReadTXTImage():449, coders/txt.c" to "CVE-2017-14173: An infinite loop in ReadTXTImage():449, coders/txt.c" on Sep 7, 2017