IM GIF decoder detects new frame where there is none #831

Closed
cyburgee opened this Issue Oct 5, 2017 · 5 comments


cyburgee commented Oct 5, 2017

Using e9d84ca, IM detects an invalid frame where there doesn't seem to be any, according to my inspection of the file. I'm running OS X 10.12.6.

Here's an example file:
https://www.dropbox.com/s/mj46nggav4jeujm/example.gif?dl=0

$ identify --version
Version: ImageMagick 7.0.7-7 Q8 x86_64 2017-10-05 http://www.imagemagick.org
Copyright: © 1999-2017 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI 
Delegates (built-in): bzlib fftw fontconfig freetype jng jpeg lcms lzma openexr pangocairo png tiff webp x xml zlib
$ identify example.gif
example.gif[0] GIF 200x11 200x11+0+0 8-bit sRGB 256c 12902B 0.010u 0:00.009
example.gif[1] GIF 198x11 200x11+1+0 8-bit sRGB 128c 12902B 0.010u 0:00.009
example.gif[2] GIF 200x11 200x11+0+0 8-bit sRGB 256c 12902B 0.010u 0:00.009
example.gif[3] GIF 198x11 200x11+2+0 8-bit sRGB 64c 12902B 0.010u 0:00.009
example.gif[4] GIF 197x11 200x11+1+0 8-bit sRGB 64c 12902B 0.010u 0:00.009
example.gif[5] GIF 199x11 200x11+1+0 8-bit sRGB 64c 12902B 0.010u 0:00.009
example.gif[6] GIF 195x11 200x11+2+0 8-bit sRGB 64c 12902B 0.010u 0:00.009
example.gif[7] GIF 197x11 200x11+1+0 8-bit sRGB 128c 12902B 0.010u 0:00.009
example.gif[8] GIF 197x11 200x11+2+0 8-bit sRGB 64c 12902B 0.010u 0:00.009
example.gif[9] GIF 1x1 200x11+38+5 8-bit sRGB 256c 12902B 0.010u 0:00.009
example.gif[10] GIF 198x11 200x11+0+0 8-bit sRGB 64c 12902B 0.010u 0:00.009
example.gif[11] GIF 198x11 200x11+2+0 8-bit sRGB 64c 12902B 0.010u 0:00.009
example.gif[12] GIF 168x9 200x11+30+2 8-bit sRGB 32c 12902B 0.010u 0:00.009
example.gif[13] GIF 182x11 200x11+16+0 8-bit sRGB 32c 12902B 0.010u 0:00.009
example.gif[14] GIF 193x11 200x11+3+0 8-bit sRGB 32c 12902B 0.010u 0:00.009
example.gif[15] GIF 194x9 200x11+2+1 8-bit sRGB 16c 12902B 0.010u 0:00.009
example.gif[16] GIF 195x9 200x11+2+2 8-bit sRGB 32c 12902B 0.010u 0:00.009
example.gif[17] GIF 32x7 200x11+10+1 8-bit sRGB 3c 12902B 0.010u 0:00.009
example.gif[18] GIF 161x6 200x11+37+2 8-bit sRGB 32c 12902B 0.000u 0:00.009
example.gif[19] GIF 190x10 200x11+8+1 8-bit sRGB 32c 12902B 0.000u 0:00.009
example.gif[20] GIF 193x11 200x11+6+0 8-bit sRGB 16c 12902B 0.000u 0:00.009
example.gif[21] GIF 161x7 200x11+37+3 8-bit sRGB 32c 12902B 0.000u 0:00.009
example.gif[22] GIF 196x9 200x11+3+2 8-bit sRGB 32c 12902B 0.000u 0:00.009
example.gif[23] GIF 190x6 200x11+6+3 8-bit sRGB 16c 12902B 0.000u 0:00.009
example.gif[24] GIF 192x10 200x11+6+1 8-bit sRGB 32c 12902B 0.000u 0:00.009
example.gif[25] GIF 163x9 200x11+37+1 8-bit sRGB 9c 12902B 0.000u 0:00.009
example.gif[26] GIF 8159x64597 200x11+52602+47982 8-bit sRGB 256c 12902B 0.000u 0:00.000
example.gif[27] GIF 154x5 200x11+39+4 8-bit sRGB 8c 12902B 0.000u 0:00.000
example.gif[28] GIF 194x11 200x11+3+0 8-bit sRGB 32c 12902B 0.000u 0:00.000
example.gif[29] GIF 198x11 200x11+2+0 8-bit sRGB 64c 12902B 0.000u 0:00.000
example.gif[30] GIF 193x11 200x11+5+0 8-bit sRGB 32c 12902B 0.000u 0:00.000
example.gif[31] GIF 197x9 200x11+1+2 8-bit sRGB 32c 12902B 0.000u 0:00.000
example.gif[32] GIF 142x5 200x11+37+3 8-bit sRGB 4c 12902B 0.000u 0:00.000
example.gif[33] GIF 156x5 200x11+38+3 8-bit sRGB 256c 12902B 0.000u 0:00.000
example.gif[34] GIF 102x5 200x11+96+6 8-bit sRGB 16c 12902B 0.000u 0:00.000
identify: corrupt image `example.gif' @ error/gif.c/PingGIFImage/929.

The GIF decoding in IM seems to think that there's a very large frame after no. 25, which simply isn't there.

mikayla-grace commented Oct 5, 2017

For security reasons, ImageMagick throws an exception if it finds any metadata in an image that does not conform to the image specification. ImageMagick is finding an improper data size @ frame 18 and concludes the image is corrupt. Some other applications may ignore these kinds of problems and attempt to recover. Note, older versions of ImageMagick would make an attempt to ignore image corruption.

Try these commands

identify 'example.gif[0-17]'
identify 'example.gif[0-18]'

The first works and returns without complaint. The second returns a corrupt image exception.

We used an online GIF repair website; the repaired image file could be read by ImageMagick without complaint.

cyburgee commented Oct 6, 2017

By my inspection of the hex below, there doesn't seem to be an improper data size.
Frame No. 17

21 F9 04 05 07 00 02 00 2C 0A 00 01 00 20 00 07 00 80 40 40 42 54 53 56 02 10 8C 8E A9 CB ED 0F A3 9C B4 5A 65 AE DE 09 88 02 00 

Frame No. 18

21 F9 04 05 0E 00 16 00 2C 25 00 02 00 A1 00 06 00 84 37 C6 27 3A 77 33 4A 4A 4C 4F 4E 51 53 53 55 56 56 59 59 56 5B 6F 6E 71 80 7F 83 83 83 84 86 86 88 8B 8B 8D 8E 8E 91 90 8F 92 99 99 9A A3 A2 A4 A6 A6 A8 A7 A8 A8 B3 B3 B4 BA B9 BB BD BC BE C6 C6 C8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 4C A0 25 8E E4 28 94 68 AA AE 6C EB BE 70 2C CF 64 F1 9C D6 42 EF 7C EF FF C0 55 02 62 89 04 8F C8 A4 72 74 18 4D 66 84 96 64 49 AD 2A 9F BE 48 22 82 B3 26 03 00 AF D8 C2 68 31 2A 24 04 C5 F0 18 58 12 BA B1 7C 1E 6C 28 5C 8E 51 08 00

Nothing seemed amiss in my manual inspection but I certainly could have made a mistake. Do you have any insight into what data size is improper?

I was able to reproduce the result from your commands above, but oddly, if I try to extract no. 17 I get an invalid GIF result.

$ convert example.gif[0-16] example_16.gif
$ convert example.gif[0-17] example_17.gif
convert: corrupt image `example.gif' @ error/gif.c/DecodeImage/419.
convert: corrupt image `example.gif' @ error/gif.c/ReadGIFImage/1384.
convert: no images defined `example_17.gif' @ error/convert.c/ConvertImageCommand/3275.

Is that to be expected?

urban-warrior commented Oct 6, 2017

An improper data size suggests that there are extra bytes or missing bytes somewhere in the stream, or perhaps an improperly compressed pixel stream. The question, of course, is: is the stream improper, or is it a bug in ImageMagick? We will need proof it's a bug before we can investigate further.

cyburgee commented Oct 6, 2017

So, it seems that IM thinks that the color table size of frame 17 is 9 bytes when it is in fact 6. There seems to be some confusion in the decoder between the color table size and image->colors. If transparency is present, the number of colors in the image could be the table size + 1. I have a fix for the improper read size issue, but I'm still seeing some issues when it comes to encoding the transparency.
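As an added illustration (not code from this thread or from ImageMagick), the parser below walks the two frame records quoted above and keeps the local colour table's byte size, which comes from the Image Descriptor's size bits, separate from the frame's colour count; the colour-count rule (one more than the table when the transparent index lies past it) is reconstructed from the identify output above, where frame 17 shows 3c and frame 18 shows 32c. The `table_from_colors` switch models the mix-up described here: frame 17 then fails to parse, while frame 18 still parses because its transparent index falls inside the table.

```python
import struct

# Frame records transcribed from the hex dumps quoted in the thread
# (GCE, Image Descriptor, local colour table, LZW data sub-blocks).
FRAME_17 = bytes.fromhex(
    "21 F9 04 05 07 00 02 00 2C 0A 00 01 00 20 00 07 00 80 40 40 42 54 53 56 02 10"
    "8C 8E A9 CB ED 0F A3 9C B4 5A 65 AE DE 09 88 02 00")
FRAME_18 = bytes.fromhex(
    "21 F9 04 05 0E 00 16 00 2C 25 00 02 00 A1 00 06 00 84 37 C6 27 3A 77 33 4A 4A"
    "4C 4F 4E 51 53 53 55 56 56 59 59 56 5B 6F 6E 71 80 7F 83 83 83 84 86 86 88 8B 8B"
    "8D 8E 8E 91 90 8F 92 99 99 9A A3 A2 A4 A6 A6 A8 A7 A8 A8 B3 B3 B4 BA B9 BB BD BC"
    "BE C6 C6 C8" + "00" * 30 + "05 4C A0 25 8E E4 28 94 68 AA AE 6C EB BE 70 2C CF"
    "64 F1 9C D6 42 EF 7C EF FF C0 55 02 62 89 04 8F C8 A4 72 74 18 4D 66 84 96 64 49"
    "AD 2A 9F BE 48 22 82 B3 26 03 00 AF D8 C2 68 31 2A 24 04 C5 F0 18 58 12 BA B1 7C"
    "1E 6C 28 5C 8E 51 08 00")

def parse_frame(buf: bytes, table_from_colors: bool = False) -> dict:
    """Walk one frame record. With table_from_colors=True the colour table is
    sized from the colour count (colors * 3) instead of the descriptor's size
    bits, modelling the mix-up described in the thread."""
    pos, transparent = 0, None
    if buf[:2] == b"\x21\xF9":                           # Graphic Control Extension
        if buf[2] != 4 or buf[7] != 0:
            raise ValueError("malformed Graphic Control Extension")
        transparent = buf[6] if buf[3] & 0x01 else None  # bit 0: transparent colour flag
        pos = 8
    if buf[pos] != 0x2C:
        raise ValueError("expected Image Descriptor (0x2C)")
    left, top, width, height = struct.unpack_from("<4H", buf, pos + 1)
    packed, pos = buf[pos + 9], pos + 10
    entries = 2 ** ((packed & 0x07) + 1) if packed & 0x80 else 0   # local colour table
    # identify reports one colour more than the table holds when the transparent
    # index lies past its last entry (reconstructed from the output above)
    colors = max(entries, transparent + 1) if transparent is not None else entries
    pos += (colors if table_from_colors else entries) * 3
    min_code_size, pos = buf[pos], pos + 1
    if not 2 <= min_code_size <= 8:                      # GIF89a Appendix F range
        raise ValueError(f"invalid LZW minimum code size {min_code_size}")
    data = 0
    while True:                                          # LZW data sub-blocks
        n, pos = buf[pos], pos + 1
        if n == 0:                                       # block terminator
            break
        if pos + n > len(buf):
            raise ValueError(f"{n}-byte sub-block at offset {pos} overruns the frame")
        data, pos = data + n, pos + n
    if pos != len(buf):
        raise ValueError(f"{len(buf) - pos} unexpected trailing bytes")
    return {"geometry": f"{width}x{height}+{left}+{top}", "transparent": transparent,
            "table_entries": entries, "table_bytes": entries * 3, "colors": colors,
            "min_code_size": min_code_size, "data_bytes": data}
```

`parse_frame(FRAME_17)` reports a 2-entry (6-byte) table and 3 colours; `parse_frame(FRAME_17, table_from_colors=True)` skips 9 bytes, lands inside the LZW data and raises, which is the shape of the "improper data size" failure discussed above.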

mikayla-grace commented Oct 6, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

urban-warrior pushed a commit that referenced this issue Oct 6, 2017

@dlemstra dlemstra added the bug label Oct 6, 2017

@dlemstra dlemstra closed this Oct 6, 2017

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Oct 10, 2017

tez
ImageMagick: update to 7.0.7.7
2017-10-07  7.0.7-7 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-7, GIT revision 21432:29003eeed:20171007.

2017-10-06  7.0.7-7 Cristy  <quetzlzacatenango@image...>
  * Correct handling of GIF transparency (reference
    ImageMagick/ImageMagick#831).

2017-10-04  7.0.7-6 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-6, GIT revision 21426:0a1cb507b:20171004.

2017-10-03  7.0.7-6 Cristy  <quetzlzacatenango@image...>
  * Reset the magick_list_initialized boolean when needed (reference
    ImageMagick/ImageMagick#826).
2017-10-02  7.0.7-6 Cristy  <quetzlzacatenango@image...>
  * Reset the magick_list_initialized boolean when needed (reference
    ImageMagick/ImageMagick#826).

2017-10-01  7.0.7-5 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-5, GIT revision 21382:3846f9d97:20171001.

2017-09-28  7.0.7-5 Cristy  <quetzlzacatenango@image...>
  * Fixed numerous memory leaks (reference
    https://github.com/ImageMagick/ImageMagick/issues).
  * Support URW-base35 fonts.

2017-09-26  7.0.7-5 Glenn Randers-Pehrson <glennrp@image...>
  * Removed "ping_preserve_iCCP=MagickTrue;" statement that was inadvertently
    added to coders/png.c (reference
    http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32771).

2017-09-23  7.0.7-4 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-4, GIT revision 21265:bdbc14590:20170923.

2017-09-23  7.0.7-4 Cristy  <quetzlzacatenango@image...>
  * Fixed numerous memory leaks (reference
    ImageMagick/ImageMagick#763).

2017-09-17  7.0.7-3 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-3, GIT revision 21202:6e6907ac7:20170917.

2017-09-17  7.0.7-3 ADLab of Venustech
  * Fixed numerous memory leaks (reference
    ImageMagick/ImageMagick#763).

2017-09-15  7.0.7-3 Glenn Randers-Pehrson <glennrp@image...>
  * Stop potential leaks in the JNG decoder (reference:
    ImageMagick/ImageMagick#760).
  * Maximum valid hour is 23, not 24, in the PNG tIME chunk, and maximum
    valid minute is 59, not 60.

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Oct 22, 2017
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Oct 28, 2017

spz
Pullup ticket #5586 - requested by he
graphics/ImageMagick: security update

Revisions pulled up:
- graphics/ImageMagick/Makefile.common                          1.157
- graphics/ImageMagick/PLIST                                    1.98
- graphics/ImageMagick/distinfo                                 1.173

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	tez
   Date:		Tue Oct 10 19:47:50 UTC 2017

   Modified Files:
   	pkgsrc/graphics/ImageMagick: Makefile.common PLIST distinfo

   Log Message:
   ImageMagick: update to 7.0.7.7

   To generate a diff of this commit:
   cvs rdiff -u -r1.156 -r1.157 pkgsrc/graphics/ImageMagick/Makefile.common
   cvs rdiff -u -r1.97 -r1.98 pkgsrc/graphics/ImageMagick/PLIST
   cvs rdiff -u -r1.172 -r1.173 pkgsrc/graphics/ImageMagick/distinfo