Conditional Statement depends on uninitialized value #832

Closed
kirit1193 opened this issue Oct 9, 2017 · 2 comments

@kirit1193

Version: <7.0.7-6

Running ./magick convert %file% /dev/null on a malformed input file results in a jump based on a non-initialized variable.

The hexdump of the input file is:

0000000 4238 5350 0200 8e00 1d80 e08d 0000 0000
0000010 1000 1600 2c00 1000 0400 0000
000001c

The relevant Memory Check output is:

==14126== Conditional jump or move depends on uninitialised value(s)
==14126==    at 0x8A21C6: ScaleQuantumToShort (quantum-private.h:474)
==14126==    by 0x8A21C6: ExportBlackQuantum (quantum-export.c:1183)
==14126==    by 0x8A21C6: ExportQuantumPixels (quantum-export.c:3987)
==14126==    by 0x626782: WritePSDChannel (psd.c:2610)
==14126==    by 0x625C0D: WritePSDChannels (psd.c:2773)
==14126==    by 0x621DC3: WritePSDLayersInternal (psd.c:3276)
==14126==    by 0x61FFFE: WritePSDImage (psd.c:3503)
==14126==    by 0x757084: WriteImage (constitute.c:1114)
==14126==    by 0x757DFB: WriteImages (constitute.c:1333)
==14126==    by 0x9B44F8: ConvertImageCommand (convert.c:3280)
==14126==    by 0xA658D8: MagickCommandGenesis (mogrify.c:183)
==14126==    by 0x40BC7D: MagickMain (magick.c:149)
==14126==    by 0x40BC7D: main (magick.c:180)

The input file triggering the issue is attached:

im00%3A000000.zip
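
An added triage example, not part of the original report or ImageMagick's code: it decodes the 28 bytes from the hexdump above against the fixed PSD header layout in Adobe's file format specification and lists the fields that violate it. It assumes the dump came from default `hexdump` on a little-endian host (16-bit words shown byte-swapped), which the recovered `8BPS` signature supports; all function and constant names are this example's own.

```python
import struct

# Hexdump text copied from the report. Assumption: default `hexdump` output,
# i.e. 16-bit words printed in little-endian host order.
REPORT_HEXDUMP = """\
0000000 4238 5350 0200 8e00 1d80 e08d 0000 0000
0000010 1000 1600 2c00 1000 0400 0000
000001c
"""

COLOR_MODES = {0: "Bitmap", 1: "Grayscale", 2: "Indexed", 3: "RGB", 4: "CMYK",
               7: "Multichannel", 8: "Duotone", 9: "Lab"}
FIELDS = "signature version reserved channels height width depth mode".split()


def hexdump_to_bytes(text):
    """Undo the 16-bit word grouping to recover the file's byte order."""
    out = bytearray()
    for line in text.splitlines():
        for word in line.split()[1:]:  # first column is the offset
            out += int(word, 16).to_bytes(2, "little")
    return bytes(out)


def parse_psd_header(data):
    """Decode the fixed 26-byte PSD/PSB header; every field is big-endian."""
    if len(data) < 26:
        raise ValueError("shorter than the 26-byte PSD header")
    h = dict(zip(FIELDS, struct.unpack(">4sH6sHIIHH", data[:26])))
    h["mode"] = COLOR_MODES.get(h["mode"], h["mode"])
    h["trailing"] = len(data) - 26  # bytes present after the header
    return h


def header_anomalies(h):
    """Return the header constraints from the PSD specification that fail."""
    checks = [
        (h["signature"] != b"8BPS", "bad signature"),
        (h["version"] not in (1, 2), "version is not 1 (PSD) or 2 (PSB)"),
        (any(h["reserved"]), "reserved bytes are not zero"),
        (not 1 <= h["channels"] <= 56, "channel count outside 1..56"),
        (h["depth"] not in (1, 8, 16, 32), "depth is not 1, 8, 16 or 32"),
        (h["trailing"] < 4, "truncated before color mode data length"),
    ]
    return [message for failed, message in checks if failed]


if __name__ == "__main__":
    print(header_anomalies(parse_psd_header(hexdump_to_bytes(REPORT_HEXDUMP))))
```

On the report's bytes the header declares version 2, 16-bit CMYK, and the checks flag non-zero reserved bytes, a channel count of 0, and a file that ends two bytes into the color mode data length field.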

@mikayla-grace

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@nohmask

nohmask commented Oct 13, 2017

This was assigned CVE-2017-15281.
