Heap Allocation errors, uninitialized integers used to allocate memory as well as conditional jumps depending on uninitialized values, while feeding a malformed WPG File #851

@kirit1193

Description


There seem to be a number of heap allocation errors, uninitialized integers used to allocate memory, and conditional jumps depending on uninitialized values while running a verbose identify on a malformed image file. All of these conditions can be triggered by using a single WPG file.

Steps to Reproduce

This occurs while running ./magick identify -verbose %file% on a malformed WPG file.

test-wpg.zip

The hexdump of the input file is:


The Memcheck output is huge; I'm sharing it as a txt file attached to the report.
memcheck.txt

However, some of the relevant parts are:

==21704== Conditional jump or move depends on uninitialised value(s)
==21704==    at 0x62D18D: IsPixelMonochrome (pixel-accessor.h:553)
==21704==    by 0x62D18D: IdentifyImageMonochrome (attribute.c:759)
==21704==    by 0x62D4C5: IdentifyImageType (attribute.c:820)
==21704==    by 0x731F3A: IdentifyImage (identify.c:688)
==21704==    by 0x8D8926: IdentifyImageCommand (identify.c:336)
==21704==    by 0x8EABC9: MagickCommandGenesis (mogrify.c:183)
==21704==    by 0x4044AB: MagickMain (magick.c:149)
==21704==    by 0x4044AB: main (magick.c:180)
==21704==  Uninitialised value was created by a heap allocation
==21704==    at 0x4C31E76: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21704==    by 0x4C31F91: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21704==    by 0x42AAB7: AcquireAlignedMemory (memory.c:262)
==21704==    by 0x647C71: OpenPixelCache (cache.c:3535)
==21704==    by 0x64ADDF: GetImagePixelCache (cache.c:1660)
==21704==    by 0x64DA00: SyncImagePixelCache (cache.c:5243)
==21704==    by 0x40AA99: SetImageStorageClass (image.c:2520)
==21704==    by 0x65C619: AcquireImageColormap (colormap.c:144)
==21704==    by 0x600315: ReadWPGImage (wpg.c:1056)
==21704==    by 0x67B6E8: ReadImage (constitute.c:497)
==21704==    by 0x67D341: ReadImages (constitute.c:866)
==21704==    by 0x8D8553: IdentifyImageCommand (identify.c:321)
==21704== Use of uninitialised value of size 8
==21704==    at 0x4921F9: StringInfoToHexString (string.c:1987)
==21704==    by 0x47CD3D: SignatureImage (signature.c:553)
==21704==    by 0x731F82: IdentifyImage (identify.c:694)
==21704==    by 0x8D8926: IdentifyImageCommand (identify.c:336)
==21704==    by 0x8EABC9: MagickCommandGenesis (mogrify.c:183)
==21704==    by 0x4044AB: MagickMain (magick.c:149)
==21704==    by 0x4044AB: main (magick.c:180)
==21704==  Uninitialised value was created by a heap allocation
==21704==    at 0x4C31E76: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21704==    by 0x4C31F91: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21704==    by 0x42AAB7: AcquireAlignedMemory (memory.c:262)
==21704==    by 0x647C71: OpenPixelCache (cache.c:3535)
==21704==    by 0x64ADDF: GetImagePixelCache (cache.c:1660)
==21704==    by 0x64DA00: SyncImagePixelCache (cache.c:5243)
==21704==    by 0x40E746: SetImageExtent (image.c:2561)
==21704==    by 0x60074F: ReadWPGImage (wpg.c:1108)
==21704==    by 0x67B6E8: ReadImage (constitute.c:497)
==21704==    by 0x67D341: ReadImages (constitute.c:866)
==21704==    by 0x8D8553: IdentifyImageCommand (identify.c:321)
==21704==    by 0x8EABC9: MagickCommandGenesis (mogrify.c:183)
==21704== Conditional jump or move depends on uninitialised value(s)
==21704==    at 0x486090: ScaleAnyToQuantum (quantum-private.h:274)
==21704==    by 0x486090: GetImageStatistics (statistic.c:2033)
==21704==    by 0x732DDF: IdentifyImage (identify.c:759)
==21704==    by 0x8D8926: IdentifyImageCommand (identify.c:336)
==21704==    by 0x8EABC9: MagickCommandGenesis (mogrify.c:183)
==21704==    by 0x4044AB: MagickMain (magick.c:149)
==21704==    by 0x4044AB: main (magick.c:180)
==21704==  Uninitialised value was created by a heap allocation
==21704==    at 0x4C31E76: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21704==    by 0x4C31F91: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21704==    by 0x42AAB7: AcquireAlignedMemory (memory.c:262)
==21704==    by 0x647C71: OpenPixelCache (cache.c:3535)
==21704==    by 0x64ADDF: GetImagePixelCache (cache.c:1660)
==21704==    by 0x64DA00: SyncImagePixelCache (cache.c:5243)
==21704==    by 0x40AA99: SetImageStorageClass (image.c:2520)
==21704==    by 0x65C619: AcquireImageColormap (colormap.c:144)
==21704==    by 0x600315: ReadWPGImage (wpg.c:1056)
==21704==    by 0x67B6E8: ReadImage (constitute.c:497)
==21704==    by 0x67D341: ReadImages (constitute.c:866)
==21704==    by 0x8D8553: IdentifyImageCommand (identify.c:321)
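The trace above shows the pattern behind every report: the pixel cache is allocated (uninitialised) from header-declared dimensions inside ReadWPGImage, the decoder never fills it, and later consumers such as IsPixelMonochrome, SignatureImage and GetImageStatistics branch on whatever the allocator left there. The following is an added illustration of that bug class beside its hardened form; it is a hypothetical minimal decoder with a constructed input layout, not ImageMagick's WPG reader, and it uses plain malloc where ImageMagick uses posix_memalign via AcquireAlignedMemory.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal raster decoder illustrating the bug class in the
   Memcheck trace; not ImageMagick's code. malloc's contents are as
   uninitialised as the posix_memalign buffer in the trace. */
typedef struct {
    size_t width, height;   /* declared by the file header */
    uint8_t *pixels;        /* width*height bytes, one byte per pixel */
} Image;

/* Constructed input layout (not WPG): [width:1 byte][height:1 byte][pixels] */
#define HEADER_LEN 2

/* Weak variant: sizes the buffer from the header but never checks that the
   payload is long enough to fill it. On a truncated input the tail of
   `pixels` is never written, so later consumers branch on garbage. */
static int decode_unchecked(const uint8_t *in, size_t len, Image *img) {
    if (len < HEADER_LEN) return -1;
    img->width = in[0]; img->height = in[1];
    size_t n = img->width * img->height;           /* <= 255*255, no overflow */
    if ((img->pixels = malloc(n ? n : 1)) == NULL) return -1;
    size_t avail = len - HEADER_LEN;
    memcpy(img->pixels, in + HEADER_LEN, avail < n ? avail : n);  /* short copy */
    return 0;
}

/* Hardened variant: rejects a payload shorter than the declared extent and
   zero-fills before use, so no uninitialised byte can reach a consumer. */
static int decode_checked(const uint8_t *in, size_t len, Image *img) {
    if (len < HEADER_LEN) return -1;
    img->width = in[0]; img->height = in[1];
    size_t n = img->width * img->height;
    if (len - HEADER_LEN < n) return -1;           /* truncated: reject */
    if ((img->pixels = malloc(n ? n : 1)) == NULL) return -1;
    memset(img->pixels, 0, n ? n : 1);
    memcpy(img->pixels, in + HEADER_LEN, n);
    return 0;
}

/* A consumer in the style of IsPixelMonochrome: it branches on every pixel.
   Given the unchecked image it reads the unwritten tail, which is exactly
   what Memcheck reports as a conditional jump on an uninitialised value. */
static int is_monochrome(const Image *img) {
    for (size_t i = 0; i < img->width * img->height; i++)
        if (img->pixels[i] != 0 && img->pixels[i] != 0xff) return 0;
    return 1;
}
```

Running the unchecked variant under Valgrind with the truncated input below and then calling is_monochrome reproduces the "Conditional jump or move depends on uninitialised value(s)" report; the checked variant refuses the file before any buffer is handed out.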

System Configuration

Version: ImageMagick 7.0.7-9 Q16 x86_64 2017-10-30 http://www.imagemagick.org
Copyright: © 1999-2017 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC
Delegates (built-in):
OS: Ubuntu 17.10
Compiler: clang version 4.0.1-6 (tags/RELEASE_401/final) / gcc version 7.2.0 (Ubuntu 7.2.0-8ubuntu3)
Target: x86_64-pc-linux-gnu
