
#541 Infinite Loop in ReadBMPImage (coders/bmp.c)

Group: v1.0_(example)
Status: closed-fixed
Labels: None
Priority: 5
Updated: 2018-01-13
Created: 2018-01-13
Private: No

On 1.3.27 (the latest version):
there is an infinite loop and application hang in the ReadBMPImage function (coders/bmp.c), which can be triggered by the POC with the command: gm convert $POC OUTPUT

Looking into the ReadBMPImage function (coders/bmp.c), we found that in the "while" statement (line 1110), the "bmp_info.green_mask" could be manipulated by a crafted bmp file. When it is set to 0xFFFFFFFF, ((bmp_info.green_mask << sample) & 0x80000000U) will always be True and the "sample" keeps increasing.

1109 sample=shift.green;
1110 while (((bmp_info.green_mask << sample) & 0x80000000U) != 0)
1111 sample++;

POC: https://github.com/ProbeFuzzer/poc/blob/master/graphicsmagick/graphicsmagick_1-3-27_gm_infinite-loop_ReadBMPImage.bmp

The back trace is as follows:

#0 0x00000000005470c9 in ReadBMPImage ()
#1 0x000000000044c7e7 in ReadImage ()
#2 0x000000000041a0cb in ConvertImageCommand ()
#3 0x00000000004277d0 in MagickCommand ()
#4 0x000000000043f0b1 in GMCommandSingle ()
#5 0x000000000043f1b7 in GMCommand ()
#6 0x000000000040c846 in main ()
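The following is an added example, not code from the report or from GraphicsMagick, that reproduces the shape of the loop quoted above beside a bounded version of the same mask decomposition. The helper names demo_unbounded_scan and decode_bitfield_mask are hypothetical. The quoted loop scans a bitfield mask from its most significant bit: the leading zeros give the shift and the run of ones after them gives the sample depth. With an all-ones mask the run never ends before sample reaches 32, and shifting a 32-bit operand by 32 or more is undefined behaviour in C; on x86 the hardware keeps only the low five bits of the shift count, so (mask << 32) is observed as mask and the top bit never clears. The demonstration models that with `sample & 31` rather than writing undefined code, and caps the iteration count so it terminates. The hardened decoder checks the width before every shift and rejects zero or non-contiguous masks as malformed input.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Shape of the loop at line 1110 of the report (hypothetical helper, ours,
 * not GraphicsMagick's). `sample & 31U` models the x86 treatment of an
 * out-of-range shift count instead of invoking undefined behaviour here.
 * max_iter bounds the demonstration so it terminates. Returns the number of
 * iterations run, or -1 when the bound is hit, i.e. the loop would hang.
 */
static long demo_unbounded_scan(uint32_t mask, unsigned shift, long max_iter)
{
    unsigned sample = shift;
    long iters = 0;

    while (((mask << (sample & 31U)) & 0x80000000U) != 0) {
        if (iters >= max_iter)
            return -1;      /* bound reached: the original would spin forever */
        iters++;
        sample++;
    }
    return iters;
}

/*
 * Hardened decomposition (hypothetical helper): every loop is bounded by the
 * 32-bit width and the width test is evaluated before the shift, so no shift
 * count above 31 is ever used regardless of what the file supplied.
 * Returns 0 and fills *shift / *bits for a non-zero mask whose set bits are
 * contiguous; returns -1 for a zero or non-contiguous mask, which a reader
 * can reject as a malformed header.
 */
static int decode_bitfield_mask(uint32_t mask, unsigned *shift, unsigned *bits)
{
    unsigned s = 0, e;

    if (mask == 0)
        return -1;
    while (s < 32 && ((mask << s) & 0x80000000U) == 0)
        s++;                        /* leading zeros, counted from the MSB */
    e = s;
    while (e < 32 && ((mask << e) & 0x80000000U) != 0)
        e++;                        /* the run of ones */
    if (e < 32 && (mask << e) != 0)
        return -1;                  /* more ones below the run: not contiguous */
    *shift = s;
    *bits = e - s;
    return 0;
}

int main(void)
{
    /* constructed sample masks, not taken from any real file */
    static const uint32_t constructed_masks[] = {
        0x00FF0000U, /* typical 8-bit green channel */
        0xFFFFFFFFU, /* the all-ones mask described in the report */
        0x00F0F000U, /* non-contiguous: malformed */
        0x00000000U  /* zero mask */
    };
    size_t i;

    for (i = 0; i < sizeof constructed_masks / sizeof constructed_masks[0]; i++) {
        uint32_t m = constructed_masks[i];
        unsigned sh = 0, b = 0;
        int rc = decode_bitfield_mask(m, &sh, &b);
        long it = demo_unbounded_scan(m, rc == 0 ? sh : 0, 100);

        printf("mask 0x%08X: original loop %s; hardened decoder %s", m,
               it < 0 ? "hangs (bound hit)" : "terminates",
               rc == 0 ? "accepts" : "rejects");
        if (rc == 0)
            printf(" shift=%u bits=%u", sh, b);
        printf("\n");
    }
    return 0;
}
```

Compile with any C99 compiler and run; the all-ones mask is the only one that drives the unbounded scan into its iteration cap, while the bounded decoder accepts it as shift 0, 32 bits and rejects the zero and non-contiguous masks instead of looping.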

Related

Bugs: #541

Discussion

  • Bob Friesenhahn

    Bob Friesenhahn - 2018-01-13
    • assigned_to: Bob Friesenhahn
    • private: No --> Yes
     
  • Bob Friesenhahn

    Bob Friesenhahn - 2018-01-13
    • status: open --> closed-fixed
    • private: Yes --> No
     
    • Probe Fuzzer

      Probe Fuzzer - 2018-01-13

      Thanks for the fix.

      On Sat, Jan 13, 2018 at 2:18 PM, Bob Friesenhahn bfriesen@users.sf.net
      wrote:

      • status: open --> closed-fixed
      • private: Yes --> No
      • Comment:

      This problem is fixed by Mercurial changeset 15332:52a91ddb1aa6. Thank you
      very much for reporting it.


      Status: closed-fixed
      Group: v1.0_(example)
      Created: Sat Jan 13, 2018 03:37 AM UTC by Probe Fuzzer
      Last Updated: Sat Jan 13, 2018 06:30 PM UTC
      Owner: Bob Friesenhahn


  • Bob Friesenhahn

    Bob Friesenhahn - 2018-01-13

    This problem is fixed by Mercurial changeset 15332:52a91ddb1aa6. Thank you very much for reporting it.

     
    • Probe Fuzzer

      Probe Fuzzer - 2018-01-13

      Thanks for the fix.

       
