On 1.3.27 (the latest version):
there is an infinite loop and application hang in the ReadBMPImage function (coders/bmp.c), which can be triggered by the POC with the command: gm convert $POC OUTPUT
Looking into the ReadBMPImage function (coders/bmp.c), we found that in the "while" statement (line 1110), the "bmp_info.green_mask" could be manipulated by a crafted bmp file. When it is set to 0xFFFFFFFF, ((bmp_info.green_mask << sample) & 0x80000000U) will always be True and the "sample" keeps increasing.
1109 sample=shift.green;
1110 while (((bmp_info.green_mask << sample) & 0x80000000U) != 0)
1111 sample++;
the back trace is as follows:
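For readers who want to see why the loop never terminates and how a reader can bound it, here is an added example in C (not GraphicsMagick's code; the function names bmp_channel_mask_check, mask_leading_zeros and mask_run_length are hypothetical). It computes the channel bit width the same way the loop on line 1110 does, but with a "sample < 32" bound so that a mask of 0xFFFFFFFF yields 32 bits instead of shifting by 32 or more, which is undefined in C (on x86 the shift count wraps, so the top bit stays set forever), and it rejects empty or non-contiguous masks.

```c
/* Added example, not GraphicsMagick code: bounded version of the
 * green_mask shift/width computation from ReadBMPImage. */
#include <stdint.h>
#include <stdio.h>

/* Leading zero bits of a 32-bit channel mask; every shift stays below 32. */
static int mask_leading_zeros(uint32_t mask)
{
    int shift = 0;
    while (shift < 32 && ((mask << shift) & 0x80000000U) == 0)
        shift++;
    return shift;                     /* 32 means the mask is empty */
}

/* Length of the run of set bits starting at bit (31 - shift). The loop on
 * the page lacks the "sample < 32" bound: with mask 0xFFFFFFFF the top bit
 * is set for every shift 0..31 and the shift count then runs past 31. */
static int mask_run_length(uint32_t mask, int shift)
{
    int sample = shift;
    while (sample < 32 && ((mask << sample) & 0x80000000U) != 0)
        sample++;
    return sample - shift;
}

/* Validate a BMP channel mask before using it: non-empty and one contiguous
 * run of set bits. Returns 1 if usable, 0 otherwise; *bits and *shift_out
 * receive the run length and the leading-zero shift. */
int bmp_channel_mask_check(uint32_t mask, int *bits, int *shift_out)
{
    int shift = mask_leading_zeros(mask);
    int run = (shift < 32) ? mask_run_length(mask, shift) : 0;
    *shift_out = shift;
    *bits = run;
    if (mask == 0)
        return 0;
    /* Any set bit left below the run means the mask is not contiguous;
     * the guard keeps the shift count below 32. */
    if (shift + run < 32 && (mask << (shift + run)) != 0)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample masks: RGB565 green, 8-bit green, the crafted
     * all-ones mask from the report, and a non-contiguous mask. */
    uint32_t masks[] = { 0x000007E0U, 0x0000FF00U, 0xFFFFFFFFU, 0x0F0F0000U };
    for (unsigned i = 0; i < sizeof masks / sizeof masks[0]; i++) {
        int bits, shift;
        int ok = bmp_channel_mask_check(masks[i], &bits, &shift);
        printf("mask 0x%08X: %s, %d bits at shift %d\n", masks[i],
               ok ? "ok" : "rejected", bits, shift);
    }
    return 0;
}
```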
Thanks for the fix.
On Sat, Jan 13, 2018 at 2:18 PM, Bob Friesenhahn bfriesen@users.sf.net wrote:

> This problem is fixed by Mercurial changeset 15332:52a91ddb1aa6. Thank you very much for reporting it.

Related Bugs: #541