
#655 BMP parser: Check on file size

v1.0_(example)
closed-wont-fix
None
5
2021-12-24
2021-11-29
wqwang
No

I'm running identify on the image attached.

GraphicsMagick succeeds in parsing it, while ImageMagick complains:

LengthAndFilesizeDoNotMatch ... @ error/bmp.c/ReadBMPImage/845.

The corresponding check in ImageMagick is:

if ((MagickSizeType) bmp_info.file_size != blob_size)
  {
    const char *option;
    option=GetImageOption(image_info,"bmp:ignore-filesize");
    if (IsStringTrue(option) == MagickFalse)
      (void) ThrowMagickException(exception,GetMagickModule(),
        CorruptImageError,"LengthAndFilesizeDoNotMatch","`%s'",
        image->filename);
  }

It seems the BMP parser in GraphicsMagick doesn't check the file_size and data read length mismatch. Does GraphicsMagick trust the value that is put into the file_size field? I'm wondering if there's a missing check. Or would it be good to add a warning if data read length mismatches the size specified in the file?

1 Attachments

Discussion

  • Bob Friesenhahn

    Bob Friesenhahn - 2021-11-29

    On Mon, 29 Nov 2021, Weiqi Wang wrote:

    It seems the BMP parser in GraphicsMagick doesn't check the
    file_size and data read length mismatch. Does GraphicsMagick trust
    the value that is put into the file_size field? I'm wondering if
    there's a missing check. Or would it be good to add a warning if
    data read length mismatches the size specified in the file?

    As I recall, GraphicsMagick still supports concatenated BMP files so
    it does not make sense to require the claimed file_size to be the same
    as the whole data size.

    Also, we have noticed that some BMP files claim the wrong file_size
    even though they are otherwise ok.

    If you are able to cause GraphicsMagick to spend too much time reading
    a file, or cause it to do something horribly wrong, then please feel
    free to report a bug. Otherwise, please feel somewhat assured by the
    fact that GraphicsMagick has been undergoing automated analysis and
    fuzz testing for many years already and no problems have been found in
    the BMP reader for several years.

    Please see

    https://bugs.chromium.org/p/oss-fuzz/issues/list?q=imagemagick&can=1

    and

    https://bugs.chromium.org/p/oss-fuzz/issues/list?q=graphicsmagick&can=1

    You may notice that ImageMagick has had about 4.2X the number of
    issues as GraphicsMagick.

    Both projects have been very busy with fixing security issues over the
    years. The record speaks for itself.

    Bob

    Bob Friesenhahn
    bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
    GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
    Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt

     
  • Bob Friesenhahn

    Bob Friesenhahn - 2021-12-24
    • status: open --> closed-wont-fix
    • assigned_to: Bob Friesenhahn
     
  • Bob Friesenhahn

    Bob Friesenhahn - 2021-12-24

    We have found that there are many slightly defective BMP files that users still want to be able to read. The file size parameter is sometimes slightly wrong because of bugs in the writing software. A decision was made to not reject files based on this file size parameter, which is not needed in order to successfully decode a BMP file.

    From a security standpoint, GraphicsMagick does check important things which might cause harm while reading (and writing). GraphicsMagick's BMP reader is continually fuzz tested and no security fixes have been required for it since 2019.
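The distinction the ticket turns on is that the bfSize field of the BITMAPFILEHEADER is not needed to decode the image: what has to be checked for memory safety is that bfOffBits and the computed pixel-array size fall inside the bytes actually present. The following C program is an added example illustrating both the ImageMagick-style check quoted in the original post and the lenient policy described in the maintainer's replies; it is not code from GraphicsMagick, ImageMagick, or this ticket. The `strict` flag plays the role of the ImageMagick check with `bmp:ignore-filesize` unset. All names (bmp_parse, build_sample_bmp, demo, the bmp_status_t codes) are this example's own, the 2x2 24-bit sample image is constructed inside the code, and only uncompressed 24/32-bit files with a 40-byte or larger BITMAPINFOHEADER are handled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not GraphicsMagick or ImageMagick code. Handles only uncompressed
 * 24/32-bit BMPs whose DIB header is a BITMAPINFOHEADER (40 bytes) or larger. */

typedef enum {
    BMP_OK = 0,
    BMP_ERR_SHORT_HEADER,      /* fewer bytes than the headers need */
    BMP_ERR_BAD_MAGIC,         /* no "BM" signature */
    BMP_ERR_UNSUPPORTED,       /* compressed, or a depth this example skips */
    BMP_ERR_BAD_DIMENSIONS,    /* zero/negative width or zero height */
    BMP_ERR_PIXEL_RANGE,       /* bfOffBits or pixel array outside the blob */
    BMP_ERR_FILESIZE_MISMATCH  /* bfSize != blob length; strict mode only */
} bmp_status_t;

typedef struct {
    uint32_t file_size;   /* bfSize as claimed by the header; recorded, never trusted */
    uint32_t off_bits;    /* bfOffBits: start of the pixel array */
    int32_t  width, height;
    uint16_t bpp;
    size_t   row_bytes;   /* one row, padded to a 4-byte boundary */
    size_t   pixel_bytes; /* row_bytes * |height| */
} bmp_info_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse the headers of a BMP held in memory. With strict != 0 a bfSize that differs
 * from blob_len is fatal (the ImageMagick LengthAndFilesizeDoNotMatch behaviour).
 * With strict == 0 the field is ignored and safety rests on bounds checks against
 * blob_len, which is the only size the reader actually knows to be true. */
bmp_status_t bmp_parse(const uint8_t *blob, size_t blob_len, int strict, bmp_info_t *out)
{
    bmp_info_t info;
    uint32_t dib_size, compression;
    uint64_t abs_height, row, pixels;

    if (blob_len < 14 + 40) return BMP_ERR_SHORT_HEADER;  /* BITMAPFILEHEADER + BITMAPINFOHEADER */
    if (blob[0] != 'B' || blob[1] != 'M') return BMP_ERR_BAD_MAGIC;
    memset(&info, 0, sizeof info);
    info.file_size = rd32(blob + 2);
    info.off_bits  = rd32(blob + 10);
    if (strict && (uint64_t)info.file_size != (uint64_t)blob_len) return BMP_ERR_FILESIZE_MISMATCH;

    dib_size = rd32(blob + 14);
    if (dib_size < 40 || (uint64_t)14 + dib_size > blob_len) return BMP_ERR_SHORT_HEADER;
    info.width  = (int32_t)rd32(blob + 18);
    info.height = (int32_t)rd32(blob + 22);   /* negative height means top-down rows */
    info.bpp    = rd16(blob + 28);
    compression = rd32(blob + 30);
    if (compression != 0 || (info.bpp != 24 && info.bpp != 32)) return BMP_ERR_UNSUPPORTED;
    if (info.width <= 0 || info.height == 0) return BMP_ERR_BAD_DIMENSIONS;

    /* 64-bit arithmetic: width * bpp * height from a hostile header overflows 32 bits. */
    abs_height = (uint64_t)(info.height < 0 ? -(int64_t)info.height : (int64_t)info.height);
    row    = ((uint64_t)info.width * info.bpp + 31) / 32 * 4;
    pixels = row * abs_height;

    /* The checks that matter: the pixel array must lie inside the bytes we have. */
    if ((uint64_t)info.off_bits < (uint64_t)14 + dib_size) return BMP_ERR_PIXEL_RANGE;
    if ((uint64_t)info.off_bits > blob_len || pixels > blob_len - info.off_bits) return BMP_ERR_PIXEL_RANGE;

    info.row_bytes   = (size_t)row;
    info.pixel_bytes = (size_t)pixels;
    if (out) *out = info;
    return BMP_OK;
}

#define SAMPLE_ROW 8                        /* 2 px * 3 B = 6, padded to 8 */
#define SAMPLE_LEN (14 + 40 + SAMPLE_ROW * 2) /* 70 bytes */

/* Constructed sample: a 2x2 24-bit BMP carrying whatever bfSize the caller asks for. */
size_t build_sample_bmp(uint8_t *buf, size_t cap, uint32_t claimed_file_size)
{
    static const uint8_t px[SAMPLE_ROW * 2] = {   /* BGR triples + 2 pad bytes per row */
        0, 0, 255,  0, 255, 0,  0, 0,             /* bottom row: red, green */
        255, 0, 0,  255, 255, 255,  0, 0          /* top row: blue, white */
    };
    if (cap < SAMPLE_LEN) return 0;
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, claimed_file_size);   /* bfSize: the field the ticket is about */
    wr32(buf + 10, 54);                 /* bfOffBits */
    wr32(buf + 14, 40);                 /* biSize */
    wr32(buf + 18, 2);                  /* biWidth */
    wr32(buf + 22, 2);                  /* biHeight */
    wr16(buf + 26, 1);                  /* biPlanes */
    wr16(buf + 28, 24);                 /* biBitCount */
    wr32(buf + 30, 0);                  /* BI_RGB */
    wr32(buf + 34, SAMPLE_ROW * 2);     /* biSizeImage */
    memcpy(buf + 54, px, sizeof px);
    return SAMPLE_LEN;
}

/* The cases the thread discusses; returns 0 when every parser decision is the expected one. */
int demo(void)
{
    uint8_t buf[SAMPLE_LEN];
    bmp_info_t info;
    size_t len = build_sample_bmp(buf, sizeof buf, SAMPLE_LEN - 2); /* bfSize off by two, as a buggy writer might do */
    bmp_status_t lenient   = bmp_parse(buf, len, 0, &info);         /* ignore bfSize: decodes */
    bmp_status_t strict    = bmp_parse(buf, len, 1, &info);         /* require bfSize == length: rejects */
    bmp_status_t truncated = bmp_parse(buf, len - 4, 0, &info);     /* pixel array cut short: rejected on bounds */
    wr32(buf + 22, 0x40000000u);                                    /* hostile header: 2^30 rows claimed */
    bmp_status_t hostile   = bmp_parse(buf, len, 0, &info);         /* rejected on bounds, not on bfSize */

    printf("lenient=%d strict=%d truncated=%d hostile=%d\n", lenient, strict, truncated, hostile);
    return (lenient == BMP_OK && strict == BMP_ERR_FILESIZE_MISMATCH &&
            truncated == BMP_ERR_PIXEL_RANGE && hostile == BMP_ERR_PIXEL_RANGE) ? 0 : 1;
}

int main(void) { return demo(); }
```

The point of the two bounds checks is that a wrong bfSize, truncated input, and a header claiming an absurd row count are all caught or tolerated by comparing against the real blob length; the bfSize check adds no safety on top of that, it only decides whether slightly defective files are rejected.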
