
Image blob realloc attempt on bad ICO file

Posted: 2017-04-19T10:51:56-07:00
by realtim
There is a SeekBlob by offset from the image header in ReadICONImage() which eventually leads to ResizeQuantumMemory (i.e. realloc()) on images with an inappropriate value in the header when the map cache is disabled.

Consider the following context:
favicon.h

$ wget http://paizatter.herokuapp.com/favicon.ico
$ md5sum favicon.ico 
fabab4819a6516484ad822dcd1bbe5fa  favicon.ico
$ xxd -i favicon.ico > favicon.h
test.c

#include <string.h>
#include "magick/MagickCore.h"
#include "favicon.h"   /* favicon_ico[] and favicon_ico_len generated by xxd -i */

int main(int argc, const char* argv[]) {
    MagickCoreGenesis(NULL, MagickFalse);
    /* disable the memory-map cache so the blob lives in heap memory */
    SetMagickResourceLimit(MapResource, 0);

    ImageInfo* image_info = CloneImageInfo(NULL);
    strcpy(image_info->magick, "ICO");
    SetImageInfoBlob(image_info, favicon_ico, favicon_ico_len);
    ExceptionInfo* exc = AcquireExceptionInfo();
    /* crashes inside SeekBlob -> ResizeMagickMemory -> realloc() on the bad file */
    Image* image = ReadImage(image_info, exc);
    if (image != NULL)
        image = DestroyImage(image);
    exc = DestroyExceptionInfo(exc);
    image_info = DestroyImageInfo(image_info);
    MagickCoreTerminus();
    return 0;
}
./test effectively leads to something like

*** Error in `./test': realloc(): invalid pointer: 0x0000000000601060 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x790cb)[0x7f0c7ed130cb]
/lib/x86_64-linux-gnu/libc.so.6(realloc+0x3b0)[0x7f0c7ed20710]
./magick/.libs/libMagickCore-6.Q16.so.4(ResizeMagickMemory+0x20)[0x7f0c7f1c2f00]
./magick/.libs/libMagickCore-6.Q16.so.4(SeekBlob+0x1c3)[0x7f0c7f0e71c3]
./magick/.libs/libMagickCore-6.Q16.so.4(+0x2535d4)[0x7f0c7f2b45d4]
./magick/.libs/libMagickCore-6.Q16.so.4(ReadImage+0x19a)[0x7f0c7f11b78a]
This comes from offset=1441792 being passed to SeekBlob of an image 6774 bytes long.
Look here https://github.com/ImageMagick/ImageMag ... con.c#L322

I fixed ImageMagick locally with the following patch:

diff --git a/coders/icon.c b/coders/icon.c
index 7674e75..c7286fb 100644
--- a/coders/icon.c
+++ b/coders/icon.c
@@ -323,6 +323,9 @@ static Image *ReadICONImage(const ImageInfo *image_info,
     /*
       Verify Icon identifier.
     */
+    MagickSizeType blob_size = GetBlobSize(image);
+    if (blob_size > 0 && icon_file.directory[i].offset >= blob_size)
+      ThrowReaderException(CorruptImageError,"ImproperImageHeader");
     offset=(ssize_t) SeekBlob(image,(MagickOffsetType)
       icon_file.directory[i].offset,SEEK_SET);
     if (offset < 0)
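Review bot: the `blob_size > 0 &&` guard on the new check means that when GetBlobSize(image) returns 0 (a blob whose length is unknown or not seekable) the offset is not validated at all and the original unchecked SeekBlob still runs; drop the `> 0` condition or treat an unknown size as a corrupt-header error rather than falling through. The check also only bounds the start offset, so a directory entry that begins inside the blob but whose declared size extends past the end is still accepted; bounding `offset + size` against `blob_size` (computed as `size > blob_size - offset` to avoid overflow) closes that gap. Minor: the declaration `MagickSizeType blob_size = GetBlobSize(image);` sits mid-block, while the surrounding file declares locals at the top of the function.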

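The failure described above is a directory entry whose offset (1441792) lies far beyond the 6774-byte blob, and the local patch adds a bounds check before SeekBlob. The following is an added example, not ImageMagick code and not the reporter's patch: it parses the ICONDIR and ICONDIRENTRY layout from a byte buffer and rejects any entry whose offset or declared size does not fit inside the blob, which is the check the patch performs plus the size bound. The sample blobs are constructed here (a 30-byte icon, not the favicon from the report), and the 1024-entry cap is an assumption chosen for this example.

```c
/* Added example: validate ICO directory entries against the blob size
 * before any seek. Not ImageMagick code; the layout is the standard
 * ICONDIR (6 bytes) + ICONDIRENTRY (16 bytes each) structure. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ICO_HEADER_SIZE 6
#define ICO_ENTRY_SIZE 16
#define ICO_MAX_ENTRIES 1024   /* assumption: sanity cap for this example */

static uint16_t rd16(const unsigned char *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 when every directory entry lies inside the blob, the 1-based
 * index of the first out-of-range entry otherwise, and -1 when the header
 * itself is malformed. blob_size must be the real length; an unknown size
 * is not a reason to skip the check. */
int ico_validate_directory(const unsigned char *blob, size_t blob_size) {
    if (blob_size < ICO_HEADER_SIZE)
        return -1;
    uint16_t reserved = rd16(blob);
    uint16_t type = rd16(blob + 2);        /* 1 = icon, 2 = cursor */
    uint16_t count = rd16(blob + 4);
    if (reserved != 0 || (type != 1 && type != 2))
        return -1;
    if (count == 0 || count > ICO_MAX_ENTRIES)
        return -1;
    /* the directory table itself must fit */
    if ((size_t)count * ICO_ENTRY_SIZE > blob_size - ICO_HEADER_SIZE)
        return -1;
    for (uint16_t i = 0; i < count; i++) {
        const unsigned char *e = blob + ICO_HEADER_SIZE + (size_t)i * ICO_ENTRY_SIZE;
        uint32_t size = rd32(e + 8);       /* bytes in resource */
        uint32_t offset = rd32(e + 12);    /* image data offset from blob start */
        /* the report's failing case: offset >= blob length */
        if (offset >= blob_size)
            return i + 1;
        /* entry starts inside but runs past the end; written overflow-safe */
        if (size > blob_size - offset)
            return i + 1;
    }
    return 0;
}

/* Constructed sample: one 16x16 entry, 8 bytes of dummy image data at offset 22. */
static const unsigned char good_ico[30] = {
    0, 0, 1, 0, 1, 0,              /* ICONDIR: reserved=0, type=1, count=1 */
    16, 16, 0, 0, 1, 0, 32, 0,     /* entry: 16x16, 0 colors, reserved, planes=1, bpp=32 */
    8, 0, 0, 0,                    /* bytes in resource = 8 */
    22, 0, 0, 0,                   /* image offset = 22 */
    0, 0, 0, 0, 0, 0, 0, 0 };      /* dummy image data */

/* Same blob, but the offset is 0x160000 = 1441792, the value from the report. */
static const unsigned char bad_offset_ico[30] = {
    0, 0, 1, 0, 1, 0,
    16, 16, 0, 0, 1, 0, 32, 0,
    8, 0, 0, 0,
    0x00, 0x00, 0x16, 0x00,
    0, 0, 0, 0, 0, 0, 0, 0 };

/* Offset is in range but the declared size (100 bytes) overruns the blob. */
static const unsigned char bad_size_ico[30] = {
    0, 0, 1, 0, 1, 0,
    16, 16, 0, 0, 1, 0, 32, 0,
    100, 0, 0, 0,
    22, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0 };

int main(void) {
    printf("good: %d\n", ico_validate_directory(good_ico, sizeof good_ico));
    printf("bad offset: %d\n", ico_validate_directory(bad_offset_ico, sizeof bad_offset_ico));
    printf("bad size: %d\n", ico_validate_directory(bad_size_ico, sizeof bad_size_ico));
    printf("short: %d\n", ico_validate_directory(good_ico, 4));
    return 0;
}
```

The function takes the blob length as a required input rather than skipping validation when it is zero, so a reader fed an unsizable stream has to obtain or bound the length first instead of seeking blind; that is the difference between this check and one guarded by `blob_size > 0`.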
Re: Image blob realloc attempt on bad ICO file

Posted: 2017-04-23T07:39:31-07:00
by magick
Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.