Infinite loop on corrupt pnm images
Posted: 2006-10-24T10:32:44-07:00
I found my code hanging forever trying to read a .pgm image file. The image file turned out to be corrupt, so it wouldn't have been able to read it, but the hanging was really a problem. I tracked it down to coders/pnm.c. (I am using ImageMagick 6.2.8 on Linux, though I was able to reproduce the bug in 6.3.0 also, so it is still there.)
According to the docs at http://netpbm.sourceforge.net/doc/#formats, the largest allowable max_value is 65535, but this isn't being checked in the code. I had a value that was 2^32-1, and the below loop in ReadPNMImage, line 408 of coders/pnm.c, was going on forever:
for (image->depth=1; (1UL << image->depth) < max_value; image->depth++);
I preceded this line by the following check and it seemed to clear up the problem:
if (max_value >= 65536)
  ThrowReaderException(CorruptImageError,"MaxPixelValueTooLarge");
Just wanted to pass this on, so someone can check that this is right and put it back into the codebase. Thanks.
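An added example, not part of the original post and not ImageMagick's code: a standalone PGM header check that rejects an out-of-range max_value before any depth loop runs. The names pgm_header_depth, skip_ws and read_field are hypothetical, and the header is assumed to sit in a NUL-terminated buffer.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define PNM_MAX_MAXVAL 65535UL  /* largest maxval the Netpbm docs allow */

/* Skip whitespace and '#' comments between header tokens. */
static const char *skip_ws(const char *p)
{
    for (;;) {
        while (isspace((unsigned char)*p)) p++;
        if (*p != '#') return p;
        while (*p && *p != '\n') p++;
    }
}

/* Parse one decimal header field; 0 on success, -1 on junk or overflow. */
static int read_field(const char **pp, unsigned long *out)
{
    const char *p = skip_ws(*pp);
    char *end;
    if (!isdigit((unsigned char)*p)) return -1;
    errno = 0;
    *out = strtoul(p, &end, 10);
    if (errno == ERANGE) return -1;
    *pp = end;
    return 0;
}

/* Hypothetical helper: validate a "P2"/"P5" header and return the sample
   depth in bits (1..16), or -1 if the header is corrupt. */
int pgm_header_depth(const char *hdr)
{
    unsigned long width, height, max_value;
    int depth = 1;
    if (strncmp(hdr, "P2", 2) != 0 && strncmp(hdr, "P5", 2) != 0) return -1;
    hdr += 2;
    if (read_field(&hdr, &width) || read_field(&hdr, &height) ||
        read_field(&hdr, &max_value)) return -1;
    if (width == 0 || height == 0) return -1;
    /* Reject before shifting: a shift count >= the width of unsigned long
       is undefined behavior in C, so an unchecked loop may never exit. */
    if (max_value == 0 || max_value > PNM_MAX_MAXVAL) return -1;
    /* Smallest depth whose largest sample (2^depth - 1) covers max_value. */
    while (depth < 16 && ((1UL << depth) - 1) < max_value)
        depth++;
    return depth;
}
```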