Image blob realloc attempt on bad ICO file

Post any defects you find in the released or beta versions of the ImageMagick software here. Include the ImageMagick version, OS, and any command-line required to reproduce the problem. Got a patch for a bug? Post it here.
realtim
Posts: 4
Joined: 2017-01-19T11:20:51-07:00

Image blob realloc attempt on bad ICO file

Post by realtim »

There is a SeekBlob by offset from the image header in ReadICONImage() which eventually leads to ResizeQuantumMemory (i.e. realloc()) on images with an inappropriate value in the header when the map cache is disabled.

Consider the following context:
favicon.h

Code:

$ wget http://paizatter.herokuapp.com/favicon.ico
$ md5sum favicon.ico 
fabab4819a6516484ad822dcd1bbe5fa  favicon.ico
$ xxd -i favicon.ico > favicon.h
test.c

Code:

#include <string.h>   /* strcpy */
#include "magick/MagickCore.h"
#include "favicon.h"  /* favicon_ico[] and favicon_ico_len, generated by xxd -i above */

int main(int argc, const char* argv[]) {
    MagickCoreGenesis(NULL, MagickFalse);
    /* Map resource limit 0: the "disabled map cache" case described above. */
    SetMagickResourceLimit(MapResource, 0);

    ImageInfo* image_info = CloneImageInfo(NULL);
    strcpy(image_info->magick, "ICO");
    /* Hand the icon bytes to the reader as an in-memory blob rather than a file. */
    SetImageInfoBlob(image_info, favicon_ico, favicon_ico_len);
    ExceptionInfo* exc = AcquireExceptionInfo();
    ReadImage(image_info, exc);  /* reaches SeekBlob() -> realloc() with the bad offset */
    return 0;
}
./test effectively leads to something like

Code:

*** Error in `./test': realloc(): invalid pointer: 0x0000000000601060 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x790cb)[0x7f0c7ed130cb]
/lib/x86_64-linux-gnu/libc.so.6(realloc+0x3b0)[0x7f0c7ed20710]
./magick/.libs/libMagickCore-6.Q16.so.4(ResizeMagickMemory+0x20)[0x7f0c7f1c2f00]
./magick/.libs/libMagickCore-6.Q16.so.4(SeekBlob+0x1c3)[0x7f0c7f0e71c3]
./magick/.libs/libMagickCore-6.Q16.so.4(+0x2535d4)[0x7f0c7f2b45d4]
./magick/.libs/libMagickCore-6.Q16.so.4(ReadImage+0x19a)[0x7f0c7f11b78a]
This comes from offset=1441792 being passed to SeekBlob of an image 6774 bytes long.
Look here https://github.com/ImageMagick/ImageMag ... con.c#L322

I fixed ImageMagick locally with the following patch:

Code:

diff --git a/coders/icon.c b/coders/icon.c
index 7674e75..c7286fb 100644
--- a/coders/icon.c
+++ b/coders/icon.c
@@ -323,6 +323,9 @@ static Image *ReadICONImage(const ImageInfo *image_info,
     /*
       Verify Icon identifier.
     */
+    MagickSizeType blob_size = GetBlobSize(image);
+    if (blob_size > 0 && icon_file.directory[i].offset >= blob_size)
+      ThrowReaderException(CorruptImageError,"ImproperImageHeader");
     offset=(ssize_t) SeekBlob(image,(MagickOffsetType)
       icon_file.directory[i].offset,SEEK_SET);
     if (offset < 0)
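Review bot: the `blob_size > 0 &&` guard means the new check is skipped entirely whenever GetBlobSize(image) returns 0, so a blob whose size is reported as 0 still reaches SeekBlob() with an unvalidated `icon_file.directory[i].offset`; if 0 is meant to signal "size unknown", say so in a comment next to the check, otherwise drop the guard so the comparison always runs. Minor: the `MagickSizeType blob_size` declaration sits mid-block between the "Verify Icon identifier." comment and the seek it describes; declaring it with the other locals and assigning it here, with the check placed before the comment, keeps the comment attached to the SeekBlob() call and matches the surrounding C style.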
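The bug above is a directory offset that is never compared with the blob length before the seek. As an added example (not ImageMagick's code), the following standalone C validator parses the ICO header and directory from a byte buffer and rejects any entry whose offset or size points outside the blob, going one step further than the patch by also checking that the entry's data fits; `build_sample_ico` constructs small sample blobs, one well-formed and one carrying the 1441792 offset from the report, so nothing here is the real favicon.

```c
#include <stdint.h>
#include <string.h>

#define ICO_HEADER_SIZE 6  /* idReserved, idType, idCount: three uint16 LE */
#define ICO_ENTRY_SIZE 16  /* ICONDIRENTRY: dwBytesInRes at +8, dwImageOffset at +12 */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Returns 0 when the header and every directory entry fit inside the blob, a negative
 * code for a bad header, or the 1-based index of the first entry pointing outside it. */
int ico_validate(const uint8_t *blob, size_t blob_size)
{
    if (blob_size < ICO_HEADER_SIZE) return -1;
    uint16_t reserved = rd16(blob), type = rd16(blob + 2), count = rd16(blob + 4);
    if (reserved != 0 || (type != 1 && type != 2) || count == 0) return -2;
    /* The directory itself must fit before any entry field is trusted. */
    if ((size_t)count * ICO_ENTRY_SIZE > blob_size - ICO_HEADER_SIZE) return -3;
    for (uint16_t i = 0; i < count; i++) {
        const uint8_t *e = blob + ICO_HEADER_SIZE + (size_t)i * ICO_ENTRY_SIZE;
        uint32_t size = rd32(e + 8), offset = rd32(e + 12);
        /* offset >= blob_size is the report's case (1441792 in a 6774-byte blob);
         * size > blob_size - offset is an entry that starts inside but runs off the end. */
        if (offset >= blob_size || size > blob_size - offset) return (int)i + 1;
    }
    return 0;
}

/* Constructed sample, not a real favicon: a one-entry directory plus `payload` zero bytes
 * standing in for image data. Returns the number of bytes written to out. */
size_t build_sample_ico(uint8_t *out, uint32_t entry_size, uint32_t entry_offset, size_t payload)
{
    size_t total = ICO_HEADER_SIZE + ICO_ENTRY_SIZE + payload;
    memset(out, 0, total);
    out[2] = 1;                  /* idType = 1: icon */
    out[4] = 1;                  /* idCount = 1 */
    uint8_t *e = out + ICO_HEADER_SIZE;
    e[0] = 16; e[1] = 16;        /* 16x16 pixels */
    wr32(e + 8, entry_size);
    wr32(e + 12, entry_offset);
    return total;
}
```

A reader that runs `ico_validate` before the first seek fails closed on the header instead of handing an out-of-range offset to the blob layer.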
magick
Site Admin
Posts: 11064
Joined: 2003-05-31T11:32:55-07:00

Re: Image blob realloc attempt on bad ICO file

Post by magick »

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.