Bug 214745 - identify and convert crash on invalid icons
identify and convert crash on invalid icons
Product: Fedora
Classification: Fedora
Component: ImageMagick (Show other bugs)
All Linux
medium Severity high
: ---
: ---
Assigned To: Norm Murray
Depends On:
  Show dependency treegraph
Reported: 2006-11-09 00:39 EST by Pavel Roskin
Modified: 2008-04-04 05:04 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-04-04 00:45:30 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
problematic icon file (3.19 KB, application/octet-stream)
2006-11-09 00:39 EST, Pavel Roskin
no flags Details
corrupt file (41.30 KB, image/x-ico)
2006-11-15 04:19 EST, Hans de Goede
no flags Details

  None (edit)
Description Pavel Roskin 2006-11-09 00:39:05 EST
Description of problem:
combining a 32x32 and a 16x16 png images to a Windows icon created an image that
crashes identify and convert

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. convert -adjoin logo32.png logo16.png logo.ico
2. identify logo-0.ico
Actual results:
Segmentation fault (core dumped)

Expected results:
logo-0.ico ICO 32x32 32x32+0+0 DirectClass 3.2kb
or something like that

Additional info:
convert has the same problem:

convert logo-0.ico logo-0.png
Segmentation fault (core dumped)

I can reproduce the same problem on x86_64 and i386
Comment 1 Pavel Roskin 2006-11-09 00:39:05 EST
Created attachment 140748 [details]
problematic icon file
Comment 2 Hans de Goede 2006-11-15 04:19:55 EST
Created attachment 141241 [details]
corrupt file
Comment 3 Hans de Goede 2006-11-15 04:24:54 EST
I've can add the following conclusions:
-imagemagick creates with the attached icon combined with a 16x16 file a corrupt
.ico file

-when using the corrupt image imagemagick crashes, Segmentation fault (see the
image attached)
Comment 4 Josh Bressers 2006-11-16 22:29:45 EST
This issue is caused by an integer overflow in magick/image.c, line 301 or so:

length=(size_t) colors*sizeof(PixelPacket);

colors is 2147483648
Sizeof(PixelPacket) is 8

This leads to an improper memory allocation, which then scribbles data into the
heap.  I doubt this is exploitable beyond a DoS due to what is written to the heap.

pixel=(unsigned long) (i*(QuantumRange/Max(colors-1,1)));

The value of pixel is written onto the heap with each iteration of the loop.  An
attacker isn't able to control that value in a manner which is going to lead to
arbitrary code execution.

I admit, I'm no ImageMagick pro.  We may want to kick this upstream for the
proper fix.  I can see a number of different places and ways to catch this error.
Comment 6 Lubomir Kundrak 2006-11-30 15:30:46 EST
This segfaults just with as is in RHEL5 and FC6
identify: Memory allocation failed `logo-0.ico'.

I haven't investigated that to any extend, just tried it with older versions:
FC5 on x86_64 fails more gracefully:

identify: Memory allocation failed `/home/lkundrak/Desktop/logo-0.ico'.

RHEL4 complains differently:

identify: Improper image header `logo-0.ico'.
identify: missing an image filename `logo-0.ico'.
Comment 7 Josh Bressers 2007-01-16 14:08:47 EST
I'm removing the security keyword on this flaw.  Since there is no potential for
arbitrary code execution, this is a bug whish will only result in a crash.
Comment 8 Bug Zapper 2008-04-04 00:32:59 EDT
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.

If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reporduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
the change.

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we are following is outlined here:

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

And if you'd like to join the bug triage team to help make things
better, check out http://fedoraproject.org/wiki/BugZappers
Comment 9 Pavel Roskin 2008-04-04 00:45:30 EDT
I cannot reproduce the problem on Fedora 8 with ImageMagick-

$ identify logo-0.ico 
identify: Improper image header `logo-0.ico'.
Comment 10 Hans de Goede 2008-04-04 05:04:45 EDT
I've just tried this with the latest ImageMagick from rawhide and adjoin-ing 2
.png's into an .ico indeed works fine now.

Note You need to log in before you can comment on or make changes to this bug.