Description of problem:
Combining a 32x32 and a 16x16 PNG image into a Windows icon created an image that crashes identify and convert.

Version-Release number of selected component (if applicable):
6.2.8.0-3.fc6

How reproducible:
Always

Steps to Reproduce:
1. convert -adjoin logo32.png logo16.png logo.ico
2. identify logo-0.ico

Actual results:
Segmentation fault (core dumped)

Expected results:
logo-0.ico ICO 32x32 32x32+0+0 DirectClass 3.2kb
or something like that

Additional info:
convert has the same problem:
convert logo-0.ico logo-0.png
Segmentation fault (core dumped)

I can reproduce the same problem on x86_64 and i386.
Created attachment 140748: problematic icon file
Created attachment 141241: corrupt file
I can add the following conclusions:
- ImageMagick creates, with the attached icon combined with a 16x16 file, a corrupt .ico file
- when using the corrupt image, ImageMagick crashes with a segmentation fault (see the image attached)
This issue is caused by an integer overflow in magick/image.c, line 301 or so:

    length=(size_t) colors*sizeof(PixelPacket);

colors is 2147483648; sizeof(PixelPacket) is 8. This leads to an improper memory allocation, which then scribbles data into the heap.

I doubt this is exploitable beyond a DoS due to what is written to the heap:

    pixel=(unsigned long) (i*(QuantumRange/Max(colors-1,1)));

The value of pixel is written onto the heap with each iteration of the loop. An attacker isn't able to control that value in a manner which is going to lead to arbitrary code execution.

I admit, I'm no ImageMagick pro. We may want to kick this upstream for the proper fix. I can see a number of different places and ways to catch this error.
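The arithmetic in the comment above, worked through as an added example (this is not code from the bug report or from ImageMagick; the PixelPacket struct, the function names and the 32-bit width parameter are assumptions made for the demonstration). It models size_t as the 32-bit type it is on i386 so the wrap of colors*sizeof(PixelPacket) can be shown on any host, compares the resulting allocation with what the colormap fill loop writes, and shows an overflow-checked replacement for the multiplication. With a 64-bit size_t the same product (2^34) does not wrap; the request is then simply 16 GiB.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for ImageMagick's PixelPacket in a Q16 build: four 16-bit channels,
 * so sizeof(PixelPacket) == 8 as stated in the comment above. The struct is an
 * assumption made for this example, not the project's own definition. */
typedef struct {
    uint16_t red, green, blue, opacity;
} PixelPacket;

/* The multiplication quoted from magick/image.c, with size_t modelled as the
 * 32-bit type it is on i386. The product is taken modulo 2^32, so an absurd
 * colormap size can produce a tiny (here: zero) allocation length. */
uint32_t unchecked_length32(uint32_t colors)
{
    return (uint32_t)(colors * (uint32_t)sizeof(PixelPacket));
}

/* Bytes the colormap fill loop actually writes: one PixelPacket per colour,
 * computed without truncation so it can be compared with the allocation. */
uint64_t bytes_written(uint64_t colors)
{
    return colors * (uint64_t)sizeof(PixelPacket);
}

/* How far the loop runs past the buffer the unchecked arithmetic asked for
 * (0 when the allocation is large enough). Nothing is written out of bounds
 * here; the gap is only computed. */
uint64_t heap_overrun32(uint32_t colors)
{
    uint64_t have = unchecked_length32(colors);
    uint64_t need = bytes_written(colors);
    return need > have ? need - have : 0;
}

/* Overflow-safe replacement: succeed only if colors*elem fits in 'bits' bits.
 * A division check is used instead of __builtin_mul_overflow so the width is
 * a parameter and the same function can model i386 (32) and x86_64 (64). */
int checked_length(uint64_t colors, uint64_t elem, unsigned bits, uint64_t *out)
{
    uint64_t limit;

    if (elem == 0 || bits == 0 || bits > 64)
        return 0;
    limit = (bits == 64) ? UINT64_MAX : (((uint64_t)1 << bits) - 1);
    if (colors > limit / elem)          /* product would not fit in 'bits' */
        return 0;
    *out = colors * elem;
    return 1;
}

/* Convenience wrapper: the checked length, or 0 if the check refused it. */
uint64_t checked_length_or_zero(uint64_t colors, unsigned bits)
{
    uint64_t len;
    return checked_length(colors, sizeof(PixelPacket), bits, &len) ? len : 0;
}

int main(void)
{
    const uint32_t colors = 2147483648u;   /* value reported in the comment above */

    printf("colors=%" PRIu32 " sizeof(PixelPacket)=%zu\n", colors, sizeof(PixelPacket));
    printf("32-bit unchecked length:    %" PRIu32 " bytes\n", unchecked_length32(colors));
    printf("bytes the fill loop writes: %" PRIu64 "\n", bytes_written(colors));
    printf("heap overrun on i386:       %" PRIu64 " bytes\n", heap_overrun32(colors));
    printf("32-bit checked length:      %" PRIu64 " (0 = refused)\n",
           checked_length_or_zero(colors, 32));
    printf("64-bit checked length:      %" PRIu64 " (allocation itself may still fail)\n",
           checked_length_or_zero(colors, 64));
    return 0;
}
```

The check belongs before the allocation: once length has wrapped, malloc happily returns a small block and the fill loop does the damage. A bound on colors itself (an ICO or PNG palette cannot legitimately need 2^31 entries) would catch the malformed file even earlier, which is one of the "different places" the comment refers to.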
This segfaults just with 6.2.8.0 as is in RHEL5 and FC6.
identify: Memory allocation failed `logo-0.ico'.

I haven't investigated that to any extent, just tried it with older versions:

FC5 on x86_64 fails more gracefully:
identify: Memory allocation failed `/home/lkundrak/Desktop/logo-0.ico'.

RHEL4 complains differently:
identify: Improper image header `logo-0.ico'.
identify: missing an image filename `logo-0.ico'.
I'm removing the security keyword on this flaw. Since there is no potential for arbitrary code execution, this is a bug which will only result in a crash.
Fedora apologizes that these issues have not been resolved yet. We're sorry it's taken so long for your bug to be properly triaged and acted on. We appreciate the time you took to report this issue and want to make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6, please note that Fedora no longer maintains these releases. We strongly encourage you to upgrade to a current Fedora release. In order to refocus our efforts as a project we are flagging all of the open bugs for releases which are no longer maintained and closing them.
http://fedoraproject.org/wiki/LifeCycle/EOL

If this bug is still open against Fedora Core 1 through 6, thirty days from now, it will be closed 'WONTFIX'. If you can reproduce this bug in the latest Fedora version, please change to the respective version. If you are unable to do this, please add a comment to this bug requesting the change.

Thanks for your help, and we apologize again that we haven't handled these issues to this point. The process we are following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
to ensure this doesn't happen again.

And if you'd like to join the bug triage team to help make things better, check out
http://fedoraproject.org/wiki/BugZappers
I cannot reproduce the problem on Fedora 8 with ImageMagick-6.3.5.9-1.fc8:

$ identify logo-0.ico
identify: Improper image header `logo-0.ico'.
I've just tried this with the latest ImageMagick from rawhide and adjoin-ing 2 .png's into an .ico indeed works fine now.