Division by zero in WriteAnimatedWEBPImage() in coders/webp.c #3176

Closed
hifoolno opened this issue Feb 2, 2021 · 2 comments

Comments

@hifoolno
Contributor

hifoolno commented Feb 2, 2021

When image->ticks_per_second was set to zero, a division by zero error would happen in line 961. So a crafted file may trigger undefined behavior in the form of division by zero. Maybe there needs to be a PerceptibleReciprocal() to do the division in line 961?

ImageMagick/coders/webp.c

Lines 936 to 967 in 74f8868

while (image != NULL)
{
  status=(MagickBooleanType) WebPPictureInit(&picture);
  if (status == MagickFalse)
    {
      (void) ThrowMagickException(exception,GetMagickModule(),
        ResourceLimitError,"UnableToEncodeImageFile","`%s'",image->filename);
      break;
    }
  status=WriteSingleWEBPPicture(image_info,image,configure,&picture,
    exception);
  if (status == MagickFalse)
    break;
  status=(MagickBooleanType) WebPAnimEncoderAdd(enc,&picture,
    (int) frame_timestamp,configure);
  WebPPictureFree(&picture);
  if (status == MagickFalse)
    {
      (void) ThrowMagickException(exception,GetMagickModule(),
        CoderError,WebPAnimEncoderGetError(enc),"`%s'",image->filename);
      break;
    }
  effective_delta=image->delay*1000/image->ticks_per_second;
  if (effective_delta < 10)
    effective_delta=100; /* Consistent with gif2webp */
  frame_timestamp+=effective_delta;
  image=GetNextImageInList(image);
}
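One way to guard the frame-duration division described in the report above, written as an added example (it is not ImageMagick's code and not the patch mentioned in this thread). `struct frame`, `guarded_divisor`, `EPSILON` and `MAX_DELTA_MS` are assumptions made for illustration; the 100 ms fallback is the one used in the quoted loop.

```c
#include <stddef.h>
#include <stdio.h>

#define EPSILON 1.0e-12        /* assumed "too close to zero" threshold */
#define FALLBACK_MS 100        /* fallback the quoted loop uses for short delays */
#define MAX_DELTA_MS 3600000.0 /* hypothetical cap: one hour per frame */

struct frame { size_t delay; long ticks_per_second; }; /* stand-in for Image */

/* Return x unchanged unless its magnitude is below EPSILON; then return a
   signed EPSILON so the caller never divides by zero. */
static double guarded_divisor(double x)
{
  double sign = x < 0.0 ? -1.0 : 1.0;
  return (sign * x >= EPSILON) ? x : sign * EPSILON;
}

/* Frame duration in milliseconds. A zero divisor no longer traps, but the
   guarded quotient is enormous, so it is range-checked before the cast:
   converting an out-of-range double to an integer is undefined in C. */
size_t effective_delta_ms(size_t delay, long ticks_per_second)
{
  double delta = (double) delay * 1000.0 /
    guarded_divisor((double) ticks_per_second);
  if (delta < 10.0 || delta > MAX_DELTA_MS)
    return FALLBACK_MS;
  return (size_t) delta;
}

/* Timestamp after the last frame, accumulated as in the quoted loop. */
size_t final_timestamp_ms(const struct frame *frames, size_t count)
{
  size_t i, timestamp = 0;
  for (i = 0; i < count; i++)
    timestamp += effective_delta_ms(frames[i].delay,
      frames[i].ticks_per_second);
  return timestamp;
}

int main(void)
{
  /* Constructed frames; the second has ticks_per_second == 0. */
  const struct frame frames[] = { {10, 100}, {5, 0}, {0, 100}, {250, 1000} };
  printf("%zu\n", final_timestamp_ms(frames, 4));
  return 0;
}
```

A negative `ticks_per_second` yields a negative quotient and takes the same fallback path as zero.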

urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Feb 3, 2021
@urban-warrior
Member

Thanks for the problem report. We can reproduce it and will have a patch to fix it in the GIT main branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://imagemagick.org/download/beta/ by sometime tomorrow.

@carnil

carnil commented Feb 17, 2021

CVE-2021-20245 appears to have been assigned to this issue.
