Summary
Passing a geometry string containing only a colon (":") to montage -geometry leads GetGeometry() to set width/height to 0. Later, ThumbnailImage() divides by these zero dimensions, triggering a crash (SIGFPE/abort), resulting in a denial of service.
Details
Root Cause
montage -geometry ":" ... reaches MagickCore/geometry.c:GetGeometry().StringToDouble/InterpretLocaleValue parses ":" as 0.0; then:
|
*width=CastDoubleToSizeT(StringToDouble(p,&p)+0.5); |
WidthValue (and/or HeightValue) is set with a zero dimension.- In MagickCore/resize.c:ThumbnailImage(), the code computes:
|
x_factor, |
|
y_factor; |
|
|
|
x_factor=(ssize_t) image->columns/(ssize_t) columns; |
|
y_factor=(ssize_t) image->rows/(ssize_t) rows; |
causing a division by zero and immediate crash.
The issue is trivially triggerable without external input files (e.g., using xc:white).
Reproduction
Environment
Version: ImageMagick 7.1.2-1 (Beta) Q16-HDRI x86_64 0ba1b587b:20250812 https://imagemagick.org
Features: Cipher DPC HDRI
Delegates (built-in): bzlib fontconfig freetype jbig jng jpeg lcms lzma pangocairo png tiff x xml zlib
Compiler: clang (14.0.0)
OS/Arch: Linux x86_64
Steps
./bin/magick montage -geometry : xc:white null:
Observed result
IOT instruction (core dumped)
# (Environment-dependent: SIGFPE/abort may be observed.)
PoC
No external file required; the pseudo image xc:white suffices:
./bin/magick montage -geometry : xc:white null:
Impact
- Denial of Service: A divide-by-zero in
ThumbnailImage() causes immediate abnormal termination (e.g., SIGFPE/abort), crashing the ImageMagick process.
Suggested fix
Defensively reject zero dimensions early in ThumbnailImage():
if ((columns == 0) || (rows == 0)) {
(void) ThrowMagickException(exception, GetMagickModule(), OptionError,
"InvalidGeometry", "thumbnail requires non-zero dimensions: %.20gx%.20g",
(double) columns, (double) rows);
return (Image *) NULL;
}Additionally, consider tightening validation in GetGeometry() so that colon-only (and similar malformed) inputs do not yield WidthValue/HeightValue with zero, or are rejected outright. Variants like "x:" or ":x" may also need explicit handling (maintainer confirmation requested).
Credits
Team Daemon Fuzz Hunters
Bug Hunting Master Program, HSpace/Findthegap
Woojin Park
@jin-156
[email protected]
Hojun Lee
@leehohojune
[email protected]
Youngin Won
@amethyst0225
[email protected]
Siyeon Han
@hanbunny
[email protected]
amethyst0225 Reporter
leehohojune Reporter
jin-156 Reporter
Summary
Passing a geometry string containing only a colon (":") to montage -geometry leads GetGeometry() to set width/height to 0. Later, ThumbnailImage() divides by these zero dimensions, triggering a crash (SIGFPE/abort), resulting in a denial of service.
Details
Root Cause
montage -geometry ":" ...reachesMagickCore/geometry.c:GetGeometry().StringToDouble/InterpretLocaleValueparses":"as0.0;then:ImageMagick/MagickCore/geometry.c
Line 355 in 0ba1b58
WidthValue(and/orHeightValue)is set with a zero dimension.ImageMagick/MagickCore/resize.c
Lines 4625 to 4629 in 0ba1b58
causing a division by zero and immediate crash.
The issue is trivially triggerable without external input files (e.g., using
xc:white).Reproduction
Environment
Steps
Observed result
PoC
No external file required; the pseudo image xc:white suffices:
Impact
ThumbnailImage()causes immediate abnormal termination (e.g., SIGFPE/abort), crashing the ImageMagick process.Suggested fix
Defensively reject zero dimensions early in
ThumbnailImage():Additionally, consider tightening validation in
GetGeometry()so that colon-only (and similar malformed) inputs do not yieldWidthValue/HeightValuewith zero, or are rejected outright. Variants like"x:"or":x"may also need explicit handling (maintainer confirmation requested).Credits
Team Daemon Fuzz Hunters
Bug Hunting Master Program, HSpace/Findthegap
Woojin Park
@jin-156
[email protected]
Hojun Lee
@leehohojune
[email protected]
Youngin Won
@amethyst0225
[email protected]
Siyeon Han
@hanbunny
[email protected]