मंदार
2009-10-30 12:07:27 UTC
Hi,
I am using ImageMagick 5.5.7 on the Solaris operating system.
The ReadBMPImage() method reads the image's width and height as long
integers but then casts them to (short), which truncates the height
4294967136 to -160.
Please see the following code snippet (when bmp_info.height is negative):
file - bmp.c, In function "ReadBMPImage"
Line no - 1253
if (bmp_info.height < 0)
In “ReadBMPImage” it corrects the orientation, creates a flipped
image and calls the “FlipImage” function as follows:
flipped_image=FlipImage(image,exception);
In the “FlipImage” function, to initialize the flipped image's attributes, it
calls the “CloneImage” function:
flip_image=CloneImage(image,image->columns,image->rows,True,exception);
In the “CloneImage” function it sets “image->blob->type” to
“UndefinedStream”.
Then it calls the "ReadBlob()" function (and in turn ReadInlineBlob()):
Line no- 1279
(void) ReadBlob(image,2,(char *) magick);
In ReadInlineBlob(), the following statement calls "abort" and
terminates the program:
assert(image->blob->type != UndefinedStream);
This will always happen when bmp_info.height is negative.
Please see the following code, which sets “clone_image->blob” to
“UndefinedStream”. (See highlighted variables)
</snip>
MagickExport Image *CloneImage(const Image *image,const unsigned long columns,
  const unsigned long rows,const unsigned int orphan,ExceptionInfo *exception)
{
  //Here value of orphan is hardcoded as true.
  ……………
  if (orphan)
    clone_image->blob=CloneBlobInfo((BlobInfo *) NULL);
  else
    {
      clone_image->blob=ReferenceBlob(image->blob);
</snip>
I have investigated this further, to find where the value of "bmp_info.height" is
set to a negative value.
Analysis:
Here the "ReadBMPImage" method reads a Microsoft Windows bitmap image file.
Line no - 600 (bmp.c), in the else part.
bmp_info.height=(short) ReadBlobLSBLong(image);
Here the data type of height is long, and the method "ReadBlobLSBLong" returns
an unsigned long value,
and that unsigned long value is truncated using (short), so the
value of bmp_info.height becomes negative.
Now my question is: why is the unsigned long value type-cast to short?
And if there is a genuine reason behind this type cast, then it will
always cause the program to terminate.
I think the data type for height and width should be "unsigned long", and the
cast to short should be removed.
Please correct me if I am wrong.
In case of any query, please reply.
Regards,
Mandar Choure.
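The truncation described in the post, reproduced against a constructed BITMAPINFOHEADER, as an added example that is not code from ImageMagick or from the poster. The byte offsets (biWidth at 4, biHeight at 8 in the 40-byte header) and the meaning of the field (biHeight is a signed 32-bit value; negative means a top-down bitmap with |biHeight| rows) are from the Windows BMP format; the function names `build_info_header`, `height_via_short_cast` and `parse_bmp_height` and the three sample height values are chosen here.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte offsets inside a BITMAPINFOHEADER, the 40-byte header that follows
 * the 14-byte BITMAPFILEHEADER in a Windows BMP file. */
#define BIH_SIZE   40
#define BIH_WIDTH   4
#define BIH_HEIGHT  8

/* Little-endian 32-bit read from a byte buffer: what ReadBlobLSBLong does
 * against a stream. */
static uint32_t read_lsb_long(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_lsb_long(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/* Constructed test input (name chosen for this example): a zeroed
 * BITMAPINFOHEADER with only biSize, biWidth and biHeight filled in.
 * height_bits is the raw 32-bit field exactly as it would appear on disk. */
void build_info_header(uint8_t *hdr, uint32_t width, uint32_t height_bits)
{
    memset(hdr, 0, BIH_SIZE);
    write_lsb_long(hdr + 0, BIH_SIZE);
    write_lsb_long(hdr + BIH_WIDTH, width);
    write_lsb_long(hdr + BIH_HEIGHT, height_bits);
}

/* The cast the report complains about: the 32-bit field is squeezed through
 * a 16-bit short and then widened back to long, so the upper 16 bits are
 * lost and bit 15 becomes the sign. 0xFFFFFF60 comes out as -160, and a
 * legitimate 70000 silently comes out as 4464. */
long height_via_short_cast(const uint8_t *hdr)
{
    return (long)(short) read_lsb_long(hdr + BIH_HEIGHT);
}

/* The field as the format defines it: biHeight is a signed 32-bit integer,
 * and a negative value means a top-down bitmap whose row count is |biHeight|.
 * The sign conversion is written out so it does not rely on the
 * implementation-defined result of casting an out-of-range value to int32_t.
 * Returns 0 and fills rows/top_down on success, -1 if the value is unusable. */
int parse_bmp_height(const uint8_t *hdr, uint32_t *rows, int *top_down)
{
    uint32_t raw = read_lsb_long(hdr + BIH_HEIGHT);
    int32_t h;

    if (raw <= (uint32_t)INT32_MAX)
        h = (int32_t)raw;
    else
        h = -(int32_t)(UINT32_MAX - raw) - 1;   /* two's complement, portably */

    if (h == INT32_MIN)       /* -h would overflow int32_t */
        return -1;
    if (h == 0)               /* an image with no rows is not usable */
        return -1;

    *top_down = (h < 0);
    *rows = (uint32_t)(h < 0 ? -h : h);
    return 0;
}

int main(void)
{
    /* Constructed samples: the sign-flip case from the report, a height
     * above 65535, and the one negative value whose magnitude overflows. */
    static const uint32_t samples[] = { 0xFFFFFF60u, 70000u, 0x80000000u };
    uint8_t hdr[BIH_SIZE];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t rows;
        int top_down;

        build_info_header(hdr, 320u, samples[i]);
        printf("raw 0x%08" PRIX32 ": via (short) cast -> %ld; ", samples[i],
               height_via_short_cast(hdr));
        if (parse_bmp_height(hdr, &rows, &top_down) == 0)
            printf("as int32 -> %" PRIu32 " rows, %s\n", rows,
                   top_down ? "top-down" : "bottom-up");
        else
            printf("as int32 -> rejected\n");
    }
    return 0;
}
```

The cast loses information in both directions: it turns a large positive height into a negative one, and it shrinks a height above 65535 to a small positive value without any error. Reading the field as a plain unsigned long would keep the magnitude but discard the top-down flag that a negative biHeight carries, which is why the example keeps a signed 32-bit read and adds an explicit check for the one value (INT32_MIN) whose magnitude cannot be represented.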