A possible divide by zero bug in GetVirtualPixelCacheNexus

[yiyuaner]

Prerequisites

• I have written a descriptive issue title
• I have searched open and closed issues to ensure it has not already been reported
• I have verified that I am using the latest version of ImageMagick

ImageMagick version

7.0.11-11

Operating system

Linux

Operating system, version and so on

CentOS

Description

In file MagickCore/cache.c, the function GetVirtualPixelCacheNexus has the following code:

case MirrorVirtualPixelMethod:
{
    x_modulo=VirtualPixelModulo(x_offset,cache_info->columns);

While in VirtualPixelModulo, the second argument cache_info->columns is used as a divsor:

static inline MagickModulo VirtualPixelModulo(const ssize_t offset,
  const size_t extent)
{
  MagickModulo
    modulo;

  modulo.quotient=offset/((ssize_t) extent);

If cache_info->columns equals to 0, then we will have a divide by zero problem. I think it is possible because of the following code in the same function:

for (u=0; u < (ssize_t) columns; u+=length)
{
    ssize_t x_offset;

    x_offset=x+u;
    length=(MagickSizeType) MagickMin(cache_info->columns-x_offset,columns-u);
    if (((x_offset < 0) || (x_offset >= (ssize_t) cache_info->columns)) ||
        ((y_offset < 0) || (y_offset >= (ssize_t) cache_info->rows)) ||
        (length == 0))
    {

The above code explicitly checks length against 0, and length may be equal to cache_info->columns when x_offset is 0. Thus, it seems reasonable to assume that cache_info->columns may be equal to 0.

Steps to Reproduce

Similarly to issue 3642, this bug is found by static analysis and currently has no POC. Please see the detailed description above and verify if it is genuine, thanks!

Images

No response

[urban-warrior]

Columns can never be zero, at least theoretically. However, no harm in checking for this condition. We'll add a patch. Thanks.