[Pkg-gmagick-im-team] Bug#870111: Stuck in LockSemaphoreInfo after reading a png with width==MAGICK_WIDTH_LIMIT #596

[Bastien ROUCARIES]

Source: imagemagick
Version: 8:6.9.7.4+dfsg-13
Severity: important
Tags: security upstream
X-Debbugs-CC: team at security.debian.org
control: found -1 8:6.8.9.9-5+deb8u8
control: found -1 8:6.8.9.9-5+deb8u9
control: found -1 8:6.7.7.10-5+deb7u14
control: found -1 8:6.7.7.10-5+deb9u1
forwarded: https://github.com/ImageMagick/ImageMagick/issues/596

It appears to still be an issue with
https://www.imagemagick.org/download/beta/ImageMagick-6.9.9-1~beta20170721.tar.xz.

If you try to read an image whose width exactly matches
MAGICK_WIDTH_LIMIT, ImageMagick returns a "width or height exceeds
limit" error, as expected. However, the next time you try to read a
png, it gets permanently stuck in LockSemaphoreInfo - I'm assuming
that the first time failed to unlock it.

I'm able to reproduce it with this code:

#include <stdio.h>
#include <string.h>
#include "magick/MagickCore.h"
#include "magick/magick-config.h"

void PrintImage(char* filename) {
ImageInfo* info = CloneImageInfo((ImageInfo *) NULL);
strcpy(info->filename, filename);
SetImageInfoFile(info, NULL);

ExceptionInfo *exception = AcquireExceptionInfo();
printf("Attempt to read %s\n", filename);
Image* image = ReadImage(info, exception);

printf("%s: %s %s\n", info->filename, exception->reason,
exception->description);
if (image) {
printf("%ix%i\n", image->columns, image->rows);
DestroyImage(image);
}
DestroyExceptionInfo(exception);
DestroyImageInfo(info);
}

int main(int argc, char *argv[]) {
if (argc < 2) {
printf("specify a filename to read\n");
return 1;
}

MagickCoreGenesis(*argv,MagickTrue);

PrintImage(argv[1]);
PrintImage(argv[1]);

return 0;
}

by passing it the path to a png file, with MAGICK_WIDTH_LIMIT set to
the exact width of that png.