Prerequisites
[Y] I have verified that I am using the latest version of ImageMagick
[Y] I have searched open and closed issues to ensure it has not already been reported.
Description
There is a segmentation fault caused by a null-pointer dereference (NPD) in the function ReadSVGImage, svg.c:3621, in ImageMagick 7.0.10.
ImageMagick does not check whether the pointer returned from libxml2 is NULL and dereferences it directly.
This directly leads to a program crash with a segmentation fault.
Steps to Reproduce
1. To ensure reproduction, I use up the space in the /tmp folder as a low-privilege user.
For example, to facilitate the reproduction,
2. Run:
seg-svg3621.zip (unzip first)
Here is the trace reported by ASAN:
System Configuration
ImageMagick version:
Version: ImageMagick 7.0.10-31 Q16 x86_64 2020-09-22 https://imagemagick.org
Copyright: © 1999-2020 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.0)
Delegates (built-in): bzlib fontconfig freetype jng jp2 jpeg lzma png x xml zlib
Environment (Operating system, version and so on):
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.6 LTS"
Additional information:
Here is the link for the function xmlCreatePushParserCtxt in libxml2,
![image](https://user-images.githubusercontent.com/7632714/94231402-843b0a00-ff36-11ea-9eb0-ed51025e4671.png)
which indicates that the return value can be NULL if it fails.
https://gitlab.gnome.org/GNOME/libxml2/-/blob/master/parser.c#L12375
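The following is an added example, not code from ImageMagick or libxml2. It mirrors the shape of the defect described in this report (a push parser context created and then used without a NULL check) beside the hardened form that fails closed when the context cannot be created. A hypothetical stand-in replaces xmlCreatePushParserCtxt() so the file compiles without libxml2; the failure is driven by a parameter (constructed for the example) rather than by a full /tmp as in the reproduction steps, and the status codes, struct names and helper functions are all invented here.

```c
/* Added example (not code from ImageMagick or libxml2). A hypothetical
 * stand-in replaces xmlCreatePushParserCtxt() so this compiles without
 * libxml2; its failure is simulated with a flag instead of a full /tmp. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal parser context, standing in for xmlParserCtxt. */
typedef struct {
    size_t bytes_fed;
    int saw_svg_root;
} push_ctxt_t;

enum svg_status { SVG_OK = 0, SVG_ERR_NO_CONTEXT = 1, SVG_ERR_NOT_SVG = 2 };

typedef struct {
    enum svg_status status;
    size_t bytes_fed;
} svg_result_t;

/* Stand-in for xmlCreatePushParserCtxt(): like the real call, it returns
 * NULL when it cannot set up a context. `fail` simulates that condition. */
static push_ctxt_t *create_push_ctxt(const char *chunk, int size, int fail) {
    if (fail)
        return NULL;
    push_ctxt_t *ctxt = calloc(1, sizeof *ctxt);
    if (ctxt == NULL)
        return NULL;
    ctxt->bytes_fed = (size_t)size;
    ctxt->saw_svg_root = (size >= 4 && memcmp(chunk, "<svg", 4) == 0);
    return ctxt;
}

/* Stand-in for xmlParseChunk(): the first place a NULL context is touched. */
static void parse_chunk(push_ctxt_t *ctxt, const char *chunk, int size) {
    (void)chunk;
    ctxt->bytes_fed += (size_t)size;
}

static void free_push_ctxt(push_ctxt_t *ctxt) {
    free(ctxt);
}

/* Vulnerable shape: the context is used without a NULL check. With
 * simulate_failure set this dereferences NULL, the crash the report
 * describes, so it is only exercised on the success path. */
static svg_result_t read_svg_unchecked(const char *data, size_t len, int simulate_failure) {
    size_t head = len < 4 ? len : 4;
    push_ctxt_t *ctxt = create_push_ctxt(data, (int)head, simulate_failure);
    parse_chunk(ctxt, data + head, (int)(len - head));
    svg_result_t r = { ctxt->saw_svg_root ? SVG_OK : SVG_ERR_NOT_SVG, ctxt->bytes_fed };
    free_push_ctxt(ctxt);
    return r;
}

/* Hardened shape: a creation failure becomes an error result instead of a
 * crash. ImageMagick readers would raise a reader exception at this point;
 * this example returns a status code in its place. */
static svg_result_t read_svg_checked(const char *data, size_t len, int simulate_failure) {
    svg_result_t r = { SVG_ERR_NO_CONTEXT, 0 };
    size_t head = len < 4 ? len : 4;
    push_ctxt_t *ctxt = create_push_ctxt(data, (int)head, simulate_failure);
    if (ctxt == NULL)
        return r;                 /* fail closed; nothing was allocated */
    parse_chunk(ctxt, data + head, (int)(len - head));
    r.status = ctxt->saw_svg_root ? SVG_OK : SVG_ERR_NOT_SVG;
    r.bytes_fed = ctxt->bytes_fed;
    free_push_ctxt(ctxt);
    return r;
}

int main(void) {
    const char *svg = "<svg xmlns='x'/>";   /* constructed sample input */
    svg_result_t ok = read_svg_checked(svg, strlen(svg), 0);
    svg_result_t no_ctxt = read_svg_checked(svg, strlen(svg), 1);
    printf("normal: status=%d bytes=%zu\n", ok.status, ok.bytes_fed);
    printf("context creation failed: status=%d bytes=%zu\n", no_ctxt.status, no_ctxt.bytes_fed);
    return 0;
}
```

The only difference between the two readers is the `if (ctxt == NULL)` branch; everything else is identical. That is the check the report says is missing at svg.c:3621, and it is cheap to add because at that point nothing has been allocated that needs freeing.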