
Null Pointer dereference caused by incomplete check of the return value from libxml2 in ReadSVGImage svg.c:3621 #2624

Closed
5hadowblad3 opened this issue Sep 25, 2020 · 1 comment


@5hadowblad3

5hadowblad3 commented Sep 25, 2020

Prerequisites

  • [Y] I have written a descriptive issue title
  • [Y] I have verified that I am using the latest version of ImageMagick
  • [Y] I have searched open and closed issues to ensure it has not already been reported.

Description

There is a segmentation fault caused by an NPD in the function ReadSVGImage, svg.c:3621, in ImageMagick 7.0.10.
ImageMagick does not check the nullity of the pointer returned from libxml2 and dereferences it directly.
This directly leads to program crashes and a segmentation fault.

Steps to Reproduce

1. To ensure the crash reproduces, I use up the space in the /tmp folder as a low-privilege user.
For example, to facilitate reproduction:

fallocate -l size_of_the_tmp_folder /tmp/test.img

2. Run:

magick convert poc ./test.ps

seg-svg3621.zip (unzip first)

Here is the trace reported by ASAN:

ASAN:SIGSEGV
=================================================================
==112350==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x0000009fec8c bp 0x62700001f900 sp 0x7ffd383e31c0 T0)
    #0 0x9fec8b in ReadSVGImage ../coders/svg.c:3621
    #1 0xc8ba0c in ReadImage ../MagickCore/constitute.c:553
    #2 0x8dfbc1 in ReadPESImage ../coders/pes.c:673
    #3 0xc8ba0c in ReadImage ../MagickCore/constitute.c:553
    #4 0xc8ecbc in ReadImages ../MagickCore/constitute.c:943
    #5 0x12bfaef in ConvertImageCommand ../MagickWand/convert.c:607
    #6 0x13fd865 in MagickCommandGenesis ../MagickWand/mogrify.c:191
    #7 0x43992d in MagickMain ../utilities/magick.c:149
    #8 0x7efd17fa982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x439168 in _start (/mnt/data/playground/ImageMagick/build-asan/utilities/magick+0x439168)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../coders/svg.c:3621 ReadSVGImage
==112350==ABORTING

System Configuration

CFLAGS='-I/usr/include/libxml2 -I/usr/include/libpng12  -I/usr/include/openjpeg-2.1 -I/usr/include/freetype2 -I/usr/include/freetype2  -fopenmp -Wall -O0 -g -fsanitize=address  -mtune=broadwell -fexceptions -pthread -DMAGICKCORE_HDRI_ENABLE=1 -DMAGICKCORE_QUANTUM_DEPTH=16'
  • ImageMagick version:
    Version: ImageMagick 7.0.10-31 Q16 x86_64 2020-09-22 https://imagemagick.org
    Copyright: © 1999-2020 ImageMagick Studio LLC
    License: https://imagemagick.org/script/license.php
    Features: Cipher DPC HDRI OpenMP(4.0)
    Delegates (built-in): bzlib fontconfig freetype jng jp2 jpeg lzma png x xml zlib

  • Environment (Operating system, version and so on):
    DISTRIB_ID=Ubuntu
    DISTRIB_RELEASE=16.04
    DISTRIB_CODENAME=xenial
    DISTRIB_DESCRIPTION="Ubuntu 16.04.6 LTS"

  • Additional information:


Here is the link for the function xmlCreatePushParserCtxt in libxml2,
which indicates that the return value can be NULL if it fails.
https://gitlab.gnome.org/GNOME/libxml2/-/blob/master/parser.c#L12375
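The missing check described in this report, as an added C example that is not ImageMagick's or libxml2's code: create_push_ctxt is a constructed stand-in for xmlCreatePushParserCtxt (libxml2 is not linked here) with a fault-injection flag that makes it return NULL, the way the real constructor does when it cannot set up its resources, and read_svg_guarded shows the return value being tested before any field is dereferenced.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for libxml2's push parser context (not the real type). */
typedef struct { char *buf; size_t len; } parser_ctxt_t;

/* Stand-in for xmlCreatePushParserCtxt: copies the first chunk into a context.
   inject_failure != 0 simulates the constructor failing and returning NULL. */
static parser_ctxt_t *create_push_ctxt(const char *chunk, size_t len, int inject_failure) {
    if (inject_failure)
        return NULL;
    parser_ctxt_t *c = calloc(1, sizeof *c);
    if (c == NULL)
        return NULL;
    c->buf = malloc(len);
    if (c->buf == NULL) { free(c); return NULL; }
    memcpy(c->buf, chunk, len);
    c->len = len;
    return c;
}

static void free_push_ctxt(parser_ctxt_t *c) {
    if (c != NULL) { free(c->buf); free(c); }
}

enum { SVG_OK = 0, SVG_ERR_PARSER_INIT = 1 };

/* Guarded reader: the constructor's return value is checked before use, so a
   failed context creation is reported as an error instead of crashing on a
   NULL dereference like the one at svg.c:3621. bytes_seen may be NULL. */
int read_svg_guarded(const char *chunk, size_t len, int inject_failure, size_t *bytes_seen) {
    parser_ctxt_t *ctxt = create_push_ctxt(chunk, len, inject_failure);
    if (ctxt == NULL) {
        if (bytes_seen != NULL) *bytes_seen = 0;
        return SVG_ERR_PARSER_INIT;   /* caller unwinds; nothing was touched */
    }
    if (bytes_seen != NULL) *bytes_seen = ctxt->len;   /* safe: ctxt is non-NULL here */
    free_push_ctxt(ctxt);
    return SVG_OK;
}
```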

@dlemstra
Member

Thanks for the detailed report. We just pushed a patch to resolve this.
