Description
Version: ImageMagick 7.0.6-1 Q16 x86_64
$magick identify $FILE
Here is the critical code (the MNG `MOVE` chunk handler):
if (memcmp(type,mng_MOVE,4) == 0) //type can be controlled as it is from file data
{
  size_t
    first_object,
    last_object;

  /* read MOVE: the chunk payload carries a 16-bit object range
     (first_object..last_object) followed by offset-pair data. Both range
     bounds come straight from the file and are never validated here. */
  if (length > 3)
  {
    first_object=(p[0] << 8) | p[1]; //first_object can be controlled as p[...] is from file data
    last_object=(p[2] << 8) | p[3]; //last_object can be controlled as p[...] is from file data, its value can reach 65535
    p+=4;
    /* NOTE(review): i runs from first_object up to last_object (max 65535)
       and is never compared against MNG_MAX_OBJECTS (256, per the comment
       on x_off below), so the exists[i] / frozen[i] / x_off[i] / y_off[i]
       accesses in the loop body can index past the end of those arrays.
       The missing validation is a range check on the object indices
       before the loop (reject the chunk, or clamp the range to
       MNG_MAX_OBJECTS-1). */
    for (i=(ssize_t) first_object; i <= (ssize_t) last_object; i++)
    {
      /* The (p-chunk) < length-8 guard bounds the read of the pair data
         relative to the chunk buffer; it does not bound the object index.
         Assumes length is an unsigned size type — if 4 <= length < 8 the
         subtraction wraps and the ssize_t cast makes the comparison false,
         which skips the body but reads as accidental; TODO confirm. */
      if (mng_info->exists[i] && !mng_info->frozen[i] &&
          (p-chunk) < (ssize_t) (length-8))
      {
        MngPair
          new_pair;

        MngPair
          old_pair;

        old_pair.a=mng_info->x_off[i]; //x_off is from struct _MngInfo, 'x_off[MNG_MAX_OBJECTS]', and '#define MNG_MAX_OBJECTS 256'
        old_pair.b=mng_info->y_off[i];
        /* Compute the object's new offset pair from the chunk data.
           p is not advanced inside the loop, so every object in the range
           is fed the same pair bytes — presumably one MOVE applies to the
           whole range; verify against mng_read_pair. */
        new_pair=mng_read_pair(old_pair,(int) p[0],&p[1]);
        mng_info->x_off[i]=new_pair.a;
        mng_info->y_off[i]=new_pair.b;
      }
    }
  }
  /* Release the chunk buffer and go on to the next chunk of the enclosing
     loop, which lies outside this excerpt. */
  chunk=(unsigned char *) RelinquishMagickMemory(chunk);
  continue;
}
So a crafted file can cause an out-of-bounds access on x_off[i], which is a memory-safety vulnerability.
POC: https://github.com/jgj212/poc/blob/master/heap-mng
Credit: ADLab of Venustech