use after free in ReadWMFImage #555

Closed
@bestshow

Version: ImageMagick 7.0.6-1 Q16 x86_64

#./magick identify $FILE

When identifying a WMF file, a crafted file revealed a use-after-free vulnerability.
A piece of memory was allocated in function wmf_malloc (api.c):
mem = malloc (size); //482

Free: (api.c, in function wmf_lite_destroy)
free (MM->list[MM->count]); //336

Use after free: (wmf.c, in function ReadWMFImage)
if (ddata->draw_info != (DrawInfo *) NULL) //2682
testcase: https://github.com/bestshow/p0cs/blob/master/use-after-free-in-ReadWMFImage
Credit: ADLab of Venustech
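
The allocate / free / use sequence reported above, as an added example that is not code from ImageMagick, libwmf or the reporter: a simplified C model that puts the unsafe teardown order beside a safe one. It assumes the block read through ddata is one the tracked allocator releases on destroy; every name here (mem_mgr, dev_data, mgr_malloc, mgr_destroy, teardown_unsafe, teardown_safe) is hypothetical.

```c
#include <stdlib.h>

/* Simplified model of a tracked allocator: every block is recorded so
   that destroy can free them all. Hypothetical names, not libwmf's API. */
typedef struct { void *list[8]; int count; } mem_mgr;
typedef struct { int *draw_info; } dev_data;   /* stand-in for ddata */

void *mgr_malloc(mem_mgr *mm, size_t size) {
    if (mm->count >= 8) return NULL;
    void *mem = malloc(size);
    if (mem != NULL) mm->list[mm->count++] = mem;
    return mem;
}

/* Frees every tracked block; pointers into them dangle afterwards. */
void mgr_destroy(mem_mgr *mm) {
    while (mm->count > 0) {
        mm->count--;
        free(mm->list[mm->count]);
        mm->list[mm->count] = NULL;
    }
}

/* Unsafe order, shown for contrast and never called here:
   the manager is destroyed first, then a field of a freed block is read. */
void teardown_unsafe(mem_mgr *mm, dev_data *ddata) {
    mgr_destroy(mm);
    if (ddata->draw_info != NULL)      /* read of freed memory */
        free(ddata->draw_info);
}

/* Safe order: finish with the block's fields, destroy the manager, then
   clear the caller's pointer so later use is a NULL check, not a stale read.
   Returns 1 if draw_info was released, 0 if there was nothing to release. */
int teardown_safe(mem_mgr *mm, dev_data **pddata) {
    int released = 0;
    dev_data *ddata = *pddata;
    if (ddata != NULL && ddata->draw_info != NULL) {
        free(ddata->draw_info);
        ddata->draw_info = NULL;
        released = 1;
    }
    mgr_destroy(mm);
    *pddata = NULL;
    return released;
}
```

Building a caller of teardown_unsafe with -fsanitize=address reports the stale read as heap-use-after-free, together with the allocation and free stacks.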
