Closed
Description
Version: ImageMagick 7.0.6-1 Q16 x86_64
#./magick identify $FILE
When identifying a WMF file, a crafted file revealed a use-after-free vulnerability.
A piece of memory was allocated in function wmf_malloc (api.c):
mem = malloc (size); //482
Free: (api.c, in function wmf_lite_destroy)
free (MM->list[MM->count]); //336
Use after free: (wmf.c, in function ReadWMFImage)
if (ddata->draw_info != (DrawInfo *) NULL) //2682
testcase: https://github.com/bestshow/p0cs/blob/master/use-after-free-in-ReadWMFImage
Credit: ADLab of Venustech
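
The allocate / free-all / later-read pattern in this report, as an added example that is not ImageMagick or libwmf code: a simplified tracking allocator with a teardown order that leaves no dangling pointer. All names (`mem_mgr`, `mm_malloc`, `mm_destroy`, `device_data`, `teardown`) are hypothetical, and it assumes the structure read at wmf.c line 2682 lives in memory that the destroy call releases.

```c
#include <stdlib.h>
#include <stddef.h>

/* Simplified model (hypothetical names): every block handed out is
   recorded so that destroy can free them all in one pass. */
typedef struct { void **list; size_t count, max; } mem_mgr;
typedef struct { int *draw_info; } device_data;   /* stand-in for ddata */

static void *mm_malloc(mem_mgr *mm, size_t size) {
    if (mm->count == mm->max) {                   /* grow the tracking list */
        size_t nmax = mm->max ? mm->max * 2 : 8;
        void **nl = realloc(mm->list, nmax * sizeof *nl);
        if (nl == NULL) return NULL;
        mm->list = nl;
        mm->max = nmax;
    }
    void *mem = malloc(size);
    if (mem != NULL) mm->list[mm->count++] = mem;
    return mem;
}

/* Frees every tracked block: any pointer into them dangles afterwards. */
static void mm_destroy(mem_mgr *mm) {
    while (mm->count > 0) free(mm->list[--mm->count]);
    free(mm->list);
    mm->list = NULL;
    mm->max = 0;
}

/* Safe order: release what the tracked struct points to, destroy the
   allocator, then null the caller's pointer so a later check such as
   `ddata->draw_info != NULL` cannot read freed memory. */
static void teardown(mem_mgr *mm, device_data **ddata) {
    if (*ddata != NULL && (*ddata)->draw_info != NULL) {
        free((*ddata)->draw_info);                /* separately owned */
        (*ddata)->draw_info = NULL;
    }
    mm_destroy(mm);
    *ddata = NULL;
}

/* Returns 1 when teardown left no live reference behind, -1 on OOM. */
int demo_safe_teardown(void) {
    mem_mgr mm = {0};
    device_data *ddata = mm_malloc(&mm, sizeof *ddata);
    if (ddata == NULL) { mm_destroy(&mm); return -1; }
    ddata->draw_info = malloc(sizeof *ddata->draw_info);
    teardown(&mm, &ddata);
    return ddata == NULL && mm.count == 0 && mm.list == NULL;
}
```

Building the reproducer path with AddressSanitizer (`-fsanitize=address`) reports the reversed order, destroy before the last read, as a heap-use-after-free at the read site.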