Closed
Description
Version: ImageMagick 7.0.6-6 Q16 x86_64
#./magick identify $FILE
When identifying an SFW file, a heap buffer overflow vulnerability was found in function ReadSFWImage in coders/sfw.c. Here is the critical code:

```c
header=SFWScan(buffer,buffer+count-1,(const unsigned char *) //271
  "\377\310\377\320",4);
```
In function SFWScan:
```c
static unsigned char *SFWScan(const unsigned char *p,const unsigned char *q,
  const unsigned char *target,const size_t length)
{
  register ssize_t
    i;

  if ((p+length) < q)
    while (p < q)
    {
      for (i=0; i < (ssize_t) length; i++)
        if (p[i] != target[i]) // 133 heap buffer overflow
          break;
      if (i == (ssize_t) length)
        return((unsigned char *) p);
      p++;
    }
  return((unsigned char *) NULL);
}
```

The memory space of the heap buffer "p" is p~q (from p[0] to p[q-p-1]), but in the for-loop inside the while loop, "p[i]" will lead to a heap buffer overflow.
testcase: https://github.com/bestshow/p0cs/blob/master/heap_buffer_overflow_in_SFWScan
Credit: ADLab of Venustech
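The defect in the report is that the outer guard `(p+length) < q` is checked once, but the `while (p < q)` loop keeps advancing `p` until the last byte, so the final iterations compare `p[i]` for `i` up to `length-1` beyond the end of the buffer. The example below is an added illustration, not ImageMagick's code or its upstream fix: a bounds-checked scan with the same shape, where the candidate window is only compared while it fits entirely inside the buffer. It assumes an `end` pointer one past the last valid byte (the original passes `buffer+count-1`, the last byte itself), and the sample buffers and the `sfw_scan_safe`/`scan_offset` names are constructed here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not ImageMagick's code): a bounds-checked version of the
 * SFWScan pattern.  'end' points one past the last valid byte, so the
 * window p..p+length-1 is examined only while it fits inside the buffer. */
static const unsigned char *sfw_scan_safe(const unsigned char *p,
    const unsigned char *end, const unsigned char *target, size_t length)
{
    if (p == NULL || end == NULL || end < p || length == 0)
        return NULL;
    /* (size_t)(end - p) is the number of readable bytes left; comparing
     * lengths avoids forming p+length, which could itself point out of range. */
    while ((size_t)(end - p) >= length) {
        if (memcmp(p, target, length) == 0)
            return p;
        p++;
    }
    return NULL;
}

/* Offset of the first match, or -1 when the pattern is not fully present. */
static long scan_offset(const unsigned char *buf, size_t buflen,
    const unsigned char *target, size_t length)
{
    const unsigned char *hit = sfw_scan_safe(buf, buf + buflen, target, length);
    return hit == NULL ? -1L : (long)(hit - buf);
}

/* The 4-byte marker the report's call site searches for ("\377\310\377\320"). */
static const unsigned char SFW_JPEG_MARKER[4] = { 0xFF, 0xC8, 0xFF, 0xD0 };

static long demo_full_marker(void)
{
    /* constructed buffer: the marker starts at offset 3, fully inside */
    static const unsigned char buf[] = { 0x53, 0x46, 0x57, 0xFF, 0xC8, 0xFF, 0xD0, 0x00 };
    return scan_offset(buf, sizeof buf, SFW_JPEG_MARKER, 4);
}

static long demo_marker_at_tail(void)
{
    /* constructed buffer: the marker ends exactly on the last byte (offset 1) */
    static const unsigned char buf[] = { 0x00, 0xFF, 0xC8, 0xFF, 0xD0 };
    return scan_offset(buf, sizeof buf, SFW_JPEG_MARKER, 4);
}

static long demo_truncated_marker(void)
{
    /* constructed buffer ending with only the first two marker bytes: the
     * original loop would read p[2] and p[3] past the end of the buffer;
     * here the window never extends past it, so there is simply no match */
    static const unsigned char buf[] = { 0x53, 0x46, 0x57, 0xFF, 0xC8 };
    return scan_offset(buf, sizeof buf, SFW_JPEG_MARKER, 4);
}

static long demo_short_buffer(void)
{
    /* constructed buffer shorter than the pattern: nothing to compare */
    static const unsigned char buf[] = { 0xFF, 0xC8 };
    return scan_offset(buf, sizeof buf, SFW_JPEG_MARKER, 4);
}

int main(void)
{
    printf("full marker at offset %ld\n", demo_full_marker());
    printf("marker at tail, offset %ld\n", demo_marker_at_tail());
    printf("truncated marker: %ld\n", demo_truncated_marker());
    printf("short buffer: %ld\n", demo_short_buffer());
    return 0;
}
```

Running this under AddressSanitizer is a quick way to confirm the difference: the truncated-marker case is exactly the input shape that trips the original loop, and the bounds-checked scan reads nothing past `end`.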