
Array Index Out of Bounds and Potential Buffer-Overflow due to user-controlled value being used as Array Index #705

Closed
@kirit1193

Description

An issue affects ImageMagick/coders/thumbnail.c in the WriteTHUMBNAILImage function, where an externally controllable value is being used as an index in the process of generating a thumbnail image. This can lead to a potential Buffer Overflow. The vulnerable code is:

offset=(ssize_t) StringToLong(property);
property=GetImageProperty(image,"exif:JPEGInterchangeFormatLength",exception);
if (property == (const char *) NULL)
  ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
length=(size_t) StringToLong(property);
(void) ResetMagickMemory(magick,0,sizeof(magick));
for (i=0; i < (ssize_t) length; i++)
  {
  magick[0]=magick[1];
  magick[1]=magick[2];
  magick[2]=GetStringInfoDatum(profile)[offset+i];
  if (memcmp(magick,"\377\330\377",3) == 0)
    break;
  }
thumbnail_image=BlobToImage(image_info,GetStringInfoDatum(profile)+offset+i-2,length,exception);

Here the offset variable gets its value from StringToLong being run on an input image.

This value of offset is not being sanitized before it is being used as an array index in:

magick[2]=GetStringInfoDatum(profile)[offset+i];

It is also being used to generate the thumbnail_image by calling the BlobToImage function, where the value of const void *blob depends on the value of offset.

Validation is being performed on whether *blob is NULL using:

if ((blob == (const void *) NULL) || (length == 0))
  {
  (void) ThrowMagickException(exception,GetMagickModule(),BlobError,
  "ZeroLengthBlobNotPermitted","`%s'",image_info->filename);
  return((Image *) NULL);
  }

However, there are no checks on whether it is too large.
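The missing check described above, shown as a standalone C example. This is added illustration, not ImageMagick code: the function name `locate_thumbnail_checked`, the status codes and the sample EXIF-like buffer are hypothetical and constructed here. It keeps the same three-byte shift-register scan as the reported loop, but validates `offset` and `length` against the profile size before any byte is read, and refuses to hand a pointer to the decoder when no SOI marker is found in the window.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Outcome codes for the checked locator (hypothetical helper, not an ImageMagick API). */
enum thumb_status { THUMB_OK = 0, THUMB_BAD_RANGE = 1, THUMB_NO_SOI = 2 };

/*
 * Locate the embedded JPEG thumbnail inside an EXIF profile.
 * offset/length are the values parsed from exif:JPEGInterchangeFormat and
 * exif:JPEGInterchangeFormatLength, i.e. attacker-controlled per the issue.
 * Every index is validated against profile_len before the profile is read.
 */
enum thumb_status locate_thumbnail_checked(const unsigned char *profile, size_t profile_len,
                                           long long offset, long long length,
                                           size_t *start_out, size_t *length_out)
{
    static const unsigned char soi[3] = { 0xFF, 0xD8, 0xFF };   /* JPEG SOI marker */
    unsigned char magick[3] = { 0, 0, 0 };
    size_t off, len, i;

    if (profile == NULL || offset < 0 || length <= 0)
        return THUMB_BAD_RANGE;
    off = (size_t) offset;
    len = (size_t) length;
    /* offset must lie inside the profile, and [offset, offset+length) must not
       overrun it. Written as a subtraction so off + len cannot overflow. */
    if (off >= profile_len || len > profile_len - off)
        return THUMB_BAD_RANGE;

    /* Same shift-register scan as the reported loop, now over a validated window. */
    for (i = 0; i < len; i++) {
        magick[0] = magick[1];
        magick[1] = magick[2];
        magick[2] = profile[off + i];
        if (memcmp(magick, soi, 3) == 0) {
            /* marker occupies [off+i-2, off+i]; i >= 2 here, so no underflow */
            *start_out = off + i - 2;
            *length_out = len - (i - 2);   /* bytes from SOI to end of the window */
            return THUMB_OK;
        }
    }
    /* No SOI in the window: fail closed instead of returning a stray pointer. */
    return THUMB_NO_SOI;
}

/* Constructed sample profile: 8 bytes of filler, SOI at index 8, then a short payload. */
static const unsigned char sample_profile[] = {
    'E', 'x', 'i', 'f', 0x00, 0x00, 0x4D, 0x4D,
    0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00, 0xFF, 0xD9
};
#define SAMPLE_LEN (sizeof(sample_profile))

/* Convenience wrapper over the constructed sample: returns the thumbnail start index,
   -1 for a rejected offset/length pair, or -2 when the window holds no SOI marker. */
long long sample_thumbnail_start(long long offset, long long length)
{
    size_t start = 0, thumb_len = 0;
    enum thumb_status st = locate_thumbnail_checked(sample_profile, SAMPLE_LEN,
                                                    offset, length, &start, &thumb_len);
    if (st == THUMB_BAD_RANGE) return -1;
    if (st == THUMB_NO_SOI)    return -2;
    return (long long) start;
}

int main(void)
{
    printf("offset 6, length 15 -> start %lld\n", sample_thumbnail_start(6, 15));    /* 8 */
    printf("offset 100, length 4 -> %lld (rejected)\n", sample_thumbnail_start(100, 4));
    printf("offset 8, length 14 -> %lld (overruns profile)\n", sample_thumbnail_start(8, 14));
    printf("offset 0, length 8 -> %lld (no SOI)\n", sample_thumbnail_start(0, 8));
    return 0;
}
```

The two range tests are the whole fix for the indexing problem the issue describes: with them in place, `profile[off + i]` can never address past the profile, and the blob passed on to the decoder is guaranteed to start inside the profile and end no later than it does.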
