A Null Pointer De-reference vulnerability is occurring due to the vulnerable code in the IdentifyImage function within ImageMagick/MagickCore/identify.c
The vulnerable code is as follows:
    p=(const Quantum *) NULL;
    for (y=0; y < (ssize_t) image->rows; y++)
    {
      p=GetVirtualPixels(image,0,y,image->columns,1,exception);
      if (p == (const Quantum *) NULL)
        break;
      for (x=0; x < (ssize_t) image->columns; x++)
      {
        /* per-pixel work; not reached if p == NULL */
      }
    }
It is seen that p is being explicitly checked whether it is NULL and if it is, it breaks out of the for loop. Now the subsequent for loop modifies the value of p but due to the break statement, this doesn't occur.
Eventually, p is being used as an argument here in the GetPixelInfoPixel function:
    GetPixelInfoPixel(image,p,&pixel);
Looking at the definition, p is passed into const Quantum *magick_restrict pixel, which is the 2nd argument. This is being explicitly de-referenced here:
    pixel_info->red=(MagickRealType) pixel[image->channel_map[RedPixelChannel].offset];
There should be a check to verify if a pointer is NULL or not before any operations are performed on it, if it depends on user-input:
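The control flow described in the report, modelled as an added C example that is not ImageMagick's code and not the reporter's: the `Image`, `Quantum` and `PixelInfo` types, `get_virtual_pixels()` and `get_pixel_info_pixel()` are constructed stand-ins for the MagickCore functions named above, and the `fail_from_row` field is an assumed knob that makes the simulated pixel cache return NULL from a given row onward. `loop_leaves_null_pointer()` reproduces the loop and reports whether `p` is NULL at the point where the original code hands it to `GetPixelInfoPixel()`; `hardened_last_pixel()` shows the check-before-use the report asks for, propagating the failure as an error code instead of dereferencing it.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the ImageMagick types; NOT the MagickCore definitions. */
typedef float Quantum;

typedef struct {
    size_t rows;
    size_t columns;
    const Quantum *pixels;   /* row-major, rows*columns samples, one channel */
    size_t fail_from_row;    /* assumed knob: cache reads fail from this row on */
} Image;

typedef struct {
    double red;
} PixelInfo;

/* Stand-in for GetVirtualPixels(): returns NULL once the cache cannot be read. */
static const Quantum *get_virtual_pixels(const Image *image, size_t y)
{
    if (y >= image->fail_from_row)
        return NULL;
    return image->pixels + y * image->columns;
}

/* Stand-in for GetPixelInfoPixel(): dereferences its pixel argument without
   a NULL check, like the quoted pixel[...offset] line. */
static void get_pixel_info_pixel(const Quantum *pixel, PixelInfo *info)
{
    info->red = (double) pixel[0];
}

/* Models the reported loop. Instead of passing a possibly-NULL p to
   get_pixel_info_pixel() afterwards (which would crash), it returns whether
   p is NULL at the point where the original code uses it. */
static int loop_leaves_null_pointer(const Image *image)
{
    const Quantum *p = NULL;
    size_t y;

    for (y = 0; y < image->rows; y++) {
        p = get_virtual_pixels(image, y);
        if (p == NULL)
            break;            /* p stays NULL after this break */
        /* per-pixel work would go here; never reached when p == NULL */
    }
    return p == NULL;         /* 1 means the later dereference would fault */
}

/* Hardened variant: the post-loop use of p is guarded and the failure is
   propagated. Returns 0 and fills *out on success, -1 if the read failed. */
static int hardened_last_pixel(const Image *image, PixelInfo *out)
{
    const Quantum *p = NULL;
    size_t y;

    for (y = 0; y < image->rows; y++) {
        p = get_virtual_pixels(image, y);
        if (p == NULL)
            break;
    }
    if (p == NULL)
        return -1;                 /* check before use, as the report asks */
    get_pixel_info_pixel(p, out);  /* safe: p is non-NULL here */
    return 0;
}

/* Constructed 2x2 single-channel sample image. */
static const Quantum sample_pixels[4] = { 0.25f, 0.5f, 0.75f, 1.0f };

static Image make_image(size_t fail_from_row)
{
    Image image = { 2, 2, sample_pixels, fail_from_row };
    return image;
}

/* Wrappers so each outcome is available as a plain return value. */
static int demo_null_after_loop(size_t fail_from_row)
{
    Image image = make_image(fail_from_row);
    return loop_leaves_null_pointer(&image);
}

static int demo_hardened_status(size_t fail_from_row)
{
    Image image = make_image(fail_from_row);
    PixelInfo info;
    return hardened_last_pixel(&image, &info);
}

static double demo_hardened_red(size_t fail_from_row)
{
    Image image = make_image(fail_from_row);
    PixelInfo info = { -1.0 };     /* stays -1.0 if the read is refused */
    (void) hardened_last_pixel(&image, &info);
    return info.red;
}

int main(void)
{
    printf("healthy cache: p NULL after loop? %d\n", demo_null_after_loop(2));
    printf("failing cache: p NULL after loop? %d\n", demo_null_after_loop(1));
    printf("hardened read, failing cache: status %d\n", demo_hardened_status(1));
    printf("hardened read, healthy cache: red=%g\n", demo_hardened_red(2));
    return 0;
}
```

With a healthy cache the loop exits with `p` pointing at the last row; with a cache that fails at any row, the `break` leaves `p` NULL and the unguarded call would fault, which is exactly the condition the guard in `hardened_last_pixel()` turns into an error return.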