Description
A NULL pointer dereference occurs in the IdentifyImage function in ImageMagick/MagickCore/identify.c.
The vulnerable code is as follows:
p=(const Quantum *) NULL;
for (y=0; y < (ssize_t) image->rows; y++)
{
  p=GetVirtualPixels(image,0,y,image->columns,1,exception);
  if (p == (const Quantum *) NULL)
    break;
  for (x=0; x < (ssize_t) image->columns; x++)
    /* inner loop body elided in the report; not reached when p is NULL */
}
p is explicitly checked for NULL, and when it is NULL the code breaks out of the outer for loop. The inner for loop is the only place that would change p afterwards, but because of the break it never runs, so p leaves the loop still NULL.
Later in the same function, p is passed as an argument to GetPixelInfoPixel:
GetPixelInfoPixel(image,p,&pixel);
In the definition of GetPixelInfoPixel, p becomes the second parameter, const Quantum *magick_restrict pixel, which is dereferenced without any check:
pixel_info->red=(MagickRealType) pixel[image->channel_map[RedPixelChannel].offset];
A pointer whose value depends on user-controlled input (here, whether GetVirtualPixels could supply the row from the pixel cache) must be checked for NULL before any operation is performed on it:
if (p != (const Quantum *) NULL)
  {
    /* perform operations on p */
  }
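The control flow described above, and the check the report asks for, as an added example that is not ImageMagick's code. It is a self-contained C model: the Image and Quantum stand-ins, get_virtual_pixels, read_first_channel, the search for a target pixel value and the post-loop "did we stop early?" condition are all assumptions made for illustration, since the report does not show what IdentifyImage does between the loop and the GetPixelInfoPixel call. The vulnerable variant reports the pointer it would hand to the dereferencing function; the hardened variant returns an error status instead when that pointer is NULL.

```c
#include <stddef.h>

/* Toy stand-ins (assumptions, not ImageMagick's definitions). */
typedef unsigned short Quantum;

typedef struct {
  size_t columns, rows, channels;
  const Quantum *pixels;  /* row-major, rows*columns*channels values */
  size_t fail_row;        /* first row for which the pixel cache "fails" */
} Image;

typedef enum { SCAN_NONE = 0, SCAN_FOUND = 1, SCAN_CACHE_ERROR = 2 } ScanStatus;

/* Stand-in for GetVirtualPixels(): NULL when the cache cannot supply row y. */
static const Quantum *get_virtual_pixels(const Image *image, size_t y) {
  if (image->pixels == NULL || y >= image->fail_row)
    return NULL;
  return image->pixels + y * image->columns * image->channels;
}

/* Stand-in for the dereference GetPixelInfoPixel() performs on its pixel
   argument; calling this with NULL is the crash the report describes. */
static Quantum read_first_channel(const Quantum *pixel) {
  return pixel[0];
}

/* The pattern from the report: the NULL check only breaks out of the row
   loop, so after a cache failure p is still NULL when the loop exits.
   Returns 1 when the code would go on to call GetPixelInfoPixel() and
   stores the pointer it would pass in *out. The post-loop condition is an
   assumed model of "did we stop early?"; the report does not show it. */
static int scan_vulnerable(const Image *image, Quantum target,
                           const Quantum **out) {
  const Quantum *p = NULL;
  size_t x = 0, y;
  for (y = 0; y < image->rows; y++) {
    p = get_virtual_pixels(image, y);
    if (p == NULL)
      break;                  /* p stays NULL; the inner loop never runs */
    for (x = 0; x < image->columns; x++) {
      if (p[0] == target)
        break;
      p += image->channels;   /* the only place p is modified afterwards */
    }
    if (x < image->columns)
      break;
  }
  if (x < image->columns || y < image->rows) {
    *out = p;                 /* NULL after a cache failure, yet still used */
    return 1;
  }
  *out = NULL;
  return 0;
}

/* Hardened form: same loop, but the cache failure is reported before p is
   touched, which is the check the report asks for. */
static ScanStatus scan_hardened(const Image *image, Quantum target,
                                Quantum *value) {
  const Quantum *p = NULL;
  size_t x = 0, y;
  if (image->rows == 0 || image->columns == 0)
    return SCAN_NONE;
  for (y = 0; y < image->rows; y++) {
    p = get_virtual_pixels(image, y);
    if (p == NULL)
      break;
    for (x = 0; x < image->columns; x++) {
      if (p[0] == target)
        break;
      p += image->channels;
    }
    if (x < image->columns)
      break;
  }
  if (p == NULL)
    return SCAN_CACHE_ERROR;  /* refuse to use p; the caller gets an error */
  if (x < image->columns || y < image->rows) {
    *value = read_first_channel(p);
    return SCAN_FOUND;
  }
  return SCAN_NONE;
}

/* Constructed 2x2, 3-channel sample image; pixel (x=1, y=1) has channel 0 == 0. */
static const Quantum sample_pixels[2 * 2 * 3] = {
  9, 9, 9,   9, 9, 9,
  9, 9, 9,   0, 5, 5,
};

/* fail_row selects whether, and where, the modelled pixel cache fails. */
static Image sample_image(size_t fail_row) {
  Image img = { 2, 2, 3, sample_pixels, fail_row };
  return img;
}
```

With the cache working, both variants find the zero pixel. With the cache failing on row 1 (sample_image(1)), scan_vulnerable reports that it would proceed with p == NULL, while scan_hardened returns SCAN_CACHE_ERROR without touching the pointer.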