Null Pointer Dereference in the IdentifyImage function within ImageMagick/MagickCore/identify.c

[kirit1193]

A Null Pointer De-reference vulnerability is occurring due to the vulnerable code in the IdentifyImage function within ImageMagick/MagickCore/identify.c

The vulnerable code is as follows:

p=(const Quantum *) NULL;	
          for (y=0; y < (ssize_t) image->rows; y++)	
          {	
            p=GetVirtualPixels(image,0,y,image->columns,1,exception);	
            if (p == (const Quantum *) NULL)	
              break;	
            for (x=0; x < (ssize_t) image->columns; x++)	
              <code doesn’t reach here if p=NULL>
          }	

It is seen that p is being explicitly checked whether it is NULL and if it is, it breaks out of the for loop. Now the subsequent for loop modifies the value of p but due to the break statement, this doesn't occur.

Eventually, p is being used as an argument here in the GetPixelInfoPixel function:

GetPixelInfoPixel(image,p,&pixel);

Looking at the definition, p is passed into const Quantum *magick_restrict pixel, which is the 2nd argument. This is being explicitly de-referenced here:

pixel_info->red=(MagickRealType) pixel[image->channel_map[RedPixelChannel].offset];

There should be a check to verify if a pointer is NULL or not before any operations are performed on it, if it depends on user-input:

if (p != NULL) {
    <perform_operations>
}

[mikayla-grace]

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

[nohmask]

This was assigned CVE-2017-13768.