
Null Pointer Dereference in the IdentifyImage function within ImageMagick/MagickCore/identify.c #706

Closed
@kirit1193

Description

@kirit1193

A Null Pointer Dereference vulnerability occurs due to the vulnerable code in the IdentifyImage function within ImageMagick/MagickCore/identify.c.

The vulnerable code is as follows:

```c
p=(const Quantum *) NULL;
for (y=0; y < (ssize_t) image->rows; y++)
{
  p=GetVirtualPixels(image,0,y,image->columns,1,exception);
  if (p == (const Quantum *) NULL)
    break;
  for (x=0; x < (ssize_t) image->columns; x++)
    /* code doesn't reach here if p == NULL */
}
```

It can be seen that p is explicitly checked for NULL and, if it is NULL, the code breaks out of the for loop. The subsequent for loop would modify the value of p, but due to the break statement this doesn't occur.

Eventually, p is being used as an argument here in the GetPixelInfoPixel function:

```c
GetPixelInfoPixel(image,p,&pixel);
```

Looking at the definition, p is passed as `const Quantum *magick_restrict pixel`, the 2nd argument. It is explicitly dereferenced here:

```c
pixel_info->red=(MagickRealType) pixel[image->channel_map[RedPixelChannel].offset];
```

There should be a check to verify whether a pointer is NULL before any operations are performed on it, if it depends on user input:

```c
if (p != NULL) {
    /* perform operations */
}
```
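The control flow described in the report, as an added example that is not ImageMagick's code: the row-fetch loop breaks on a NULL row pointer, so `p` is still NULL after the loop, and the post-loop use must check it. The `Image`/`Quantum` types, `get_virtual_pixels`, and the `failing_row` field are constructed stand-ins (assumptions) that simulate a pixel-cache failure; `loop_leaves_null_pointer` shows the bug mechanism without dereferencing, and `mean_of_last_row_hardened` shows the same loop with the missing post-loop check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-ins for ImageMagick's Quantum/Image types (assumption:
 * these are not the library's real definitions). */
typedef unsigned short Quantum;

typedef struct {
    size_t rows;
    size_t columns;
    Quantum *pixels;      /* rows * columns grey samples, filled by make_test_image */
    size_t failing_row;   /* row whose fetch fails; NO_FAILING_ROW means none */
} Image;

#define NO_FAILING_ROW SIZE_MAX

/* Stand-in for GetVirtualPixels(): returns one row of pixels, or NULL when
 * the (simulated) pixel cache cannot supply it. */
static const Quantum *get_virtual_pixels(const Image *image, size_t y)
{
    if (y >= image->rows || y == image->failing_row)
        return NULL;
    return image->pixels + y * image->columns;
}

/* Builds a constructed image where pixel (y, x) holds y*10 + x. */
Image *make_test_image(size_t rows, size_t columns, size_t failing_row)
{
    Image *image = malloc(sizeof *image);
    image->rows = rows;
    image->columns = columns;
    image->failing_row = failing_row;
    image->pixels = malloc(rows * columns * sizeof(Quantum));
    for (size_t y = 0; y < rows; y++)
        for (size_t x = 0; x < columns; x++)
            image->pixels[y * columns + x] = (Quantum) (y * 10 + x);
    return image;
}

void free_test_image(Image *image)
{
    free(image->pixels);
    free(image);
}

/* Mirrors the reported loop: a NULL row breaks out, leaving p NULL.
 * Returns 1 if p is NULL once the loop exits, 0 otherwise. Never
 * dereferences p, so it is safe to call on the failing image too. */
int loop_leaves_null_pointer(const Image *image)
{
    const Quantum *p = NULL;
    for (size_t y = 0; y < image->rows; y++) {
        p = get_virtual_pixels(image, y);
        if (p == NULL)
            break;
        /* per-pixel work would run here, as in the original inner loop */
    }
    return p == NULL;
}

/* Hardened variant: same loop, but p is validated before the post-loop use
 * (GetPixelInfoPixel in the report). Returns 0 and writes the mean of the
 * last fetched row on success, -1 if any row could not be fetched. */
int mean_of_last_row_hardened(const Image *image, double *mean_out)
{
    const Quantum *p = NULL;
    for (size_t y = 0; y < image->rows; y++) {
        p = get_virtual_pixels(image, y);
        if (p == NULL)
            break;
    }
    if (p == NULL)   /* the missing check: fail closed instead of dereferencing */
        return -1;
    double sum = 0.0;
    for (size_t x = 0; x < image->columns; x++)
        sum += p[x];
    *mean_out = sum / (double) image->columns;
    return 0;
}
```

The post-loop check also covers an image with zero rows, where `p` is never assigned and stays NULL; returning an error status lets the caller report a cache failure rather than crash on a malformed input.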
