Closed
Description
A null-pointer dereference issue is present in the QueueAuthenticPixelCacheNexus function within the ImageMagick/MagickCore/cache.c file. The vulnerable code is as follows:
    for (i=0; i < (ssize_t) image->rows; i++)
    {
      q=QueueAuthenticPixels(image,0,i,image->columns,1,exception);
      for (j=0; j < (ssize_t) image->columns; j++)
      {
        if (GetPixelRed(image,q) == ScaleCharToQuantum(1))
        {
          <some code>
        }
      }
    }
Here, the variable q receives the return value of QueueAuthenticPixels. That function, in turn, calls:
    pixels=QueueAuthenticPixelCacheNexus(image,x,y,columns,rows,MagickFalse,cache_info->nexus_info[id],exception);
    return(pixels);
The QueueAuthenticPixelCacheNexus function performs a series of asserts and then explicitly returns NULL when the pixel cache cannot be obtained:
    assert(image != (const Image *) NULL);
    assert(image->signature == MagickCoreSignature);
    assert(image->cache != (Cache) NULL);
    cache_info=(CacheInfo *) GetImagePixelCache(image,clone,exception);
    if (cache_info == (Cache) NULL)
      return((Quantum *) NULL);
Once this NULL is returned to the original function via return(pixels);, q holds the NULL value.
It is then used unchecked in the call GetPixelRed(image,q).
It is finally dereferenced inside GetPixelRed at the following line:
    return(pixel[image->channel_map[RedPixelChannel].offset]);
Modifying the code to:
    if (q != NULL)
      GetPixelRed(image,q);
would avoid this vulnerability.
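The pattern from the report, reduced to a stand-alone model as an added example (this is not ImageMagick code): the pixel-cache lookup is a stub that returns NULL when the cache is missing, and the loop checks q before any dereference. The Image struct, queue_authentic_pixels and count_red_pixels names are assumptions made for the example.

```c
/* Added example, not ImageMagick code: a reduced model of the loop in the
 * report. queue_authentic_pixels stands in for QueueAuthenticPixels and
 * returns NULL when the cache is unavailable, the case the report describes. */
#include <stddef.h>

typedef unsigned short Quantum;          /* stands in for ImageMagick's Quantum */

typedef struct {
    size_t rows, columns;
    Quantum *cache;                      /* NULL models a failed GetImagePixelCache */
} Image;

/* Stub for QueueAuthenticPixels: pointer into row y, or NULL if no cache. */
static Quantum *queue_authentic_pixels(Image *image, size_t y)
{
    if (image->cache == NULL)
        return NULL;
    return image->cache + y * image->columns;
}

/* Hardened version of the loop: returns the number of pixels whose red
 * channel equals 1, or -1 if a row's pixel pointer came back NULL.
 * The original loop called GetPixelRed(image, q) without this check. */
long count_red_pixels(Image *image)
{
    long count = 0;
    for (size_t i = 0; i < image->rows; i++) {
        Quantum *q = queue_authentic_pixels(image, i);
        if (q == NULL)                   /* the missing check from the report */
            return -1;
        for (size_t j = 0; j < image->columns; j++)
            if (q[j] == 1)               /* single-channel stand-in for GetPixelRed */
                count++;
    }
    return count;
}

/* Constructed 2x3 sample image whose red channel is 1 at two pixels. */
Image make_sample_image(void)
{
    static Quantum pixels[6] = {0, 1, 0, 1, 0, 0};
    Image img = {2, 3, pixels};
    return img;
}
```

With a valid cache count_red_pixels returns 2 for the sample; with cache set to NULL it returns -1 instead of dereferencing the NULL row pointer.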