Null Pointer Dereference vulnerability triggered by malformed image files

[kirit1193]

A Null-Pointer Dereference issues is present in the QueueAuthenticPixelCacheNexus function within the ImageMagick/MagickCore/cache.c file. The vulnerable code is as follows:

for (i=0; i < (ssize_t)image->rows; i++)
   {
   q=QueueAuthenticPixels(image,0,i,image->columns,1,exception);
   for (j=0; j < (ssize_t)image->columns; j++)
      {
      if (GetPixelRed(image,q) == ScaleCharToQuantum(1))
         {
         <some code>
      }

Here, the variable q is getting the output of the function QueueAuthenticPixels. This function, in turn calls:

pixels=QueueAuthenticPixelCacheNexus(image,x,y,columns,rows,MagickFalse,cache_info->nexus_info[id],exception);
return(pixels);

The QueueAuthenticPixelCacheNexus function performs a series of asserts are explicitly returns NULL:

assert(image != (const Image *) NULL);
assert(image->signature == MagickCoreSignature);
assert(image->cache != (Cache) NULL);
cache_info=(CacheInfo *) GetImagePixelCache(image,clone,exception);
if (cache_info == (Cache) NULL)
   return((Quantum *) NULL);

Once this NULL is returned back to the original function via return(pixels);, q gets the NULL value.

It gets used in a function call: GetPixelRed(image,q)

It is finally de-referenced in GetPixelRed in the following line:

return(pixel[image->channel_map[RedPixelChannel].offset]);

Modifying the code to:

if (q != NULL)
   GetPixelRed(image,q);

Would avoid this vulnerability.

[urban-warrior]

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

[fgeek]

Please use CVE-2017-14060 for this issue.

[kirit1193]

Thanks @fgeek!