
Null Pointer Dereference vulnerability triggered by malformed image files #710

Closed
@kirit1193

Description


A Null-Pointer Dereference issue is present in the QueueAuthenticPixelCacheNexus function within the ImageMagick/MagickCore/cache.c file. The vulnerable code is as follows:

for (i=0; i < (ssize_t) image->rows; i++)
   {
   q=QueueAuthenticPixels(image,0,i,image->columns,1,exception);
   for (j=0; j < (ssize_t) image->columns; j++)
      {
      if (GetPixelRed(image,q) == ScaleCharToQuantum(1))
         {
         <some code>
         }
      }
   }

Here, the variable q receives the output of the function QueueAuthenticPixels. This function, in turn, calls:

pixels=QueueAuthenticPixelCacheNexus(image,x,y,columns,rows,MagickFalse,cache_info->nexus_info[id],exception);
return(pixels);

The QueueAuthenticPixelCacheNexus function performs a series of asserts and explicitly returns NULL:

assert(image != (const Image *) NULL);
assert(image->signature == MagickCoreSignature);
assert(image->cache != (Cache) NULL);
cache_info=(CacheInfo *) GetImagePixelCache(image,clone,exception);
if (cache_info == (Cache) NULL)
   return((Quantum *) NULL);

Once this NULL is returned to the original function via return(pixels);, q gets the NULL value.

It then gets used in a function call: GetPixelRed(image,q)

It is finally dereferenced in GetPixelRed in the following line:

return(pixel[image->channel_map[RedPixelChannel].offset]);

Modifying the code to:

if (q != NULL)
   GetPixelRed(image,q);

would avoid this vulnerability.
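Added illustration, not code from the issue or from ImageMagick: a self-contained C model of the row loop above with the NULL check applied before any pixel is read, so a failed pixel-cache lookup is reported to the caller rather than handed to GetPixelRed. The Image type, queue_row() and count_red_pixels_checked() are constructed stand-ins for the real ImageMagick API.

```c
#include <stddef.h>

/* Constructed stand-ins for the ImageMagick types; not the real API. */
typedef unsigned char Quantum;
typedef struct {
    size_t columns, rows;
    Quantum *pixels;      /* row-major, one channel per pixel */
    int cache_available;  /* models GetImagePixelCache() failing */
} Image;

/* Models QueueAuthenticPixels(): returns NULL when the pixel cache cannot be
   obtained, the path the issue traces through QueueAuthenticPixelCacheNexus(). */
static Quantum *queue_row(Image *image, size_t y)
{
    if (!image->cache_available || y >= image->rows)
        return NULL;
    return image->pixels + y * image->columns;
}

/* Hardened loop: the row pointer is checked before any pixel is read, and a
   failure is reported to the caller instead of being dereferenced.
   Returns the number of pixels whose red channel equals 1 (the model of the
   GetPixelRed(image,q) == ScaleCharToQuantum(1) test), or -1 on failure. */
long count_red_pixels_checked(Image *image)
{
    long count = 0;
    for (size_t i = 0; i < image->rows; i++) {
        Quantum *q = queue_row(image, i);
        if (q == NULL)
            return -1;   /* cache unavailable: stop, never touch q */
        for (size_t j = 0; j < image->columns; j++)
            if (q[j] == 1)
                count++;
    }
    return count;
}

/* Constructed 3x2 sample image; cache_available = 0 models the failure a
   malformed input file produces. Returns 3 with a working cache, -1 without. */
long demo(int cache_available)
{
    Quantum data[6] = {1, 0, 1, 1, 0, 0};
    Image img = {3, 2, data, cache_available};
    return count_red_pixels_checked(&img);
}
```

Returning an error from the row loop, rather than skipping only the GetPixelRed call, also stops the rest of the loop body from running on a row that was never populated.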
