
Null Pointer Dereference triggered by malformed Image File #716

Closed
@kirit1193

Description


A Null Pointer Dereference issue is present in the AcquireQuantumMemory function in the file ImageMagick/MagickCore/memory.c. This is due to the following vulnerable code:

```c
if (n != 0)
  {
    dasharray=(double *) AcquireQuantumMemory((size_t) n+1UL,
      sizeof(*dasharray));
    p=CurrentContext->dash_pattern;
    q=dasharray;
    for (i=0; i < (ssize_t) n; i++)
      *q++=(*p++);
    *q=0.0;
  }
```

The variable dasharray gets the output of AcquireQuantumMemory. Looking at the code within this function, the following code explicitly returns NULL:

```c
if (HeapOverflowSanityCheck(count,quantum) != MagickFalse)
  return((void *) NULL);
```

Eventually `q` gets the value stored in `dasharray` (which is potentially NULL) in `q=dasharray;`.

Finally, `q` gets explicitly dereferenced in `*q++=(*p++);`.

Using

```c
if (q != NULL)
  *q++=(*p++);
```

would resolve the Null Pointer Dereference vulnerability.
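As an added illustration (not part of the issue report or of ImageMagick's own code): the allocate-then-copy pattern quoted above beside a hardened form that tests the allocation result once and returns before any write, so both the copy loop and the trailing terminator write are covered. The allocator here is a constructed stand-in that refuses a `count*quantum` overflow the way the quoted `HeapOverflowSanityCheck` path does; the function names and sample inputs are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for AcquireQuantumMemory (not ImageMagick's code):
   returns NULL when count*quantum would overflow size_t, the same outcome
   as the HeapOverflowSanityCheck path quoted in the issue. */
void *acquire_quantum_memory(size_t count, size_t quantum)
{
  if (quantum != 0 && count > SIZE_MAX / quantum)
    return NULL;                      /* overflow: allocation refused */
  return malloc(count * quantum);
}

/* The pattern from the issue: the allocation result is used unchecked.
   With n = SIZE_MAX/2 the allocator returns NULL and the first
   iteration writes through a NULL pointer. Shown for contrast only. */
double *copy_dash_pattern_unchecked(const double *pattern, size_t n)
{
  double *dasharray = (double *) acquire_quantum_memory(n + 1UL, sizeof(*dasharray));
  const double *p = pattern;
  double *q = dasharray;
  for (size_t i = 0; i < n; i++)
    *q++ = *p++;                      /* NULL write when allocation failed */
  *q = 0.0;                           /* also a NULL write on failure */
  return dasharray;
}

/* Hardened form: check the allocation once, before any dereference, and
   return NULL so the caller can report a resource error. A per-iteration
   `if (q != NULL)` guard would leave the terminator write below unguarded. */
double *copy_dash_pattern_checked(const double *pattern, size_t n)
{
  double *dasharray = (double *) acquire_quantum_memory(n + 1UL, sizeof(*dasharray));
  if (dasharray == NULL)
    return NULL;                      /* propagate failure, no dereference */
  memcpy(dasharray, pattern, n * sizeof(*dasharray));
  dasharray[n] = 0.0;                 /* zero terminator, as in the original */
  return dasharray;
}
```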
