Null Pointer Dereference triggered by malformed Image File

[kirit1193]

A Null Pointer Dereference issue is present in the AcquireQuantumMemory function in the file ImageMagick/MagickCore/memory.c. This is due to the following vulnerable code:

if (n != 0)
   {
   dasharray=(double *) AcquireQuantumMemory((size_t) n+1UL,
   sizeof(*dasharray));
   p=CurrentContext->dash_pattern;
   q=dasharray;
   for (i=0; i < (ssize_t) n; i++)
      *q++=(*p++);
   *q=0.0;
   }

The variable dasharray gets the output of AcquireQuantumMemory. Looking at the code within this function, the following code explicitly returns NULL:

if (HeapOverflowSanityCheck(count,quantum) != MagickFalse)
   return((void *) NULL);

Eventually q gets the value stored in dasharray (which is potentially NULL) in q=dasharray;

Finally, q gets explicitly dereferenced in *q++=(*p++);

Using

if (q != NULL)
   *q++=(*p++);

would resolve the Null Pointer Dereference vulnerability.

[urban-warrior]

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

[fgeek]

https://nvd.nist.gov/vuln/detail/CVE-2017-14505