Null Pointer Dereference in sixel_decode #720

jgj212 · 2017-09-03T15:03:51Z

ImageMagick 7.0.7-0 Q16 x86_64

Here is the critical code:

    *palette = (unsigned char *) AcquireQuantumMemory(*ncolors,4);   //line 535
    for (n = 0; n < (ssize_t) *ncolors; ++n) {
        (*palette)[n * 4 + 0] = sixel_palet[n] >> 16 & 0xff;
        (*palette)[n * 4 + 1] = sixel_palet[n] >> 8 & 0xff;
        (*palette)[n * 4 + 2] = sixel_palet[n] & 0xff;
        (*palette)[n * 4 + 3] = 0xff;
    }

AcquireQuantumMemory(...) may return NULL, so (*palette)[n * 4 + 0] will Dereference Null pointer to cause memory error.

Credit: ADLab of Venustech

The text was updated successfully, but these errors were encountered:

mikayla-grace · 2017-09-03T15:41:06Z

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

nohmask · 2017-09-21T07:56:01Z

This was assigned CVE-2017-14626.

urban-warrior pushed a commit that referenced this issue Sep 3, 2017

https://github.com/ImageMagick/ImageMagick/issues/720

a3375df

urban-warrior pushed a commit that referenced this issue Sep 3, 2017

https://github.com/ImageMagick/ImageMagick/issues/720

90b301d

dlemstra added the bug label Sep 3, 2017

dlemstra closed this as completed Sep 3, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Null Pointer Dereference in sixel_decode #720

Null Pointer Dereference in sixel_decode #720

jgj212 commented Sep 3, 2017

mikayla-grace commented Sep 3, 2017

nohmask commented Sep 21, 2017

Null Pointer Dereference in sixel_decode #720

Null Pointer Dereference in sixel_decode #720

Comments

jgj212 commented Sep 3, 2017

mikayla-grace commented Sep 3, 2017

nohmask commented Sep 21, 2017