Closed
Description
Hi all,
ImageMagick-7.0.6-5, still exist in latest development branch
AcquireRandomInfoThreadSet might return NULL if AcquireMagickMemory fails, then it will cause Null Pointer Deference and Denial of Service.
MagickExport Image *SketchImage(const Image *image,const double radius,
const double sigma,const double angle,ExceptionInfo *exception)
{
.......................
status=MagickTrue;
random_info=AcquireRandomInfoThreadSet(); // Might return NULL if allocating memory failed
random_view=AcquireAuthenticCacheView(random_image,exception);
#if defined(MAGICKCORE_OPENMP_SUPPORT)
key=GetRandomSecretKey(random_info[0]); // one of the Dereference of variable `random_info`
#pragma omp parallel for schedule(static,4) shared(status) \
magick_threads(random_image,random_image,random_image->rows,key == ~0UL)
#endif
for (y=0; y < (ssize_t) random_image->rows; y++)
Similar suspicious code pieces might also share the same issue:
ImageMagick/MagickCore/effect.c
Line 3800 in 590d5f3
ImageMagick/MagickCore/threshold.c
Line 2075 in 3c296d6
ImageMagick/MagickCore/statistic.c
Line 506 in 4e46ad9
Regards,
Alex, SourceBrella Inc.