oss-sec mailing list archives

Imagemagick heap overflow


From: Bastien ROUCARIES <roucaries.bastien () gmail com>
Date: Sun, 13 Nov 2016 12:25:15 +0100

Hi,

ImageMagick before 3cbfb163cff9e5b8cdeace8312e9bfee810ed02b
suffers from a heap overflow in WaveletDenoiseImage(). This problem is
easily triggerable from a Perl script.

For more details see:
https://github.com/ImageMagick/ImageMagick/issues/296

The problem is solved by this simple patch:
@@ -5866,7 +5866,7 @@ MagickExport Image *WaveletDenoiseImage(const
Image *image,
     ThrowImageException(ResourceLimitError,"MemoryAllocationFailed");
   pixels_info=AcquireVirtualMemory(3*image->columns,image->rows*
     sizeof(*pixels));
-  kernel=(float *) AcquireQuantumMemory(MagickMax(image->rows,image->columns),
+  kernel=(float *)
AcquireQuantumMemory(MagickMax(image->rows,image->columns)+1,
     GetOpenMPMaximumThreads()*sizeof(*kernel));
   if ((pixels_info == (MemoryInfo *) NULL) || (kernel == (float *) NULL))
     {
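
Review bot: the `+1` added to the element count in the AcquireQuantumMemory() call has no comment saying which access needs the extra slot, so a later cleanup could silently drop it again; add a one-line comment naming the index that reaches MagickMax(image->rows,image->columns). Because the buffer is sized as that count times GetOpenMPMaximumThreads()*sizeof(*kernel), the code that carves `kernel` into per-thread slices (not visible in this hunk) should be checked to use the same count+1 stride; if it still steps by MagickMax(image->rows,image->columns), the extra element only protects the last thread's slice and the other slices would overlap their neighbours.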

