Damian Put <pucik <at> overflow.pl> writes: > Vendor: ImageMagick (http://www.imagemagick.org) > Affected version: 6.x up to and including 6.2.8 > Vendor status: Fixed version released (6.2.9) There are some whitespace changes between 6.2.8 and 6.2.9 as well as a fix for what looks like a different vulnerability (affecting run-length encoded images only, but from what I can tell, 6.2.9 still suffers from the flaw you described below. Can you please clarify why you claim 6.2.9 to be fixed? > A heap overflow exists in ReadSGIImage() function, that is used to > decode a SGI image file. The vulnerable code is: > > coders/sgi.c: > > static Image *ReadSGIImage(const ImageInfo *image_info, > ExceptionInfo *exception) > { > ... > iris_info.bytes_per_pixel=(unsigned char) ReadBlobByte(image); > ... > image->columns=iris_info.columns; > image->rows=iris_info.rows; > ... > bytes_per_pixel=(size_t) iris_info.bytes_per_pixel; > number_pixels=(MagickSizeType) iris_info.columns*iris_info.rows; > ... > iris_pixels=(unsigned char *)AcquireMagickMemory > (4*bytes_per_pixel*iris_info.columns*iris_info.rows); > > We can manipalute iris_info.rows, iris_info.columns and bytes_per_pixel > value. Allocation of memory to "iris_pixels" is based on this values. > When rows*cols*bytes_per_pixe*4 overflow integer variable, we can alloc not > enough memory for next operations, and cause heap overflow. Regards, Daniel.
