ImageMagick Stack Buffer Overflow Vulnerability in `magick mogrify` Command

A stack buffer overflow vulnerability has been identified in ImageMagick versions prior to 7.1.2-0 and 6.9.13-26. The issue arises in the `magick mogrify` command when multiple consecutive `%d` format specifiers are used in a filename template. This causes internal pointer arithmetic to generate an address that underflows the beginning of the stack buffer, leading to a stack overflow via `vsnprintf()`. The vulnerability is caused by a design flaw in how format specifiers are processed, allowing for negative pointer arithmetic that writes outside the bounds of the buffer.

Impact

Exploitation of this vulnerability causes a stack buffer overflow, which can lead to arbitrary code execution or a crash of the application.

Reproduction

The vulnerability can be reproduced by using ImageMagick 7.1.1-47 or 6.9.13-24. After building ImageMagick with AddressSanitizer enabled, the `magick mogrify` command can be executed with multiple consecutive `%d` format specifiers in the filename template. This triggers the buffer overflow, which can be verified by the AddressSanitizer error message indicating a stack-buffer-overflow.

Remediation

Users can upgrade to ImageMagick versions 7.1.2-0 or 6.9.13-26 to address this vulnerability.