ImageMagick Heap-Based Buffer Overflow Vulnerability in Log Colorspace Handling

Vulnerability

A heap-based buffer overflow vulnerability has been identified in ImageMagick versions prior to 7.1.2-1. The issue arises while the logmap lookup table is built during conversion from the Log colorspace to sRGB. If the reference-black or reference-white value exceeds 1024, the table is written beyond the end of its allocated buffer, corrupting adjacent heap memory. The vulnerability can be triggered by a MIFF file that declares the Log colorspace with a large reference-black value; the overflow occurs when ImageMagick processes that file.
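The following is an added defensive example, not code from the advisory or from ImageMagick. It pre-scans the text header of a MIFF file for the fields the advisory names (colorspace, reference-black, reference-white) and reports when a value would push the logmap index past the table size. The MIFF header layout (whitespace-separated key=value pairs, `{}`-quoted values, header terminated by `:` followed by Ctrl-Z), the Q16 table size of MaxMap+1 = 65536 entries, and the index arithmetic `reference * MaxMap / 1024` are assumptions made for illustration; the sample headers are constructed, not captured files.

```python
"""
Pre-scan MIFF headers for Log-colorspace reference values that exceed the
1024 limit described in the advisory (ImageMagick < 7.1.2-1).
"""
import re

MAX_MAP = 65535          # assumption: ImageMagick MaxMap for a Q16 build
TABLE_ENTRIES = MAX_MAP + 1
SAFE_LIMIT = 1024.0      # limit stated in the advisory
HEADER_TERMINATOR = b":\x1a"   # assumption: colon + Ctrl-Z ends the MIFF text header

# Constructed sample headers (pixel data omitted; these are not real files).
BENIGN_HEADER = (
    b"id=ImageMagick version=1.0 class=DirectClass colors=0 alpha-trait=Undefined "
    b"columns=2 rows=2 depth=8 colorspace=Log "
    b"reference-black=95 reference-white=685\n\x0c\n:\x1a"
)
SUSPICIOUS_HEADER = (
    b"id=ImageMagick version=1.0 class=DirectClass colors=0 alpha-trait=Undefined "
    b"columns=2 rows=2 depth=8 colorspace=Log "
    b"reference-black=4096 reference-white=685\n\x0c\n:\x1a"
)


def parse_miff_header(data: bytes) -> dict:
    """Return the key=value pairs of a MIFF header as a dict (keys lower-cased)."""
    end = data.find(HEADER_TERMINATOR)
    header = data if end < 0 else data[:end]
    text = header.decode("latin-1")
    fields = {}
    # Values are either a single token or a {...} group that may contain spaces.
    for match in re.finditer(r"([A-Za-z][\w:-]*)=(\{[^}]*\}|\S+)", text):
        key, value = match.group(1), match.group(2)
        if value.startswith("{") and value.endswith("}"):
            value = value[1:-1]
        fields[key.lower()] = value
    return fields


def logmap_index_bound(reference: float, max_map: int = MAX_MAP) -> int:
    """Highest logmap index the fill loop would reach for a reference value.

    Mirrors the arithmetic implied by the advisory (index scales as
    reference * MaxMap / 1024); anything above MaxMap is out of bounds.
    """
    return int(reference * max_map / 1024.0)


def check_log_parameters(fields: dict) -> list:
    """Return human-readable findings for unsafe Log-colorspace parameters."""
    findings = []
    if fields.get("colorspace", "").lower() != "log":
        return findings  # the logmap is only built for Log -> sRGB conversion
    for key in ("reference-black", "reference-white"):
        raw = fields.get(key)
        if raw is None:
            continue
        try:
            value = float(raw)
        except ValueError:
            findings.append(f"{key}: non-numeric value {raw!r}")
            continue
        if value < 0 or value > SAFE_LIMIT:
            bound = logmap_index_bound(value)
            findings.append(
                f"{key}={value:g} drives logmap index to {bound} "
                f"but the table has {TABLE_ENTRIES} entries"
            )
    return findings


def check_miff_bytes(data: bytes) -> list:
    """Convenience wrapper: parse the header and evaluate its Log parameters."""
    return check_log_parameters(parse_miff_header(data))


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_HEADER), ("suspicious", SUSPICIOUS_HEADER)):
        print(name, check_miff_bytes(sample) or "no findings")
```

Run it on a file by passing the first few kilobytes of the file to `check_miff_bytes`; a non-empty list means the file should be rejected or quarantined before an unpatched ImageMagick processes it. Only the text header is inspected, so the scan is cheap and does not decode pixel data.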

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, which can lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced with a Python script that generates a minimal MIFF file declaring the Log colorspace with an excessively large reference-black value. Processing the crafted file with the ImageMagick command-line tool triggers the overflow, and an AddressSanitizer build reports a heap-buffer-overflow error, confirming that the out-of-bounds write was reached.

Remediation

Users should upgrade to ImageMagick version 7.1.2-1 or later, where this vulnerability has been patched.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.