ImageMagick
cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*
- < 7.1.2-1
- < 6.9.13-27
A vulnerability in ImageMagick's handling of MNG images can lead to memory corruption. This issue exists in versions prior to 6.9.13-27 and 7.1.2-1. The vulnerability arises in the 'ReadOneMNGImage' function within 'coders/png.c', where the magnification size calculation is performed without overflow checks and can overflow. Exploiting this flaw requires an MNG file with specific characteristics, in particular large image dimensions, and a standard ImageMagick security policy should already reject such a file.
Exploitation of this vulnerability causes a heap-based buffer overflow, allowing for out-of-bounds writes that can be controlled by the attacker. This type of memory corruption is commonly associated with the potential for arbitrary code execution.
The vulnerability can be reproduced by creating an MNG file that includes a 'MAGN' chunk with carefully crafted values to trigger the overflow. This can be done using a Python script that generates the MNG file with the necessary dimensions and magnification data. Once the MNG file is created, it can be processed with ImageMagick's command-line tool, which will trigger the vulnerability and result in a heap-buffer-overflow error.
Users should update to ImageMagick 6.9.13-27 or later on the 6.x branch, or 7.1.2-1 or later on the 7.x branch, where this vulnerability has been patched.
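An ImageMagick policy.xml that applies the "standard security policies" the description refers to, added here as an example and not taken from the advisory or from the ImageMagick project: it disables the MNG coder and caps the dimensions a decode may use, so oversized inputs are rejected before the magnification arithmetic runs. The file paths and the limit values are assumptions chosen for illustration, not values stated on this page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example policy.xml constructed for this advisory; not shipped by ImageMagick.
     Typical install locations (assumed): /etc/ImageMagick-7/policy.xml
     or /etc/ImageMagick-6/policy.xml. -->
<policymap>
  <!-- Refuse the MNG coder entirely. The vulnerable code path is the MNG reader
       (ReadOneMNGImage in coders/png.c); PNG and JNG are separate coder names
       and remain enabled. -->
  <policy domain="coder" rights="none" pattern="MNG" />

  <!-- Cap the image dimensions the reader will accept. The advisory notes that a
       crafted file relies on large dimensions; with these (illustrative) limits
       such an input is rejected before any magnification buffer is allocated. -->
  <policy domain="resource" name="width" value="16KP" />
  <policy domain="resource" name="height" value="16KP" />
  <policy domain="resource" name="area" value="128MP" />

  <!-- Bound the memory and temporary storage a single decode may consume, so a
       malformed file cannot drive allocation sizes without limit. -->
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="resource" name="map" value="512MiB" />
  <policy domain="resource" name="disk" value="1GiB" />
</policymap>
```

Confirm the policy is in effect with `magick identify -list policy` (ImageMagick 7) or `identify -list policy` (ImageMagick 6); the MNG coder entry and the resource limits above should appear in the output.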