ImageMagick Undefined Behavior Vulnerability in Splay Tree Cloning Callback

Vulnerability

A vulnerability exists in ImageMagick versions prior to 6.9.13-27 and 7.1.2-1 in which the splay tree cloning callback is invoked through a function pointer whose type does not match the callee's actual signature. Calling a function through a pointer of the wrong type is undefined behavior in C. When the library is built with the Undefined Behavior Sanitizer (UBSan) and its function-type check, the sanitizer detects the mismatch and aborts the process deterministically, which is a denial-of-service condition for sanitizer builds. In a non-sanitized build the call completes and no crash occurs. The issue is triggered by parsing a minimal 2-byte input through the MagickWand interface and then coalescing the resulting images, which exercises the cloning path.

Impact

When a UBSan build processes the trigger, the sanitizer reports a runtime error for the function-type mismatch and aborts the process. In non-sanitized builds the mismatch does not cause a crash, so the practical risk is low: the defect becomes a denial of service only where the library is built with sanitizer checks enabled, as in fuzzing and test environments.

Reproduction

The vulnerability can be reproduced by compiling a C program against the ImageMagick MagickWand library with AddressSanitizer and the Undefined Behavior Sanitizer enabled (the function-type mismatch check is Clang's -fsanitize=function, included in -fsanitize=undefined on recent Clang releases). Running the program on the 2-byte payload and coalescing the images exercises the mismatched splay tree cloning callback and produces the sanitizer abort. The same steps can be automated with a libFuzzer harness.
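To make the defect class concrete, the following is an added, constructed example (not ImageMagick's code and not the advisory's reproducer): a clone routine that calls a caller-supplied callback through a generic `void *(*)(void *)` type, a strdup-like helper with the natural `char *(const char *)` signature that is cast to that type (the mismatched pattern UBSan's function-type check reports), and a correctly typed adapter that performs the same copy without undefined behavior. All names (`Table`, `clone_table`, `copy_string`, `clone_string_value`) are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed illustration (not ImageMagick code): a clone routine that
 * invokes a caller-supplied callback through a generic function-pointer
 * type, plus a mismatched and a correctly typed way of supplying it.
 */

/* Generic callback shape used by the clone routine. */
typedef void *(*clone_fn)(void *);

/* Minimal container standing in for a key/value tree: a fixed array of
   string values. */
#define TABLE_CAPACITY 4
typedef struct {
    size_t count;
    void *values[TABLE_CAPACITY];
} Table;

/* The cloning routine only knows the generic type; it cannot see what the
   callback really is, so a cast at the call site hides any mismatch. */
static Table *clone_table(const Table *src, clone_fn clone_value)
{
    Table *dst = calloc(1, sizeof(*dst));
    if (dst == NULL || src->count > TABLE_CAPACITY) {
        free(dst);
        return NULL;
    }
    dst->count = src->count;
    for (size_t i = 0; i < src->count; i++) {
        dst->values[i] = clone_value(src->values[i]);
        if (dst->values[i] == NULL) {   /* allocation failure: unwind */
            for (size_t j = 0; j < i; j++)
                free(dst->values[j]);
            free(dst);
            return NULL;
        }
    }
    return dst;
}

/* A strdup-like helper with the natural signature for strings. Its type,
   char *(const char *), is not void *(void *). */
static char *copy_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy != NULL)
        memcpy(copy, s, n);
    return copy;
}

/* Buggy pattern: the cast silences the compiler, but every call made by
   clone_table goes through a pointer of the wrong type. That is undefined
   behavior; Clang's -fsanitize=function reports it at the first call. */
static Table *clone_table_mismatched(const Table *src)
{
    return clone_table(src, (clone_fn) copy_string);
}

/* Corrected pattern: an adapter with exactly the callback's type. The
   conversions to and from void * happen inside the adapter, where they are
   well defined. */
static void *clone_string_value(void *value)
{
    return copy_string((const char *) value);
}

static Table *clone_table_fixed(const Table *src)
{
    return clone_table(src, clone_string_value);
}

static void free_table(Table *t)
{
    if (t == NULL)
        return;
    for (size_t i = 0; i < t->count; i++)
        free(t->values[i]);
    free(t);
}

int main(void)
{
    /* Constructed sample input. */
    Table original = { .count = 2, .values = { "red", "green" } };

    Table *good = clone_table_fixed(&original);
    if (good == NULL)
        return 1;
    printf("fixed clone: %s %s\n", (char *) good->values[0], (char *) good->values[1]);
    free_table(good);

    /* With a recent clang and -fsanitize=undefined this call aborts with
       "call to function copy_string through pointer to incorrect function
       type"; without the sanitizer it completes normally. */
    Table *bad = clone_table_mismatched(&original);
    if (bad == NULL)
        return 1;
    printf("mismatched clone ran: %s %s\n", (char *) bad->values[0], (char *) bad->values[1]);
    free_table(bad);
    return 0;
}
```

Build with `clang -g -fsanitize=undefined example.c -o example && ./example`: the fixed clone prints its values, then the mismatched call aborts with the function-type report. The same source built without the sanitizer runs both paths to completion, which is the behavior the advisory describes for non-sanitized builds. The adapter, not the cast, is the fix to apply wherever a callback of one signature is handed to an API expecting another.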

Remediation

Users should update to ImageMagick 6.9.13-27 or 7.1.2-1 (or later), where this defect has been patched.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.