ImageMagick BMP Encoder Heap Buffer Overflow Vulnerability in 32-bit Builds

Vulnerability

A heap buffer overflow vulnerability has been identified in ImageMagick's BMP encoder, specifically in 32-bit builds prior to versions 6.9.13-28 and 7.1.2-2. The issue arises from a 32-bit integer overflow in the scanline-stride computation for 24-bit-per-pixel images. The overflow causes 'bytes_per_line' (the stride) to collapse to a very small value, while the encoder still writes three bytes per pixel for the full image width. As a result, the first row of the image overwrites its allocated space and spills into adjacent heap memory with attacker-controlled pixel bytes. This is a classic heap corruption scenario, particularly relevant to automated image processing pipelines that convert images or generate thumbnails.

Impact

Exploitation of this vulnerability leads to a heap-based buffer overflow, allowing out-of-bounds writes into heap memory. Such heap overflows can often be leveraged for arbitrary code execution, especially on 32-bit systems, where the smaller address space weakens memory-layout defenses.

Reproduction

The vulnerability can be reproduced by crafting a BMP image with a width that exceeds 178,956,969 pixels, which triggers the integer overflow in the stride calculation. This can be done with a short Python script that writes a PPM file of the required dimensions, which is then converted to BMP with ImageMagick's 'magick' command. The conversion writes past the end of the allocated row buffer, demonstrating the heap buffer overflow.
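The stride collapse described under Vulnerability and the width threshold given above, worked through as an added C example written for this note (not ImageMagick's encoder source). It assumes the standard BMP stride formula 4 * ((width * 24 + 31) / 32) for 24 bpp, which is consistent with the 178,956,969-pixel threshold on this page, and places a 64-bit checked computation and a row-fits-in-stride invariant beside the wrapping 32-bit version.

```c
#include <stdint.h>
#include <stdio.h>

/* Standard BMP scanline stride for 24 bpp, evaluated the way a 32-bit build
 * does when every operand is a 32-bit unsigned integer. Illustrative code,
 * not ImageMagick's own encoder source. */
static uint32_t stride24_unchecked(uint32_t width)
{
    uint32_t bits = width * 24u;      /* wraps modulo 2^32 from 178,956,970 px */
    return 4u * ((bits + 31u) / 32u);
}

/* Bytes the encoder actually emits per row: three bytes per pixel. */
static uint64_t row_bytes24(uint32_t width)
{
    return (uint64_t)width * 3u;
}

/* Detection of the failure mode: a row must never be wider than its stride.
 * Returns 1 when the 32-bit stride would let a row overrun its buffer. */
static int row_overruns_unchecked(uint32_t width)
{
    return (uint64_t)stride24_unchecked(width) < row_bytes24(width);
}

/* Hardened form: compute in 64 bits so nothing wraps, and refuse a stride
 * that does not fit the 32-bit size type an allocation would use.
 * Returns the stride, or -1 when the width is rejected. */
static int64_t stride24_checked(uint32_t width)
{
    uint64_t bits = (uint64_t)width * 24u;
    uint64_t stride = 4u * ((bits + 31u) / 32u);
    if (stride > UINT32_MAX)
        return -1;
    return (int64_t)stride;
}

int main(void)
{
    /* Constructed sample widths: a normal image, the last safe width,
     * the first width that wraps, and the maximum 32-bit value. */
    const uint32_t widths[] = { 1024u, 178956969u, 178956970u, UINT32_MAX };
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        uint32_t w = widths[i];
        printf("width=%u unchecked=%u row_bytes=%llu overrun=%d checked=%lld\n",
               w, stride24_unchecked(w), (unsigned long long)row_bytes24(w),
               row_overruns_unchecked(w), (long long)stride24_checked(w));
    }
    return 0;
}
```

At width 178,956,970 the 32-bit stride becomes 0 while the row still needs 536,870,910 bytes; the 64-bit computation yields the correct 536,870,912-byte stride instead.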

Remediation

Users should update to ImageMagick 6.9.13-28 or 7.1.2-2 (or later). For those using the C/C++ library, ensure that the version is 7.1.2-2 or later.

Added: Aug 26, 2025, 6:21 PM
Updated: Aug 26, 2025, 6:21 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 10.0
exploitability: 6.0
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.