ImageMagick BlobStream Forward-Seek Under-Allocation Vulnerability Leading to Heap Out-of-Bounds Write

Vulnerability

A heap out-of-bounds write vulnerability has been identified in ImageMagick versions prior to 14.8.2. The issue arises within the Blob I/O component, specifically in the 'BlobStream' type. The vulnerability is caused by the 'SeekBlob()' function, which allows the stream offset to be advanced beyond the current end without increasing the blob's capacity. Consequently, the 'WriteBlob()' function expands the blob's extent incorrectly, leading to a deterministic heap write on 64-bit builds. This vulnerability does not require integer wraparound, external delegates, or special policy settings to be exploited.

Impact

Exploitation of this vulnerability allows for memory corruption through a heap out-of-bounds write, with the potential for code execution.

Reproduction

To reproduce the issue, create a memory-backed blob and write a single byte so that the blob's offset is initialized. Then seek to a position far beyond the blob's current extent; the seek does not increase the blob's capacity. The next write targets memory beyond the allocated buffer, and the resulting memory corruption causes a crash.
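The bug class described above, modelled as an added example (not ImageMagick's code or its patch): a hypothetical `mem_stream` with a bounds-checked write that sizes the buffer from offset + length. The type, the function names and the "naive" growth rule (grow by the write length only) are assumptions made for illustration; the naive path only computes the shortfall and never writes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical memory-backed stream; not ImageMagick's BlobInfo. */
typedef struct { unsigned char *data; size_t cap, len, off; } mem_stream;

/* Forward seeks past the end are allowed; capacity is left untouched. */
static void ms_seek(mem_stream *s, size_t off) { s->off = off; }

/* Assumed flawed sizing: grows capacity by the write length only, which
   is enough for sequential appends but ignores a seeked-ahead offset.
   Returns how many bytes past the buffer the write would end (0 = ok). */
static size_t ms_naive_shortfall(const mem_stream *s, size_t n)
{
    size_t cap = s->cap;
    if (s->off > SIZE_MAX - n) return SIZE_MAX;
    if (s->off + n > cap) cap += n;
    return (s->off + n > cap) ? s->off + n - cap : 0;
}

/* Hardened write: capacity is derived from offset + n (overflow-checked)
   and the gap left by a forward seek is zero-filled before copying. */
static int ms_write(mem_stream *s, const void *src, size_t n)
{
    if (n == 0) return 0;
    if (s->off > SIZE_MAX - n) return -1;
    size_t end = s->off + n;
    if (end > s->cap) {
        unsigned char *p = realloc(s->data, end);
        if (p == NULL) return -1;
        s->data = p; s->cap = end;
    }
    if (s->off > s->len) memset(s->data + s->len, 0, s->off - s->len);
    memcpy(s->data + s->off, src, n);
    s->off = end;
    if (end > s->len) s->len = end;
    return 0;
}

int main(void)
{
    mem_stream s = {0};
    ms_write(&s, "A", 1); ms_seek(&s, 4096);   /* constructed sample input */
    size_t gap = ms_naive_shortfall(&s, 1);
    int rc = ms_write(&s, "B", 1);
    printf("naive shortfall=%zu hardened rc=%d cap=%zu\n", gap, rc, s.cap);
    free(s.data); return 0;
}
```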

Remediation

Users should update to ImageMagick version 14.8.2 or later, where this vulnerability has been fixed.

Added: Sep 5, 2025, 10:20 PM
Updated: Sep 5, 2025, 10:20 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 7.5
exploitability: 4.6
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.