ImageMagick UIL and XPM Encoder Global Buffer Overflow Vulnerability via Negative Pixel Index

Vulnerability

A global buffer overflow vulnerability allowing an out-of-bounds read has been identified in the UIL and XPM image encoders of ImageMagick. The issue affects versions prior to 7.1.2-15 and 6.9.13-40. It arises because the encoders do not validate the pixel index values returned by 'GetPixelIndex()' before using them as array subscripts. In HDRI builds the 'Quantum' type is floating-point, so a pixel index can be negative. An attacker could exploit this by crafting an image containing such negative values, which triggers the out-of-bounds read during image conversion and can lead to information disclosure or a crash of the processing application.
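The following C program is an added illustration of the mechanism described above; it is constructed for this page and is not ImageMagick's own code. It models a floating-point 'Quantum' index being used as a colormap subscript, shows the unchecked cast for contrast, and beside it the validation a defender wants: reject anything negative, NaN, or at or beyond the table size before the value ever becomes a subscript. The names 'colormap', 'lookup_unchecked', 'validate_pixel_index' and 'lookup_checked' and the sample index values are all assumptions made for the example.

```c
#include <math.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not ImageMagick's code): in an HDRI build the Quantum
   type is floating point, so an index read from a pixel may be negative,
   fractional, NaN, or larger than the colormap it is meant to address. */
typedef float Quantum;

#define COLORMAP_SIZE 4
static const char *const colormap[COLORMAP_SIZE] = {
    "#000000", "#FF0000", "#00FF00", "#0000FF"
};

/* Vulnerable pattern: the quantum is cast straight to a subscript, so a
   negative or oversized value reads outside the global table. Shown for
   contrast only; it is never called in this program. */
const char *lookup_unchecked(Quantum index)
{
    ptrdiff_t i = (ptrdiff_t) index;
    return colormap[i];
}

/* Hardened pattern: validate the quantum before it becomes a subscript.
   Returns true and stores the subscript only when q maps to a real entry.
   The "!(q >= 0)" form also rejects NaN, which fails every ordered comparison.
   The upper bound is compared in double so large table sizes are not rounded. */
bool validate_pixel_index(Quantum q, size_t colors, size_t *out)
{
    if (!(q >= 0.0f))
        return false;
    if ((double) q >= (double) colors)
        return false;
    *out = (size_t) q;   /* truncation toward zero is safe inside [0, colors) */
    return true;
}

/* Returns the colormap entry for a validated index, or NULL so the caller
   can report a corrupt image instead of reading past the table. */
const char *lookup_checked(Quantum index)
{
    size_t i;
    if (!validate_pixel_index(index, COLORMAP_SIZE, &i))
        return NULL;
    return colormap[i];
}

int main(void)
{
    /* Constructed sample of index values a malformed image might carry. */
    const Quantum samples[] = { 0.0f, 2.0f, 3.5f, -1.0f, 4.0f, 1e9f, NAN };
    size_t n = sizeof(samples) / sizeof(samples[0]);
    for (size_t k = 0; k < n; k++) {
        const char *color = lookup_checked(samples[k]);
        printf("index %g -> %s\n", samples[k], color ? color : "rejected");
    }
    return 0;
}
```

The check is deliberately conservative: a value such as -0.5 would truncate to 0 and happen to stay in bounds, but rejecting every negative quantum keeps the rule simple and matches the intent that an index must be a non-negative integer below the table size.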

Impact

Exploitation of this vulnerability causes a global buffer overflow read, which can result in information disclosure or a crash of the affected process.

Reproduction

To reproduce this vulnerability, create an image that includes negative pixel index values, that is, manipulate the image data so that 'GetPixelIndex()' returns negative values. Then use ImageMagick to process the image with either the UIL or XPM encoder. Because the pixel index is not validated, the negative values are used as array subscripts, causing the buffer overflow.

Remediation

Upgrade to ImageMagick 7.1.2-15 or 6.9.13-40 (or later), both of which include the patch for this vulnerability.

Added: Feb 24, 2026, 2:23 AM
Updated: Feb 24, 2026, 2:23 AM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 3.1
exploitability: 4.6
remediation: 7.7
relevance: 3.1
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.