An out-of-bounds memory access flaw was found in ImageMagick's JPEG decoder. A local attacker could potentially use this flaw to crash an application using ImageMagick to process a specially crafted JPEG image. The fix for this issue is available at: http://trac.imagemagick.org/changeset/16872 The reproducer (a specially crafted JPEG image) along with additional information on this flaw can be found at: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26456
Analysis ======== In the following code of ImageMagick in magic/property.c ssize_t offset; /* The directory entry contains an offset. */ 1. offset is being initialized depending on a function parameter which can be reached externally. 2. Overflow is prevented offset=(ssize_t) ((int) ReadPropertyLong(endian,q+8)); if ((offset+number_bytes) < (size_t) offset) continue; /* prevent overflow */ 3. Condition for Underflow is missing, hence the value of the offset is not sanitized here for underflow. If value of offset is less than 0 then it can cause program to crash. if ((size_t) (offset+number_bytes) > length) continue; p=(unsigned char *) (exif+offset); }
Statement: Red Hat Product Security has rated this issue as having low security impact, a future update may address this flaw in ImageMagick.