Headline
CVE-2021-20224: outside the range of representable values of type 'unsigned char' (#3… · ImageMagick/ImageMagick@5af1dff
An integer overflow issue was discovered in ImageMagick's ExportIndexQuantum() function in MagickCore/quantum-export.c. Function calls to GetPixelIndex() could result in values outside the range representable by the type 'unsigned char'. When ImageMagick processes a crafted PDF file, this could lead to undefined behaviour or a crash.
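As an added illustration (not ImageMagick code and not part of this commit), the C sketch below handles the conversion problem described above by clamping before the cast, then packs 1-bit indexes most significant bit first. It assumes the index is a floating-point value; `clamp_index_to_byte` and `pack_1bit` are hypothetical names, and the sample values in `main` are constructed.

```c
#include <math.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: convert a floating-point index to a byte without
   ever performing an out-of-range float-to-integer conversion. Note that
   this clamps; it does not wrap modulo 256 as an integer cast would. */
static unsigned char clamp_index_to_byte(double value)
{
  if (isnan(value) || value <= 0.0)
    return 0;
  if (value >= 255.0)
    return 255;
  return (unsigned char) value;  /* value is now within [0,255) */
}

/* Pack 1-bit indexes MSB first. Returns the number of bytes written;
   `out` must hold at least (count+7)/8 bytes. */
static size_t pack_1bit(const double *indexes, size_t count,
                        unsigned char *out)
{
  size_t i, n = 0;

  for (i = 0; i < count; i++) {
    unsigned char pixel = clamp_index_to_byte(indexes[i]);

    if ((i % 8) == 0)
      out[n++] = 0;  /* start a fresh output byte */
    out[n - 1] |= (unsigned char) ((pixel & 0x01) << (7 - (i % 8)));
  }
  return n;
}

int main(void)
{
  /* Constructed sample: eight ordinary indexes, then three hostile ones. */
  const double sample[] = { 1, 0, 1, 1, 0, 0, 0, 1, 1e30, NAN, -5.0 };
  unsigned char packed[2];
  size_t i, n = pack_1bit(sample, sizeof(sample) / sizeof(sample[0]), packed);

  for (i = 0; i < n; i++)
    printf("byte %zu = 0x%02X\n", i, packed[i]);
  return 0;
}
```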
@@ -2530,28 +2530,28 @@ static void ExportIndexQuantum(const Image *image,QuantumInfo *quantum_info,
for (x=((ssize_t) number_pixels-7); x > 0; x-=8) { pixel=(unsigned char) GetPixelIndex(image,p); pixel=(unsigned char) ((ssize_t) GetPixelIndex(image,p)); *q=((pixel & 0x01) << 7); p+=GetPixelChannels(image); pixel=(unsigned char) GetPixelIndex(image,p); pixel=(unsigned char) ((ssize_t) GetPixelIndex(image,p)); *q|=((pixel & 0x01) << 6); p+=GetPixelChannels(image); pixel=(unsigned char) GetPixelIndex(image,p); pixel=(unsigned char) ((ssize_t) GetPixelIndex(image,p)); *q|=((pixel & 0x01) << 5); p+=GetPixelChannels(image); pixel=(unsigned char) GetPixelIndex(image,p); pixel=(unsigned char) ((ssize_t) GetPixelIndex(image,p)); *q|=((pixel & 0x01) << 4); p+=GetPixelChannels(image); pixel=(unsigned char) GetPixelIndex(image,p); pixel=(unsigned char) ((ssize_t) GetPixelIndex(image,p)); *q|=((pixel & 0x01) << 3); p+=GetPixelChannels(image); pixel=(unsigned char) GetPixelIndex(image,p); pixel=(unsigned char) ((ssize_t) GetPixelIndex(image,p)); *q|=((pixel & 0x01) << 2); p+=GetPixelChannels(image); pixel=(unsigned char) GetPixelIndex(image,p); pixel=(unsigned char) ((ssize_t) GetPixelIndex(image,p)); *q|=((pixel & 0x01) << 1); p+=GetPixelChannels(image); pixel=(unsigned char) GetPixelIndex(image,p); pixel=(unsigned char) ((ssize_t) GetPixelIndex(image,p)); *q|=((pixel & 0x01) << 0); p+=GetPixelChannels(image); q++; @@ -2561,7 +2561,7 @@ static void ExportIndexQuantum(const Image *image,QuantumInfo *quantum_info, *q=’\0’; for (bit=7; bit >= (ssize_t) (8-(number_pixels % 8)); bit–) { pixel=(unsigned char) GetPixelIndex(image,p); pixel=(unsigned char) ((ssize_t) GetPixelIndex(image,p)); *q|=((pixel & 0x01) << (unsigned char) bit); p+=GetPixelChannels(image); } @@ -2576,17 +2576,17 @@ static void ExportIndexQuantum(const Image *image,QuantumInfo *quantum_info,
for (x=0; x < (ssize_t) (number_pixels-1) ; x+=2) { pixel=(unsigned char) GetPixelIndex(image,p); pixel=(unsigned char) ((ssize_t) GetPixelIndex(image,p)); *q=((pixel & 0xf) << 4); p+=GetPixelChannels(image); pixel=(unsigned char) GetPixelIndex(image,p); pixel=(unsigned char) ((ssize_t) GetPixelIndex(image,p)); *q|=((pixel & 0xf) << 0); p+=GetPixelChannels(image); q++; } if ((number_pixels % 2) != 0) { pixel=(unsigned char) GetPixelIndex(image,p); pixel=(unsigned char) ((ssize_t) GetPixelIndex(image,p)); *q=((pixel & 0xf) << 4); p+=GetPixelChannels(image); q++; @@ -2597,7 +2597,7 @@ static void ExportIndexQuantum(const Image *image,QuantumInfo *quantum_info, { for (x=0; x < (ssize_t) number_pixels; x++) { q=PopCharPixel((unsigned char) GetPixelIndex(image,p),q); q=PopCharPixel((unsigned char) ((ssize_t) GetPixelIndex(image,p)),q); p+=GetPixelChannels(image); q+=quantum_info->pad; }
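Review bot: the conversion from the `GetPixelIndex()` result to `ssize_t` is still unchecked at every site in the 1-bit and 4-bit loops, even though the new intermediate cast makes the final narrowing to `unsigned char` well defined. If the index is a floating-point quantity in this build, which the "outside the range of representable values" wording in the commit title suggests, a NaN or a value beyond the `ssize_t` range is still out of range for that first conversion. Consider clamping before converting, and doing it in one small helper or macro, since the expression `(unsigned char) ((ssize_t) GetPixelIndex(image,p))` is now repeated by hand in each unrolled statement and is easy to miss at one site in a later edit.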
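Review bot: in the last hunk, `q=PopCharPixel((unsigned char) ((ssize_t) GetPixelIndex(image,p)),q);` silently wraps an index above 255 modulo 256, so an out-of-range index is exported as a different, valid-looking byte. The 1-bit and 4-bit paths mask with `0x01` and `0xf` anyway, but this path emits the whole byte. An explicit range check here, or at least a comment stating that truncation is the intended behaviour, would make the result deliberate rather than incidental.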
Related news
Ubuntu Security Notice 6200-2 - USN-6200-1 fixed vulnerabilities in ImageMagick. Unfortunately these fixes were incomplete for Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. This update fixes the problem.
Gentoo Linux Security Advisory 202405-2 - Multiple vulnerabilities have been discovered in ImageMagick, the worst of which can lead to remote code execution. Versions greater than or equal to 6.9.13.0 are affected.
Ubuntu Security Notice 6200-1 - It was discovered that ImageMagick incorrectly handled the "-authenticate" option for password-protected PDF files. An attacker could possibly use this issue to inject additional shell commands and perform arbitrary code execution. This issue only affected Ubuntu 20.04 LTS. It was discovered that ImageMagick incorrectly handled certain values when processing PDF files. If a user or automated system using ImageMagick were tricked into opening a specially crafted PDF file, an attacker could exploit this to cause a denial of service. This issue only affected Ubuntu 20.04 LTS.
Ubuntu Security Notice 5736-1 - It was discovered that ImageMagick incorrectly handled certain values when processing PDF files. If a user or automated system using ImageMagick were tricked into opening a specially crafted PDF file, an attacker could exploit this to cause a denial of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and Ubuntu 18.04 LTS. Zhang Xiaohui discovered that ImageMagick incorrectly handled certain values when processing image data. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 22.10.