Headline
CVE-2020-27764: https://github.com/ImageMagick/ImageMagick/issues/1735 · ImageMagick/ImageMagick6@3e21bc8
In /MagickCore/statistic.c, there are several areas in ApplyEvaluateOperator() where a size_t cast should have been a ssize_t cast, which causes out-of-range values under some circumstances when a crafted input file is processed by ImageMagick. Red Hat Product Security marked this as Low severity because although it could potentially lead to an impact to application availability, no specific impact was shown in this case. This flaw affects ImageMagick versions prior to 6.9.10-69.
@@ -259,7 +259,7 @@ static MagickRealType ApplyEvaluateOperator(RandomInfo *random_info,
}
case AndEvaluateOperator:
{
result=(MagickRealType) ((size_t) pixel & (size_t) (value+0.5));
result=(MagickRealType) ((ssize_t) pixel & (ssize_t) (value+0.5));
break;
}
case CosineEvaluateOperator:
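Review bot: The new `(ssize_t) (value+0.5)` cast in the And case is still undefined when the operand is NaN or lies outside the `ssize_t` range, so the move to a signed type only covers moderately sized negative inputs; the Or and Xor hunks have the same gap. `value+0.5` suggests a floating-point `value`, but its declaration and that of `pixel` are outside the hunk, so this is inferred. Adding 0.5 and then truncating also rounds negative operands toward zero, so a `value` of -1.0 converts to 0 rather than -1. I would range-check the operand before converting and record the precondition next to the cast, e.g. `/* value+0.5 must be finite and fit in ssize_t; the conversion is undefined otherwise */`.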
@@ -299,7 +299,7 @@ static MagickRealType ApplyEvaluateOperator(RandomInfo *random_info,
}
case LeftShiftEvaluateOperator:
{
result=(MagickRealType) ((size_t) pixel << (size_t) (value+0.5));
result=(MagickRealType) ((ssize_t) pixel << (ssize_t) (value+0.5));
break;
}
case LogEvaluateOperator:
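Review bot: With both operands now signed, `(ssize_t) pixel << (ssize_t) (value+0.5)` is undefined for a negative left operand, and a shift count that is negative or at least the width of `ssize_t` is undefined in both this hunk and the RightShift hunk. Right-shifting a negative `ssize_t` is additionally implementation-defined. Nothing visible in these hunks bounds `value`, and the rest of ApplyEvaluateOperator is outside them. I would validate the count first and keep the shifted operand unsigned, e.g. `if (!((value >= 0.0) && (value+0.5 < (MagickRealType) (8*sizeof(size_t))))) break;` ahead of the shift. What `result` should hold for a rejected count depends on its initialisation, which is not shown here.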
@@ -342,7 +342,7 @@ static MagickRealType ApplyEvaluateOperator(RandomInfo *random_info,
}
case OrEvaluateOperator:
{
result=(MagickRealType) ((size_t) pixel | (size_t) (value+0.5));
result=(MagickRealType) ((ssize_t) pixel | (ssize_t) (value+0.5));
break;
}
case PoissonNoiseEvaluateOperator:
@@ -359,7 +359,7 @@ static MagickRealType ApplyEvaluateOperator(RandomInfo *random_info,
}
case RightShiftEvaluateOperator:
{
result=(MagickRealType) ((size_t) pixel >> (size_t) (value+0.5));
result=(MagickRealType) ((ssize_t) pixel >> (ssize_t) (value+0.5));
break;
}
case RootMeanSquareEvaluateOperator:
@@ -413,7 +413,7 @@ static MagickRealType ApplyEvaluateOperator(RandomInfo *random_info,
}
case XorEvaluateOperator:
{
result=(MagickRealType) ((size_t) pixel ^ (size_t) (value+0.5));
result=(MagickRealType) ((ssize_t) pixel ^ (ssize_t) (value+0.5));
break;
}
}
Related news
Ubuntu Security Notice 7068-1 - It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into processing a specially crafted file, an attacker could exploit this to cause a denial of service or affect the reliability of the system. The vulnerabilities included memory leaks, buffer overflows, and improper handling of pixel data.