The WPG parser in ImageMagick before 6.9.4-4 and 7.x before 7.0.1-5, when a memory limit is set, allows remote attackers to have unspecified impact via vectors related to the SetImageExtent return-value check, which trigger (1) a heap-based buffer overflow in the SetPixelIndex function or an invalid write operation in the (2) ScaleCharToQuantum or (3) SetPixelIndex functions.
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
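
The failure pattern in the description, shown as an added example that is not ImageMagick's code or the upstream patch: a decoder ignores the status of an extent call that fails under a memory limit and then writes pixels using the header dimensions. The `Img` struct, `set_extent`, `decode`, `run`, the 64-byte limit and the assumption that dimensions are updated before the limit check are all constructed for this model; out-of-bounds writes are counted instead of performed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for an image with a pixel buffer; not ImageMagick's types. */
typedef struct { unsigned char *px; size_t cols, rows, alloc; } Img;

static size_t memory_limit = 64;            /* constructed limit, in bytes */

/* Models a SetImageExtent-style call. Assumption of this model: the new
   dimensions are recorded first, and on failure the buffer keeps its old size. */
static int set_extent(Img *im, size_t cols, size_t rows) {
    im->cols = cols; im->rows = rows;
    if (cols == 0 || rows == 0) return 0;
    if (rows > memory_limit / cols) return 0;       /* request exceeds limit */
    unsigned char *p = realloc(im->px, cols * rows);
    if (p == NULL) return 0;
    im->px = p; im->alloc = cols * rows;
    return 1;
}

/* Returns the number of pixel writes that fall outside the allocation
   (counted, not performed), or -1 if the decoder rejected the image. */
static long decode(Img *im, size_t cols, size_t rows, int check_status) {
    int ok = set_extent(im, cols, rows);
    if (check_status && !ok) return -1;     /* hardened path: stop decoding */
    long oob = 0;
    for (size_t y = 0; y < im->rows; y++)
        for (size_t x = 0; x < im->cols; x++) {
            size_t off = y * im->cols + x;
            if (off < im->alloc) im->px[off] = 0xFF;
            else oob++;                     /* would be a heap overflow */
        }
    return oob;
}

/* Starts from a 4x4 image (16 bytes) and decodes a header claiming cols x rows. */
static long run(size_t cols, size_t rows, int check_status) {
    Img im = { malloc(16), 4, 4, 16 };
    if (im.px == NULL) return -2;
    long r = decode(&im, cols, rows, check_status);
    free(im.px);
    return r;
}

int main(void) {
    printf("unchecked, over limit:  %ld out-of-bounds writes\n", run(32, 32, 0));
    printf("checked, over limit:    %ld (rejected)\n", run(32, 32, 1));
    printf("checked, within limit:  %ld\n", run(8, 8, 1));
    return 0;
}
```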
Link | Tags |
---|---|
https://github.com/ImageMagick/ImageMagick/commits/7.0.1-5 | patch, vendor advisory |
https://github.com/ImageMagick/ImageMagick/commits/6.9.4-4 | patch, vendor advisory |
http://www.securityfocus.com/bid/91283 | vdb entry, third party advisory |
https://blog.fuzzing-project.org/46-Various-invalid-memory-reads-in-ImageMagick-WPG%2C-DDS%2C-DCM.html | |
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html | third party advisory |
https://github.com/ImageMagick/ImageMagick/commit/aecd0ada163a4d6c769cec178955d5f3e9316f2f | patch, vendor advisory |
http://www.openwall.com/lists/oss-security/2016/06/17/3 | third party advisory, mailing list |
https://github.com/ImageMagick/ImageMagick/commit/fc43974d34318c834fbf78570ca1a3764ed8c7d7 | patch, vendor advisory |
http://www.openwall.com/lists/oss-security/2016/06/14/5 | third party advisory, mailing list |