We believe that we have discovered a potential security vulnerability in ImageMagick’s Magick++ layer that manifests when Options::fontFamily is invoked with an empty string.
Vulnerability Details
- Clearing a font family calls
RelinquishMagickMemory on _drawInfo->font, freeing the font string but leaving _drawInfo->font pointing to freed memory while _drawInfo->family is set to that (now-invalid) pointer. Any later cleanup or reuse of _drawInfo->font re-frees or dereferences dangling memory.
DestroyDrawInfo and other setters (Options::font, Image::font) assume _drawInfo->font remains valid, so destruction or subsequent updates trigger crashes or heap corruption.
if (family_.length() == 0)
{
_drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->font);
DestroyString(RemoveImageOption(imageInfo(),"family"));
}
- CWE-416 (Use After Free):
_drawInfo->font is left dangling yet still reachable through the Options object.
- CWE-415 (Double Free): DrawInfo teardown frees
_drawInfo->font again, provoking allocator aborts.
Affected Versions
- Introduced by commit
6409f34d637a34a1c643632aa849371ec8b3b5a8 (“Added fontFamily to the Image class of Magick++”, 2015-08-01, blame line 313).
- Present in all releases that include that commit, at least ImageMagick 7.0.1-0 and later (likely late 6.9 builds with Magick++ font family support as well). Older releases without
fontFamily are unaffected.
Command Line Triggerability
This vulnerability cannot be triggered from the command line interface. The bug is specific to the Magick++ C++ API, specifically the Options::fontFamily() method. The command-line utilities (such as convert, magick, etc.) do not expose this particular code path, as they operate through different internal mechanisms that do not directly call Options::fontFamily() with an empty string in a way that would trigger the use-after-free condition.
Proposed Fix
diff --git a/Magick++/lib/Options.cpp b/Magick++/lib/Options.cpp
@@ void Magick::Options::fontFamily(const std::string &family_)
- _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->font);
+ _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->family);
This frees only the actual family string, leaving _drawInfo->font untouched. Optionally nulling _drawInfo->font when clearing font() itself maintains allocator hygiene.
References
LuiginoC Reporter
We believe that we have discovered a potential security vulnerability in ImageMagick’s Magick++ layer that manifests when
Options::fontFamilyis invoked with an empty string.Vulnerability Details
RelinquishMagickMemoryon_drawInfo->font, freeing the font string but leaving_drawInfo->fontpointing to freed memory while_drawInfo->familyis set to that (now-invalid) pointer. Any later cleanup or reuse of_drawInfo->fontre-frees or dereferences dangling memory.DestroyDrawInfoand other setters (Options::font,Image::font) assume_drawInfo->fontremains valid, so destruction or subsequent updates trigger crashes or heap corruption._drawInfo->fontis left dangling yet still reachable through the Options object._drawInfo->fontagain, provoking allocator aborts.Affected Versions
6409f34d637a34a1c643632aa849371ec8b3b5a8(“Added fontFamily to the Image class of Magick++”, 2015-08-01, blame line 313).fontFamilyare unaffected.Command Line Triggerability
This vulnerability cannot be triggered from the command line interface. The bug is specific to the Magick++ C++ API, specifically the
Options::fontFamily()method. The command-line utilities (such asconvert,magick, etc.) do not expose this particular code path, as they operate through different internal mechanisms that do not directly callOptions::fontFamily()with an empty string in a way that would trigger the use-after-free condition.Proposed Fix
This frees only the actual family string, leaving
_drawInfo->fontuntouched. Optionally nulling_drawInfo->fontwhen clearingfont()itself maintains allocator hygiene.References