You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
"summary": "ImageMagick has a use-after-free/double-free risk in Options::fontFamily when clearing family",
10
+
"details": "We believe that we have discovered a potential security vulnerability in ImageMagick’s Magick++ layer that manifests when `Options::fontFamily` is invoked with an empty string.\n\n**Vulnerability Details**\n- Clearing a font family calls `RelinquishMagickMemory` on `_drawInfo->font`, freeing the font string but leaving `_drawInfo->font` pointing to freed memory while `_drawInfo->family` is set to that (now-invalid) pointer. Any later cleanup or reuse of `_drawInfo->font` re-frees or dereferences dangling memory.\n- `DestroyDrawInfo` and other setters (`Options::font`, `Image::font`) assume `_drawInfo->font` remains valid, so destruction or subsequent updates trigger crashes or heap corruption.\n\n```cpp\nif (family_.length() == 0)\n {\n _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->font);\n DestroyString(RemoveImageOption(imageInfo(),\"family\"));\n }\n```\n\n- **CWE-416 (Use After Free):** `_drawInfo->font` is left dangling yet still reachable through the Options object.\n- **CWE-415 (Double Free):** DrawInfo teardown frees `_drawInfo->font` again, provoking allocator aborts.\n\n**Affected Versions**\n- Introduced by commit `6409f34d637a34a1c643632aa849371ec8b3b5a8` (“Added fontFamily to the Image class of Magick++”, 2015-08-01, blame line 313).\n- Present in all releases that include that commit, at least ImageMagick 7.0.1-0 and later (likely late 6.9 builds with Magick++ font family support as well). Older releases without `fontFamily` are unaffected.\n\n**Command Line Triggerability**\nThis vulnerability cannot be triggered from the command line interface. The bug is specific to the Magick++ C++ API, specifically the `Options::fontFamily()` method. The command-line utilities (such as `convert`, `magick`, etc.) do not expose this particular code path, as they operate through different internal mechanisms that do not directly call `Options::fontFamily()` with an empty string in a way that would trigger the use-after-free condition.\n\n**Proposed Fix**\n```diff\ndiff --git a/Magick++/lib/Options.cpp b/Magick++/lib/Options.cpp\n@@ void Magick::Options::fontFamily(const std::string &family_)\n- _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->font);\n+ _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->family);\n```\nThis frees only the actual family string, leaving `_drawInfo->font` untouched. Optionally nulling `_drawInfo->font` when clearing `font()` itself maintains allocator hygiene.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments