oss-sec mailing list archives
CVE-2012-1610 assignment notification: ImageMagick insufficient patch for CVE-2012-0259
From: Stefan Cornelius <scorneli () redhat com>
Date: Wed, 04 Apr 2012 16:11:53 +0200
Hi,
the original patch for CVE-2012-0259 turned out to be insufficient.
The problem is an integer overflow error in the "GetEXIFProperty()"
function (magick/property.c, around line 1288):
number_bytes=(size_t) components*tag_bytes[format];
When processing EXIF directory entries with tags of e.g. format 5
(EXIF_FMT_URATIONAL) and a large components count, the calculation can
overflow and e.g. lead to "number_bytes" being 0. If that's the case,
subsequent checks can be bypassed, resulting in the loop in the
"EXIFMultipleFractions" macro iterating through a large number of
"components". This leads to out-of-bound reads until eventually causing
a segmentation fault when trying to read beyond the limits of heap memory.
An updated patch is available via the ImageMagick forum [1].
CVE-2012-1610 has been assigned to this issue.
Note: The initial patch for this issue is still necessary to prevent
access of uninitialized/incorrect memory when e.g. processing specially
crafted EXIF tags with a component count of 0.
[1]
http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20629#p82865
Kind regards,
--
Stefan Cornelius / Red Hat Security Response Team
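The overflow described above, as an added illustration that is not ImageMagick's code or its patch: the entry size computation modelled with a 32-bit size_t beside a version that rejects a zero component count and checks for wraparound before multiplying. The function names, the payload bound and the sample entry are assumptions; the tag_bytes table holds the standard TIFF/EXIF field type sizes.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Standard TIFF/EXIF field type sizes indexed by format code
   (format 5 = unsigned rational = two 32-bit integers = 8 bytes). */
static const uint32_t tag_bytes[] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};
#define EXIF_NUM_FORMATS (sizeof(tag_bytes) / sizeof(tag_bytes[0]))

/* Unchecked computation, using uint32_t to model size_t on a 32-bit
   build: the product can wrap to a small value, including 0. */
uint32_t entry_size_unchecked(uint32_t components, uint32_t format)
{
    if (format == 0 || format >= EXIF_NUM_FORMATS)
        return 0;
    return components * tag_bytes[format];   /* may overflow */
}

/* Hardened version (hypothetical): refuse a zero component count, refuse a
   product that would wrap, and bound the result by the bytes still
   available so later reads stay inside the buffer. */
bool entry_size_checked(uint32_t components, uint32_t format,
                        uint32_t payload_remaining, uint32_t *out)
{
    if (format == 0 || format >= EXIF_NUM_FORMATS || components == 0)
        return false;
    uint32_t unit = tag_bytes[format];
    if (components > UINT32_MAX / unit)     /* multiplication would wrap */
        return false;
    uint32_t n = components * unit;
    if (n > payload_remaining)              /* would read past the buffer */
        return false;
    *out = n;
    return true;
}

/* Convenience wrapper: 0 means the entry was rejected. */
uint32_t entry_size_or_zero(uint32_t components, uint32_t format,
                            uint32_t payload_remaining)
{
    uint32_t n = 0;
    return entry_size_checked(components, format, payload_remaining, &n) ? n : 0;
}

int main(void)
{
    /* Constructed entry: format 5 with 0x20000000 components;
       0x20000000 * 8 == 0x100000000, which wraps to 0 in 32 bits. */
    printf("unchecked number_bytes = %u\n", entry_size_unchecked(0x20000000u, 5)); /* prints 0 */
    printf("checked number_bytes   = %u\n", entry_size_or_zero(0x20000000u, 5, 4096)); /* prints 0 (rejected) */
    return 0;
}
```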