Source: src:imagemagick
Version: 8:6.9.7.4+dfsg-11
Severity: important
Tags: security upstream
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.8.9.9-5+deb8u8
control: found -1 8:6.8.9.9-5+deb8u9
control: found -1 8:6.7.7.10-5+deb7u14
control: found -1 8:6.7.7.10-5+deb7u4
forwarded: https://github.com/ImageMagick/ImageMagick/issues/555

When identifying a WMF file, a crafted file revealed a use-after-free vulnerability.

A piece of memory was allocated in function wmf_malloc (api.c):

    mem = malloc (size); //482

Free (api.c, in function wmf_lite_destroy):

    free (MM->list[MM->count]); //336

Use after free (wmf.c, in function ReadWMFImage):

    if (ddata->draw_info != (DrawInfo *) NULL) //2682

testcase: https://github.com/bestshow/p0cs/blob/master/use-after-free-in-ReadWMFImage

Fixed by: https://github.com/ImageMagick/ImageMagick/commit/784fcac688161aeaea221e00b706c88b08196945
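
The lifetime error reported above, reduced to a self-contained model. This is an added example, not libwmf or ImageMagick code and not the upstream fix: `Arena`, `DeviceData` and every function name are hypothetical, and `draw_info` is assumed to be a separately allocated member. It contrasts destroying a tracking allocator before consulting a struct it owns with releasing the struct's members first.

```c
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical tracking allocator: every block is recorded so one destroy call frees all. */
typedef struct { void *list[16]; size_t count; } Arena;
typedef struct { int *draw_info; } DeviceData;   /* stand-in for ddata */

static void *arena_malloc(Arena *a, size_t size) {
    void *mem = (a->count < 16) ? malloc(size) : NULL;
    if (mem != NULL) a->list[a->count++] = mem;
    return mem;
}

/* Frees every tracked block; pointers handed out earlier now dangle. */
static void arena_destroy(Arena *a) { while (a->count > 0) free(a->list[--a->count]); }

/* Lifetime check: is the block with this address still tracked? */
static int arena_owns(const Arena *a, uintptr_t id) {
    for (size_t i = 0; i < a->count; i++)
        if ((uintptr_t)a->list[i] == id) return 1;
    return 0;
}

/* Reported order: destroy first, then consult a field of an arena-owned struct. */
static int teardown_destroy_first(Arena *a, DeviceData *ddata) {
    uintptr_t id = (uintptr_t)ddata;    /* captured while still valid */
    arena_destroy(a);
    return arena_owns(a, id) ? 0 : -1;  /* -1: reading ddata->draw_info here is a UAF */
}

/* Safe order: release what the struct points to, then destroy the arena. */
static int teardown_members_first(Arena *a, DeviceData *ddata) {
    if (!arena_owns(a, (uintptr_t)ddata)) return -1;
    free(ddata->draw_info);             /* assumed separately malloc'd */
    arena_destroy(a);
    return 0;
}

/* Constructed scenario; members_first selects which order is exercised. */
static int run_case(int members_first) {
    Arena a = {{0}, 0};
    DeviceData *ddata = arena_malloc(&a, sizeof *ddata);
    if (ddata == NULL) return -2;
    int *info = ddata->draw_info = malloc(sizeof *info);
    int rc = (members_first ? teardown_members_first : teardown_destroy_first)(&a, ddata);
    if (rc != 0) free(info);            /* guarded path did not release it */
    return rc;
}
int main(void) { return (run_case(0) == -1 && run_case(1) == 0) ? 0 : 1; }
```

The guard in `teardown_destroy_first` stands in for the dereference so the model never touches freed memory; building the real reader with AddressSanitizer reports the same ordering error at the offending read.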