Heap buffer overflow vulnerability while processing a malformed TIFF file.

Disclosed: 2021-07-09 20:21:02 By hardik05 To ibb
Severity: High

## Vulnerability Details
A heap buffer overflow occurs in `magick` while processing a malformed TIFF file. Version/build details:

```
$ magick -version
Version: ImageMagick 7.0.10-45 Q16 x86_64 2020-11-30 https://imagemagick.org
Copyright: © 1999-2020 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): freetype jbig jng jpeg lcms lzma png raw tiff webp x zlib
```

Replication details:

1. Run the following command with the attached poc.tif file:

   ```
   magick poc.tif /dev/null
   ```

   Note: the zip file password is `infected`.

2. You should see the crash shown below.

Crash details:

```
==21316==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110000004f8 at pc 0x5638f9a55850 bp 0x7fffc92d67b0 sp 0x7fffc92d67a0
READ of size 1 at 0x6110000004f8 thread T0
    #0 0x5638f9a5584f in PushQuantumPixel MagickCore/quantum-import.c:256
    #1 0x5638f9a5584f in ImportRGBQuantum MagickCore/quantum-import.c:4105
    #2 0x5638f9b13e3d in ImportQuantumPixels MagickCore/quantum-import.c:4775
    #3 0x5638f82186f4 in ReadTIFFImage coders/tiff.c:2025
    #4 0x5638f8720e14 in ReadImage MagickCore/constitute.c:563
    #5 0x5638f872e40c in ReadImages MagickCore/constitute.c:953
    #6 0x5638fb49c996 in CLINoImageOperator MagickWand/operation.c:4853
    #7 0x5638fb4aae31 in CLIOption MagickWand/operation.c:5350
    #8 0x5638fae155ca in ProcessCommandOptions MagickWand/magick-cli.c:424
    #9 0x5638fae1ec23 in MagickImageCommand MagickWand/magick-cli.c:796
    #10 0x5638fae26a0e in MagickCommandGenesis MagickWand/mogrify.c:191
    #11 0x5638f63ddab5 in MagickMain utilities/magick.c:149
    #12 0x7f5d91238bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #13 0x5638f63da6e9 in _start (/usr/local/bin/magick+0x20f26e9)

0x6110000004f8 is located 0 bytes to the right of 248-byte region [0x611000000400,0x6110000004f8)
allocated by thread T0 here:
    #0 0x7f5d94f5bb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x5638f655c2a8 in AcquireQuantumMemory MagickCore/memory.c:649

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/quantum-import.c:256 in PushQuantumPixel
Shadow bytes around the buggy address:
  0x0c227fff8040: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c227fff8050: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8070: 06 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
  0x0c227fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21316==ABORTING
```

## Impact

It can crash the software; it may be remote code execution, but I haven't checked the exploitability part of it.
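Triage tooling for this kind of report, as an added example that is not part of the report or of ImageMagick: a small Python parser that pulls the error type, access kind and width, overrun distance and a top-frame stack signature out of the ASan output above, which are the fields a fuzzing pipeline uses to deduplicate and prioritise crashes. `SAMPLE_REPORT` is a trimmed copy of the trace quoted in the report; the `AsanCrash` type and `parse_asan` function are this example's own.

```python
"""Added triage helper: pull bucketing fields out of an ASan heap-buffer-overflow report."""
import re
from dataclasses import dataclass, field

# Trimmed copy of the ASan output quoted in the report above.
SAMPLE_REPORT = """\
==21316==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110000004f8 at pc 0x5638f9a55850 bp 0x7fffc92d67b0 sp 0x7fffc92d67a0
READ of size 1 at 0x6110000004f8 thread T0
    #0 0x5638f9a5584f in PushQuantumPixel MagickCore/quantum-import.c:256
    #1 0x5638f9a5584f in ImportRGBQuantum MagickCore/quantum-import.c:4105
    #2 0x5638f9b13e3d in ImportQuantumPixels MagickCore/quantum-import.c:4775
    #3 0x5638f82186f4 in ReadTIFFImage coders/tiff.c:2025
0x6110000004f8 is located 0 bytes to the right of 248-byte region [0x611000000400,0x6110000004f8)
allocated by thread T0 here:
    #0 0x7f5d94f5bb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x5638f655c2a8 in AcquireQuantumMemory MagickCore/memory.c:649
SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/quantum-import.c:256 in PushQuantumPixel
"""

@dataclass
class AsanCrash:
    error: str             # e.g. "heap-buffer-overflow"
    access: str            # "READ" or "WRITE"
    size: int              # access width in bytes
    region_bytes: int      # size of the heap allocation that was overrun
    offset_past_end: int   # how far beyond the region's end the access began
    frames: list = field(default_factory=list)  # "Func file:line" of the faulting stack

    def signature(self, depth=3):
        # Dedup key: top `depth` frames of the faulting stack, allocation stack excluded.
        return "|".join(self.frames[:depth])

FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")

def parse_asan(text):
    error = re.search(r"AddressSanitizer: ([\w-]+) on address", text)
    access = re.search(r"^(READ|WRITE) of size (\d+)", text, re.M)
    region = re.search(r"is located (\d+) bytes to the right of (\d+)-byte region", text)
    if not (error and access and region):
        raise ValueError("not a recognised heap-buffer-overflow report")
    frames = []
    for line in text.splitlines():
        if line.startswith("allocated by"):  # faulting stack ends where the allocation stack starts
            break
        m = FRAME_RE.match(line)
        if m:
            frames.append(f"{m.group(1)} {m.group(2)}")
    return AsanCrash(error.group(1), access.group(1), int(access.group(2)),
                     int(region.group(2)), int(region.group(1)), frames)
```

Two crashes with the same `signature()` but different PoC files are almost always the same bug; `offset_past_end` and `size` tell you how far the read strays, which here is a single byte immediately past a 248-byte region.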
Report Stats
  • Report ID: 1047086
  • State: Closed
  • Substate: resolved
  • Upvotes: 3