| summary |
Withdrawn Advisory: ImageMagick has a use-after-free/double-free risk in Options::fontFamily when clearing family
## Withdrawn Advisory
This advisory has been withdrawn because it does not affect the ImageMagick project's NuGet packages.
### Original Description
We believe that we have discovered a potential security vulnerability in ImageMagick’s Magick++ layer that manifests when `Options::fontFamily` is invoked with an empty string.
**Vulnerability Details**
- Clearing a font family calls `RelinquishMagickMemory` on `_drawInfo->font`, freeing the font string but leaving `_drawInfo->font` pointing to freed memory while `_drawInfo->family` is set to that (now-invalid) pointer. Any later cleanup or reuse of `_drawInfo->font` re-frees or dereferences dangling memory.
- `DestroyDrawInfo` and other setters (`Options::font`, `Image::font`) assume `_drawInfo->font` remains valid, so destruction or subsequent updates trigger crashes or heap corruption.
```cpp
if (family_.length() == 0)
{
_drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->font);
DestroyString(RemoveImageOption(imageInfo(),"family"));
}
```
- **CWE-416 (Use After Free):** `_drawInfo->font` is left dangling yet still reachable through the Options object.
- **CWE-415 (Double Free):** DrawInfo teardown frees `_drawInfo->font` again, provoking allocator aborts.
**Affected Versions**
- Introduced by commit `6409f34d637a34a1c643632aa849371ec8b3b5a8` (“Added fontFamily to the Image class of Magick++”, 2015-08-01, blame line 313).
- Present in all releases that include that commit, at least ImageMagick 7.0.1-0 and later (likely late 6.9 builds with Magick++ font family support as well). Older releases without `fontFamily` are unaffected.
**Command Line Triggerability**
This vulnerability cannot be triggered from the command line interface. The bug is specific to the Magick++ C++ API, specifically the `Options::fontFamily()` method. The command-line utilities (such as `convert`, `magick`, etc.) do not expose this particular code path, as they operate through different internal mechanisms that do not directly call `Options::fontFamily()` with an empty string in a way that would trigger the use-after-free condition.
**Proposed Fix**
```diff
diff --git a/Magick++/lib/Options.cpp b/Magick++/lib/Options.cpp
@@ void Magick::Options::fontFamily(const std::string &family_)
- _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->font);
+ _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->family);
```
This frees only the actual family string, leaving `_drawInfo->font` untouched. Optionally nulling `_drawInfo->font` when clearing `font()` itself maintains allocator hygiene. |