Description

ImageMagick MSL: Stack overflow via infinite recursion in ProcessMSLScript

Summary

Stack overflow via infinite recursion in MSL (Magick Scripting Language) <write> command when writing to MSL format.

Version

ImageMagick 7.x (tested on current main branch)

Commit: HEAD

Requires: libxml2 support (for MSL parsing)

Steps to Reproduce

Method 1: Using ImageMagick directly

magick MSL:recursive.msl out.png

Method 2: Using OSS-Fuzz reproduce

python3 infra/helper.py build_fuzzers imagemagick
python3 infra/helper.py reproduce imagemagick msl_fuzzer recursive.msl

Or run the fuzzer directly:

./msl_fuzzer recursive.msl

Expected Behavior

ImageMagick should handle recursive MSL references gracefully by detecting the loop and returning an error.

Actual Behavior

Stack overflow causes process crash:

AddressSanitizer:DEADLYSIGNAL
==PID==ERROR: AddressSanitizer: stack-overflow
    #0 MSLStartElement /src/imagemagick/coders/msl.c:7045
    #1 xmlParseStartTag /src/libxml2/parser.c
    #2 xmlParseChunk /src/libxml2/parser.c:11273
    #3 ProcessMSLScript /src/imagemagick/coders/msl.c:7405
    #4 WriteMSLImage /src/imagemagick/coders/msl.c:7867
    #5 WriteImage /src/imagemagick/MagickCore/constitute.c:1346...
Show more

Root Cause Analysis

In coders/msl.c, the <write> command handler in MSLStartElement() (line ~7045) calls WriteImage(). When the output filename specifies MSL format (msl:filename), WriteMSLImage() is called, which parses the MSL file again via ProcessMSLScript().

If the MSL file references itself (directly or indirectly), this creates an infinite recursion loop:

MSLStartElement() → WriteImage() → WriteMSLImage() → ProcessMSLScript()
    → xmlParseChunk() → MSLStartElement() → ... (infinite loop)

Impact

DoS: Guaranteed crash via stack exhaustion

Affected: Any application using ImageMagick to process user-supplied MSL files

Additional Trigger Paths

The <read> command can also trigger recursion:

Indirect recursion is also possible (a.msl → b.msl → a.msl).

Fuzzer

This issue was discovered using a custom MSL fuzzer:

#include <cstdint>
#include <Magick++/Blob.h>
#include <Magick++/Image.h>
#include "utils.cc"

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
  if (IsInvalidSize(Size))...
Show more

This issue was found by Team FuzzingBrain @ Texas A&M University

Mitigation

Aliases

References