out-of-bounds read in MagickCore/property.c:1396 could lead to memory leak

Bug #1592861 reported by the_storm
Affects: imagemagick (Ubuntu); Status: Confirmed; Importance: Medium; Assigned to: Unassigned

Bug Description

This bug was found while fuzzing ImageMagick with afl-fuzz

command: magick identify PoC.jpg
The vulnerability could lead to information leakage because the pointer is used later to read data from memory:
MagickCore/property.c:1401 format=(size_t) ReadPropertyUnsignedShort(endian,q+2);
MagickCore/property.c:1404 components=(ssize_t) ReadPropertySignedLong(endian,q+4);

The code basically reads the number of entries inside a directory object in an image:
MagickCore/property.c:1382 number_entries=(size_t) ReadPropertyUnsignedShort(endian,directory);

By manipulating the bytes at positions 0x76 and 0x77 in the PoC image, we can control the number_entries variable, which is used in the loop. By controlling number_entries we can partially control q:
MagickCore/property.c:1396 q=(unsigned char *) (directory+(12*entry)+2);

In the previous line we control the value of "entry". As a result, we can partially control q, which is used later to read arbitrary data from the ImageMagick process.

PoC image: https://www.ibrahim-elsayed.com/uploads/PoC_imagemagick_1.jpg

[backtrace]
storm@storm ~/f/f/f/crashes> gdb -q magick core.magick.14585
Reading symbols from magick...done.
[New LWP 14585]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `magick identify PoC.jpg'.
Program terminated with signal SIGABRT, Aborted.
#0 0x00007f110bac6c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007f110bac6c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007f110baca028 in __GI_abort () at abort.c:89
#2 0x0000000000421b5b in MagickSignalHandler (signal_number=6) at MagickCore/magick.c:1310
#3 <signal handler called>
#4 0x00007f110bac6c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#5 0x00007f110baca028 in __GI_abort () at abort.c:89
#6 0x0000000000421b5b in MagickSignalHandler (signal_number=11) at MagickCore/magick.c:1310
#7 <signal handler called>
#8 ReadPropertySignedLong (buffer=0x293c000 <error: Cannot access memory at address 0x293c000>,
    endian=LSBEndian) at MagickCore/property.c:745
#9 GetEXIFProperty (image=image@entry=0x291aff0, property=property@entry=0x7ffe5d180910 "exif:*",
    exception=exception@entry=0x28e7f10) at MagickCore/property.c:1404
#10 0x000000000043e4d8 in GetImageProperty (image=image@entry=0x291aff0,
    property=property@entry=0x7ffe5d180910 "exif:*", exception=exception@entry=0x28e7f10)
    at MagickCore/property.c:2197
#11 0x0000000000441d03 in SetImageProfileInternal (image=image@entry=0x291aff0,
    name=name@entry=0x7ffe5d181990 "exif", profile=profile@entry=0x28ffe30,
    recursive=recursive@entry=MagickFalse, exception=exception@entry=0x28e7f10) at MagickCore/profile.c:1671
#12 0x000000000044297a in SetImageProfile (image=image@entry=0x291aff0, name=name@entry=0x7ffe5d181990 "exif",
    profile=profile@entry=0x28ffe30, exception=exception@entry=0x28e7f10) at MagickCore/profile.c:1678
#13 0x000000000053c922 in ReadProfile (jpeg_info=<optimised out>) at coders/jpeg.c:738
#14 0x00007f1110464975 in ?? () from /usr/lib/x86_64-linux-gnu/libjpeg.so.8
#15 0x00007f11104629ca in ?? () from /usr/lib/x86_64-linux-gnu/libjpeg.so.8
#16 0x00007f111045cf57 in jpeg_consume_input () from /usr/lib/x86_64-linux-gnu/libjpeg.so.8
#17 0x00007f111045d223 in jpeg_read_header () from /usr/lib/x86_64-linux-gnu/libjpeg.so.8
#18 0x000000000053d669 in ReadJPEGImage (image_info=0x28fa130, exception=0x28e7f10) at coders/jpeg.c:1101
#19 0x00000000005a06ee in ReadImage (image_info=image_info@entry=0x28f4b90,
    exception=exception@entry=0x28e7f10) at MagickCore/constitute.c:554
#20 0x0000000000677326 in ReadStream (image_info=image_info@entry=0x28f1910,
    stream=stream@entry=0x59ffb0 <PingStream>, exception=exception@entry=0x28e7f10) at MagickCore/stream.c:1012
#21 0x00000000005a0261 in PingImage (image_info=image_info@entry=0x28ee4f0,
    exception=exception@entry=0x28e7f10) at MagickCore/constitute.c:226
#22 0x00000000005a04ab in PingImages (image_info=image_info@entry=0x28ee4f0,
    filename=filename@entry=0x28e7f50 "PoC.jpg", exception=exception@entry=0x28e7f10)
    at MagickCore/constitute.c:326
#23 0x00000000006f2741 in IdentifyImageCommand (image_info=0x28eb2c0, image_info@entry=0x28e8090,
    argc=argc@entry=2, argv=0x28e6490, argv@entry=0x7ffe5d18e4b0, metadata=metadata@entry=0x7ffe5d18c150,
    exception=exception@entry=0x28e7f10) at MagickWand/identify.c:319
#24 0x000000000071a274 in MagickCommandGenesis (image_info=image_info@entry=0x28e8090,
    command=command@entry=0x6f2180 <IdentifyImageCommand>, argc=2, argv=argv@entry=0x7ffe5d18e4b0,
    metadata=0x7ffe5d18d208, exception=exception@entry=0x28e7f10) at MagickWand/mogrify.c:183
#25 0x0000000000411f11 in MagickMain (argc=2, argv=0x7ffe5d18e4b0) at utilities/magick.c:250
#26 0x00007f110bab1f45 in __libc_start_main (main=0x40ec10 <main>, argc=3, argv=0x7ffe5d18e4a8,
    init=<optimised out>, fini=<optimised out>, rtld_fini=<optimised out>, stack_end=0x7ffe5d18e498)
    at libc-start.c:287
#27 0x0000000000411af5 in _start ()
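
The report above describes the shape of the bug but not the check that is missing. The following is an added example, written for this page and not code from the report or from ImageMagick: a minimal little-endian IFD walker that reads the same fields the report cites (number_entries at the directory, then tag/format/components at q, q+2, q+4 with q = directory + 12*entry + 2), but refuses to touch any 12-byte entry that would lie past exif+length. The sample buffer is constructed here (a TIFF header with IFD0 at offset 8 holding two real entries) and its number_entries field is overwritten with 0xffff to mimic the PoC. The fixed LSB byte order, the buffer layout and the names walk_ifd/build_sample/demo are assumptions of this example; the bounds check illustrates the kind of test the parser needs and is not a quotation of the upstream commit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IFD_ENTRY_SIZE 12u   /* tag(2) + format(2) + components(4) + value/offset(4) */

/* Little-endian readers. ImageMagick picks MSB/LSB from the TIFF header;
   this example fixes "II" (LSBEndian, as seen in the backtrace) for brevity. */
static uint16_t rd_u16(const unsigned char *p)
{
  return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd_u32(const unsigned char *p)
{
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
         ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

struct ifd_walk {
  size_t claimed;      /* number_entries as stored in the file (attacker-controlled) */
  size_t parsed;       /* entries that actually fit inside the profile */
  int    truncated;    /* 1 when the claimed entries run past the buffer */
  size_t worst_offset; /* offset of q on the last iteration an unchecked loop would run */
};

/* Hardened IFD walk: every 12-byte entry is checked against exif+length before
   it is read. The pattern described in the report computes q=directory+(12*entry)+2
   and reads q+2 / q+4 with no such test, so a claimed count of 0xffff walks
   roughly 0xffff*12 bytes past the end of the profile. */
struct ifd_walk walk_ifd(const unsigned char *exif, size_t length, size_t dir_offset)
{
  struct ifd_walk w = {0, 0, 0, 0};
  if (dir_offset + 2 > length) { w.truncated = 1; return w; }
  const unsigned char *directory = exif + dir_offset;
  w.claimed = rd_u16(directory);                    /* number_entries */
  if (w.claimed != 0)
    w.worst_offset = dir_offset + 2 + IFD_ENTRY_SIZE * (w.claimed - 1);
  for (size_t entry = 0; entry < w.claimed; entry++) {
    size_t qoff = dir_offset + 2 + IFD_ENTRY_SIZE * entry;   /* q = directory+(12*entry)+2 */
    if (qoff + IFD_ENTRY_SIZE > length) {           /* the missing bounds check */
      w.truncated = 1;
      break;
    }
    const unsigned char *q = exif + qoff;
    uint16_t tag = rd_u16(q);
    uint16_t format = rd_u16(q + 2);                /* same fields the report cites */
    uint32_t components = rd_u32(q + 4);
    (void)tag; (void)format; (void)components;      /* a real parser dispatches on these */
    w.parsed++;
  }
  return w;
}

/* Constructed sample (not a real file): little-endian TIFF header, IFD0 at
   offset 8 with two genuine entries, then a zero next-IFD pointer. `claimed`
   is written into number_entries, so 0xffff reproduces the PoC's claim. */
static size_t build_sample(unsigned char *buf, size_t cap, uint16_t claimed)
{
  static const unsigned char body[] = {
    'I','I',0x2A,0x00, 0x08,0x00,0x00,0x00,                        /* TIFF header, IFD0 at 8 */
    0x00,0x00,                                                     /* number_entries (patched) */
    0x10,0x01, 0x02,0x00, 0x04,0x00,0x00,0x00, 'A','B','C',0x00,   /* Model, ASCII, 4 bytes inline */
    0x12,0x01, 0x03,0x00, 0x01,0x00,0x00,0x00, 0x01,0x00,0x00,0x00,/* Orientation, SHORT, 1 */
    0x00,0x00,0x00,0x00                                            /* next IFD: none */
  };
  if (cap < sizeof body) return 0;
  memcpy(buf, body, sizeof body);
  buf[8] = (unsigned char)(claimed & 0xff);
  buf[9] = (unsigned char)(claimed >> 8);
  return sizeof body;                                /* 38 bytes */
}

/* Builds the sample with the given number_entries and walks it. */
struct ifd_walk demo(uint16_t claimed)
{
  unsigned char buf[64];
  size_t n = build_sample(buf, sizeof buf, claimed);
  return walk_ifd(buf, n, 8);
}

int main(void)
{
  struct ifd_walk good = demo(2), bad = demo(0xffff);
  printf("honest file: claimed=%zu parsed=%zu truncated=%d\n",
         good.claimed, good.parsed, good.truncated);
  printf("PoC-style:   claimed=%zu parsed=%zu truncated=%d; an unchecked loop's "
         "last q would sit at offset %zu of a 38-byte buffer\n",
         bad.claimed, bad.parsed, bad.truncated, bad.worst_offset);
  return 0;
}
```

The honest file parses both entries cleanly; the 0xffff variant parses the same two entries and then stops with truncated=1 instead of dereferencing q at offset 786418, which is the read the backtrace shows faulting in ReadPropertySignedLong. The check is on qoff + 12 rather than on qoff alone so that the components field at q+4 (and the 4-byte value after it) is also guaranteed to be inside the profile.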

the_storm (i-elsayed92) wrote :

The current PoC sets number_entries to 0xffff.
When q = (directory+(12*entry)+2) and entry is 0xffff * 12, q is outside the memory space.

Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue.
Could you please notify the upstream imagemagick developers?

Thanks

Emily Ratliff (emilyr) wrote :

This has been publicly disclosed and there is a patch available upstream, so I am converting this to a public security issue.
https://github.com/ImageMagick/ImageMagick/commit/dd84447b63a71fa8c3f47071b09454efc667767b

information type: Private Security → Public Security
Changed in imagemagick (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium