memory leaks in ReadOneMNGImage

[henices]

/usr/local/bin/magick -version
Version: ImageMagick 7.0.7-16 Q16 x86_64 2017-12-19 http://www.imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib cairo djvu fftw fontconfig freetype gvc jbig jng jpeg lcms lqr lzma pangocairo png rsvg tiff webp wmf x xml zlib

Trigger Command: magick convert memory-leaks-wYQ0gKxwmALb50pqSNuH0mMtB2nGc6DL.mng /dev/null

convert: cache resources exhausted `memory-leaks-wYQ0gKxwmALb50pqSNuH0mMtB2nGc6DL.mng' @ error/cache.c/OpenPixelCache/3655.

=================================================================
==22719==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 9096 byte(s) in 1 object(s) allocated from:
    #0 0x7f3410196850 in malloc (/lib64/libasan.so.4+0xde850)
    #1 0x7f340f56e8dd in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x7f340f325258 in AcquireCriticalMemory MagickCore/memory-private.h:57
    #3 0x7f340f325381 in AcquirePixelCache MagickCore/cache.c:192
    #4 0x7f340f326219 in ClonePixelCache MagickCore/cache.c:411
    #5 0x7f340f32b77f in GetImagePixelCache MagickCore/cache.c:1632
    #6 0x7f340f33b5e6 in SyncImagePixelCache MagickCore/cache.c:5260
    #7 0x7f340f365a88 in SetImageColorspace MagickCore/colorspace.c:1182
    #8 0x7f340f3859d4 in CompositeImage MagickCore/composite.c:595
    #9 0x7f340f54759a in CoalesceImages MagickCore/layer.c:280
    #10 0x7f340fa1eab1 in ReadOneMNGImage coders/png.c:7583
    #11 0x7f340fa1f83c in ReadMNGImage coders/png.c:7694
    #12 0x7f340f39b48b in ReadImage MagickCore/constitute.c:497
    #13 0x7f340f39e354 in ReadImages MagickCore/constitute.c:866
    #14 0x7f340eb529bf in ConvertImageCommand MagickWand/convert.c:641
    #15 0x7f340eccd25c in MagickCommandGenesis MagickWand/mogrify.c:183
    #16 0x401b16 in MagickMain utilities/magick.c:149
    #17 0x401d80 in main utilities/magick.c:180
    #18 0x7f34088b5039 in __libc_start_main (/lib64/libc.so.6+0x21039)

Indirect leak of 704 byte(s) in 1 object(s) allocated from:
    #0 0x7f3410196850 in malloc (/lib64/libasan.so.4+0xde850)
    #1 0x7f340f56e8dd in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x7f340f56e931 in AcquireQuantumMemory MagickCore/memory.c:537
    #3 0x7f340f325ae7 in AcquirePixelCacheNexus MagickCore/cache.c:263
    #4 0x7f340f32569e in AcquirePixelCache MagickCore/cache.c:206
    #5 0x7f340f326219 in ClonePixelCache MagickCore/cache.c:411
    #6 0x7f340f32b77f in GetImagePixelCache MagickCore/cache.c:1632
    #7 0x7f340f33b5e6 in SyncImagePixelCache MagickCore/cache.c:5260
    #8 0x7f340f365a88 in SetImageColorspace MagickCore/colorspace.c:1182
    #9 0x7f340f3859d4 in CompositeImage MagickCore/composite.c:595
    #10 0x7f340f54759a in CoalesceImages MagickCore/layer.c:280
    #11 0x7f340fa1eab1 in ReadOneMNGImage coders/png.c:7583
    #12 0x7f340fa1f83c in ReadMNGImage coders/png.c:7694
    #13 0x7f340f39b48b in ReadImage MagickCore/constitute.c:497
    #14 0x7f340f39e354 in ReadImages MagickCore/constitute.c:866
    #15 0x7f340eb529bf in ConvertImageCommand MagickWand/convert.c:641
    #16 0x7f340eccd25c in MagickCommandGenesis MagickWand/mogrify.c:183
    #17 0x401b16 in MagickMain utilities/magick.c:149
    #18 0x401d80 in main utilities/magick.c:180
    #19 0x7f34088b5039 in __libc_start_main (/lib64/libc.so.6+0x21039)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7f34101974a0 in posix_memalign (/lib64/libasan.so.4+0xdf4a0)
    #1 0x7f340f66926e in AcquireSemaphoreMemory MagickCore/semaphore.c:154
    #2 0x7f340f669358 in AcquireSemaphoreInfo MagickCore/semaphore.c:200
    #3 0x7f340f325917 in AcquirePixelCache MagickCore/cache.c:223
    #4 0x7f340f326219 in ClonePixelCache MagickCore/cache.c:411
    #5 0x7f340f32b77f in GetImagePixelCache MagickCore/cache.c:1632
    #6 0x7f340f33b5e6 in SyncImagePixelCache MagickCore/cache.c:5260
    #7 0x7f340f365a88 in SetImageColorspace MagickCore/colorspace.c:1182
    #8 0x7f340f3859d4 in CompositeImage MagickCore/composite.c:595
    #9 0x7f340f54759a in CoalesceImages MagickCore/layer.c:280
    #10 0x7f340fa1eab1 in ReadOneMNGImage coders/png.c:7583
    #11 0x7f340fa1f83c in ReadMNGImage coders/png.c:7694
    #12 0x7f340f39b48b in ReadImage MagickCore/constitute.c:497
    #13 0x7f340f39e354 in ReadImages MagickCore/constitute.c:866
    #14 0x7f340eb529bf in ConvertImageCommand MagickWand/convert.c:641
    #15 0x7f340eccd25c in MagickCommandGenesis MagickWand/mogrify.c:183
    #16 0x401b16 in MagickMain utilities/magick.c:149
    #17 0x401d80 in main utilities/magick.c:180
    #18 0x7f34088b5039 in __libc_start_main (/lib64/libc.so.6+0x21039)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7f34101974a0 in posix_memalign (/lib64/libasan.so.4+0xdf4a0)
    #1 0x7f340f66926e in AcquireSemaphoreMemory MagickCore/semaphore.c:154
    #2 0x7f340f669358 in AcquireSemaphoreInfo MagickCore/semaphore.c:200
    #3 0x7f340f3258a7 in AcquirePixelCache MagickCore/cache.c:221
    #4 0x7f340f326219 in ClonePixelCache MagickCore/cache.c:411
    #5 0x7f340f32b77f in GetImagePixelCache MagickCore/cache.c:1632
    #6 0x7f340f33b5e6 in SyncImagePixelCache MagickCore/cache.c:5260
    #7 0x7f340f365a88 in SetImageColorspace MagickCore/colorspace.c:1182
    #8 0x7f340f3859d4 in CompositeImage MagickCore/composite.c:595
    #9 0x7f340f54759a in CoalesceImages MagickCore/layer.c:280
    #10 0x7f340fa1eab1 in ReadOneMNGImage coders/png.c:7583
    #11 0x7f340fa1f83c in ReadMNGImage coders/png.c:7694
    #12 0x7f340f39b48b in ReadImage MagickCore/constitute.c:497
    #13 0x7f340f39e354 in ReadImages MagickCore/constitute.c:866
    #14 0x7f340eb529bf in ConvertImageCommand MagickWand/convert.c:641
    #15 0x7f340eccd25c in MagickCommandGenesis MagickWand/mogrify.c:183
    #16 0x401b16 in MagickMain utilities/magick.c:149
    #17 0x401d80 in main utilities/magick.c:180
    #18 0x7f34088b5039 in __libc_start_main (/lib64/libc.so.6+0x21039)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7f34101974a0 in posix_memalign (/lib64/libasan.so.4+0xdf4a0)
    #1 0x7f340f56e7dd in AcquireAlignedMemory MagickCore/memory.c:262
    #2 0x7f340f3259f6 in AcquirePixelCacheNexus MagickCore/cache.c:259
    #3 0x7f340f32569e in AcquirePixelCache MagickCore/cache.c:206
    #4 0x7f340f326219 in ClonePixelCache MagickCore/cache.c:411
    #5 0x7f340f32b77f in GetImagePixelCache MagickCore/cache.c:1632
    #6 0x7f340f33b5e6 in SyncImagePixelCache MagickCore/cache.c:5260
    #7 0x7f340f365a88 in SetImageColorspace MagickCore/colorspace.c:1182
    #8 0x7f340f3859d4 in CompositeImage MagickCore/composite.c:595
    #9 0x7f340f54759a in CoalesceImages MagickCore/layer.c:280
    #10 0x7f340fa1eab1 in ReadOneMNGImage coders/png.c:7583
    #11 0x7f340fa1f83c in ReadMNGImage coders/png.c:7694
    #12 0x7f340f39b48b in ReadImage MagickCore/constitute.c:497
    #13 0x7f340f39e354 in ReadImages MagickCore/constitute.c:866
    #14 0x7f340eb529bf in ConvertImageCommand MagickWand/convert.c:641
    #15 0x7f340eccd25c in MagickCommandGenesis MagickWand/mogrify.c:183
    #16 0x401b16 in MagickMain utilities/magick.c:149
    #17 0x401d80 in main utilities/magick.c:180
    #18 0x7f34088b5039 in __libc_start_main (/lib64/libc.so.6+0x21039)

SUMMARY: AddressSanitizer: 9992 byte(s) leaked in 5 allocation(s).

testcase

Credit: NSFocus Security Team <security (at) nsfocus (dot) com>

[urban-warrior]

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

[nohmask]

This was assigned CVE-2017-17887.