Potential memory leak in function ReadOneJNGImage in coders/png.c #1201

Closed
@YangY-Xiao

Prerequisites

  • [ Y ] I have written a descriptive issue title
  • [ Y ] I have verified that I am using the latest version of ImageMagick
  • [ Y ] I have searched open and closed issues to ensure it has not already been reported

Description

There is a potential memory leak vulnerability in the ReadOneJNGImage function in coders/png.c. (https://github.com/ImageMagick/ImageMagick/blob/master/coders/png.c#L4563)

As we can see, when chunk equals NULL (Line 16), the program should call the DestroyJNG function first. Otherwise, there would be a memory leak vulnerability. Line 3 ~ Line 6 and Line 45 ~ Line 49 are the correct way to handle this condition.


1.     if (length > GetBlobSize(image))
2.       {
3.         DestroyJNG(NULL,&color_image,&color_image_info,
4.           &alpha_image,&alpha_image_info);
5.         ThrowReaderException(CorruptImageError,
6.           "InsufficientImageDataInFile");
7.       }
8. 
9.     p=NULL;
10.     chunk=(unsigned char *) NULL;
11. 
12.     if (length != 0)
13.       {
14.         chunk=(unsigned char *) AcquireQuantumMemory(length,sizeof(*chunk));
15. 
16.         if (chunk == (unsigned char *) NULL)
17.           ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
18. 
19.         for (i=0; i < (ssize_t) length; i++)
20.         {
21.           int
22.             c;
23. 
24.           c=ReadBlobByte(image);
25.           if (c == EOF)
26.             break;
27.           chunk[i]=(unsigned char) c;
28.         }
29.         for ( ; i < (ssize_t) length; i++)
30.           chunk[i]='\0';
31. 
32.         p=chunk;
33.       }
34. 
35.     (void) ReadBlobMSBLong(image);  /* read crc word */
36. 
37.     if (memcmp(type,mng_JHDR,4) == 0)
38.       {
39.         if (length == 16)
40.           {
41.             jng_width=(png_uint_32)mng_get_long(p);
42.             jng_height=(png_uint_32)mng_get_long(&p[4]);
43.             if ((jng_width == 0) || (jng_height == 0))
44.             {
45.               DestroyJNG(chunk,&color_image,&color_image_info,
46.                 &alpha_image,&alpha_image_info);
47. 
48.               ThrowReaderException(CorruptImageError,
49.                 "NegativeOrZeroImageSize");
50.             }

  • ImageMagick version: current version (Git version)
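
The error-path pattern reported above, as an added example that is not part of the original issue and is not ImageMagick code: a tracked allocator counts what is still outstanding when the chunk allocation fails, with and without a cleanup call before the exit. `JngState`, `track_alloc`, `track_free`, `destroy_state` and `read_one_chunk` are hypothetical stand-ins, and the example assumes per-image state from earlier chunks is already held when the allocation fails.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the reader's state; not ImageMagick's API. */
typedef struct { void *color_image, *color_image_info,
                      *alpha_image, *alpha_image_info; } JngState;

static long live = 0;   /* tracked allocations not yet freed */

static void *track_alloc(size_t n) { void *p = malloc(n); if (p) live++; return p; }
static void track_free(void *p) { if (p) { free(p); live--; } }

/* Plays the role of DestroyJNG: release the chunk and all per-image state. */
static void destroy_state(void *chunk, JngState *s)
{
  track_free(chunk);
  track_free(s->color_image);      s->color_image = NULL;
  track_free(s->color_image_info); s->color_image_info = NULL;
  track_free(s->alpha_image);      s->alpha_image = NULL;
  track_free(s->alpha_image_info); s->alpha_image_info = NULL;
}

/* Processes one chunk while state from earlier chunks is held (assumption).
   fail_alloc simulates the chunk allocation returning NULL.
   cleanup_on_fail = 0 reproduces the early exit at lines 16-17 of the listing;
   cleanup_on_fail = 1 follows the pattern of lines 3-6.
   Returns the number of allocations this call left outstanding. */
static long read_one_chunk(size_t length, int fail_alloc, int cleanup_on_fail)
{
  long before = live;
  JngState s = { track_alloc(8), track_alloc(8), track_alloc(8), track_alloc(8) };
  unsigned char *chunk = fail_alloc ? NULL : track_alloc(length);

  if (chunk == NULL)
    {
      if (cleanup_on_fail)
        destroy_state(NULL, &s);   /* release state before the error exit */
      return live - before;        /* error exit */
    }
  destroy_state(chunk, &s);        /* normal exit releases everything */
  return live - before;
}

int main(void)
{
  printf("exit without cleanup: %ld outstanding\n", read_one_chunk(16, 1, 0));
  printf("exit with cleanup:    %ld outstanding\n", read_one_chunk(16, 1, 1));
  printf("successful read:      %ld outstanding\n", read_one_chunk(16, 0, 0));
  return 0;
}
```

Building the real reader with a leak checker such as AddressSanitizer's LeakSanitizer and forcing the allocation failure gives the same signal on the actual code path.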
