Closed
Description
Prerequisites
- [ Y ] I have written a descriptive issue title
- [ Y ] I have verified that I am using the latest version of ImageMagick
- [ Y ] I have searched open and closed issues to ensure it has not already been reported
Description
There is a potential memory leak vulnerability in the ReadOneJNGImage function in coders/png.c (https://github.com/ImageMagick/ImageMagick/blob/master/coders/png.c#L4563).
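In the excerpt below (line numbers refer to the excerpt, not to png.c), when the allocation fails and chunk is NULL (Line 16), the function calls ThrowReaderException (Line 17) without calling DestroyJNG first. ThrowReaderException leaves the reader, so anything already held in color_image, color_image_info, alpha_image and alpha_image_info is never released, which is a memory leak on this error path. Line 3 ~ Line 6 and Line 45 ~ Line 49 show the correct way to handle this condition: call DestroyJNG before ThrowReaderException. Here chunk is NULL, so the call takes the same form as on Line 3 ~ Line 4.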
1. if (length > GetBlobSize(image))
2. {
3. DestroyJNG(NULL,&color_image,&color_image_info,
4. &alpha_image,&alpha_image_info);
5. ThrowReaderException(CorruptImageError,
6. "InsufficientImageDataInFile");
7. }
8.
9. p=NULL;
10. chunk=(unsigned char *) NULL;
11.
12. if (length != 0)
13. {
14. chunk=(unsigned char *) AcquireQuantumMemory(length,sizeof(*chunk));
15.
16. if (chunk == (unsigned char *) NULL)
17. ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
18.
19. for (i=0; i < (ssize_t) length; i++)
20. {
21. int
22. c;
23.
24. c=ReadBlobByte(image);
25. if (c == EOF)
26. break;
27. chunk[i]=(unsigned char) c;
28. }
29. for ( ; i < (ssize_t) length; i++)
30. chunk[i]='\0';
31.
32. p=chunk;
33. }
34.
35. (void) ReadBlobMSBLong(image); /* read crc word */
36.
37. if (memcmp(type,mng_JHDR,4) == 0)
38. {
39. if (length == 16)
40. {
41. jng_width=(png_uint_32)mng_get_long(p);
42. jng_height=(png_uint_32)mng_get_long(&p[4]);
43. if ((jng_width == 0) || (jng_height == 0))
44. {
45. DestroyJNG(chunk,&color_image,&color_image_info,
46. &alpha_image,&alpha_image_info);
47.
48. ThrowReaderException(CorruptImageError,
49. "NegativeOrZeroImageSize");
50. }
- ImageMagick version: current version (Git version)