Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Potential memory leak in function ReadOneJNGImage in coders/png.c #1201

Closed
Young-X opened this issue Jul 6, 2018 · 2 comments
Closed

Potential memory leak in function ReadOneJNGImage in coders/png.c #1201

Young-X opened this issue Jul 6, 2018 · 2 comments
Labels

Comments

@Young-X
Copy link

Young-X commented Jul 6, 2018

Prerequisites

  • [ Y ] I have written a descriptive issue title
  • [ Y ] I have verified that I am using the latest version of ImageMagick
  • [ Y ] I have searched open and closed issues to ensure it has not already been reported

Description

There is a potential memory leak vulnerability in ReadOneJNGImage function in coders/png.c. (https://github.com/ImageMagick/ImageMagick/blob/master/coders/png.c#L4563)

As we can see, when chunk equals to NULL (Line 16), the program should call DestroyJNG function firstly. Otherwise, there would be a memory leak vulnerability. Line 3 ~ Line 6 and Line 45 ~ Line 49 are the correct way to handle this condition.


1.     if (length > GetBlobSize(image))
2.       {
3.         DestroyJNG(NULL,&color_image,&color_image_info,
4.           &alpha_image,&alpha_image_info);
5.         ThrowReaderException(CorruptImageError,
6.           "InsufficientImageDataInFile");
7.       }
8. 
9.     p=NULL;
10.     chunk=(unsigned char *) NULL;
11. 
12.     if (length != 0)
13.       {
14.         chunk=(unsigned char *) AcquireQuantumMemory(length,sizeof(*chunk));
15. 
16.         if (chunk == (unsigned char *) NULL)
17.           ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
18. 
19.         for (i=0; i < (ssize_t) length; i++)
20.         {
21.           int
22.             c;
23. 
24.           c=ReadBlobByte(image);
25.           if (c == EOF)
26.             break;
27.           chunk[i]=(unsigned char) c;
28.         }
29.         for ( ; i < (ssize_t) length; i++)
30.           chunk[i]='\0';
31. 
32.         p=chunk;
33.       }
34. 
35.     (void) ReadBlobMSBLong(image);  /* read crc word */
36. 
37.     if (memcmp(type,mng_JHDR,4) == 0)
38.       {
39.         if (length == 16)
40.           {
41.             jng_width=(png_uint_32)mng_get_long(p);
42.             jng_height=(png_uint_32)mng_get_long(&p[4]);
43.             if ((jng_width == 0) || (jng_height == 0))
44.             {
45.               DestroyJNG(chunk,&color_image,&color_image_info,
46.                 &alpha_image,&alpha_image_info);
47. 
48.               ThrowReaderException(CorruptImageError,
49.                 "NegativeOrZeroImageSize");
50.             }

  • ImageMagick version: current version (Git version)
urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Jul 7, 2018
@urban-warrior
Copy link
Contributor

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@dlemstra dlemstra added the bug label Jul 7, 2018
@dlemstra dlemstra closed this as completed Jul 7, 2018
@nohmask
Copy link

nohmask commented Sep 7, 2018

This was assigned CVE-2018-16640.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Development

No branches or pull requests

4 participants