Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

memory leak in WritePSDChannel in coders/psd.c #1451

Closed
3 tasks done
twelveand0 opened this issue Jan 17, 2019 · 2 comments
Closed
3 tasks done

memory leak in WritePSDChannel in coders/psd.c #1451

twelveand0 opened this issue Jan 17, 2019 · 2 comments
Labels
bug
Milestone
7.0.8-25

Comments

@twelveand0
Copy link

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

memory leak in WritePSDChannel in coders/psd.c

Steps to Reproduce

The critical code snippet is:
https://github.com/ImageMagick/ImageMagick/blob/master/coders/psd.c#L2767

#ifdef MAGICKCORE_ZLIB_DELEGATE
  if (compression == ZipCompression)
    {
      compressed_pixels=(unsigned char *) AcquireQuantumMemory(CHUNK,   //line 2770
        sizeof(*compressed_pixels));
      if (compressed_pixels == (unsigned char *) NULL)
        {
          quantum_info=DestroyQuantumInfo(quantum_info);
          return(0);
        }
      memset(&stream,0,sizeof(stream));
      stream.data_type=Z_BINARY;
      level=Z_DEFAULT_COMPRESSION;
      if ((image_info->quality > 0 && image_info->quality < 10))
        level=(int) image_info->quality;
      if (deflateInit(&stream,level) != Z_OK)         //line 2782
        {
          quantum_info=DestroyQuantumInfo(quantum_info);
          return(0);                           //line 2785
        }
    }

compressed_pixels is allocated at line 2770, however, when the condition at line 2782 is satisfied and the function returns at line 2785, compressed_pixels (size is 16KB) is not freed and memory leak happens. In addition, the value of compressed_pixels is not passed outside to its caller function when returned at line 2785.

So the condition that this memory leak happens is that MAGICKCORE_ZLIB_DELEGATE is defined, compression type is ZipCompression and deflateInit(&stream,level) is not Z_OK. The size of leaked memory is 16KB.

Patch suggestion:

if (deflateInit(&stream,level) != Z_OK)  //line 2782
        {
          quantum_info=DestroyQuantumInfo(quantum_info);
+         compressed_pixels=(unsigned char *) RelinquishMagickMemory(
+            compressed_pixels);
          return(0);
        }
    }

System Configuration

  • ImageMagick version: ImageMagick-4f0ea40e2a090e245f31d1f05247520d6e7eb4ca
  • Environment (Operating system, version and so on): Ubuntu 16.04
  • Additional information:

Credit to Bingchang Liu at VARAS of IIE
urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Jan 20, 2019
https://github.com/ImageMagick/ImageMagick/issues/1451
d646562
urban-warrior pushed a commit that referenced this issue Jan 20, 2019
https://github.com/ImageMagick/ImageMagick/issues/1451
8a43abe
@urban-warrior
Copy link
Member

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@dlemstra dlemstra added this to the 7.0.8-25 milestone Jan 20, 2019
@dlemstra dlemstra added the bug label Jan 20, 2019
@nohmask
Copy link

nohmask commented Feb 12, 2019

This was assigned CVE-2019-7395.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Milestone
7.0.8-25
Development

No branches or pull requests
4 participants
@dlemstra @nohmask @urban-warrior @twelveand0