
memory leak in SVGKeyValuePairs of coders/svg.c #1533

Closed
galycannon opened this issue Mar 28, 2019 · 5 comments

@galycannon

commented Mar 28, 2019

Prerequisites

  • [Y] I have written a descriptive issue title
  • [Y] I have verified that I am using the latest version of ImageMagick
  • [Y] I have searched open and closed issues to ensure it has not already been reported

Description

There is a memory leak vulnerability in function SVGKeyValuePairs of coders/svg.c.

Steps to Reproduce

poc
magick convert $poc /dev/null
=================================================================
==8783==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 144 byte(s) in 1 object(s) allocated from:
#0 0x7f1f6d7c1961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
#1 0x441b30 in ResizeMagickMemory MagickCore/memory.c:1302
#2 0x441bb4 in ResizeQuantumMemory MagickCore/memory.c:1366
#3 0x6d3c1c in SVGKeyValuePairs coders/svg.c:752
#4 0x6df888 in SVGEndElement coders/svg.c:2811
#5 0x7f1f6a0ae91c (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x4c91c)

Direct leak of 80 byte(s) in 1 object(s) allocated from:
#0 0x7f1f6d7c1602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x440828 in AcquireMagickMemory MagickCore/memory.c:478
#2 0x44087c in AcquireQuantumMemory MagickCore/memory.c:551
#3 0x6d3b13 in SVGKeyValuePairs coders/svg.c:733
#4 0x6df888 in SVGEndElement coders/svg.c:2811
#5 0x7f1f6a0ae91c (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x4c91c)

Indirect leak of 71185 byte(s) in 17 object(s) allocated from:
#0 0x7f1f6d7c1602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x440828 in AcquireMagickMemory MagickCore/memory.c:478
#2 0x44087c in AcquireQuantumMemory MagickCore/memory.c:551
#3 0x4c22c5 in AcquireString MagickCore/string.c:142
#4 0x6d3cad in SVGKeyValuePairs coders/svg.c:760
#5 0x6df888 in SVGEndElement coders/svg.c:2811
#6 0x7f1f6a0ae91c (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x4c91c)

Indirect leak of 8194 byte(s) in 2 object(s) allocated from:
#0 0x7f1f6d7c1602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x440828 in AcquireMagickMemory MagickCore/memory.c:478
#2 0x44087c in AcquireQuantumMemory MagickCore/memory.c:551
#3 0x4c22c5 in AcquireString MagickCore/string.c:142
#4 0x6d3dd3 in SVGKeyValuePairs coders/svg.c:766
#5 0x6df888 in SVGEndElement coders/svg.c:2811
#6 0x7f1f6a0ae91c (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x4c91c)

SUMMARY: AddressSanitizer: 79603 byte(s) leaked in 21 allocation(s).

System Configuration

  • ImageMagick version:
    Version: ImageMagick 7.0.8-36 Q16 x86_64 2019-03-28 https://imagemagick.org
    Copyright: © 1999-2019 ImageMagick Studio LLC
    License: https://imagemagick.org/script/license.php
    Features: Cipher DPC HDRI OpenMP
    Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff wmf x xml zlib
  • Environment (Operating system, version and so on):
    Distributor ID: Ubuntu
    Description: Ubuntu 16.04.2 LTS
    Release: 16.04
    Codename: xenial
  • Additional information:
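As an added illustration of the allocation pattern the sanitizer trace shows (an array of strings grown with realloc, holding strings acquired one at a time), the following C program is a small "key:value;key:value" parser written so that every exit path releases what it allocated. It is not ImageMagick's `SVGKeyValuePairs`, whose body is not shown in this issue; the type and function names (`KeyValuePairs`, `key_value_pairs_parse`, `key_value_pairs_free`) and the sample inputs are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not ImageMagick's SVGKeyValuePairs: a parser for
   "key:value;key:value" text (the shape of an SVG style attribute) built
   with the same allocation pattern the sanitizer trace shows, an array of
   strings grown with realloc, and written so that every exit path frees
   what was allocated. All names here are hypothetical. */

typedef struct {
    char **tokens; /* alternating key, value strings */
    size_t count;  /* number of strings stored in tokens */
} KeyValuePairs;

/* Release every string and the array. Safe on a half-built result. */
void key_value_pairs_free(KeyValuePairs *kv)
{
    if (kv == NULL)
        return;
    for (size_t i = 0; i < kv->count; i++)
        free(kv->tokens[i]);
    free(kv->tokens);
    kv->tokens = NULL;
    kv->count = 0;
}

/* Copy [start, end) into a fresh string with surrounding blanks removed. */
static char *copy_trimmed(const char *start, const char *end)
{
    while (start < end && (*start == ' ' || *start == '\t'))
        start++;
    while (end > start && (end[-1] == ' ' || end[-1] == '\t'))
        end--;
    size_t len = (size_t)(end - start);
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, start, len);
    s[len] = '\0';
    return s;
}

/* Append a string to the array, growing it with realloc. On failure the
   string is freed here, so the caller never holds a dangling pointer. */
static int push_token(KeyValuePairs *kv, char *token)
{
    char **grown = realloc(kv->tokens, (kv->count + 1) * sizeof(*grown));
    if (grown == NULL) {
        free(token);
        return -1;
    }
    kv->tokens = grown;
    kv->tokens[kv->count++] = token;
    return 0;
}

/* Parse text into out. Returns 0 on success and -1 on malformed input or
   allocation failure. A version that simply did "return -1" from inside
   the loop would leave the array (a direct leak) and the strings reachable
   only through it (indirect leaks) unreferenced, which is the shape of the
   LeakSanitizer report above. Every failure goes through one cleanup
   label instead. */
int key_value_pairs_parse(const char *text, KeyValuePairs *out)
{
    out->tokens = NULL;
    out->count = 0;
    for (const char *p = text; *p != '\0';) {
        const char *semi = strchr(p, ';');
        if (semi == NULL)
            semi = p + strlen(p);
        const char *colon = memchr(p, ':', (size_t)(semi - p));
        if (colon == NULL)
            goto fail; /* key without a value */
        char *key = copy_trimmed(p, colon);
        if (key == NULL || push_token(out, key) != 0)
            goto fail;
        char *value = copy_trimmed(colon + 1, semi);
        if (value == NULL || push_token(out, value) != 0)
            goto fail;
        if (key[0] == '\0' || value[0] == '\0')
            goto fail; /* empty key or value; both are owned by out now */
        p = (*semi == ';') ? semi + 1 : semi;
    }
    return 0;

fail:
    key_value_pairs_free(out); /* frees everything pushed so far */
    return -1;
}

/* Stand-alone demo over constructed inputs. */
int main(void)
{
    const char *samples[] = {"fill:red; stroke : blue", "fill:red;stroke"};
    for (size_t i = 0; i < 2; i++) {
        KeyValuePairs kv;
        int rc = key_value_pairs_parse(samples[i], &kv);
        printf("%-28s rc=%d tokens=%zu\n", samples[i], rc, kv.count);
        key_value_pairs_free(&kv);
    }
    return 0;
}
```

To check a parser like this the same way the report above was produced, build it with `cc -g -fsanitize=address example.c` and run it with `ASAN_OPTIONS=detect_leaks=1`; the malformed second sample exercises the cleanup path, and LeakSanitizer prints nothing at exit if every allocation was released.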

urban-warrior pushed a commit that referenced this issue Mar 29, 2019

Cristy

urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Mar 29, 2019

@urban-warrior

Contributor

commented Mar 29, 2019

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@nohmask


commented Apr 1, 2019

This was assigned CVE-2019-10649.

@butterflyhack


commented Jun 3, 2019

This was assigned CVE-2019-10649.

I want to know how long it takes for a CVE id to be assigned. I requested a CVE id from the CVE Assignment Team, but three months have passed and the CVE Assignment Team has not replied to me.

@dlemstra dlemstra added the bug label Jun 3, 2019

@dlemstra dlemstra closed this Jun 3, 2019

@nohmask


commented Jun 27, 2019

> This was assigned CVE-2019-10649.
>
> I want to know how long it takes for a CVE id to be assigned. I requested a CVE id from the CVE Assignment Team, but three months have passed and the CVE Assignment Team has not replied to me.

The duration is unknown. If there is no response, a different approach works.

@butterflyhack


commented Jun 27, 2019

> > This was assigned CVE-2019-10649.
> >
> > I want to know how long it takes for a CVE id to be assigned. I requested a CVE id from the CVE Assignment Team, but three months have passed and the CVE Assignment Team has not replied to me.
>
> The duration is unknown. If there is no response, a different approach works.

Please tell me how to take a different approach. Thanks.
