memory leaks in AcquireMagickMemory of MagickCore/memory.c #1585

Closed · 3 tasks done
SuhwanSong opened this issue Jun 10, 2019 · 5 comments

Comments


SuhwanSong commented Jun 10, 2019

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

There is a heap buffer overflow/heap-use-after-free vulnerability in MagickCore/resize.c:2823:28 in .omp_outlined.debug_.72 with the same input.

There are also memory leaks in AcquireMagickMemory of MagickCore/memory.c:478:10; this still exists (#1558).

It sometimes doesn't occur, so it needs to be executed several times.

I found that this bug was not reproduced, but it is reproduced with certain arguments (#1500).

Steps to Reproduce

run cmd:
magick "-black-point-compensation" "-weight" "63" "(" "magick:logo" "-normalize" "-resize" "892%-38-49" ")" "(" "magick:wizard" "-preview" "Spiff" "-solarize" "35%" "-cycle" "813" ")" "(" "magick:granite" "-preview" "Blur" "-draw" ""rotate" "205"" "-colors" "109" ")" "-crop" "333x497" "-print" ""

This is about the heap-buffer-overflow.

=================================================================
==19621==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc8b5310d28 at pc 0x000000f00dff bp 0x7ffc7c6a9a50 sp 0x7ffc7c6a9a48
READ of size 4 at 0x7fc8b5310d28 thread T0
    #0 0xf00dfe in .omp_outlined._debug__.72 MagickCore/resize.c:2823:28
    #1 0xf019b6 in .omp_outlined..73 MagickCore/resize.c:2706:3
    #2 0x7fc8c2077452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
    #3 0x7fc8c20311b6  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)
    #4 0x7fc8c20322b5 in __kmp_fork_call (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x372b5)
    #5 0x7fc8c20257be in __kmpc_fork_call (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x2a7be)
    #6 0xef317f in VerticalFilter MagickCore/resize.c:2703:11
    #7 0xef0442 in ResizeImage MagickCore/resize.c:2961:14
    #8 0xefb6bd in ThumbnailImage MagickCore/resize.c:3703:21
    #9 0xd0cdfd in PreviewImage MagickCore/effect.c:2337:15
    #10 0x13f0c33 in CLISimpleOperatorImage MagickWand/operation.c:2964:21
    #11 0x13e0af5 in CLISimpleOperatorImages MagickWand/operation.c:3685:12
    #12 0x1406e7c in CLIOption MagickWand/operation.c:5270:16
    #13 0x128a9db in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #14 0x128bcf2 in MagickImageCommand MagickWand/magick-cli.c:796:5
    #15 0x128e457 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #16 0x531745 in MagickMain utilities/magick.c:149:10
    #17 0x531091 in main utilities/magick.c:180:10
    #18 0x7fc8c1a13b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #19 0x425819 in _start (/usr/local/bin/magick+0x425819)

0x7fc8b5310d28 is located 1832 bytes to the right of 1175040-byte region [0x7fc8b51f1800,0x7fc8b5310600)
allocated by thread T0 here:
    #0 0x4f09b0 in __interceptor_posix_memalign (/usr/local/bin/magick+0x4f09b0)
    #1 0x5822fa in AcquireAlignedMemory MagickCore/memory.c:265:7
    #2 0xb11bac in OpenPixelCache MagickCore/cache.c:3728:46
    #3 0xb188c5 in GetImagePixelCache MagickCore/cache.c:1754:18
    #4 0xb1f66b in SyncImagePixelCache MagickCore/cache.c:5494:28
    #5 0x53f46e in SetImageStorageClass MagickCore/image.c:2627:10
    #6 0xef2791 in VerticalFilter MagickCore/resize.c:2681:7
    #7 0xef0442 in ResizeImage MagickCore/resize.c:2961:14
    #8 0xefb6bd in ThumbnailImage MagickCore/resize.c:3703:21
    #9 0xd0cdfd in PreviewImage MagickCore/effect.c:2337:15
    #10 0x13f0c33 in CLISimpleOperatorImage MagickWand/operation.c:2964:21
    #11 0x13e0af5 in CLISimpleOperatorImages MagickWand/operation.c:3685:12
    #12 0x1406e7c in CLIOption MagickWand/operation.c:5270:16
    #13 0x128a9db in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #14 0x128bcf2 in MagickImageCommand MagickWand/magick-cli.c:796:5
    #15 0x128e457 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #16 0x531745 in MagickMain utilities/magick.c:149:10
    #17 0x531091 in main utilities/magick.c:180:10
    #18 0x7fc8c1a13b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/resize.c:2823:28 in .omp_outlined._debug__.72

And this is about heap-use-after-free.

=================================================================
==24235==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f2fd1712c88 at pc 0x000000f00dff bp 0x7ffef1b2acd0 sp 0x7ffef1b2acc8
READ of size 4 at 0x7f2fd1712c88 thread T0
    #0 0xf00dfe in .omp_outlined._debug__.72 MagickCore/resize.c:2823:28
    #1 0xf019b6 in .omp_outlined..73 MagickCore/resize.c:2706:3
    #2 0x7f2fde527452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
    #3 0x7f2fde4e11b6  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)
    #4 0x7f2fde4e22b5 in __kmp_fork_call (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x372b5)
    #5 0x7f2fde4d57be in __kmpc_fork_call (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x2a7be)
    #6 0xef317f in VerticalFilter MagickCore/resize.c:2703:11
    #7 0xef0442 in ResizeImage MagickCore/resize.c:2961:14
    #8 0xefb6bd in ThumbnailImage MagickCore/resize.c:3703:21
    #9 0xd0cdfd in PreviewImage MagickCore/effect.c:2337:15
    #10 0x13f0c33 in CLISimpleOperatorImage MagickWand/operation.c:2964:21
    #11 0x13e0af5 in CLISimpleOperatorImages MagickWand/operation.c:3685:12
    #12 0x1406e7c in CLIOption MagickWand/operation.c:5270:16
    #13 0x128a9db in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #14 0x128bcf2 in MagickImageCommand MagickWand/magick-cli.c:796:5
    #15 0x128e457 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #16 0x531745 in MagickMain utilities/magick.c:149:10
    #17 0x531091 in main utilities/magick.c:180:10
    #18 0x7f2fddec3b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #19 0x425819 in _start (/usr/local/bin/magick+0x425819)

0x7f2fd1712c88 is located 1160 bytes inside of 1566720-byte region [0x7f2fd1712800,0x7f2fd1891000)
freed by thread T0 here:
    #0 0x4ef768 in __interceptor_free (/usr/local/bin/magick+0x4ef768)
    #1 0x583e5c in RelinquishAlignedMemory MagickCore/memory.c:1037:3
    #2 0xafde01 in RelinquishPixelCachePixels MagickCore/cache.c:972:40
    #3 0xb12119 in OpenPixelCache MagickCore/cache.c:3757:19
    #4 0xb188c5 in GetImagePixelCache MagickCore/cache.c:1754:18
    #5 0xb1f66b in SyncImagePixelCache MagickCore/cache.c:5494:28
    #6 0x53f46e in SetImageStorageClass MagickCore/image.c:2627:10
    #7 0xef2791 in VerticalFilter MagickCore/resize.c:2681:7
    #8 0xef0442 in ResizeImage MagickCore/resize.c:2961:14
    #9 0xefb6bd in ThumbnailImage MagickCore/resize.c:3703:21
    #10 0xd0cdfd in PreviewImage MagickCore/effect.c:2337:15
    #11 0x13f0c33 in CLISimpleOperatorImage MagickWand/operation.c:2964:21
    #12 0x13e0af5 in CLISimpleOperatorImages MagickWand/operation.c:3685:12
    #13 0x1406e7c in CLIOption MagickWand/operation.c:5270:16
    #14 0x128a9db in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #15 0x128bcf2 in MagickImageCommand MagickWand/magick-cli.c:796:5
    #16 0x128e457 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #17 0x531745 in MagickMain utilities/magick.c:149:10
    #18 0x531091 in main utilities/magick.c:180:10
    #19 0x7f2fddec3b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

previously allocated by thread T0 here:
    #0 0x4f09b0 in __interceptor_posix_memalign (/usr/local/bin/magick+0x4f09b0)
    #1 0x5822fa in AcquireAlignedMemory MagickCore/memory.c:265:7
    #2 0xb11bac in OpenPixelCache MagickCore/cache.c:3728:46
    #3 0xb188c5 in GetImagePixelCache MagickCore/cache.c:1754:18
    #4 0xb1f66b in SyncImagePixelCache MagickCore/cache.c:5494:28
    #5 0x54833f in SetImageExtent MagickCore/image.c:2668:10
    #6 0x53f1c3 in CloneImage MagickCore/image.c:911:7
    #7 0xef0272 in ResizeImage MagickCore/resize.c:2940:18
    #8 0xefb6bd in ThumbnailImage MagickCore/resize.c:3703:21
    #9 0xd0cdfd in PreviewImage MagickCore/effect.c:2337:15
    #10 0x13f0c33 in CLISimpleOperatorImage MagickWand/operation.c:2964:21
    #11 0x13e0af5 in CLISimpleOperatorImages MagickWand/operation.c:3685:12
    #12 0x1406e7c in CLIOption MagickWand/operation.c:5270:16
    #13 0x128a9db in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #14 0x128bcf2 in MagickImageCommand MagickWand/magick-cli.c:796:5
    #15 0x128e457 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #16 0x531745 in MagickMain utilities/magick.c:149:10
    #17 0x531091 in main utilities/magick.c:180:10
    #18 0x7f2fddec3b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-use-after-free MagickCore/resize.c:2823:28 in .omp_outlined._debug__.72

About memory leaks in AcquireMagickMemory of MagickCore/memory.c:478:10

==7040==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 73928 byte(s) in 18 object(s) allocated from:
    #0 0x4e53b7 in __interceptor_malloc (install/bin/magick+0x4e53b7)
    #1 0x7f26dee6f8b6 in AcquireMagickMemory MagickCore/memory.c:478:10
    #2 0x7f26dee6f91f in AcquireQuantumMemory MagickCore/memory.c:551:10
    #3 0x7f26df03be77 in AcquireString MagickCore/string.c:142:24
    #4 0x7f26df03ca21 in CloneString MagickCore/string.c:300:20
    #5 0x7f26dec7b28a in CloneDrawInfo MagickCore/draw.c:310:12
    #6 0x7f26dea7108b in AnnotateImage MagickCore/annotate.c:267:12
    #7 0x7f26dee7e6ba in MontageImageList MagickCore/montage.c:842:22
    #8 0x7f26dee78821 in MontageImages MagickCore/montage.c:316:17
    #9 0x7f26decf1ba4 in PreviewImage MagickCore/effect.c:2747:17
    #10 0x7f26de4f3581 in CLISimpleOperatorImage MagickWand/operation.c:2964:21
    #11 0x7f26de4e39b8 in CLISimpleOperatorImages MagickWand/operation.c:3685:12
    #12 0x7f26de509045 in CLIOption MagickWand/operation.c:5270:16
    #13 0x7f26de348749 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #14 0x7f26de3499ba in MagickImageCommand MagickWand/magick-cli.c:796:5
    #15 0x7f26de3940d2 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #16 0x526fb5 in MagickMain utilities/magick.c:149:10
    #17 0x526901 in main utilities/magick.c:180:10
    #18 0x7f26d8925b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: 73928 byte(s) leaked in 18 allocation(s).

System Configuration

  • ImageMagick version:
    Version: ImageMagick 7.0.8-50 Q16 x86_64 2019-06-10

  • Environment (Operating system, version and so on):
    Description: Ubuntu 18.04.1 LTS
    Release: 18.04
    Codename: bionic

  • Additional information: CC=clang-7 CXX=clang++-7
    (heap-buffer-overflow/heap-use-after-free are triggered when compiled with option '--disable-shared')
    (memory leak is triggered when compiled without option '--disable-shared')
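As an added example (not code from this issue or from ImageMagick), a small Python parser that turns ASan/LSan reports like the ones above into the fields a triage script keys on: error kind, faulting address and access, leaked bytes and objects, and the first in-tree frame. The sample inputs are trimmed excerpts constructed from this issue's own output; the MagickCore/ and MagickWand/ prefixes are an assumption about what counts as in-tree code.

```python
import re
# Excerpts constructed from the sanitizer output in this issue (frames trimmed).
HBO_REPORT = """\
==19621==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc8b5310d28 at pc 0x000000f00dff bp 0x7ffc7c6a9a50 sp 0x7ffc7c6a9a48
READ of size 4 at 0x7fc8b5310d28 thread T0
    #0 0xf00dfe in .omp_outlined._debug__.72 MagickCore/resize.c:2823:28
    #2 0x7fc8c2077452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
    #6 0xef317f in VerticalFilter MagickCore/resize.c:2703:11
"""
LEAK_REPORT = """\
==7040==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 73928 byte(s) in 18 object(s) allocated from:
    #0 0x4e53b7 in __interceptor_malloc (install/bin/magick+0x4e53b7)
    #1 0x7f26dee6f8b6 in AcquireMagickMemory MagickCore/memory.c:478:10
    #5 0x7f26dec7b28a in CloneDrawInfo MagickCore/draw.c:310:12
"""

ERROR_RE = re.compile(r"^==(\d+)==ERROR: (\w+Sanitizer): (.+?)(?: on address (0x[0-9a-f]+))?(?: at pc .*)?$", re.M)
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)$", re.M)  # symbolised frames only
LEAK_RE = re.compile(r"^(?:Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)", re.M)

def parse_frames(text):
    """(index, function, file, line) per frame; line is None for shared-object-offset frames."""
    frames = []
    for idx, func, loc in FRAME_RE.findall(text):
        m = re.match(r"^(.*?):(\d+)(?::\d+)?$", loc)  # file:line[:col]
        frames.append((int(idx), func, m.group(1) if m else loc, int(m.group(2)) if m else None))
    return frames

def first_project_frame(frames, prefixes=("MagickCore/", "MagickWand/")):
    """Closest in-tree frame to the fault, skipping interceptor and runtime (libomp) frames."""
    return next((f for f in frames if f[2].startswith(prefixes)), None)

def parse_report(text):
    """Summarise one ASan/LSan report into fields a triage script can key on."""
    m = ERROR_RE.search(text)
    if not m:
        raise ValueError("no sanitizer ERROR line found")
    pid, tool, kind, addr = m.groups()
    info = {"pid": int(pid), "tool": tool, "kind": kind, "address": addr}
    acc = ACCESS_RE.search(text)
    if acc:
        info["access"] = (acc.group(1), int(acc.group(2)))
    leaks = [(int(b), int(n)) for b, n in LEAK_RE.findall(text)]  # LSan prints one block per leak
    if leaks:
        info["leaked_bytes"], info["leaked_objects"] = sum(b for b, _ in leaks), sum(n for _, n in leaks)
    info["frame"] = first_project_frame(parse_frames(text))
    return info
```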

@SuhwanSong SuhwanSong changed the title heap-buffer-overflow in MagicCore/resize.c heap-buffer-overflow/heap-use-after-free in MagicCore/resize.c Jun 10, 2019
@SuhwanSong SuhwanSong changed the title heap-buffer-overflow/heap-use-after-free in MagicCore/resize.c heap-buffer-overflow/heap-use-after-free in MagicCore/resize.c or memory leaks in AcquireMagickMemory of MagickCore/memory.c Jun 11, 2019

SuhwanSong commented Jun 16, 2019

When I followed this comment (with the option --disable-openmp), I got a similar result with this command.

run cmd:
magick "-black-point-compensation" "-weight" "63" "(" "magick:logo" "-normalize" "-resize" "892%-38-49" ")" "(" "magick:wizard" "-preview" "Spiff" "-solarize" "35%" "-cycle" "813" ")" "(" "magick:granite" "-preview" "Blur" "-draw" ""rotate" "205"" "-colors" "109" ")" "-crop" "333x497" "-print" "-C" ""

ASAN result.

==5885==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 73928 byte(s) in 18 object(s) allocated from:
    #0 0x4e5397 in __interceptor_malloc (install/bin/magick+0x4e5397)
    #1 0x7f9f122aa3d6 in AcquireMagickMemory MagickCore/memory.c:478:10
    #2 0x7f9f122aa43f in AcquireQuantumMemory MagickCore/memory.c:551:10
    #3 0x7f9f1243aec7 in AcquireString MagickCore/string.c:142:24
    #4 0x7f9f1243ba71 in CloneString MagickCore/string.c:300:20
    #5 0x7f9f12142eea in CloneDrawInfo MagickCore/draw.c:310:12
    #6 0x7f9f11f973db in AnnotateImage MagickCore/annotate.c:267:12
    #7 0x7f9f122b91da in MontageImageList MagickCore/montage.c:842:22
    #8 0x7f9f122b3341 in MontageImages MagickCore/montage.c:316:17
    #9 0x7f9f121a4424 in PreviewImage MagickCore/effect.c:2747:17
    #10 0x7f9f11a19841 in CLISimpleOperatorImage MagickWand/operation.c:2964:21
    #11 0x7f9f11a09c78 in CLISimpleOperatorImages MagickWand/operation.c:3685:12
    #12 0x7f9f11a2f305 in CLIOption MagickWand/operation.c:5270:16
    #13 0x7f9f11870a99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #14 0x7f9f11871d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
    #15 0x7f9f118bbba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #16 0x526f95 in MagickMain utilities/magick.c:149:10
    #17 0x5268e1 in main utilities/magick.c:180:10
    #18 0x7f9f0c332b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: 73928 byte(s) leaked in 18 allocation(s).

This bug exists when compiled with the --disable-openmp option.
Also, the program doesn't trigger an exception, but there is a memory leak.

Version: ImageMagick 7.0.8-50 Q16 x86_64 2019-06-16 https://imagemagick.org

urban-warrior (Contributor) commented

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@dlemstra dlemstra added the bug label Jun 16, 2019
@dlemstra dlemstra added this to the 7.0.8-50 milestone Jun 16, 2019
SuhwanSong (Author) commented

@urban-warrior
Thanks for patching.

How can I get a CVE for bugs I've reported?
Is there any team in ImageMagick that reports bugs to get CVEs?


nohmask commented Jul 8, 2019

This was assigned CVE-2019-13301.

ret2libc commented
Which commits fix this CVE?

@SuhwanSong SuhwanSong changed the title heap-buffer-overflow/heap-use-after-free in MagicCore/resize.c or memory leaks in AcquireMagickMemory of MagickCore/memory.c memory leaks in AcquireMagickMemory of MagickCore/memory.c Oct 5, 2019