
memory leaks in AcquireMagickMemory of MagickCore/memory.c #1585

Closed
@SuhwanSong

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

There is a heap buffer overflow/heap-use-after-free vulnerability in MagickCore/resize.c:2823:28 in .omp_outlined.debug_.72 with the same input.

And also memory leaks in AcquireMagickMemory of MagickCore/memory.c:478:10; this still exists (#1558).

It sometimes doesn't occur, so it needs to be executed several times.

I found that this bug was not reproduced, but it is reproduced with certain arguments (#1500).

Steps to Reproduce

run cmd:
magick "-black-point-compensation" "-weight" "63" "(" "magick:logo" "-normalize" "-resize" "892%-38-49" ")" "(" "magick:wizard" "-preview" "Spiff" "-solarize" "35%" "-cycle" "813" ")" "(" "magick:granite" "-preview" "Blur" "-draw" ""rotate" "205"" "-colors" "109" ")" "-crop" "333x497" "-print" ""

This is about the heap-buffer-overflow.

=================================================================
==19621==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc8b5310d28 at pc 0x000000f00dff bp 0x7ffc7c6a9a50 sp 0x7ffc7c6a9a48
READ of size 4 at 0x7fc8b5310d28 thread T0
    #0 0xf00dfe in .omp_outlined._debug__.72 MagickCore/resize.c:2823:28
    #1 0xf019b6 in .omp_outlined..73 MagickCore/resize.c:2706:3
    #2 0x7fc8c2077452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
    #3 0x7fc8c20311b6  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)
    #4 0x7fc8c20322b5 in __kmp_fork_call (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x372b5)
    #5 0x7fc8c20257be in __kmpc_fork_call (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x2a7be)
    #6 0xef317f in VerticalFilter MagickCore/resize.c:2703:11
    #7 0xef0442 in ResizeImage MagickCore/resize.c:2961:14
    #8 0xefb6bd in ThumbnailImage MagickCore/resize.c:3703:21
    #9 0xd0cdfd in PreviewImage MagickCore/effect.c:2337:15
    #10 0x13f0c33 in CLISimpleOperatorImage MagickWand/operation.c:2964:21
    #11 0x13e0af5 in CLISimpleOperatorImages MagickWand/operation.c:3685:12
    #12 0x1406e7c in CLIOption MagickWand/operation.c:5270:16
    #13 0x128a9db in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #14 0x128bcf2 in MagickImageCommand MagickWand/magick-cli.c:796:5
    #15 0x128e457 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #16 0x531745 in MagickMain utilities/magick.c:149:10
    #17 0x531091 in main utilities/magick.c:180:10
    #18 0x7fc8c1a13b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #19 0x425819 in _start (/usr/local/bin/magick+0x425819)

0x7fc8b5310d28 is located 1832 bytes to the right of 1175040-byte region [0x7fc8b51f1800,0x7fc8b5310600)
allocated by thread T0 here:
    #0 0x4f09b0 in __interceptor_posix_memalign (/usr/local/bin/magick+0x4f09b0)
    #1 0x5822fa in AcquireAlignedMemory MagickCore/memory.c:265:7
    #2 0xb11bac in OpenPixelCache MagickCore/cache.c:3728:46
    #3 0xb188c5 in GetImagePixelCache MagickCore/cache.c:1754:18
    #4 0xb1f66b in SyncImagePixelCache MagickCore/cache.c:5494:28
    #5 0x53f46e in SetImageStorageClass MagickCore/image.c:2627:10
    #6 0xef2791 in VerticalFilter MagickCore/resize.c:2681:7
    #7 0xef0442 in ResizeImage MagickCore/resize.c:2961:14
    #8 0xefb6bd in ThumbnailImage MagickCore/resize.c:3703:21
    #9 0xd0cdfd in PreviewImage MagickCore/effect.c:2337:15
    #10 0x13f0c33 in CLISimpleOperatorImage MagickWand/operation.c:2964:21
    #11 0x13e0af5 in CLISimpleOperatorImages MagickWand/operation.c:3685:12
    #12 0x1406e7c in CLIOption MagickWand/operation.c:5270:16
    #13 0x128a9db in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #14 0x128bcf2 in MagickImageCommand MagickWand/magick-cli.c:796:5
    #15 0x128e457 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #16 0x531745 in MagickMain utilities/magick.c:149:10
    #17 0x531091 in main utilities/magick.c:180:10
    #18 0x7fc8c1a13b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/resize.c:2823:28 in .omp_outlined._debug__.72

And this is about the heap-use-after-free.

=================================================================
==24235==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f2fd1712c88 at pc 0x000000f00dff bp 0x7ffef1b2acd0 sp 0x7ffef1b2acc8
READ of size 4 at 0x7f2fd1712c88 thread T0
    #0 0xf00dfe in .omp_outlined._debug__.72 MagickCore/resize.c:2823:28
    #1 0xf019b6 in .omp_outlined..73 MagickCore/resize.c:2706:3
    #2 0x7f2fde527452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
    #3 0x7f2fde4e11b6  (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)
    #4 0x7f2fde4e22b5 in __kmp_fork_call (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x372b5)
    #5 0x7f2fde4d57be in __kmpc_fork_call (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x2a7be)
    #6 0xef317f in VerticalFilter MagickCore/resize.c:2703:11
    #7 0xef0442 in ResizeImage MagickCore/resize.c:2961:14
    #8 0xefb6bd in ThumbnailImage MagickCore/resize.c:3703:21
    #9 0xd0cdfd in PreviewImage MagickCore/effect.c:2337:15
    #10 0x13f0c33 in CLISimpleOperatorImage MagickWand/operation.c:2964:21
    #11 0x13e0af5 in CLISimpleOperatorImages MagickWand/operation.c:3685:12
    #12 0x1406e7c in CLIOption MagickWand/operation.c:5270:16
    #13 0x128a9db in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #14 0x128bcf2 in MagickImageCommand MagickWand/magick-cli.c:796:5
    #15 0x128e457 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #16 0x531745 in MagickMain utilities/magick.c:149:10
    #17 0x531091 in main utilities/magick.c:180:10
    #18 0x7f2fddec3b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #19 0x425819 in _start (/usr/local/bin/magick+0x425819)

0x7f2fd1712c88 is located 1160 bytes inside of 1566720-byte region [0x7f2fd1712800,0x7f2fd1891000)
freed by thread T0 here:
    #0 0x4ef768 in __interceptor_free (/usr/local/bin/magick+0x4ef768)
    #1 0x583e5c in RelinquishAlignedMemory MagickCore/memory.c:1037:3
    #2 0xafde01 in RelinquishPixelCachePixels MagickCore/cache.c:972:40
    #3 0xb12119 in OpenPixelCache MagickCore/cache.c:3757:19
    #4 0xb188c5 in GetImagePixelCache MagickCore/cache.c:1754:18
    #5 0xb1f66b in SyncImagePixelCache MagickCore/cache.c:5494:28
    #6 0x53f46e in SetImageStorageClass MagickCore/image.c:2627:10
    #7 0xef2791 in VerticalFilter MagickCore/resize.c:2681:7
    #8 0xef0442 in ResizeImage MagickCore/resize.c:2961:14
    #9 0xefb6bd in ThumbnailImage MagickCore/resize.c:3703:21
    #10 0xd0cdfd in PreviewImage MagickCore/effect.c:2337:15
    #11 0x13f0c33 in CLISimpleOperatorImage MagickWand/operation.c:2964:21
    #12 0x13e0af5 in CLISimpleOperatorImages MagickWand/operation.c:3685:12
    #13 0x1406e7c in CLIOption MagickWand/operation.c:5270:16
    #14 0x128a9db in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #15 0x128bcf2 in MagickImageCommand MagickWand/magick-cli.c:796:5
    #16 0x128e457 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #17 0x531745 in MagickMain utilities/magick.c:149:10
    #18 0x531091 in main utilities/magick.c:180:10
    #19 0x7f2fddec3b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

previously allocated by thread T0 here:
    #0 0x4f09b0 in __interceptor_posix_memalign (/usr/local/bin/magick+0x4f09b0)
    #1 0x5822fa in AcquireAlignedMemory MagickCore/memory.c:265:7
    #2 0xb11bac in OpenPixelCache MagickCore/cache.c:3728:46
    #3 0xb188c5 in GetImagePixelCache MagickCore/cache.c:1754:18
    #4 0xb1f66b in SyncImagePixelCache MagickCore/cache.c:5494:28
    #5 0x54833f in SetImageExtent MagickCore/image.c:2668:10
    #6 0x53f1c3 in CloneImage MagickCore/image.c:911:7
    #7 0xef0272 in ResizeImage MagickCore/resize.c:2940:18
    #8 0xefb6bd in ThumbnailImage MagickCore/resize.c:3703:21
    #9 0xd0cdfd in PreviewImage MagickCore/effect.c:2337:15
    #10 0x13f0c33 in CLISimpleOperatorImage MagickWand/operation.c:2964:21
    #11 0x13e0af5 in CLISimpleOperatorImages MagickWand/operation.c:3685:12
    #12 0x1406e7c in CLIOption MagickWand/operation.c:5270:16
    #13 0x128a9db in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #14 0x128bcf2 in MagickImageCommand MagickWand/magick-cli.c:796:5
    #15 0x128e457 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #16 0x531745 in MagickMain utilities/magick.c:149:10
    #17 0x531091 in main utilities/magick.c:180:10
    #18 0x7f2fddec3b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-use-after-free MagickCore/resize.c:2823:28 in .omp_outlined._debug__.72

About memory leaks in AcquireMagickMemory of MagickCore/memory.c:478:10

==7040==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 73928 byte(s) in 18 object(s) allocated from:
    #0 0x4e53b7 in __interceptor_malloc (install/bin/magick+0x4e53b7)
    #1 0x7f26dee6f8b6 in AcquireMagickMemory MagickCore/memory.c:478:10
    #2 0x7f26dee6f91f in AcquireQuantumMemory MagickCore/memory.c:551:10
    #3 0x7f26df03be77 in AcquireString MagickCore/string.c:142:24
    #4 0x7f26df03ca21 in CloneString MagickCore/string.c:300:20
    #5 0x7f26dec7b28a in CloneDrawInfo MagickCore/draw.c:310:12
    #6 0x7f26dea7108b in AnnotateImage MagickCore/annotate.c:267:12
    #7 0x7f26dee7e6ba in MontageImageList MagickCore/montage.c:842:22
    #8 0x7f26dee78821 in MontageImages MagickCore/montage.c:316:17
    #9 0x7f26decf1ba4 in PreviewImage MagickCore/effect.c:2747:17
    #10 0x7f26de4f3581 in CLISimpleOperatorImage MagickWand/operation.c:2964:21
    #11 0x7f26de4e39b8 in CLISimpleOperatorImages MagickWand/operation.c:3685:12
    #12 0x7f26de509045 in CLIOption MagickWand/operation.c:5270:16
    #13 0x7f26de348749 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
    #14 0x7f26de3499ba in MagickImageCommand MagickWand/magick-cli.c:796:5
    #15 0x7f26de3940d2 in MagickCommandGenesis MagickWand/mogrify.c:185:14
    #16 0x526fb5 in MagickMain utilities/magick.c:149:10
    #17 0x526901 in main utilities/magick.c:180:10
    #18 0x7f26d8925b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: 73928 byte(s) leaked in 18 allocation(s).

System Configuration

  • ImageMagick version:
    Version: ImageMagick 7.0.8-50 Q16 x86_64 2019-06-10

  • Environment (Operating system, version and so on):
    Description: Ubuntu 18.04.1 LTS
    Release: 18.04
    Codename: bionic

  • Additional information: CC=clang-7 CXX=clang++-7
    (heap-buffer-overflow/heap-use-after-free are triggered when compiled with option '--disable-shared')
    (memory leak is triggered when compiled without option '--disable-shared')
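Added here as a triage aid, not part of the issue or of ImageMagick: a small Python parser that splits sanitizer output into individual reports and derives a dedupe key from the first source location of each stack (fault, free, allocation), so repeated runs of a flaky reproducer like the one above can be grouped and compared against earlier issues. The embedded sample is a constructed abbreviation of the traces quoted in this report.

```python
import re

# Constructed sample, abbreviated from the sanitizer reports quoted in the issue above.
SAMPLE_REPORTS = """\
==24235==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f2fd1712c88 at pc 0x000000f00dff
READ of size 4 at 0x7f2fd1712c88 thread T0
    #0 0xf00dfe in .omp_outlined._debug__.72 MagickCore/resize.c:2823:28
    #2 0x7f2fde527452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
    #6 0xef317f in VerticalFilter MagickCore/resize.c:2703:11
freed by thread T0 here:
    #0 0x4ef768 in __interceptor_free (/usr/local/bin/magick+0x4ef768)
    #1 0x583e5c in RelinquishAlignedMemory MagickCore/memory.c:1037:3
SUMMARY: AddressSanitizer: heap-use-after-free MagickCore/resize.c:2823:28 in .omp_outlined._debug__.72
==7040==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 73928 byte(s) in 18 object(s) allocated from:
    #0 0x4e53b7 in __interceptor_malloc (install/bin/magick+0x4e53b7)
    #1 0x7f26dee6f8b6 in AcquireMagickMemory MagickCore/memory.c:478:10
SUMMARY: AddressSanitizer: 73928 byte(s) leaked in 18 allocation(s).
"""

ERROR_RE = re.compile(r"^==\d+==ERROR: \w+Sanitizer: ([\w-]+)")
STACK_RE = re.compile(r"^(?:READ|WRITE) of size|^(?:previously )?(?:allocated|freed) by|allocated from:$")
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")

def parse_reports(text):
    """Return [(kind, stacks)], where stacks is a list of [(function, location), ...] in report order."""
    reports = []
    for line in text.splitlines():
        if m := ERROR_RE.match(line):
            kind = "memory-leak" if m.group(1) == "detected" else m.group(1)  # LSan header wording
            reports.append((kind, []))
        elif reports and STACK_RE.search(line):
            reports[-1][1].append([])  # a new stack trace starts here
        elif reports and reports[-1][1] and (m := FRAME_RE.match(line)):
            reports[-1][1][-1].append((m.group(1), m.group(2)))
    return reports

def first_source_loc(stack):
    """file:line of the first frame in project source; interceptor and runtime .so frames carry no line."""
    for _fn, loc in stack:
        if re.search(r"\.c:\d+", loc):
            return loc.rsplit(":", 1)[0]  # drop the column number
    return None

def dedupe_key(report):
    """Error kind plus the first source location of each stack. Function names are left out
    because OpenMP outlined bodies get build-dependent names such as .omp_outlined._debug__.72."""
    kind, stacks = report
    return (kind,) + tuple(first_source_loc(s) for s in stacks)
```

Feed each run's stderr through parse_reports and count dedupe_key values to see which findings are stable across the repeated executions the reporter mentions.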
