memory leak in ReadMATImage #445

Closed
bestshow opened this issue Apr 26, 2017 · 2 comments
@bestshow

on ImageMagick 7.0.5-5

The ReadMATImage function in mat.c:1091 allows attackers to cause a denial of service (memory leak) via a crafted file.

#identify $FILE

Direct leak of 152 byte(s) in 1 object(s) allocated from:
#0 0x7fbc6f9c6b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
#1 0x43ecdb in AcquireMagickMemory MagickCore/memory.c:463
#2 0x982520 in AcquireQuantumInfo MagickCore/quantum.c:118
#3 0x5a7e4c in ReadMATImage coders/mat.c:1091
#4 0x7f27a7 in ReadImage MagickCore/constitute.c:497
#5 0x9e41a7 in ReadStream MagickCore/stream.c:1045
#6 0x7f1855 in PingImage MagickCore/constitute.c:226
#7 0x7f1e08 in PingImages MagickCore/constitute.c:327
#8 0xbb97b4 in IdentifyImageCommand MagickWand/identify.c:319
#9 0xc10308 in MagickCommandGenesis MagickWand/mogrify.c:183
#10 0x40f839 in MagickMain utilities/magick.c:149
#11 0x40fa06 in main utilities/magick.c:180
#12 0x7fbc6acd5b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

Indirect leak of 361508 byte(s) in 4 object(s) allocated from:
#0 0x7fbc6f9c6b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
#1 0x43ecdb in AcquireMagickMemory MagickCore/memory.c:463
#2 0x43ed2f in AcquireQuantumMemory MagickCore/memory.c:536
#3 0x982955 in AcquireQuantumPixels MagickCore/quantum.c:175
#4 0x984573 in SetQuantumDepth MagickCore/quantum.c:693
#5 0x982692 in AcquireQuantumInfo MagickCore/quantum.c:125
#6 0x5a7e4c in ReadMATImage coders/mat.c:1091
#7 0x7f27a7 in ReadImage MagickCore/constitute.c:497
#8 0x9e41a7 in ReadStream MagickCore/stream.c:1045
#9 0x7f1855 in PingImage MagickCore/constitute.c:226
#10 0x7f1e08 in PingImages MagickCore/constitute.c:327
#11 0xbb97b4 in IdentifyImageCommand MagickWand/identify.c:319
#12 0xc10308 in MagickCommandGenesis MagickWand/mogrify.c:183
#13 0x40f839 in MagickMain utilities/magick.c:149
#14 0x40fa06 in main utilities/magick.c:180
#15 0x7fbc6acd5b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x7fbc6f9c7590 in __interceptor_posix_memalign ../../../../libsanitizer/asan/asan_malloc_linux.cc:128
#1 0x48bef5 in AcquireSemaphoreMemory MagickCore/semaphore.c:154
#2 0x48bf9d in AcquireSemaphoreInfo MagickCore/semaphore.c:200
#3 0x9835ac in GetQuantumInfo MagickCore/quantum.c:427
#4 0x982642 in AcquireQuantumInfo MagickCore/quantum.c:122
#5 0x5a7e4c in ReadMATImage coders/mat.c:1091
#6 0x7f27a7 in ReadImage MagickCore/constitute.c:497
#7 0x9e41a7 in ReadStream MagickCore/stream.c:1045
#8 0x7f1855 in PingImage MagickCore/constitute.c:226
#9 0x7f1e08 in PingImages MagickCore/constitute.c:327
#10 0xbb97b4 in IdentifyImageCommand MagickWand/identify.c:319
#11 0xc10308 in MagickCommandGenesis MagickWand/mogrify.c:183
#12 0x40f839 in MagickMain utilities/magick.c:149
#13 0x40fa06 in main utilities/magick.c:180
#14 0x7fbc6acd5b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

Indirect leak of 32 byte(s) in 1 object(s) allocated from:
#0 0x7fbc6f9c6b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
#1 0x43ecdb in AcquireMagickMemory MagickCore/memory.c:463
#2 0x43ed2f in AcquireQuantumMemory MagickCore/memory.c:536
#3 0x982814 in AcquireQuantumPixels MagickCore/quantum.c:166
#4 0x984573 in SetQuantumDepth MagickCore/quantum.c:693
#5 0x982692 in AcquireQuantumInfo MagickCore/quantum.c:125
#6 0x5a7e4c in ReadMATImage coders/mat.c:1091
#7 0x7f27a7 in ReadImage MagickCore/constitute.c:497
#8 0x9e41a7 in ReadStream MagickCore/stream.c:1045
#9 0x7f1855 in PingImage MagickCore/constitute.c:226
#10 0x7f1e08 in PingImages MagickCore/constitute.c:327
#11 0xbb97b4 in IdentifyImageCommand MagickWand/identify.c:319
#12 0xc10308 in MagickCommandGenesis MagickWand/mogrify.c:183
#13 0x40f839 in MagickMain utilities/magick.c:149
#14 0x40fa06 in main utilities/magick.c:180
#15 0x7fbc6acd5b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

361756 byte(s) leaked in 7 allocation(s).

testcase:https://github.com/bestshow/p0cs/blob/master/memory-leak-in-ReadMATImage-1.mat
Author: ADLab of Venustech
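The three ASan stacks above share one root: a QuantumInfo allocated by AcquireQuantumInfo at coders/mat.c:1091 is still live when identify exits, so the reader returned from that point without calling the matching destroy routine. The usual shape of such a bug in a coder is an early return or exception on a malformed section that skips the cleanup. The block below is an added, self-contained C model of that pattern and is not ImageMagick's code: the element header layout (little-endian 4-byte type, 4-byte byte count, payload), the type value 14, the QuantumInfoModel struct, the tracking allocator and the three input buffers are all constructed for this example. It shows the leaky reader next to a fixed one with a single exit path, plus a counting allocator of the kind used in fuzz harnesses to catch this class of leak without LeakSanitizer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* --- Tracking allocator (assumption: stand-in for AcquireMagickMemory) ---
   Every block is recorded so a harness can count what is still live after a
   reader returns, and free it so the harness itself stays leak-free. */
#define MAX_TRACKED 16
static void *tracked[MAX_TRACKED];
static int live_allocs = 0;

static void *track_malloc(size_t n) {
    void *p = malloc(n);
    if (p == NULL) return NULL;
    for (int i = 0; i < MAX_TRACKED; i++)
        if (tracked[i] == NULL) { tracked[i] = p; live_allocs++; return p; }
    free(p);              /* table full: treat as allocation failure */
    return NULL;
}

static void track_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < MAX_TRACKED; i++)
        if (tracked[i] == p) { tracked[i] = NULL; live_allocs--; break; }
    free(p);
}

/* Free everything still recorded; returns how many blocks had been leaked. */
static int release_leaked(void) {
    int n = 0;
    for (int i = 0; i < MAX_TRACKED; i++)
        if (tracked[i] != NULL) { free(tracked[i]); tracked[i] = NULL; n++; }
    live_allocs = 0;
    return n;
}

/* --- Hypothetical quantum info: a struct plus a pixel buffer, two blocks --- */
typedef struct { unsigned char *pixels; size_t depth; } QuantumInfoModel;

static QuantumInfoModel *acquire_quantum(size_t depth) {
    QuantumInfoModel *q = track_malloc(sizeof *q);
    if (q == NULL) return NULL;
    q->pixels = track_malloc(depth * 16);
    if (q->pixels == NULL) { track_free(q); return NULL; }
    q->depth = depth;
    return q;
}

static void destroy_quantum(QuantumInfoModel *q) {
    if (q == NULL) return;
    track_free(q->pixels);
    track_free(q);
}

/* --- Minimal element reader (constructed format, not real MAT parsing) --- */
static uint32_t rd32le(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

enum { READ_OK = 0, READ_ERR_SHORT = -1, READ_ERR_TYPE = -2 };
enum { ELEM_HDR = 8, ELEM_TYPE_MATRIX = 14 };   /* assumed values */

/* Leaky: acquires quantum info, then bails out on bad input without releasing it. */
static int read_mat_leaky(const unsigned char *buf, size_t len) {
    if (len < ELEM_HDR) return READ_ERR_SHORT;
    uint32_t type = rd32le(buf), nbytes = rd32le(buf + 4);
    QuantumInfoModel *q = acquire_quantum(8);          /* like AcquireQuantumInfo */
    if (q == NULL) return READ_ERR_SHORT;
    if (type != ELEM_TYPE_MATRIX) return READ_ERR_TYPE; /* BUG: q never destroyed */
    if (nbytes > len - ELEM_HDR) return READ_ERR_SHORT; /* BUG: same leak */
    destroy_quantum(q);
    return READ_OK;
}

/* Fixed: validation results are recorded, and the one exit path always releases. */
static int read_mat_fixed(const unsigned char *buf, size_t len) {
    if (len < ELEM_HDR) return READ_ERR_SHORT;
    uint32_t type = rd32le(buf), nbytes = rd32le(buf + 4);
    QuantumInfoModel *q = acquire_quantum(8);
    if (q == NULL) return READ_ERR_SHORT;
    int status = READ_OK;
    if (type != ELEM_TYPE_MATRIX) status = READ_ERR_TYPE;
    else if (nbytes > len - ELEM_HDR) status = READ_ERR_SHORT;
    destroy_quantum(q);
    return status;
}

/* Harness: run a reader, report how many blocks it left live, and free them. */
static int leaked_after(int (*reader)(const unsigned char *, size_t),
                        const unsigned char *buf, size_t len) {
    release_leaked();
    (void)reader(buf, len);
    return release_leaked();
}

/* Constructed inputs; these are not the reporter's .mat file. */
static const unsigned char GOOD_ELEM[] = { 14,0,0,0, 4,0,0,0, 1,2,3,4 };
static const unsigned char BAD_TYPE[]  = { 99,0,0,0, 4,0,0,0, 1,2,3,4 };
static const unsigned char TRUNC[]     = { 14,0,0,0, 0xff,0xff,0,0, 1,2 };

int main(void) {
    printf("leaky reader, bad type : %d block(s) leaked\n", leaked_after(read_mat_leaky, BAD_TYPE, sizeof BAD_TYPE));
    printf("fixed reader, bad type : %d block(s) leaked\n", leaked_after(read_mat_fixed, BAD_TYPE, sizeof BAD_TYPE));
    printf("fixed reader, truncated: %d block(s) leaked\n", leaked_after(read_mat_fixed, TRUNC, sizeof TRUNC));
    return 0;
}
```

The leaky reader leaks two blocks (struct plus pixel buffer) on every malformed element, which is the same shape as the report: one direct leak of the QuantumInfo object and indirect leaks of what it owns. The practical check when triaging a report like this is to look at every return between the Acquire call at the reported line and the matching Destroy call, including any exception macro that expands to a return.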

@mikayla-grace

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@carnil

carnil commented May 1, 2017

This has been assigned CVE-2017-8348

@dlemstra dlemstra closed this as completed May 7, 2017