memory leak in ReadARTImage #456

Closed
@bestshow

On ImageMagick 7.0.5-5

The ReadARTImage function in art.c:156 allows attackers to cause a denial of service (memory leak) via a crafted file.

#convert $FILE out.bmp

Direct leak of 152 byte(s) in 1 object(s) allocated from:
#0 0x7f5ffe586b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
#1 0x43ecdb in AcquireMagickMemory MagickCore/memory.c:463
#2 0x982520 in AcquireQuantumInfo MagickCore/quantum.c:118
#3 0x50c8d2 in ReadARTImage coders/art.c:156
#4 0x7f27a7 in ReadImage MagickCore/constitute.c:497
#5 0x7f48f5 in ReadImages MagickCore/constitute.c:866
#6 0xadc3e5 in ConvertImageCommand MagickWand/convert.c:639
#7 0xc10308 in MagickCommandGenesis MagickWand/mogrify.c:183
#8 0x40f839 in MagickMain utilities/magick.c:149
#9 0x40fa06 in main utilities/magick.c:180
#10 0x7f5ff9895b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

Indirect leak of 101380 byte(s) in 4 object(s) allocated from:
#0 0x7f5ffe586b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
#1 0x43ecdb in AcquireMagickMemory MagickCore/memory.c:463
#2 0x43ed2f in AcquireQuantumMemory MagickCore/memory.c:536
#3 0x982955 in AcquireQuantumPixels MagickCore/quantum.c:175
#4 0x984573 in SetQuantumDepth MagickCore/quantum.c:693
#5 0x982692 in AcquireQuantumInfo MagickCore/quantum.c:125
#6 0x50c8d2 in ReadARTImage coders/art.c:156
#7 0x7f27a7 in ReadImage MagickCore/constitute.c:497
#8 0x7f48f5 in ReadImages MagickCore/constitute.c:866
#9 0xadc3e5 in ConvertImageCommand MagickWand/convert.c:639
#10 0xc10308 in MagickCommandGenesis MagickWand/mogrify.c:183
#11 0x40f839 in MagickMain utilities/magick.c:149
#12 0x40fa06 in main utilities/magick.c:180
#13 0x7f5ff9895b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x7f5ffe587590 in __interceptor_posix_memalign ../../../../libsanitizer/asan/asan_malloc_linux.cc:128
#1 0x48bef5 in AcquireSemaphoreMemory MagickCore/semaphore.c:154
#2 0x48bf9d in AcquireSemaphoreInfo MagickCore/semaphore.c:200
#3 0x9835ac in GetQuantumInfo MagickCore/quantum.c:427
#4 0x982642 in AcquireQuantumInfo MagickCore/quantum.c:122
#5 0x50c8d2 in ReadARTImage coders/art.c:156
#6 0x7f27a7 in ReadImage MagickCore/constitute.c:497
#7 0x7f48f5 in ReadImages MagickCore/constitute.c:866
#8 0xadc3e5 in ConvertImageCommand MagickWand/convert.c:639
#9 0xc10308 in MagickCommandGenesis MagickWand/mogrify.c:183
#10 0x40f839 in MagickMain utilities/magick.c:149
#11 0x40fa06 in main utilities/magick.c:180
#12 0x7f5ff9895b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

Indirect leak of 32 byte(s) in 1 object(s) allocated from:
#0 0x7f5ffe586b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
#1 0x43ecdb in AcquireMagickMemory MagickCore/memory.c:463
#2 0x43ed2f in AcquireQuantumMemory MagickCore/memory.c:536
#3 0x982814 in AcquireQuantumPixels MagickCore/quantum.c:166
#4 0x984573 in SetQuantumDepth MagickCore/quantum.c:693
#5 0x982692 in AcquireQuantumInfo MagickCore/quantum.c:125
#6 0x50c8d2 in ReadARTImage coders/art.c:156
#7 0x7f27a7 in ReadImage MagickCore/constitute.c:497
#8 0x7f48f5 in ReadImages MagickCore/constitute.c:866
#9 0xadc3e5 in ConvertImageCommand MagickWand/convert.c:639
#10 0xc10308 in MagickCommandGenesis MagickWand/mogrify.c:183
#11 0x40f839 in MagickMain utilities/magick.c:149
#12 0x40fa06 in main utilities/magick.c:180
#13 0x7f5ff9895b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

101628 byte(s) leaked in 7 allocation(s).

Testcase: https://github.com/bestshow/p0cs/blob/master/memory-leak-in-ReadARTImage-17.art
Credit: ADLab of Venustech
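
Added example, not part of the original report or of ImageMagick's code: a triage script that attributes each LeakSanitizer record to its first frame under `coders/`, showing that the one direct leak (the 152-byte block from `AcquireQuantumInfo`) and every indirect leak reached only through it trace back to the same call site. The sample input is constructed from the trace above with frames trimmed; `triage` and `owner_prefix` are names introduced here.

```python
import re
from collections import defaultdict

# Constructed sample: the four leak records from the report, frames trimmed.
REPORT = """\
Direct leak of 152 byte(s) in 1 object(s) allocated from:
#0 0x7f5ffe586b58 in __interceptor_malloc asan_malloc_linux.cc:62
#1 0x43ecdb in AcquireMagickMemory MagickCore/memory.c:463
#2 0x982520 in AcquireQuantumInfo MagickCore/quantum.c:118
#3 0x50c8d2 in ReadARTImage coders/art.c:156
Indirect leak of 101380 byte(s) in 4 object(s) allocated from:
#0 0x7f5ffe586b58 in __interceptor_malloc asan_malloc_linux.cc:62
#3 0x982955 in AcquireQuantumPixels MagickCore/quantum.c:175
#6 0x50c8d2 in ReadARTImage coders/art.c:156
Indirect leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x7f5ffe587590 in __interceptor_posix_memalign asan_malloc_linux.cc:128
#2 0x48bf9d in AcquireSemaphoreInfo MagickCore/semaphore.c:200
#5 0x50c8d2 in ReadARTImage coders/art.c:156
Indirect leak of 32 byte(s) in 1 object(s) allocated from:
#0 0x7f5ffe586b58 in __interceptor_malloc asan_malloc_linux.cc:62
#3 0x982814 in AcquireQuantumPixels MagickCore/quantum.c:166
#6 0x50c8d2 in ReadARTImage coders/art.c:156
"""

HEADER = re.compile(r"(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)")

def triage(report, owner_prefix="coders/"):
    """Attribute each leak record to its first frame whose file is under owner_prefix."""
    totals = defaultdict(lambda: {"bytes": 0, "objects": 0, "direct": 0})
    current = None  # (kind, bytes, objects) of the record being read
    for line in report.splitlines():
        h = HEADER.search(line)
        if h:
            current = (h.group(1), int(h.group(2)), int(h.group(3)))
            continue
        f = FRAME.search(line)
        if f and current and f.group(2).startswith(owner_prefix):
            kind, size, count = current
            site = totals[f"{f.group(1)} {f.group(2)}:{f.group(3)}"]
            site["bytes"] += size
            site["objects"] += count
            site["direct"] += size if kind == "Direct" else 0
            current = None  # count each record once, at its innermost owner frame
    return dict(totals)

if __name__ == "__main__":
    for site, t in triage(REPORT).items():
        print(site, t)
```

The per-site totals match the report's summary line of 101628 bytes in 7 allocations.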
