memory leak in ReadPSDChannel #462

Closed
bestshow opened this issue Apr 28, 2017 · 6 comments

@bestshow commented Apr 28, 2017

on ImageMagick 7.0.5-5

The ReadPSDChannel function in psd.c:1341 allows attackers to cause a denial of service (memory leak) via a crafted file.

```text
# convert $FILE out.bmp
=================================================================

Direct leak of 7152 byte(s) in 1 object(s) allocated from:
    #0 0x7fcc6d162b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x7fcc69adfd42 in inflateInit2_ (/lib64/libz.so.1+0x7d42)
    #2 0x668d16 in ReadPSDChannel coders/psd.c:1341
    #3 0x669834 in ReadPSDLayer coders/psd.c:1424
    #4 0x66c6e1 in ReadPSDLayers coders/psd.c:1788
    #5 0x66e7d1 in ReadPSDImage coders/psd.c:2115
    #6 0x7f27a7 in ReadImage MagickCore/constitute.c:497
    #7 0x7f48f5 in ReadImages MagickCore/constitute.c:866
    #8 0xadc3e5 in ConvertImageCommand MagickWand/convert.c:639
    #9 0xc10308 in MagickCommandGenesis MagickWand/mogrify.c:183
    #10 0x40f839 in MagickMain utilities/magick.c:149
    #11 0x40fa06 in main utilities/magick.c:180
    #12 0x7fcc68471b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

7152 byte(s) leaked in 1 allocation(s).
```

testcase: https://github.com/bestshow/p0cs/blob/master/memory-leak-in-ReadPSDImage-24.psd
Credit: ADLab of Venustech
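The trace above ends in the zlib inflate path of ReadPSDChannel: the leaked block is the z_stream state that inflateInit2_ allocates and that only inflateEnd releases. As an added example, not code from this thread or from ImageMagick's psd.c, here is the same channel-decoding step written in Python with the bounds a hardened decoder wants: it walks the layer records to learn each channel's declared length and pixel count, then inflates with an output cap and a stream-end check, so a crafted channel is refused without inflating it fully. The PSD layout follows Adobe's published format as I read it; the sample files, all function names and the decision to cover only 8-bit depth and raw/zip channels are my own.

```python
"""Added example, not ImageMagick code: walk a PSD's layer records and inflate each
zip-compressed channel with an output bound and a stream-end check, so a crafted
channel can neither inflate past its declared pixel count nor leave a half-read
stream behind. Only 8-bit depth and compression types 0 (raw) and 2 (zip) are decoded."""
import struct
import zlib

RAW, RLE, ZIP, ZIP_PREDICTION = 0, 1, 2, 3


def build_test_psd(width, height, channels):
    """Constructed minimal version-1 PSD with one grayscale layer (test input only).
    channels: list of (channel_id, compression, payload)."""
    header = b"8BPS" + struct.pack(">H6xHIIHH", 1, len(channels), height, width, 8, 1)
    rec = struct.pack(">iiiiH", 0, 0, height, width, len(channels))
    for cid, _comp, payload in channels:
        rec += struct.pack(">hI", cid, 2 + len(payload))  # length counts the compression word
    name = b"\x05layer" + b"\0" * 2  # pascal string padded to a multiple of 4
    extra = struct.pack(">II", 0, 0) + name  # no mask data, no blending ranges
    rec += b"8BIM" + b"norm" + struct.pack(">BBBBI", 255, 0, 0, 0, len(extra)) + extra
    chan_data = b"".join(struct.pack(">H", comp) + p for _cid, comp, p in channels)
    layer_info = struct.pack(">h", 1) + rec + chan_data
    layer_info = struct.pack(">I", len(layer_info)) + layer_info
    # empty color-mode and image-resource sections, then the layer-and-mask section
    return header + struct.pack(">III", 0, 0, len(layer_info)) + layer_info


def parse_layer_channels(data):
    """Header -> layer records -> channel image data; each channel dict gets its
    compression, payload and expected decoded size (width * height at 8-bit)."""
    if data[:4] != b"8BPS":
        raise ValueError("not a PSD file")
    if struct.unpack_from(">H6xHIIHH", data, 4)[4] != 8:
        raise ValueError("example handles 8-bit depth only")
    off = 26
    for _ in range(2):  # skip color-mode data and image resources by their lengths
        off += 4 + struct.unpack_from(">I", data, off)[0]
    off += 8  # layer-and-mask length, then layer-info length
    count = struct.unpack_from(">h", data, off)[0]  # negative only flags merged alpha
    off += 2
    layers = []
    for _ in range(abs(count)):
        top, left, bottom, right, nchan = struct.unpack_from(">iiiiH", data, off)
        off += 18
        if bottom < top or right < left:
            raise ValueError("inverted layer rectangle")
        chans = []
        for _ in range(nchan):
            cid, clen = struct.unpack_from(">hI", data, off)
            off += 6
            chans.append({"id": cid, "length": clen, "expected": (bottom - top) * (right - left)})
        if data[off:off + 4] != b"8BIM":
            raise ValueError("bad blend-mode signature")
        extra_len = struct.unpack_from(">BBBBI", data, off + 8)[4]  # after signature + blend key
        off += 16 + extra_len
        layers.append(chans)
    for chans in layers:  # channel image data follows all records, in the same order
        for ch in chans:
            if ch["length"] < 2 or off + ch["length"] > len(data):
                raise ValueError("channel length runs outside the file")
            ch["compression"] = struct.unpack_from(">H", data, off)[0]
            ch["payload"] = data[off + 2:off + ch["length"]]
            off += ch["length"]
    return layers


def decode_channel(ch):
    """Inflate one channel. Output is capped at expected+1 bytes, so an over-long stream
    is refused without inflating it all, and the stream must have reached its end.
    Python frees the inflater; C code must reach inflateEnd on every exit path."""
    comp, payload, expected = ch["compression"], ch["payload"], ch["expected"]
    if comp == RAW:
        out = payload
    elif comp == ZIP:
        inflater = zlib.decompressobj()
        out = inflater.decompress(payload, expected + 1)
        if not inflater.eof:
            raise ValueError("zip stream truncated or longer than declared")
    elif comp in (RLE, ZIP_PREDICTION):
        raise NotImplementedError("PackBits and zip-with-prediction not covered here")
    else:
        raise ValueError("unknown compression %d" % comp)
    if len(out) != expected:
        raise ValueError("decoded %d bytes, expected %d" % (len(out), expected))
    return out


def check_psd(data):
    """Decode every layer channel; returns (layer_index, channel_id, status) triples."""
    results = []
    for i, chans in enumerate(parse_layer_channels(data)):
        for ch in chans:
            try:
                decode_channel(ch)
                results.append((i, ch["id"], "ok"))
            except (ValueError, NotImplementedError, zlib.error) as exc:
                results.append((i, ch["id"], "rejected: %s" % exc))
    return results


PIXELS = bytes(range(16))  # constructed 4x4 8-bit channel
GOOD = build_test_psd(4, 4, [(0, ZIP, zlib.compress(PIXELS)), (-1, RAW, PIXELS)])
BOMB = build_test_psd(4, 4, [(0, ZIP, zlib.compress(b"\0" * 100000))])  # inflates far past 16 bytes
CUT = build_test_psd(4, 4, [(0, ZIP, zlib.compress(PIXELS)[:-4])])  # stream never reaches its end
```

`check_psd(GOOD)` reports both channels ok, while `BOMB` and `CUT` are rejected after at most 17 bytes of output. Structural errors (a record that runs off the end of the file) surface as `struct.error` from the parser rather than as a per-channel status; a file-level guard would wrap `parse_layer_channels` the same way. The point for the C decoder is that every one of these rejection paths is an early exit after inflateInit, and each one needs its matching inflateEnd.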

@asarubbo commented Apr 30, 2017

@bestshow
it is great that you spend time on fuzzing research and report bugs, but in my opinion it is not worth asking for a CVE for each memory leak you find, unless you can demonstrate how dangerous that leak can be.
Personally I never enable the leak sanitizer, but obviously you are free to do whatever.
See also: https://bugs.gentoo.org/show_bug.cgi?id=566038#c3

@bestshow (Author) commented Apr 30, 2017

@asarubbo Thanks for your advice.

@dlemstra dlemstra added the bug label May 2, 2017

@dlemstra (Member) commented May 3, 2017

@bestshow Could you place the report inside a code block next time? You keep referencing unrelated issues because of the #1 part.

dlemstra added a commit that referenced this issue May 3, 2017

dlemstra added a commit that referenced this issue May 3, 2017

@attritionorg commented May 4, 2017

Including how much memory is leaked is very helpful information in determining if the issue poses real risk.
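As an added triage helper, not from this thread, the following parser sizes each leak in a LeakSanitizer report and names the first frame that belongs to the project under test, which gives the per-leak byte count at a glance and avoids pasting raw `#1` frames into an issue. The sample report is constructed: its first leak copies the figures quoted in this issue, the second leak and its `example_alloc` frame are invented.

```python
"""Added triage helper (not from this thread): parse a LeakSanitizer report, size each
leak, and name the first frame in the project's own code rather than in the allocator,
sanitizer runtime or system libraries."""
import re

LEAK_HEADER = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)")
# Frames from the allocator, sanitizer runtime and system libraries are not where the
# fix goes; skip them when choosing the frame to report.
FOREIGN = ("__interceptor_", "asan_", "libz.so", "libc.so", "__libc_")


def parse_lsan_report(text):
    """Return one dict per leak: kind, bytes, objects, frames and the first project frame."""
    leaks, current = [], None
    for line in text.splitlines():
        m = LEAK_HEADER.match(line)
        if m:
            current = {"kind": m.group(1), "bytes": int(m.group(2)),
                       "objects": int(m.group(3)), "frames": []}
            leaks.append(current)
            continue
        m = FRAME.match(line)
        if m and current is not None:
            current["frames"].append((m.group(2), m.group(3)))
    for leak in leaks:
        leak["origin"] = next(
            ((fn, loc) for fn, loc in leak["frames"]
             if not any(tag in fn or tag in loc for tag in FOREIGN)),
            None)
    return leaks


def summarise(text):
    """Total leaked bytes plus (bytes, function, file:line) per leak, largest first."""
    leaks = parse_lsan_report(text)
    rows = sorted(((leak["bytes"],) + (leak["origin"] or ("?", "?")) for leak in leaks),
                  reverse=True)
    return sum(leak["bytes"] for leak in leaks), rows


# Constructed sample: the first leak repeats the numbers from this issue, the second is invented.
SAMPLE_REPORT = """\
=================================================================
==12345==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 7152 byte(s) in 1 object(s) allocated from:
    #0 0x7fcc6d162b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x7fcc69adfd42 in inflateInit2_ (/lib64/libz.so.1+0x7d42)
    #2 0x668d16 in ReadPSDChannel coders/psd.c:1341
    #3 0x669834 in ReadPSDLayer coders/psd.c:1424

Indirect leak of 64 byte(s) in 2 object(s) allocated from:
    #0 0x7fcc6d162b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x400abc in example_alloc src/example.c:10

SUMMARY: AddressSanitizer: 7216 byte(s) leaked in 3 allocation(s).
"""
```

`summarise(SAMPLE_REPORT)` returns the 7216-byte total and places the 7152-byte leak at `ReadPSDChannel coders/psd.c:1341` first. A per-file figure of a few kilobytes only matters in a long-running process that decodes many untrusted files, so the number is what lets a maintainer weigh the report.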

@bestshow (Author) commented May 4, 2017

@dlemstra OK, I will do it next time.

@nohmask commented Sep 8, 2017

This was assigned CVE-2017-9440.
