Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

memory leak in ReadPSDChannel #462

Closed
bestshow opened this issue Apr 28, 2017 · 6 comments
Closed

memory leak in ReadPSDChannel #462

bestshow opened this issue Apr 28, 2017 · 6 comments
Labels

Comments

@bestshow
Copy link

bestshow commented Apr 28, 2017

on ImageMagick 7.0.5-5

The ReadPSDChannel function in psd.c:1341 allows attackers to cause a denial of service (memory leak) via a crafted file.

#convert $FILE out.bmp
=================================================================

Direct leak of 7152 byte(s) in 1 object(s) allocated from:
    #0 0x7fcc6d162b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x7fcc69adfd42 in inflateInit2_ (/lib64/libz.so.1+0x7d42)
    #2 0x668d16 in ReadPSDChannel coders/psd.c:1341
    #3 0x669834 in ReadPSDLayer coders/psd.c:1424
    #4 0x66c6e1 in ReadPSDLayers coders/psd.c:1788
    #5 0x66e7d1 in ReadPSDImage coders/psd.c:2115
    #6 0x7f27a7 in ReadImage MagickCore/constitute.c:497
    #7 0x7f48f5 in ReadImages MagickCore/constitute.c:866
    #8 0xadc3e5 in ConvertImageCommand MagickWand/convert.c:639
    #9 0xc10308 in MagickCommandGenesis MagickWand/mogrify.c:183
    #10 0x40f839 in MagickMain utilities/magick.c:149
    #11 0x40fa06 in main utilities/magick.c:180
    #12 0x7fcc68471b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

7152 byte(s) leaked in 1 allocation(s).

testcase:https://github.com/bestshow/p0cs/blob/master/memory-leak-in-ReadPSDImage-24.psd
Credit:ADLab of Venustech

@asarubbo
Copy link

@bestshow
it is great that you spend time in fuzzing research and report bugs, but in my opinion is worth ask a CVE for each memory leak you find..unless you can demonstrate how much dangerous that leak can be.
Personally I never enable the leak sanitizer, but, obviously you are free to do whatever.
See also: https://bugs.gentoo.org/show_bug.cgi?id=566038#c3

@bestshow
Copy link
Author

bestshow commented Apr 30, 2017

@asarubbo Thanks for your advice.

@dlemstra dlemstra added the bug label May 2, 2017
@dlemstra
Copy link
Member

dlemstra commented May 3, 2017

@bestshow Could you place the report inside a code block next time? You keep referencing unrelated issues because of the #1 part.

dlemstra added a commit that referenced this issue May 3, 2017
dlemstra added a commit that referenced this issue May 3, 2017
@attritionorg
Copy link

Including how much memory is leaked is very helpful information in determining if the issue poses real risk.

@bestshow
Copy link
Author

bestshow commented May 4, 2017

@dlemstra OK,I will do it next time.

@nohmask
Copy link

nohmask commented Sep 8, 2017

This was assigned CVE-2017-9440.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Development

No branches or pull requests

5 participants