memory exhaustion in ReadICONImage #466
Comments
Thanks for reporting this but this would not classify as a memory leak but as a possible memory exhaustion. You can prevent this with the
@dlemstra thank you, I changed the title
No problem and thanks for reporting this
This issue has been assigned CVE-2017-8765
ImageMagick 7.0.5-6
$ magick identify $FILE
When identifying an icon file, ImageMagick allocates memory to store the colormap in function ReadICONImage in coders\icon.c, line 449:
//////////////////////////////////
if (AcquireImageColormap(image,image->colors,exception) ==
MagickFalse)
\\\\\\\\\\\\\\\\\\
image->colors can be controlled, as it is assigned as follows (line 431):
//////////////////////////////////
if ((icon_info.number_colors != 0) || (icon_info.bits_per_pixel <= 16U))
  {
    image->storage_class=PseudoClass;
    image->colors=icon_info.number_colors; //can be controlled
    if (image->colors == 0)
      image->colors=one << icon_info.bits_per_pixel;
  }
\\\\\\\\\\\\\\\\\\
icon_info.number_colors is read directly from the icon file without checking (line 400):
//////////////////////////////////
icon_info.number_colors=ReadBlobLSBLong(image); //can be controlled by modifying the icon file
\\\\\\\\\\\\\\\\\\
So, modifying number_colors can cause ImageMagick to allocate an arbitrary amount of memory; this may cause memory exhaustion.
Reproducer: https://github.com/jgj212/poc/blob/master/ImageMagick-7.0.5-6-colormap-memory-leak.ICON
Credit: ADLab of Venustech
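A pre-allocation check for the `number_colors` field described in the report above, as an added example (not ImageMagick's code and not its fix for this issue). The function names, the return codes and the rule that a declared palette must fit in the bytes remaining in the file are assumptions of this example, and it handles BMP-style icon entries only (no embedded PNG).

```c
#include <stddef.h>
#include <stdint.h>

enum { ICON_OK = 0, ICON_TRUNCATED = -1, ICON_BAD_COLORS = -2 };
static uint32_t rd_le(const uint8_t *p, int n) { /* little-endian read */
  uint32_t v = 0;
  while (n-- > 0) v = (v << 8) | p[n];
  return v;
}

/* Colormap entries one 40-byte BITMAPINFOHEADER may request; avail is the
   byte count from the start of that header to the end of the file. */
static int icon_colormap_entries(const uint8_t *hdr, size_t avail, uint32_t *colors) {
  if (avail < 40) return ICON_TRUNCATED;
  uint32_t bits_per_pixel = rd_le(hdr + 14, 2);
  uint32_t number_colors = rd_le(hdr + 32, 4); /* untrusted file field */
  *colors = 0;
  if (number_colors != 0) {
    /* Assumed rule: a palette entry is 4 bytes on disk, so the count
       cannot exceed what the remaining bytes could hold. */
    if (number_colors > (avail - 40) / 4) return ICON_BAD_COLORS;
    if (bits_per_pixel <= 8 && number_colors > (1u << bits_per_pixel))
      return ICON_BAD_COLORS;
    *colors = number_colors;
  } else if (bits_per_pixel <= 16) {
    *colors = 1u << bits_per_pixel; /* bounded: at most 65536 entries */
  }
  return ICON_OK;
}

/* Check each image listed in the directory: 6-byte ICONDIR, 16-byte entries. */
static int icon_check_file(const uint8_t *buf, size_t len) {
  if (len < 6) return ICON_TRUNCATED;
  uint32_t count = rd_le(buf + 4, 2);
  if (len - 6 < (size_t)count * 16) return ICON_TRUNCATED;
  for (uint32_t i = 0; i < count; i++) {
    uint32_t colors, offset = rd_le(buf + 6 + 16 * i + 12, 4);
    if (offset > len) return ICON_TRUNCATED;
    int rc = icon_colormap_entries(buf + offset, len - offset, &colors);
    if (rc != ICON_OK) return rc;
  }
  return ICON_OK;
}

int main(void) {
  /* Constructed sample: one 4-bpp image claiming 0x7f000002 colors. */
  uint8_t ico[70] = {[2] = 1, [4] = 1, [18] = 22, [22] = 40, [36] = 4, [54] = 2, [57] = 0x7f};
  return icon_check_file(ico, sizeof ico) == ICON_BAD_COLORS ? 0 : 1;
}
```

Running the check before the decoder sees the file rejects a header whose color count is not backed by file data, independent of any resource limits configured for the decoder.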