When identifying a MAT file, ImageMagick allocates memory to store data in function ReadMATImage in coders\mat.c, line 1094:
//////////////////////////////////
quantum_info=AcquireQuantumInfo(clone_info,image);
\\\\\\\\\\\\\\\\\\
AcquireQuantumInfo(...) will call function SetQuantumDepth(...) in MagickCore\quantum.c, line 125:
//////////////////////////////////
status=SetQuantumDepth(image,quantum_info,image->depth);
\\\\\\\\\\\\\\\\\\
SetQuantumDepth(...) will call function AcquireQuantumPixels(...) in MagickCore\quantum.c, line 693:
//////////////////////////////////
SetQuantumDepth(...) // enclosing function; it makes the AcquireQuantumPixels call at line 693
{
...
extent=MagickMax(image->columns,image->rows)*quantum; // line 689, can be controlled
...
return(AcquireQuantumPixels(quantum_info,extent)); //line 693
...
}
\\\\\\\\\\\\\\\\\\
image->columns and image->rows can be controlled, as they are assigned in mat.c (line 1092):
//////////////////////////////////
image->columns = MATLAB_HDR.SizeX; // can be controlled
image->rows = MATLAB_HDR.SizeY; // can be controlled
\\\\\\\\\\\\\\\\\\
MATLAB_HDR is read directly from the MAT file without checking in mat.c (line 879):
//////////////////////////////////
if (ReadBlob(image,124,(unsigned char *) &MATLAB_HDR.identific) != 124) // can be controlled by modifying the MAT file
\\\\\\\\\\\\\\\\\\
So, modifying the MAT file's MATLAB_HDR can cause ImageMagick to allocate an arbitrary amount of memory, which may cause memory exhaustion.
ImageMagick 7.0.5-6
$magick identify $FILE
Reproducer: https://github.com/jgj212/poc/blob/master/ImageMagick-7.0.5-6-memory-exhaustion.MAT
Credit: ADLab of Venustech
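
One way to bound the allocation described above, as an added example that is not code from this report or from ImageMagick: it computes the same `MagickMax(columns,rows)*quantum` value but rejects header dimensions that are zero, that overflow, or that exceed a byte budget. The helper name `checked_extent`, the 32-bit dimension type, the 64 MiB cap and the sample values are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not an ImageMagick API): computes the same value as
   extent = MagickMax(columns, rows) * quantum, but refuses header values
   that are zero, that overflow size_t, or that exceed a caller-chosen cap. */
static int checked_extent(uint32_t columns, uint32_t rows, size_t quantum,
                          size_t max_bytes, size_t *extent)
{
  size_t longest = columns > rows ? columns : rows;

  if (columns == 0 || rows == 0 || quantum == 0)
    return 0;                           /* degenerate header */
  if (longest > SIZE_MAX / quantum)
    return 0;                           /* multiplication would wrap */
  if (longest * quantum > max_bytes)
    return 0;                           /* over the allocation budget */
  *extent = longest * quantum;
  return 1;
}

int main(void)
{
  /* Constructed sample values standing in for MATLAB_HDR.SizeX / SizeY. */
  const struct { uint32_t x, y; } samples[] = {
    { 640u, 480u }, { 0xFFFFFFFFu, 1u }, { 0u, 10u }
  };
  const size_t cap = (size_t) 64 * 1024 * 1024;   /* assumed 64 MiB budget */
  size_t i, extent;

  for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    unsigned x = (unsigned) samples[i].x, y = (unsigned) samples[i].y;

    if (checked_extent(samples[i].x, samples[i].y, 8, cap, &extent))
      printf("%ux%u: allocate %zu bytes\n", x, y, extent);
    else
      printf("%ux%u: rejected before allocation\n", x, y);
  }
  return 0;
}
```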