memory exhaustion in ReadMATImage #469

Closed
jgj212 opened this issue May 4, 2017 · 2 comments
@jgj212
Contributor

jgj212 commented May 4, 2017

ImageMagick 7.0.5-6

$magick identify $FILE

When identifying a MAT file, ImageMagick will allocate memory to store data in function ReadMATImage in coders\mat.c, line 1094
//////////////////////////////////
quantum_info=AcquireQuantumInfo(clone_info,image);
\\\\\\\\\\\\\\\\\\

AcquireQuantumInfo(...) will call function SetQuantumDepth(...) in MagicCore\quantum.c, line 125
//////////////////////////////////
status=SetQuantumDepth(image,quantum_info,image->depth);
\\\\\\\\\\\\\\\\\\

SetQuantumDepth(...) will call function AcquireQuantumPixels(...) in MagicCore\quantum.c, line 693
//////////////////////////////////
AcquireQuantumPixels(..)
{
...
extent=MagickMax(image->columns,image->rows)*quantum; // line 689, can be controlled
...
return(AcquireQuantumPixels(quantum_info,extent)); //line 693
...
}
\\\\\\\\\\\\\\\\\\

image->columns and image->rows can be controlled, as it is assigned in mat.c(line 1092):
//////////////////////////////////
image->columns = MATLAB_HDR.SizeX; // can be controlled
image->rows = MATLAB_HDR.SizeY; // can be controlled
\\\\\\\\\\\\\\\\\\

MATLAB_HDR is read directly from the MAT file without checking in mat.c (line 879):
//////////////////////////////////
if (ReadBlob(image,124,(unsigned char *) &MATLAB_HDR.identific) != 124) // can be controlled by modify MAT file
\\\\\\\\\\\\\\\\\\

So, modifying the MAT file's MATLAB_HDR can cause ImageMagick to allocate an arbitrary amount of memory; this may cause memory exhaustion.

Reproducer: https://github.com/jgj212/poc/blob/master/ImageMagick-7.0.5-6-memory-exhaustion.MAT
Credit: ADLab of Venustech

@dlemstra
Member

dlemstra commented May 4, 2017

Thanks for reporting this. It looks like we are not calling SetImageExtent at the correct moment.

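The following is an added, stand-alone C example written for this page; it is not ImageMagick code and not the reporter's PoC. It models the two points made in the thread: the report's observation that SizeX/SizeY are taken from the MAT header and fed straight into max(columns, rows) * quantum, and the maintainer's remark that the SetImageExtent dimension check has to run before any allocation derived from those dimensions. The MAT v5 offsets (128-byte text header, miMATRIX tag, array-flags subelement, dimensions subelement), the limit values, and all function names (mat_read_dimensions, quantum_extent_unchecked, quantum_extent_checked, build_hostile_mat) are assumptions made for the example; the hostile input is constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limits standing in for ImageMagick's width/height/area
 * resource limits (the real values come from the policy configuration). */
typedef struct {
    size_t max_width;
    size_t max_height;
    size_t max_area;
} ExtentLimits;

/* Read a little-endian 32-bit value, as a MAT v5 file with the 'IM'
 * endian indicator stores it. */
static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Assumed layout of a minimal MAT v5 file: 128-byte text header, 8-byte
 * miMATRIX tag, 8-byte array-flags tag + 8 bytes of flags, 8-byte
 * dimensions tag, then the two int32 dimensions (SizeX, SizeY). */
#define MAT_HEADER_LEN   128
#define MAT_DIMS_OFFSET  (MAT_HEADER_LEN + 8 + 8 + 8 + 8)
#define MAT_MIN_LEN      (MAT_DIMS_OFFSET + 8)

/* Extract SizeX/SizeY the way the report describes: straight from the
 * file, no validation.  Returns 0 only if the buffer is too short. */
int mat_read_dimensions(const unsigned char *buf, size_t len,
                        size_t *columns, size_t *rows)
{
    if (len < MAT_MIN_LEN)
        return 0;
    *columns = read_le32(buf + MAT_DIMS_OFFSET);
    *rows    = read_le32(buf + MAT_DIMS_OFFSET + 4);
    return 1;
}

/* The allocation size derived from the dimensions, as in the quoted
 * AcquireQuantumPixels path: max(columns, rows) * quantum, where quantum
 * is the per-pixel byte count.  Nothing bounds the result. */
size_t quantum_extent_unchecked(size_t columns, size_t rows, size_t quantum)
{
    size_t extent = columns > rows ? columns : rows;
    return extent * quantum;
}

/* Hardened version: validate the dimensions against the limits (the job
 * SetImageExtent does) before computing anything that will be allocated.
 * Returns 0 (nothing to allocate) when the dimensions are rejected. */
size_t quantum_extent_checked(size_t columns, size_t rows, size_t quantum,
                              const ExtentLimits *limits)
{
    size_t extent;

    if (columns == 0 || rows == 0)
        return 0;
    if (columns > limits->max_width || rows > limits->max_height)
        return 0;
    if (columns > limits->max_area / rows)          /* overflow-safe area check */
        return 0;
    extent = columns > rows ? columns : rows;
    if (quantum != 0 && extent > SIZE_MAX / quantum) /* extent*quantum would wrap */
        return 0;
    return extent * quantum;
}

/* Constructed hostile input (not the reporter's file): everything zero
 * except the MAT v5 version/endian bytes and 0x7FFFFFFF x 0x7FFFFFFF dims. */
size_t build_hostile_mat(unsigned char *buf, size_t cap)
{
    static const unsigned char huge[4] = { 0xff, 0xff, 0xff, 0x7f };

    if (cap < MAT_MIN_LEN)
        return 0;
    memset(buf, 0, MAT_MIN_LEN);
    memcpy(buf, "MATLAB 5.0 MAT-file", 19);     /* text header, cosmetic */
    buf[124] = 0x00; buf[125] = 0x01;           /* version 0x0100, little-endian */
    buf[126] = 'I';  buf[127] = 'M';            /* endian indicator */
    memcpy(buf + MAT_DIMS_OFFSET,     huge, 4); /* SizeX */
    memcpy(buf + MAT_DIMS_OFFSET + 4, huge, 4); /* SizeY */
    return MAT_MIN_LEN;
}

int main(void)
{
    unsigned char file[MAT_MIN_LEN];
    size_t len = build_hostile_mat(file, sizeof file);
    size_t columns, rows;
    const ExtentLimits limits = { 16384, 16384, (size_t)16384 * 16384 };
    const size_t quantum = 4 * 2;  /* e.g. four 16-bit channels per pixel */

    if (!mat_read_dimensions(file, len, &columns, &rows))
        return 1;
    printf("header claims %zu x %zu\n", columns, rows);
    printf("unchecked extent: %zu bytes\n",
           quantum_extent_unchecked(columns, rows, quantum));
    printf("checked extent:   %zu bytes (0 = rejected)\n",
           quantum_extent_checked(columns, rows, quantum, &limits));
    return 0;
}
```

The unchecked path happily returns a multi-gigabyte extent for a file a few hundred bytes long; the checked path rejects the same header before any size is computed, which is the ordering the maintainer's comment is about. The area and quantum checks are written as divisions rather than multiplications so that the guard itself cannot overflow.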