memory exhaustion in ReadTGAImage #472
Comments
With the latest IM 7.0.5-6 compiled with afl-clang, we cannot reproduce the problem you posted. We get expected results:
@mikayla-grace Are you testing on a 32-bit OS or a 64-bit OS? On a 32-bit OS the overflow will not happen, so this code path may not be hit. I will test it again; I used gcc to compile IM 7.0.5-6.
Just tested this on a 64-bit build of Windows, and with a debugger I get the following values:

```c
image->colors=one << tga_info.bits_per_pixel; // 4294967296
if (image->colors > ((~0UL)/sizeof(*image->colormap))) // 4294967296 > 48806446
  ThrowReaderException(CorruptImageError,"ImproperImageHeader");
```
This line is right; I am not sure whether the next line will trigger before allocating memory with size 0x100000000. @dlemstra thank you. I will test it again tomorrow.
@dlemstra @mikayla-grace I found that Cristy committed a patch for this issue a day ago. Maybe he forgot to
It is here:
Does this affect V6? I have not found the commit.
This is CVE-2017-11170: memory exhaustion in ReadTGAImage.
This is the IM6 commit: ea03f17
ImageMagick 7.0.5-6
`$ magick identify $FILE`

When identifying a VST file, ImageMagick allocates memory to store data in the function ReadTGAImage in coders\tga.c (line 274):
tga_info.bits_per_pixel is taken directly from the VST file without checking, in tga.c (line 231):
By reviewing the function code, the maximum valid value of tga_info.bits_per_pixel is 32.
On a 32-bit OS, size_t one will be 32-bit, so image->colors can overflow to 0.
On a 64-bit OS, size_t one will be 64-bit, so image->colors can be as large as 0x100000000 (64GB).
Normally, this will not cause a problem because image->storage_class equals PseudoClass.
But image->storage_class can also be controlled; it is assigned as follows:
image_type is taken directly from the VST file.
The memory allocation happens earlier than the security check.
So, modifying image_type and bits_per_pixel can cause ImageMagick to allocate a large amount of memory, which may cause memory exhaustion.
Reproducer: https://github.com/jgj212/poc/blob/master/ImageMagick-7.0.5-6-memory-exhaustion.VST
Credit: ADLab of Venustech
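An added example (not ImageMagick's code) that models the `one << tga_info.bits_per_pixel` computation discussed in this thread for a 32-bit and a 64-bit size_t, and then shows the bound check placed before any allocation. The colormap entry size, the palette-bit cap and the memory limit are assumed values chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Added example, not ImageMagick code. Models the thread's
 * image->colors = one << tga_info.bits_per_pixel for a 32-bit and a
 * 64-bit size_t, then a check that runs before any allocation.
 * ENTRY_SIZE, MAX_PALETTE_BITS and the limit are assumed values. */

#define ENTRY_SIZE 88ULL       /* assumed sizeof(*image->colormap) */
#define MAX_PALETTE_BITS 16u   /* assumed cap on a palette index width */

/* 32-bit size_t: 1 << 32 does not fit, the truncated value is 0. */
uint32_t colors_size32(unsigned bpp) {
    if (bpp > 63) return 0;
    return (uint32_t)((uint64_t)1 << bpp);
}

/* 64-bit size_t: 1 << 32 is 0x100000000 colormap entries. */
uint64_t colors_size64(unsigned bpp) {
    if (bpp > 63) return 0;
    return (uint64_t)1 << bpp;
}

/* Bytes the colormap would need, or 0 when the untrusted field is
 * rejected. The field is validated BEFORE the shift and the multiply. */
uint64_t colormap_bytes(unsigned bpp) {
    if (bpp == 0 || bpp > MAX_PALETTE_BITS) return 0;
    uint64_t colors = (uint64_t)1 << bpp;
    if (colors > UINT64_MAX / ENTRY_SIZE) return 0;   /* no wraparound */
    return colors * ENTRY_SIZE;
}

/* Allocation gate: size must be known, non-zero and under the limit. */
int colormap_alloc_ok(unsigned bpp, uint64_t limit) {
    uint64_t bytes = colormap_bytes(bpp);
    return bytes != 0 && bytes <= limit;
}

int main(void) {
    uint64_t limit = 1ULL << 30;   /* assumed 1 GiB resource limit */
    printf("32-bit size_t, bpp=32: %u colors\n", colors_size32(32));
    printf("64-bit size_t, bpp=32: %llu colors (%llu bytes)\n",
           (unsigned long long)colors_size64(32),
           (unsigned long long)(colors_size64(32) * ENTRY_SIZE));
    printf("gate bpp=32: %s\n", colormap_alloc_ok(32, limit) ? "alloc" : "reject");
    printf("gate bpp=8:  %s (%llu bytes)\n",
           colormap_alloc_ok(8, limit) ? "alloc" : "reject",
           (unsigned long long)colormap_bytes(8));
    return 0;
}
```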