memory leak in ReadJNGImage #475

Closed
bestshow opened this issue May 6, 2017 · 3 comments

bestshow commented May 6, 2017

On ImageMagick 7.0.5-6 Q16.

The ReadJNGImage function in png.c:5241 allows attackers to cause a denial of service (memory leak) via a crafted file.

#identify $FILE

Direct leak of 13488 byte(s) in 1 object(s) allocated from:
    #0 0x7fd3a5bf6b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x43ecdb in AcquireMagickMemory MagickCore/memory.c:463
    #2 0x41428a in AcquireImage MagickCore/image.c:169
    #3 0x71e3f1 in ReadOneJNGImage coders/png.c:4690
    #4 0x720ed9 in ReadJNGImage coders/png.c:5241
    #5 0x7f2551 in ReadImage MagickCore/constitute.c:497
    #6 0x9e3f51 in ReadStream MagickCore/stream.c:1045
    #7 0x7f15ff in PingImage MagickCore/constitute.c:226
    #8 0x7f1bb2 in PingImages MagickCore/constitute.c:327
    #9 0xbb955e in IdentifyImageCommand MagickWand/identify.c:319
    #10 0xc100b2 in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x40f839 in MagickMain utilities/magick.c:149
    #12 0x40fa06 in main utilities/magick.c:180
    #13 0x7fd3a0f05b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

Direct leak of 13024 byte(s) in 1 object(s) allocated from:
    #0 0x7fd3a5bf6b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x43ecdb in AcquireMagickMemory MagickCore/memory.c:463
    #2 0x71e334 in ReadOneJNGImage coders/png.c:4684
    #3 0x720ed9 in ReadJNGImage coders/png.c:5241
    #4 0x7f2551 in ReadImage MagickCore/constitute.c:497
    #5 0x9e3f51 in ReadStream MagickCore/stream.c:1045
    #6 0x7f15ff in PingImage MagickCore/constitute.c:226
    #7 0x7f1bb2 in PingImages MagickCore/constitute.c:327
    #8 0xbb955e in IdentifyImageCommand MagickWand/identify.c:319
    #9 0xc100b2 in MagickCommandGenesis MagickWand/mogrify.c:183
    #10 0x40f839 in MagickMain utilities/magick.c:149
    #11 0x40fa06 in main utilities/magick.c:180
    #12 0x7fd3a0f05b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

Indirect leak of 13024 byte(s) in 1 object(s) allocated from:
    #0 0x7fd3a5bf6b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x43ecdb in AcquireMagickMemory MagickCore/memory.c:463
    #2 0x416459 in AcquireImageInfo MagickCore/image.c:347
    #3 0x4193aa in CloneImageInfo MagickCore/image.c:952
    #4 0x425570 in SyncImageSettings MagickCore/image.c:4051
    #5 0x416002 in AcquireImage MagickCore/image.c:290
    #6 0x71e3f1 in ReadOneJNGImage coders/png.c:4690
    #7 0x720ed9 in ReadJNGImage coders/png.c:5241
    #8 0x7f2551 in ReadImage MagickCore/constitute.c:497
    #9 0x9e3f51 in ReadStream MagickCore/stream.c:1045
    #10 0x7f15ff in PingImage MagickCore/constitute.c:226
    #11 0x7f1bb2 in PingImages MagickCore/constitute.c:327
    #12 0xbb955e in IdentifyImageCommand MagickWand/identify.c:319
    #13 0xc100b2 in MagickCommandGenesis MagickWand/mogrify.c:183
    #14 0x40f839 in MagickMain utilities/magick.c:149
    #15 0x40fa06 in main utilities/magick.c:180
    #16 0x7fd3a0f05b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

Indirect leak of 9096 byte(s) in 1 object(s) allocated from:
    #0 0x7fd3a5bf6b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x43ecdb in AcquireMagickMemory MagickCore/memory.c:463
    #2 0x43ed2f in AcquireQuantumMemory MagickCore/memory.c:536
    #3 0x79a9e8 in AcquirePixelCache MagickCore/cache.c:195
    #4 0x4149a1 in AcquireImage MagickCore/image.c:206
    #5 0x71e3f1 in ReadOneJNGImage coders/png.c:4690
    #6 0x720ed9 in ReadJNGImage coders/png.c:5241
    #7 0x7f2551 in ReadImage MagickCore/constitute.c:497
    #8 0x9e3f51 in ReadStream MagickCore/stream.c:1045
    #9 0x7f15ff in PingImage MagickCore/constitute.c:226
    #10 0x7f1bb2 in PingImages MagickCore/constitute.c:327
    #11 0xbb955e in IdentifyImageCommand MagickWand/identify.c:319
    #12 0xc100b2 in MagickCommandGenesis MagickWand/mogrify.c:183
    #13 0x40f839 in MagickMain utilities/magick.c:149
    #14 0x40fa06 in main utilities/magick.c:180
    #15 0x7fd3a0f05b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

Indirect leak of 512 byte(s) in 1 object(s) allocated from:
    #0 0x7fd3a5bf6b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x43ecdb in AcquireMagickMemory MagickCore/memory.c:463
    #2 0x43ed2f in AcquireQuantumMemory MagickCore/memory.c:536
    #3 0x4490c6 in AcquirePixelChannelMap MagickCore/pixel.c:101
    #4 0x414a2a in AcquireImage MagickCore/image.c:208
    #5 0x71e3f1 in ReadOneJNGImage coders/png.c:4690
    #6 0x720ed9 in ReadJNGImage coders/png.c:5241
    #7 0x7f2551 in ReadImage MagickCore/constitute.c:497
    #8 0x9e3f51 in ReadStream MagickCore/stream.c:1045
    #9 0x7f15ff in PingImage MagickCore/constitute.c:226
    #10 0x7f1bb2 in PingImages MagickCore/constitute.c:327
    #11 0xbb955e in IdentifyImageCommand MagickWand/identify.c:319
    #12 0xc100b2 in MagickCommandGenesis MagickWand/mogrify.c:183
    #13 0x40f839 in MagickMain utilities/magick.c:149
    #14 0x40fa06 in main utilities/magick.c:180
    #15 0x7fd3a0f05b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

Indirect leak of 352 byte(s) in 1 object(s) allocated from:
    #0 0x7fd3a5bf6b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x43ecdb in AcquireMagickMemory MagickCore/memory.c:463
    #2 0x43ed2f in AcquireQuantumMemory MagickCore/memory.c:536
    #3 0x79b20e in AcquirePixelCacheNexus MagickCore/cache.c:268
    #4 0x79add9 in AcquirePixelCache MagickCore/cache.c:211
    #5 0x4149a1 in AcquireImage MagickCore/image.c:206
    #6 0x71e3f1 in ReadOneJNGImage coders/png.c:4690
    #7 0x720ed9 in ReadJNGImage coders/png.c:5241
    #8 0x7f2551 in ReadImage MagickCore/constitute.c:497
    #9 0x9e3f51 in ReadStream MagickCore/stream.c:1045
    #10 0x7f15ff in PingImage MagickCore/constitute.c:226
    #11 0x7f1bb2 in PingImages MagickCore/constitute.c:327
    #12 0xbb955e in IdentifyImageCommand MagickWand/identify.c:319
    #13 0xc100b2 in MagickCommandGenesis MagickWand/mogrify.c:183
    #14 0x40f839 in MagickMain utilities/magick.c:149
    #15 0x40fa06 in main utilities/magick.c:180
    #16 0x7fd3a0f05b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

Indirect leak of 280 byte(s) in 1 object(s) allocated from:
    #0 0x7fd3a5bf6b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x43ecdb in AcquireMagickMemory MagickCore/memory.c:463
    #2 0x783bd5 in CloneBlobInfo MagickCore/blob.c:503
    #3 0x414a6f in AcquireImage MagickCore/image.c:209
    #4 0x71e3f1 in ReadOneJNGImage coders/png.c:4690
    #5 0x720ed9 in ReadJNGImage coders/png.c:5241
    #6 0x7f2551 in ReadImage MagickCore/constitute.c:497
    #7 0x9e3f51 in ReadStream MagickCore/stream.c:1045
    #8 0x7f15ff in PingImage MagickCore/constitute.c:226
    #9 0x7f1bb2 in PingImages MagickCore/constitute.c:327
    #10 0xbb955e in IdentifyImageCommand MagickWand/identify.c:319
    #11 0xc100b2 in MagickCommandGenesis MagickWand/mogrify.c:183
    #12 0x40f839 in MagickMain utilities/magick.c:149
    #13 0x40fa06 in main utilities/magick.c:180
    #14 0x7fd3a0f05b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7fd3a5bf7590 in __interceptor_posix_memalign ../../../../libsanitizer/asan/asan_malloc_linux.cc:128
    #1 0x48bef5 in AcquireSemaphoreMemory MagickCore/semaphore.c:154
    #2 0x48bf9d in AcquireSemaphoreInfo MagickCore/semaphore.c:200
    #3 0x79b046 in AcquirePixelCache MagickCore/cache.c:228
    #4 0x4149a1 in AcquireImage MagickCore/image.c:206
    #5 0x71e3f1 in ReadOneJNGImage coders/png.c:4690
    #6 0x720ed9 in ReadJNGImage coders/png.c:5241
    #7 0x7f2551 in ReadImage MagickCore/constitute.c:497
    #8 0x9e3f51 in ReadStream MagickCore/stream.c:1045
    #9 0x7f15ff in PingImage MagickCore/constitute.c:226
    #10 0x7f1bb2 in PingImages MagickCore/constitute.c:327
    #11 0xbb955e in IdentifyImageCommand MagickWand/identify.c:319
    #12 0xc100b2 in MagickCommandGenesis MagickWand/mogrify.c:183
    #13 0x40f839 in MagickMain utilities/magick.c:149
    #14 0x40fa06 in main utilities/magick.c:180
    #15 0x7fd3a0f05b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7fd3a5bf7590 in __interceptor_posix_memalign ../../../../libsanitizer/asan/asan_malloc_linux.cc:128
    #1 0x43ec4c in AcquireAlignedMemory MagickCore/memory.c:261
    #2 0x79b125 in AcquirePixelCacheNexus MagickCore/cache.c:264
    #3 0x79add9 in AcquirePixelCache MagickCore/cache.c:211
    #4 0x4149a1 in AcquireImage MagickCore/image.c:206
    #5 0x71e3f1 in ReadOneJNGImage coders/png.c:4690
    #6 0x720ed9 in ReadJNGImage coders/png.c:5241
    #7 0x7f2551 in ReadImage MagickCore/constitute.c:497
    #8 0x9e3f51 in ReadStream MagickCore/stream.c:1045
    #9 0x7f15ff in PingImage MagickCore/constitute.c:226
    #10 0x7f1bb2 in PingImages MagickCore/constitute.c:327
    #11 0xbb955e in IdentifyImageCommand MagickWand/identify.c:319
    #12 0xc100b2 in MagickCommandGenesis MagickWand/mogrify.c:183
    #13 0x40f839 in MagickMain utilities/magick.c:149
    #14 0x40fa06 in main utilities/magick.c:180
    #15 0x7fd3a0f05b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7fd3a5bf7590 in __interceptor_posix_memalign ../../../../libsanitizer/asan/asan_malloc_linux.cc:128
    #1 0x48bef5 in AcquireSemaphoreMemory MagickCore/semaphore.c:154
    #2 0x48bf9d in AcquireSemaphoreInfo MagickCore/semaphore.c:200
    #3 0x79afd6 in AcquirePixelCache MagickCore/cache.c:226
    #4 0x4149a1 in AcquireImage MagickCore/image.c:206
    #5 0x71e3f1 in ReadOneJNGImage coders/png.c:4690
    #6 0x720ed9 in ReadJNGImage coders/png.c:5241
    #7 0x7f2551 in ReadImage MagickCore/constitute.c:497
    #8 0x9e3f51 in ReadStream MagickCore/stream.c:1045
    #9 0x7f15ff in PingImage MagickCore/constitute.c:226
    #10 0x7f1bb2 in PingImages MagickCore/constitute.c:327
    #11 0xbb955e in IdentifyImageCommand MagickWand/identify.c:319
    #12 0xc100b2 in MagickCommandGenesis MagickWand/mogrify.c:183
    #13 0x40f839 in MagickMain utilities/magick.c:149
    #14 0x40fa06 in main utilities/magick.c:180
    #15 0x7fd3a0f05b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7fd3a5bf7590 in __interceptor_posix_memalign ../../../../libsanitizer/asan/asan_malloc_linux.cc:128
    #1 0x48bef5 in AcquireSemaphoreMemory MagickCore/semaphore.c:154
    #2 0x48bf9d in AcquireSemaphoreInfo MagickCore/semaphore.c:200
    #3 0x788581 in GetBlobInfo MagickCore/blob.c:1413
    #4 0x783cb9 in CloneBlobInfo MagickCore/blob.c:506
    #5 0x414a6f in AcquireImage MagickCore/image.c:209
    #6 0x71e3f1 in ReadOneJNGImage coders/png.c:4690
    #7 0x720ed9 in ReadJNGImage coders/png.c:5241
    #8 0x7f2551 in ReadImage MagickCore/constitute.c:497
    #9 0x9e3f51 in ReadStream MagickCore/stream.c:1045
    #10 0x7f15ff in PingImage MagickCore/constitute.c:226
    #11 0x7f1bb2 in PingImages MagickCore/constitute.c:327
    #12 0xbb955e in IdentifyImageCommand MagickWand/identify.c:319
    #13 0xc100b2 in MagickCommandGenesis MagickWand/mogrify.c:183
    #14 0x40f839 in MagickMain utilities/magick.c:149
    #15 0x40fa06 in main utilities/magick.c:180
    #16 0x7fd3a0f05b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7fd3a5bf7590 in __interceptor_posix_memalign ../../../../libsanitizer/asan/asan_malloc_linux.cc:128
    #1 0x48bef5 in AcquireSemaphoreMemory MagickCore/semaphore.c:154
    #2 0x48bf9d in AcquireSemaphoreInfo MagickCore/semaphore.c:200
    #3 0x414b7d in AcquireImage MagickCore/image.c:213
    #4 0x71e3f1 in ReadOneJNGImage coders/png.c:4690
    #5 0x720ed9 in ReadJNGImage coders/png.c:5241
    #6 0x7f2551 in ReadImage MagickCore/constitute.c:497
    #7 0x9e3f51 in ReadStream MagickCore/stream.c:1045
    #8 0x7f15ff in PingImage MagickCore/constitute.c:226
    #9 0x7f1bb2 in PingImages MagickCore/constitute.c:327
    #10 0xbb955e in IdentifyImageCommand MagickWand/identify.c:319
    #11 0xc100b2 in MagickCommandGenesis MagickWand/mogrify.c:183
    #12 0x40f839 in MagickMain utilities/magick.c:149
    #13 0x40fa06 in main utilities/magick.c:180
    #14 0x7fd3a0f05b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

50096 byte(s) leaked in 12 allocation(s).

testcase: https://github.com/bestshow/p0cs/blob/master/memory-leak-in-ReadJNGImage-png5241.jng
Credit: ADLab of Venustech
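As an added triage aid (not code from this issue or from ImageMagick), the parser below groups a LeakSanitizer report like the one above by its innermost `coders/` frame, which is the allocation the coder is responsible for releasing on every exit path, and checks that the per-record sizes add up to the summary line. The embedded report is a constructed, abbreviated excerpt of the one posted in this issue.

```python
import re
from collections import defaultdict

# Constructed excerpt of the report above: three of its twelve records, stacks abbreviated.
SAMPLE_REPORT = """\
Direct leak of 13488 byte(s) in 1 object(s) allocated from:
    #0 0x7fd3a5bf6b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x43ecdb in AcquireMagickMemory MagickCore/memory.c:463
    #2 0x41428a in AcquireImage MagickCore/image.c:169
    #3 0x71e3f1 in ReadOneJNGImage coders/png.c:4690
Direct leak of 13024 byte(s) in 1 object(s) allocated from:
    #0 0x7fd3a5bf6b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x43ecdb in AcquireMagickMemory MagickCore/memory.c:463
    #2 0x71e334 in ReadOneJNGImage coders/png.c:4684
Indirect leak of 9096 byte(s) in 1 object(s) allocated from:
    #0 0x7fd3a5bf6b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x79a9e8 in AcquirePixelCache MagickCore/cache.c:195
    #2 0x4149a1 in AcquireImage MagickCore/image.c:206
    #3 0x71e3f1 in ReadOneJNGImage coders/png.c:4690
35608 byte(s) leaked in 3 allocation(s).
"""
LEAK_RE = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
SUMMARY_RE = re.compile(r"(\d+) byte\(s\) leaked in (\d+) allocation\(s\)")

def parse_leaks(report):
    """Return one (kind, bytes, objects, [(func, file:line), ...]) tuple per leak record."""
    leaks = []
    for line in report.splitlines():
        if m := LEAK_RE.match(line):
            leaks.append((m.group(1), int(m.group(2)), int(m.group(3)), []))
        elif leaks and (m := FRAME_RE.match(line)):
            leaks[-1][3].append((m.group(1), m.group(2)))
    return leaks

def coder_site(frames):
    """Innermost frame under coders/: the allocation the coder owns and must free on every path."""
    return next((f"{fn} {loc}" for fn, loc in frames if loc.startswith("coders/")), "unknown")

def triage(report):
    """Leaked bytes per coder site and kind, plus a check that the records add up to the summary."""
    leaks = parse_leaks(report)
    sites = defaultdict(lambda: {"Direct": 0, "Indirect": 0})
    for kind, nbytes, _, frames in leaks:
        sites[coder_site(frames)][kind] += nbytes
    total = (sum(l[1] for l in leaks), sum(l[2] for l in leaks))
    m = SUMMARY_RE.search(report)
    return {"sites": dict(sites), "total": total,
            "summary_ok": m is not None and (int(m.group(1)), int(m.group(2))) == total}
```

Indirect leaks are sub-objects reachable only from a directly leaked block, so on a real report the two coder sites at png.c:4684 and png.c:4690 account for all twelve allocations.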

mikayla-grace commented

With the latest IM 7.0.5-6 compiled with afl-clang, we cannot reproduce the problem you posted. We get expected results:

$ identify memory-leak-in-ReadJNGImage-png5241.mng
identify: improper image header `memory-leak-in-ReadJNGImage-png5241.mng' @ error/png.c/ReadOneJNGImage/5227.


bestshow commented May 7, 2017

With the latest IM 7.0.5-6 Q16 compiled with afl-clang, please set CFLAGS="-fsanitize=address"; it will reproduce the problem.


carnil commented May 29, 2017

This has been assigned CVE-2017-9262
