
memory leak in ReadMNGImage #476

Closed
bestshow opened this issue May 6, 2017 · 3 comments

bestshow commented May 6, 2017

on ImageMagick 7.0.5-6 Q16

The ReadMNGImage function in png.c:7706 allows attackers to cause a denial of service (memory leak) via a crafted file.

#identify $FILE

Direct leak of 28 byte(s) in 1 object(s) allocated from:
    #0 0x7f0155121b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x43ecdb in AcquireMagickMemory MagickCore/memory.c:463
    #2 0x43ed2f in AcquireQuantumMemory MagickCore/memory.c:536
    #3 0x721bba in ReadOneMNGImage coders/png.c:5451
    #4 0x72ef72 in ReadMNGImage coders/png.c:7706
    #5 0x7f2551 in ReadImage MagickCore/constitute.c:497
    #6 0x9e3f51 in ReadStream MagickCore/stream.c:1045
    #7 0x7f15ff in PingImage MagickCore/constitute.c:226
    #8 0x7f1bb2 in PingImages MagickCore/constitute.c:327
    #9 0xbb955e in IdentifyImageCommand MagickWand/identify.c:319
    #10 0xc100b2 in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x40f839 in MagickMain utilities/magick.c:149
    #12 0x40fa06 in main utilities/magick.c:180
    #13 0x7f0150430b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

28 byte(s) leaked in 1 allocation(s).

testcase: https://github.com/bestshow/p0cs/blob/master/memory-leak-in-ReadMNGImage-png7706.mng
Credit: ADLab of Venustech
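As an added illustration that is not ImageMagick's code, the following hypothetical MNG frame reader shows the bug class the ASan report above points at: per-frame state acquired in the reader before the header is validated, then abandoned when the reader bails out on the "improper image header" path, beside the fixed form that releases it on every exit. The 28-byte allocation size mirrors the report; the tracker, the reader and the malformed input are constructed for the demo.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Minimal allocation tracker standing in for LeakSanitizer's bookkeeping. */
#define MAX_TRACKED 8
static void *live[MAX_TRACKED];
static int live_count = 0;

static void *tracked_malloc(size_t n) {
  void *p = (live_count < MAX_TRACKED) ? malloc(n) : NULL;
  if (p != NULL) live[live_count++] = p;
  return p;
}
static void tracked_free(void *p) {
  for (int i = 0; i < live_count; i++)
    if (live[i] == p) { live[i] = live[--live_count]; free(p); return; }
}
/* Stand-in for LSan's end-of-process report: count what is still live,
   reclaim it so the demo itself stays leak-free, and return the count. */
static int report_and_reclaim(void) {
  int leaked = live_count;
  while (live_count > 0) free(live[--live_count]);
  return leaked;
}
/* The 8-byte MNG file signature. */
static const uint8_t mng_signature[8] = {0x8a,'M','N','G',0x0d,0x0a,0x1a,0x0a};

/* Hypothetical frame reader (not ImageMagick's code). It acquires 28 bytes of
   per-frame state before validating the header; the leaky variant returns
   from the "improper image header" path without releasing that buffer. */
static int read_one_mng(const uint8_t *data, size_t len, int release_on_error) {
  uint8_t *frame_state = tracked_malloc(28);
  if (frame_state == NULL) return -1;
  memset(frame_state, 0, 28);
  if (len < 8 || memcmp(data, mng_signature, 8) != 0) {
    if (release_on_error) tracked_free(frame_state); /* the fix */
    return -1;
  }
  tracked_free(frame_state); /* frame decoding would happen before this */
  return 0;
}
/* Runs the reader on a constructed file with a bad signature and returns
   how many allocations were left behind (1 = the issue's symptom, 0 = fixed). */
int leaked_allocations_after(int release_on_error) {
  static const uint8_t bad_file[] = {0x89,'P','N','G',0x0d,0x0a,0x1a,0x0a,0,0,0,13};
  (void)read_one_mng(bad_file, sizeof bad_file, release_on_error);
  return report_and_reclaim();
}
```

Building the real reader with `CFLAGS="-fsanitize=address"` makes LeakSanitizer do the same bookkeeping at process exit, which is what produces the "Direct leak" report quoted in the issue.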

@mikayla-grace

With the latest IM 7.0.5-6 compiled with afl-clang, we cannot reproduce the problem you posted. We get expected results:

$ identify memory-leak-in-ReadMNGImage-png7706.mng
identify: improper image header `memory-leak-in-ReadMNGImage-png7706.mng' @ error/png.c/ReadOneMNGImage/5380.


bestshow commented May 7, 2017

With the latest IM 7.0.5-6 Q16 compiled with afl-clang, please set CFLAGS="-fsanitize=address"; it will reproduce the problem.

dlemstra added a commit that referenced this issue May 7, 2017
@dlemstra dlemstra closed this as completed May 7, 2017

carnil commented May 29, 2017

This has been assigned CVE-2017-9261
