
memory exhaustion in ReadCINImage #519

Closed
jgj212 opened this issue Jun 23, 2017 · 1 comment

@jgj212
Contributor

commented Jun 23, 2017

Version: ImageMagick 7.0.6-1 Q16 x86_64

$magick identify $FILE

When identifying a CIN file that contains user-defined data, ImageMagick will allocate memory to store the data in the function ReadCINImage in coders\cin.c.

Here is the critical code:

profile=BlobToStringInfo((const unsigned char *) NULL,cin.file.user_length);  // line 709

cin.file.user_length can be controlled as follows:

cin.file.user_length=ReadBlobLong(image);  // line 458

There is a security check in the function SetImageExtent, but it is on line 736, so IM cannot control the memory usage.

status=SetImageExtent(image,image->columns,image->rows,exception); // line 736

Here is my policy.xml to limit memory usage

<policy domain="resource" name="area" value="100MP"/>
<policy domain="resource" name="memory" value="100MB"/>

And here is the monitoring of real memory usage from IM start to IM end. The 100MB limit can be bypassed:

top -b -n 100  -d  0.01 | grep lt
22223 test      20   0 7063596 836620   9612 R 100.0 10.6   0:00.29 lt-magick
22223 test      20   0 7063596 889868   9612 R  55.2 11.3   0:00.30 lt-magick
22223 test      20   0 7063596 943116   9612 R 100.0 12.0   0:00.32 lt-magick
22223 test      20   0 7063596 996364   9612 R 100.0 12.7   0:00.34 lt-magick
22223 test      20   0 7063596 0.999g   9612 R  56.4 13.3   0:00.35 lt-magick
22223 test      20   0 7063596 1.050g   9612 R 100.0 14.0   0:00.37 lt-magick
22223 test      20   0 7063596 1.099g   9612 R 100.0 14.7   0:00.39 lt-magick
22223 test      20   0 7063596 1.149g   9612 R 100.0 15.3   0:00.41 lt-magick
22223 test      20   0 7063596 1.198g   9612 R  57.2 16.0   0:00.42 lt-magick
22223 test      20   0 7063596 1.249g   9612 R 100.0 16.7   0:00.45 lt-magick
22223 test      20   0 7063596 1.298g   9612 R  56.5 17.3   0:00.46 lt-magick
22223 test      20   0 7063596 1.349g   9612 R 100.0 18.0   0:00.48 lt-magick
22223 test      20   0 7063596 1.397g   9612 R 100.0 18.6   0:00.50 lt-magick
22223 test      20   0 7063596 1.446g   9612 R  57.3 19.3   0:00.51 lt-magick
22223 test      20   0 7063596 1.497g   9612 R 100.0 20.0   0:00.53 lt-magick
22223 test      20   0 7063596 1.546g   9612 R 100.0 20.6   0:00.55 lt-magick
22223 test      20   0 7063596 1.597g   9612 R 100.0 21.3   0:00.57 lt-magick
22223 test      20   0 7063596 1.646g   9612 R 100.0 22.0   0:00.59 lt-magick
22223 test      20   0 7063596 1.696g   9612 R  56.5 22.6   0:00.60 lt-magick
22223 test      20   0 7063596 1.745g   9612 R 100.0 23.3   0:00.62 lt-magick
22223 test      20   0 7063596 1.796g   9612 R  57.0 24.0   0:00.63 lt-magick
22223 test      20   0 7063596 1.845g   9612 R 100.0 24.6   0:00.65 lt-magick
22223 test      20   0 7063596 1.896g   9612 R 100.0 25.3   0:00.67 lt-magick
22223 test      20   0 7063596 1.944g   9612 R 100.0 25.9   0:00.69 lt-magick
22223 test      20   0 7063596 1.993g   9612 R 100.0 26.6   0:00.71 lt-magick
22223 test      20   0 7063596 2.042g   9612 R  57.4 27.2   0:00.72 lt-magick
22223 test      20   0 7063596 2.093g   9612 R 100.0 27.9   0:00.74 lt-magick
22223 test      20   0 7063596 2.144g   9612 R 100.0 28.6   0:00.76 lt-magick
22223 test      20   0 7063596 2.192g   9612 R 100.0 29.3   0:00.78 lt-magick
22223 test      20   0 7063596 2.241g   9612 R  57.0 29.9   0:00.79 lt-magick
22223 test      20   0 7063596 2.292g   9612 R 100.0 30.6   0:00.81 lt-magick
22223 test      20   0 7063596 2.341g   9612 R 100.0 31.2   0:00.83 lt-magick
22223 test      20   0 7063596 2.392g   9612 R 100.0 31.9   0:00.85 lt-magick
22223 test      20   0 7063596 2.442g   9612 R 100.0 32.6   0:00.87 lt-magick
22223 test      20   0 7063596 2.491g   9612 R 100.0 33.2   0:00.89 lt-magick
22223 test      20   0 7063596 2.542g   9612 R  56.2 33.9   0:00.90 lt-magick
22223 test      20   0 7063596 2.591g   9612 R 100.0 34.6   0:00.92 lt-magick
22223 test      20   0 7063596 2.642g   9612 R 100.0 35.2   0:00.94 lt-magick
22223 test      20   0 7063596 2.690g   9612 R 100.0 35.9   0:00.96 lt-magick
22223 test      20   0 7063596 2.741g   9612 R  56.1 36.6   0:00.97 lt-magick
22223 test      20   0 7063596 2.790g   9612 R 100.0 37.2   0:00.99 lt-magick
22223 test      20   0 7063596 2.841g   9612 R  56.6 37.9   0:01.00 lt-magick
22223 test      20   0 7063596 2.892g   9612 R 100.0 38.6   0:01.02 lt-magick
22223 test      20   0 7063596 2.940g   9612 R 100.0 39.2   0:01.05 lt-magick
22223 test      20   0 7063596 2.991g   9612 R  56.8 39.9   0:01.06 lt-magick
22223 test      20   0 7063596 3.040g   9612 R 100.0 40.6   0:01.08 lt-magick
22223 test      20   0 7063596 3.091g   9612 R  56.8 41.2   0:01.09 lt-magick
22223 test      20   0 7063596 3.140g   9612 R 100.0 41.9   0:01.11 lt-magick
22223 test      20   0 7063596 3.190g   9612 R 100.0 42.6   0:01.14 lt-magick
22223 test      20   0 7063596 3.241g   9612 R  56.1 43.2   0:01.15 lt-magick
22223 test      20   0 7063596 3.290g   9612 R 100.0 43.9   0:01.17 lt-magick
22223 test      20   0 3576560 3.051g  10120 R  56.8 40.7   0:01.18 lt-magick

testcase:
https://github.com/jgj212/poc/blob/master/memory_exhaustion_in_ReadCINImage

Credit: ADLab of Venustech
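The ordering problem the report describes, as an added example that is not ImageMagick's code: a length-prefixed user-data section parsed the vulnerable way (allocate whatever size the header declares, check limits later) beside a version that bounds the declared length by the bytes actually present and by a resource limit before allocating. The 100MB limit, the big-endian length field and the two sample blobs are assumptions constructed for this example, not taken from the report's testcase.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MEMORY_LIMIT (100u * 1024u * 1024u) /* assumed 100MB "memory" policy */
/* CIN lengths are big-endian on disk; this mirrors what ReadBlobLong yields. */
static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable shape from the report: allocate the declared size right away. */
unsigned char *read_user_data_unchecked(const unsigned char *blob, size_t blob_len)
{
    uint32_t user_length = blob_len < 4 ? 0 : read_be32(blob);
    return calloc(user_length ? user_length : 1, 1); /* attacker-sized allocation */
}

/* Hardened shape: bound the declared length by the bytes actually present and
 * by the policy limit before allocating. Returns payload length or -1. */
long read_user_data_checked(const unsigned char *blob, size_t blob_len,
                            unsigned char **out)
{
    *out = NULL;
    if (blob_len < 4)
        return -1;
    uint32_t user_length = read_be32(blob);
    if (user_length > blob_len - 4 || user_length > MEMORY_LIMIT)
        return -1; /* reject before any allocation happens */
    *out = malloc(user_length ? user_length : 1);
    if (*out == NULL)
        return -1;
    memcpy(*out, blob + 4, user_length);
    return (long)user_length;
}

/* Constructed sample blobs (not the report's testcase). */
const unsigned char sane_blob[] = {0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
const unsigned char hostile_blob[] = {0xFF, 0xFF, 0xFF, 0xF0}; /* claims ~4GB, carries none */

int main(void)
{
    unsigned char *p;
    long n = read_user_data_checked(hostile_blob, sizeof hostile_blob, &p);
    printf("hostile blob: %s\n", n < 0 ? "rejected before allocation" : "accepted");
    return 0;
}
```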

@mikayla-grace



commented Jun 23, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

dlemstra pushed a commit that referenced this issue Jun 23, 2017

Cristy

@dlemstra dlemstra added the bug label Jun 23, 2017

@dlemstra dlemstra closed this Jun 23, 2017
