Version: ImageMagick 7.0.6-1 Q16 x86_64
$magick identify $FILE
When identifying a CIN file that contains user-defined data, ImageMagick will allocate memory to store the data in function ReadCINImage in coders\cin.c
Here is the critical code:
profile=BlobToStringInfo((const unsigned char *) NULL,cin.file.user_length); //line 709,
cin.file.user_length can be controlled as follows:
cin.file.user_length=ReadBlobLong(image); //line 458
There is a security check in the function SetImageExtent, but it is on line 736, so IM cannot control the memory usage
status=SetImageExtent(image,image->columns,image->rows,exception); // line 736
Here is my policy.xml to limit memory usage:
<policy domain="resource" name="area" value="100MP"/>
<policy domain="resource" name="memory" value="100MB"/>
And here is the monitoring of real memory usage from IM start to IM end. The 100MB limit can be bypassed:
top -b -n 100 -d 0.01 | grep lt
22223 test 20 0 7063596 836620 9612 R 100.0 10.6 0:00.29 lt-magick
22223 test 20 0 7063596 889868 9612 R 55.2 11.3 0:00.30 lt-magick
22223 test 20 0 7063596 943116 9612 R 100.0 12.0 0:00.32 lt-magick
22223 test 20 0 7063596 996364 9612 R 100.0 12.7 0:00.34 lt-magick
22223 test 20 0 7063596 0.999g 9612 R 56.4 13.3 0:00.35 lt-magick
22223 test 20 0 7063596 1.050g 9612 R 100.0 14.0 0:00.37 lt-magick
22223 test 20 0 7063596 1.099g 9612 R 100.0 14.7 0:00.39 lt-magick
22223 test 20 0 7063596 1.149g 9612 R 100.0 15.3 0:00.41 lt-magick
22223 test 20 0 7063596 1.198g 9612 R 57.2 16.0 0:00.42 lt-magick
22223 test 20 0 7063596 1.249g 9612 R 100.0 16.7 0:00.45 lt-magick
22223 test 20 0 7063596 1.298g 9612 R 56.5 17.3 0:00.46 lt-magick
22223 test 20 0 7063596 1.349g 9612 R 100.0 18.0 0:00.48 lt-magick
22223 test 20 0 7063596 1.397g 9612 R 100.0 18.6 0:00.50 lt-magick
22223 test 20 0 7063596 1.446g 9612 R 57.3 19.3 0:00.51 lt-magick
22223 test 20 0 7063596 1.497g 9612 R 100.0 20.0 0:00.53 lt-magick
22223 test 20 0 7063596 1.546g 9612 R 100.0 20.6 0:00.55 lt-magick
22223 test 20 0 7063596 1.597g 9612 R 100.0 21.3 0:00.57 lt-magick
22223 test 20 0 7063596 1.646g 9612 R 100.0 22.0 0:00.59 lt-magick
22223 test 20 0 7063596 1.696g 9612 R 56.5 22.6 0:00.60 lt-magick
22223 test 20 0 7063596 1.745g 9612 R 100.0 23.3 0:00.62 lt-magick
22223 test 20 0 7063596 1.796g 9612 R 57.0 24.0 0:00.63 lt-magick
22223 test 20 0 7063596 1.845g 9612 R 100.0 24.6 0:00.65 lt-magick
22223 test 20 0 7063596 1.896g 9612 R 100.0 25.3 0:00.67 lt-magick
22223 test 20 0 7063596 1.944g 9612 R 100.0 25.9 0:00.69 lt-magick
22223 test 20 0 7063596 1.993g 9612 R 100.0 26.6 0:00.71 lt-magick
22223 test 20 0 7063596 2.042g 9612 R 57.4 27.2 0:00.72 lt-magick
22223 test 20 0 7063596 2.093g 9612 R 100.0 27.9 0:00.74 lt-magick
22223 test 20 0 7063596 2.144g 9612 R 100.0 28.6 0:00.76 lt-magick
22223 test 20 0 7063596 2.192g 9612 R 100.0 29.3 0:00.78 lt-magick
22223 test 20 0 7063596 2.241g 9612 R 57.0 29.9 0:00.79 lt-magick
22223 test 20 0 7063596 2.292g 9612 R 100.0 30.6 0:00.81 lt-magick
22223 test 20 0 7063596 2.341g 9612 R 100.0 31.2 0:00.83 lt-magick
22223 test 20 0 7063596 2.392g 9612 R 100.0 31.9 0:00.85 lt-magick
22223 test 20 0 7063596 2.442g 9612 R 100.0 32.6 0:00.87 lt-magick
22223 test 20 0 7063596 2.491g 9612 R 100.0 33.2 0:00.89 lt-magick
22223 test 20 0 7063596 2.542g 9612 R 56.2 33.9 0:00.90 lt-magick
22223 test 20 0 7063596 2.591g 9612 R 100.0 34.6 0:00.92 lt-magick
22223 test 20 0 7063596 2.642g 9612 R 100.0 35.2 0:00.94 lt-magick
22223 test 20 0 7063596 2.690g 9612 R 100.0 35.9 0:00.96 lt-magick
22223 test 20 0 7063596 2.741g 9612 R 56.1 36.6 0:00.97 lt-magick
22223 test 20 0 7063596 2.790g 9612 R 100.0 37.2 0:00.99 lt-magick
22223 test 20 0 7063596 2.841g 9612 R 56.6 37.9 0:01.00 lt-magick
22223 test 20 0 7063596 2.892g 9612 R 100.0 38.6 0:01.02 lt-magick
22223 test 20 0 7063596 2.940g 9612 R 100.0 39.2 0:01.05 lt-magick
22223 test 20 0 7063596 2.991g 9612 R 56.8 39.9 0:01.06 lt-magick
22223 test 20 0 7063596 3.040g 9612 R 100.0 40.6 0:01.08 lt-magick
22223 test 20 0 7063596 3.091g 9612 R 56.8 41.2 0:01.09 lt-magick
22223 test 20 0 7063596 3.140g 9612 R 100.0 41.9 0:01.11 lt-magick
22223 test 20 0 7063596 3.190g 9612 R 100.0 42.6 0:01.14 lt-magick
22223 test 20 0 7063596 3.241g 9612 R 56.1 43.2 0:01.15 lt-magick
22223 test 20 0 7063596 3.290g 9612 R 100.0 43.9 0:01.17 lt-magick
22223 test 20 0 3576560 3.051g 10120 R 56.8 40.7 0:01.18 lt-magick
testcase: https://github.com/jgj212/poc/blob/master/memory_exhaustion_in_ReadCINImage
Credit: ADLab of Venustech
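The ordering problem described in the report above, as an added sketch that is not ImageMagick's code or its fix: a length field read from the file is checked against the bytes actually remaining and against a cap before anything is allocated. `blob_t`, `read_user_data`, the status codes, the big-endian field layout and the sample byte arrays are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical in-memory blob reader for this sketch; not ImageMagick's API. */
typedef struct {
    const unsigned char *data;
    size_t size;    /* bytes actually present in the file */
    size_t offset;  /* read position, always <= size */
} blob_t;

enum { READ_OK = 0, READ_TRUNCATED = -1, READ_OVER_LIMIT = -2, READ_NO_MEMORY = -3 };

/* Constructed samples: one declares ~2 GiB but carries 2 bytes; one honestly holds 3. */
const unsigned char hostile_sample[] = { 0x7f, 0xff, 0xff, 0xff, 'A', 'B' };
const unsigned char honest_sample[] = { 0x00, 0x00, 0x00, 0x03, 'x', 'y', 'z' };

/* Read a 32-bit length field (big-endian assumed), never reading past the end. */
static int read_be32(blob_t *b, uint32_t *out)
{
    const unsigned char *p = b->data + b->offset;
    if (b->size - b->offset < 4)
        return READ_TRUNCATED;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    b->offset += 4;
    return READ_OK;
}

/* Check the declared length against the bytes left in the file and a caller-supplied
   cap BEFORE allocating, so a header field alone cannot drive the allocation size. */
int read_user_data(blob_t *b, size_t limit, unsigned char **profile, size_t *length)
{
    uint32_t declared = 0;
    int rc = read_be32(b, &declared);
    *profile = NULL; *length = 0;
    if (rc != READ_OK)
        return rc;
    if (declared > b->size - b->offset)
        return READ_TRUNCATED;   /* header claims more data than the file holds */
    if (declared > limit)
        return READ_OVER_LIMIT;  /* stand-in for a policy.xml style memory cap */
    if (declared == 0)
        return READ_OK;
    if ((*profile = malloc(declared)) == NULL)
        return READ_NO_MEMORY;
    memcpy(*profile, b->data + b->offset, declared);
    b->offset += declared;
    *length = declared;
    return READ_OK;
}
```

On success the caller owns `*profile` and must `free` it.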
Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.
https://github.com/ImageMagick/ImageMagick/issues/519
fa3cf0b
8e57691