Version: ImageMagick 7.0.6-1 Q16 x86_64
$magick identify $FILE
When identifying a DPX file that contains user header data, ImageMagick will allocate memory to store the data in the function ReadDPXImage in coders\dpx.c
Here is the critical code:
profile=BlobToStringInfo((const unsigned char *) NULL,    //line 1109
  dpx.file.user_size-sizeof(dpx.user.id));
dpx.file.user_size can be controlled as follows:
dpx.file.user_size=ReadBlobLong(image); //line 739
There is a security check in the function SetImageExtent, but it is at line 1130, so IM cannot control the memory usage
status=SetImageExtent(image,image->columns,image->rows,exception); // line 1130
Here is my policy.xml to limit memory usage:
<policy domain="resource" name="area" value="100MP"/>
<policy domain="resource" name="memory" value="100MB"/>
And here is the monitor of real memory usage from IM-starting to IM-ending. 100MB limit can be bypassed:
top -n 100000 -d 0.01 | grep lt
547 test 20 0 7178776 54480 12108 R 75.8 0.7 0:00.01 lt-magick
547 test 20 0 7178776 285904 12108 R 100.0 3.5 0:00.03 lt-magick
547 test 20 0 7178776 406736 12108 R 67.4 5.0 0:00.04 lt-magick
547 test 20 0 7178776 517328 12108 R 100.0 6.3 0:00.06 lt-magick
547 test 20 0 7178776 632016 12108 R 100.0 7.7 0:00.08 lt-magick
547 test 20 0 7178776 869584 12108 R 100.0 10.6 0:00.10 lt-magick
547 test 20 0 7178776 980176 12108 R 100.0 12.0 0:00.12 lt-magick
547 test 20 0 7178776 1.046g 12108 R 72.5 13.4 0:00.13 lt-magick
547 test 20 0 7178776 1.157g 12108 R 73.4 14.8 0:00.14 lt-magick
547 test 20 0 7178776 1.263g 12108 R 100.0 16.2 0:00.16 lt-magick
547 test 20 0 7178776 1.374g 12108 R 73.2 17.6 0:00.17 lt-magick
547 test 20 0 7178776 1.484g 12108 R 78.5 19.0 0:00.18 lt-magick
547 test 20 0 7178776 1.591g 12108 R 100.0 20.4 0:00.20 lt-magick
547 test 20 0 7178776 1.700g 12108 R 100.0 21.8 0:00.22 lt-magick
547 test 20 0 7178776 1.933g 12108 R 100.0 24.8 0:00.24 lt-magick
547 test 20 0 7178776 2.030g 12108 R 74.7 26.0 0:00.25 lt-magick
547 test 20 0 7178776 2.128g 12108 R 100.0 27.3 0:00.27 lt-magick
547 test 20 0 7178776 2.234g 12108 R 77.0 28.6 0:00.28 lt-magick
547 test 20 0 7178776 2.343g 12108 R 100.0 30.1 0:00.30 lt-magick
547 test 20 0 7178776 2.458g 12108 R 72.8 31.5 0:00.31 lt-magick
547 test 20 0 7178776 2.554g 12108 R 73.0 32.8 0:00.32 lt-magick
547 test 20 0 7178776 2.613g 12108 R 100.0 33.5 0:00.34 lt-magick
547 test 20 0 7178776 2.829g 12108 R 100.0 36.3 0:00.36 lt-magick
547 test 20 0 7178776 2.943g 12108 R 100.0 37.7 0:00.38 lt-magick
547 test 20 0 7178776 3.050g 12108 R 73.0 39.1 0:00.39 lt-magick
547 test 20 0 7178776 3.154g 12108 R 78.1 40.4 0:00.40 lt-magick
547 test 20 0 7178776 3.267g 12108 R 100.0 41.9 0:00.42 lt-magick
547 test 20 0 7178776 3.370g 12108 R 72.0 43.2 0:00.43 lt-magick
testcase: https://github.com/jgj212/poc/blob/master/memory_exhaustion_in_ReadDPXImage
Credit: ADLab of Venustech
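The pattern reported above, a length field read from the file sizing an allocation before any resource check runs, is avoided by validating the declared length against the bytes actually present and against a configured limit first. The following C code is an added example, not ImageMagick's code or its patch; the simplified header layout, `read_user_data`, `USER_ID_LEN` and the `UD_*` status codes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define USER_ID_LEN 32u   /* assumed stand-in for sizeof(dpx.user.id) */

enum { UD_OK = 0, UD_TOO_SHORT, UD_BAD_SIZE, UD_TRUNCATED, UD_OVER_LIMIT, UD_NOMEM };

/* Read a big-endian 32-bit length from the buffer. */
static uint32_t read_be32(const unsigned char *p)
{
  return ((uint32_t) p[0] << 24) | ((uint32_t) p[1] << 16) |
         ((uint32_t) p[2] << 8) | (uint32_t) p[3];
}

/*
 * Hypothetical simplified layout (not the real DPX header):
 *   [4-byte user_size][USER_ID_LEN-byte id][user_size-USER_ID_LEN payload]
 * The declared size is checked against the bytes actually present and
 * against a caller-supplied limit BEFORE any allocation is made.
 */
int read_user_data(const unsigned char *blob, size_t blob_len, size_t limit,
                   unsigned char **out, size_t *out_len)
{
  uint32_t user_size;
  size_t payload, available;

  *out = NULL;
  *out_len = 0;
  if (blob_len < 4)
    return UD_TOO_SHORT;
  user_size = read_be32(blob);
  if (user_size < USER_ID_LEN)
    return UD_BAD_SIZE;        /* the subtraction below would wrap */
  payload = (size_t) user_size - USER_ID_LEN;
  available = blob_len - 4;
  if (available < USER_ID_LEN || payload > available - USER_ID_LEN)
    return UD_TRUNCATED;       /* header claims more than the file holds */
  if (payload > limit)
    return UD_OVER_LIMIT;      /* resource limit applied pre-allocation */
  *out = malloc(payload ? payload : 1);
  if (*out == NULL)
    return UD_NOMEM;
  memcpy(*out, blob + 4 + USER_ID_LEN, payload);
  *out_len = payload;
  return UD_OK;
}
```

A header that declares 0xFFFFFFFF bytes of user data in a 40-byte input returns `UD_TRUNCATED` without allocating anything.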
Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.
https://github.com/ImageMagick/ImageMagick/issues/523
be531ea
961eb7c