Version: ImageMagick 7.0.6-1 Q16 x86_64
$magick identify $FILE
When identifying an EPT file, ImageMagick will allocate memory to store the data.
Here is the critical code:
```c
ept_info.postscript=(unsigned char *) AcquireQuantumMemory(  // line 204
  ept_info.postscript_length+1,sizeof(*ept_info.postscript));
ept_info.tiff=(unsigned char *) AcquireQuantumMemory(ept_info.tiff_length+1,  // line 210
  sizeof(*ept_info.tiff));
```
ept_info.postscript_length and ept_info.tiff_length can be controlled as follows:
```c
ept_info.postscript_length=ReadBlobLSBLong(image);  // line 198
ept_info.tiff_length=ReadBlobLSBLong(image);  // line 202
```
There is a security check in the function SetImageExtent, but it is not used in this function, so IM cannot control the memory usage.
Here is my policy.xml to limit memory usage:
```xml
<policy domain="resource" name="area" value="100MP"/>
<policy domain="resource" name="memory" value="100MB"/>
```
And here is the monitor of real memory usage from IM-starting to IM-ending. 100MB limit can be bypassed:
testcase: https://github.com/jgj212/poc/blob/master/memory_exhaustion_in_ReadEPTImage
Credit: ADLab of Venustech
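The pattern the report describes, as an added example (not ImageMagick's code and not the fix the maintainers committed): two 32-bit lengths read from the file header size the allocations, so this sketch checks each declared section against the bytes actually present and against a caller-supplied budget before allocating. The header offsets, the `ept_*` names and the `budget` parameter (standing in for the policy memory limit) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define EPT_MAGIC 0xC5D0D3C6u
#define EPT_HEADER 30u /* assumed layout: magic, PS off/len, 8 skipped bytes, TIFF off/len, checksum */
typedef enum { EPT_OK, EPT_TRUNCATED, EPT_BAD_MAGIC, EPT_BAD_RANGE, EPT_OVER_BUDGET, EPT_NO_MEMORY } ept_status;
static uint32_t le32(const unsigned char *p) {
  return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put_le32(unsigned char *p, uint32_t v) {
  for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i));
}
/* Bytes the unchecked pattern (length+1 per section) would ask the allocator for. */
uint64_t ept_unchecked_request(const unsigned char *hdr) {
  return ((uint64_t)le32(hdr + 8) + 1) + ((uint64_t)le32(hdr + 24) + 1);
}
/* A section is acceptable only if [off, off+len) lies inside the bytes actually present. */
static int in_file(uint32_t off, uint32_t len, size_t size) {
  return off <= size && len <= size - off;
}
/* Validate both declared lengths against the file size and a budget BEFORE allocating. */
ept_status ept_load(const unsigned char *f, size_t size, uint64_t budget,
                    unsigned char **ps, unsigned char **tiff) {
  *ps = *tiff = NULL;
  if (size < EPT_HEADER) return EPT_TRUNCATED;
  if (le32(f) != EPT_MAGIC) return EPT_BAD_MAGIC;
  uint32_t ps_off = le32(f + 4), ps_len = le32(f + 8);
  uint32_t tf_off = le32(f + 20), tf_len = le32(f + 24);
  if (!in_file(ps_off, ps_len, size) || !in_file(tf_off, tf_len, size)) return EPT_BAD_RANGE;
  if (ept_unchecked_request(f) > budget) return EPT_OVER_BUDGET;
  *ps = malloc((size_t)ps_len + 1);
  *tiff = malloc((size_t)tf_len + 1);
  if (!*ps || !*tiff) { free(*ps); free(*tiff); *ps = *tiff = NULL; return EPT_NO_MEMORY; }
  memcpy(*ps, f + ps_off, ps_len);
  memcpy(*tiff, f + tf_off, tf_len);
  return EPT_OK;
}
/* Constructed sample: a 64-byte file whose header declares the given section lengths. */
ept_status ept_demo(uint32_t ps_len, uint32_t tiff_len, uint64_t budget, uint64_t *would_request) {
  unsigned char file[64] = {0}, *ps, *tiff;
  put_le32(file, EPT_MAGIC);
  put_le32(file + 4, 30);  put_le32(file + 8, ps_len);
  put_le32(file + 20, 30); put_le32(file + 24, tiff_len);
  *would_request = ept_unchecked_request(file);
  ept_status st = ept_load(file, sizeof file, budget, &ps, &tiff);
  free(ps); free(tiff);
  return st;
}
```

With both lengths set to 0xFFFFFFFF in the constructed 64-byte sample, `ept_unchecked_request` reports 0x200000000 bytes, while `ept_load` returns `EPT_BAD_RANGE` without allocating anything.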
Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.
https://github.com/ImageMagick/ImageMagick/issues/524
a14e7f1
eee1829