The ReadMATImage function in mat.c allows attackers to cause a denial of service (memory leak) via a small crafted mat file.
# identify $FILE
=================================================================
==31506==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 13024 byte(s) in 1 object(s) allocated from:
#0 0x4deea6 in __interceptor_malloc asan_malloc_linux.cc:66
#1 0x7f7d713fffd6 in AcquireMagickMemory memory.c:463:10
#2 0x7f7d713b0613 in AcquireImageInfo image.c:347:28
#3 0x7f7d713b9783 in CloneImageInfo image.c:952:14
#4 0x7f7d717e3aca in ReadMATImage mat.c:896:14
#5 0x7f7d711da788 in ReadImage constitute.c:497:13
#6 0x7f7d715734b9 in ReadStream stream.c:1045:9
#7 0x7f7d711d932f in PingImage constitute.c:226:9
#8 0x7f7d711d9ad3 in PingImages constitute.c:327:10
#9 0x7f7d7091f006 in IdentifyImageCommand identify.c:319:18
#10 0x7f7d709dccdf in MagickCommandGenesis mogrify.c:183:14
#11 0x514a27 in MagickMain magick.c:149:10
#12 0x514481 in main magick.c:180:10
#13 0x7f7d6b21bf44 in __libc_start_main libc-start.c:287
Indirect leak of 9096 byte(s) in 1 object(s) allocated from:
#0 0x4deea6 in __interceptor_malloc asan_malloc_linux.cc:66
#1 0x7f7d713fffd6 in AcquireMagickMemory memory.c:463:10
#2 0x7f7d71400038 in AcquireQuantumMemory memory.c:536:10
#3 0x7f7d7115c6b4 in AcquirePixelCache cache.c:195:28
#4 0x7f7d7157314c in ReadStream stream.c:1027:20
#5 0x7f7d711d932f in PingImage constitute.c:226:9
#6 0x7f7d711d9ad3 in PingImages constitute.c:327:10
#7 0x7f7d7091f006 in IdentifyImageCommand identify.c:319:18
#8 0x7f7d709dccdf in MagickCommandGenesis mogrify.c:183:14
#9 0x514a27 in MagickMain magick.c:149:10
#10 0x514481 in main magick.c:180:10
#11 0x7f7d6b21bf44 in __libc_start_main libc-start.c:287
Indirect leak of 88 byte(s) in 1 object(s) allocated from:
#0 0x4deea6 in __interceptor_malloc asan_malloc_linux.cc:66
#1 0x7f7d713fffd6 in AcquireMagickMemory memory.c:463:10
#2 0x7f7d71400038 in AcquireQuantumMemory memory.c:536:10
#3 0x7f7d7115d174 in AcquirePixelCacheNexus cache.c:268:31
#4 0x7f7d7115cbd4 in AcquirePixelCache cache.c:211:26
#5 0x7f7d7157314c in ReadStream stream.c:1027:20
#6 0x7f7d711d932f in PingImage constitute.c:226:9
#7 0x7f7d711d9ad3 in PingImages constitute.c:327:10
#8 0x7f7d7091f006 in IdentifyImageCommand identify.c:319:18
#9 0x7f7d709dccdf in MagickCommandGenesis mogrify.c:183:14
#10 0x514a27 in MagickMain magick.c:149:10
#11 0x514481 in main magick.c:180:10
#12 0x7f7d6b21bf44 in __libc_start_main libc-start.c:287
Indirect leak of 88 byte(s) in 1 object(s) allocated from:
#0 0x4deea6 in __interceptor_malloc asan_malloc_linux.cc:66
#1 0x7f7d713fffd6 in AcquireMagickMemory memory.c:463:10
#2 0x7f7d71553465 in NewSplayTree splay-tree.c:1106:32
#3 0x7f7d71553094 in CloneSplayTree splay-tree.c:359:14
#4 0x7f7d71430975 in CloneImageOptions option.c:1868:27
#5 0x7f7d713bb034 in CloneImageInfo image.c:1007:10
#6 0x7f7d717e3aca in ReadMATImage mat.c:896:14
#7 0x7f7d711da788 in ReadImage constitute.c:497:13
#8 0x7f7d715734b9 in ReadStream stream.c:1045:9
#9 0x7f7d711d932f in PingImage constitute.c:226:9
#10 0x7f7d711d9ad3 in PingImages constitute.c:327:10
#11 0x7f7d7091f006 in IdentifyImageCommand identify.c:319:18
#12 0x7f7d709dccdf in MagickCommandGenesis mogrify.c:183:14
#13 0x514a27 in MagickMain magick.c:149:10
#14 0x514481 in main magick.c:180:10
#15 0x7f7d6b21bf44 in __libc_start_main libc-start.c:287
Indirect leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x4dfa05 in posix_memalign asan_malloc_linux.cc:142
#1 0x7f7d713ffe12 in AcquireAlignedMemory memory.c:261:7
#2 0x7f7d7115d07e in AcquirePixelCacheNexus cache.c:264:29
#3 0x7f7d7115cbd4 in AcquirePixelCache cache.c:211:26
#4 0x7f7d7157314c in ReadStream stream.c:1027:20
#5 0x7f7d711d932f in PingImage constitute.c:226:9
#6 0x7f7d711d9ad3 in PingImages constitute.c:327:10
#7 0x7f7d7091f006 in IdentifyImageCommand identify.c:319:18
#8 0x7f7d709dccdf in MagickCommandGenesis mogrify.c:183:14
#9 0x514a27 in MagickMain magick.c:149:10
#10 0x514481 in main magick.c:180:10
#11 0x7f7d6b21bf44 in __libc_start_main libc-start.c:287
Indirect leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x4dfa05 in posix_memalign asan_malloc_linux.cc:142
#1 0x7f7d7153d748 in AcquireSemaphoreMemory semaphore.c:154:7
#2 0x7f7d7153cfbc in AcquireSemaphoreInfo semaphore.c:200:36
#3 0x7f7d7115ce93 in AcquirePixelCache cache.c:226:25
#4 0x7f7d7157314c in ReadStream stream.c:1027:20
#5 0x7f7d711d932f in PingImage constitute.c:226:9
#6 0x7f7d711d9ad3 in PingImages constitute.c:327:10
#7 0x7f7d7091f006 in IdentifyImageCommand identify.c:319:18
#8 0x7f7d709dccdf in MagickCommandGenesis mogrify.c:183:14
#9 0x514a27 in MagickMain magick.c:149:10
#10 0x514481 in main magick.c:180:10
#11 0x7f7d6b21bf44 in __libc_start_main libc-start.c:287
Indirect leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x4dfa05 in posix_memalign asan_malloc_linux.cc:142
#1 0x7f7d7153d748 in AcquireSemaphoreMemory semaphore.c:154:7
#2 0x7f7d7153cfbc in AcquireSemaphoreInfo semaphore.c:200:36
#3 0x7f7d715537e6 in NewSplayTree splay-tree.c:1119:25
#4 0x7f7d71553094 in CloneSplayTree splay-tree.c:359:14
#5 0x7f7d71430975 in CloneImageOptions option.c:1868:27
#6 0x7f7d713bb034 in CloneImageInfo image.c:1007:10
#7 0x7f7d717e3aca in ReadMATImage mat.c:896:14
#8 0x7f7d711da788 in ReadImage constitute.c:497:13
#9 0x7f7d715734b9 in ReadStream stream.c:1045:9
#10 0x7f7d711d932f in PingImage constitute.c:226:9
#11 0x7f7d711d9ad3 in PingImages constitute.c:327:10
#12 0x7f7d7091f006 in IdentifyImageCommand identify.c:319:18
#13 0x7f7d709dccdf in MagickCommandGenesis mogrify.c:183:14
#14 0x514a27 in MagickMain magick.c:149:10
#15 0x514481 in main magick.c:180:10
#16 0x7f7d6b21bf44 in __libc_start_main libc-start.c:287
Indirect leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x4dfa05 in posix_memalign asan_malloc_linux.cc:142
#1 0x7f7d7153d748 in AcquireSemaphoreMemory semaphore.c:154:7
#2 0x7f7d7153cfbc in AcquireSemaphoreInfo semaphore.c:200:36
#3 0x7f7d7115cf22 in AcquirePixelCache cache.c:228:30
#4 0x7f7d7157314c in ReadStream stream.c:1027:20
#5 0x7f7d711d932f in PingImage constitute.c:226:9
#6 0x7f7d711d9ad3 in PingImages constitute.c:327:10
#7 0x7f7d7091f006 in IdentifyImageCommand identify.c:319:18
#8 0x7f7d709dccdf in MagickCommandGenesis mogrify.c:183:14
#9 0x514a27 in MagickMain magick.c:149:10
#10 0x514481 in main magick.c:180:10
#11 0x7f7d6b21bf44 in __libc_start_main libc-start.c:287
Indirect leak of 52 byte(s) in 1 object(s) allocated from:
#0 0x4deea6 in __interceptor_malloc asan_malloc_linux.cc:66
#1 0x7f7d713fffd6 in AcquireMagickMemory memory.c:463:10
#2 0x7f7d71400038 in AcquireQuantumMemory memory.c:536:10
#3 0x7f7d71588bb3 in ConstantString string.c:701:26
#4 0x7f7d71553286 in CloneSplayTree splay-tree.c:372:7
#5 0x7f7d71430975 in CloneImageOptions option.c:1868:27
#6 0x7f7d713bb034 in CloneImageInfo image.c:1007:10
#7 0x7f7d717e3aca in ReadMATImage mat.c:896:14
#8 0x7f7d711da788 in ReadImage constitute.c:497:13
#9 0x7f7d715734b9 in ReadStream stream.c:1045:9
#10 0x7f7d711d932f in PingImage constitute.c:226:9
#11 0x7f7d711d9ad3 in PingImages constitute.c:327:10
#12 0x7f7d7091f006 in IdentifyImageCommand identify.c:319:18
#13 0x7f7d709dccdf in MagickCommandGenesis mogrify.c:183:14
#14 0x514a27 in MagickMain magick.c:149:10
#15 0x514481 in main magick.c:180:10
#16 0x7f7d6b21bf44 in __libc_start_main libc-start.c:287
Indirect leak of 32 byte(s) in 1 object(s) allocated from:
#0 0x4deea6 in __interceptor_malloc asan_malloc_linux.cc:66
#1 0x7f7d713fffd6 in AcquireMagickMemory memory.c:463:10
#2 0x7f7d715523f0 in AddValueToSplayTree splay-tree.c:188:21
#3 0x7f7d7155329c in CloneSplayTree splay-tree.c:371:12
#4 0x7f7d71430975 in CloneImageOptions option.c:1868:27
#5 0x7f7d713bb034 in CloneImageInfo image.c:1007:10
#6 0x7f7d717e3aca in ReadMATImage mat.c:896:14
#7 0x7f7d711da788 in ReadImage constitute.c:497:13
#8 0x7f7d715734b9 in ReadStream stream.c:1045:9
#9 0x7f7d711d932f in PingImage constitute.c:226:9
#10 0x7f7d711d9ad3 in PingImages constitute.c:327:10
#11 0x7f7d7091f006 in IdentifyImageCommand identify.c:319:18
#12 0x7f7d709dccdf in MagickCommandGenesis mogrify.c:183:14
#13 0x514a27 in MagickMain magick.c:149:10
#14 0x514481 in main magick.c:180:10
#15 0x7f7d6b21bf44 in __libc_start_main libc-start.c:287
Indirect leak of 9 byte(s) in 1 object(s) allocated from:
#0 0x4deea6 in __interceptor_malloc asan_malloc_linux.cc:66
#1 0x7f7d713fffd6 in AcquireMagickMemory memory.c:463:10
#2 0x7f7d71400038 in AcquireQuantumMemory memory.c:536:10
#3 0x7f7d71588bb3 in ConstantString string.c:701:26
#4 0x7f7d71553201 in CloneSplayTree splay-tree.c:371:43
#5 0x7f7d71430975 in CloneImageOptions option.c:1868:27
#6 0x7f7d713bb034 in CloneImageInfo image.c:1007:10
#7 0x7f7d717e3aca in ReadMATImage mat.c:896:14
#8 0x7f7d711da788 in ReadImage constitute.c:497:13
#9 0x7f7d715734b9 in ReadStream stream.c:1045:9
#10 0x7f7d711d932f in PingImage constitute.c:226:9
#11 0x7f7d711d9ad3 in PingImages constitute.c:327:10
#12 0x7f7d7091f006 in IdentifyImageCommand identify.c:319:18
#13 0x7f7d709dccdf in MagickCommandGenesis mogrify.c:183:14
#14 0x514a27 in MagickMain magick.c:149:10
#15 0x514481 in main magick.c:180:10
#16 0x7f7d6b21bf44 in __libc_start_main libc-start.c:287
SUMMARY: AddressSanitizer: 22645 byte(s) leaked in 11 allocation(s).
Version: ImageMagick 7.0.6-1 Q16 x86_64
testcase:
https://github.com/jgj212/poc/blob/master/leak-ReadMATImage
Credit: ADLab of Venustech
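The LeakSanitizer output above is the classic shape of a cleanup-path leak: the direct leak is the `ImageInfo` clone made at the top of the reader (`CloneImageInfo` at mat.c:896), and every "indirect" entry is something that clone owns (its option splay tree, its strings, the pixel cache and semaphores). The block below is an added example, not ImageMagick's code, that models this class in miniature: a reader clones a per-call info object on entry, and the leaky version returns early on a short or malformed header without destroying the clone, while the fixed version funnels every path through one cleanup. The `ReaderInfo` type, the `live_allocations` counter (a stand-in for LSan's bookkeeping) and the 128-byte `"MATLAB"` text header used to construct the crafted input are assumptions made here for illustration.

```c
/* Added example (not ImageMagick's code): models the clone-on-entry,
 * early-return leak class that LeakSanitizer reports for ReadMATImage.
 * ReaderInfo, live_allocations and the 128-byte "MATLAB" header are
 * illustrative assumptions, not taken from mat.c. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAT_HEADER_SIZE 128   /* assumed MAT v5 text-header length */

typedef struct {
  char *filename;             /* owned string, like the clone's options/strings */
} ReaderInfo;

static long live_allocations = 0;   /* stand-in for LeakSanitizer's live-block count */

/* Clone = one direct allocation plus one it owns (the "indirect" leak). */
static ReaderInfo *clone_reader_info(const char *filename) {
  ReaderInfo *clone = malloc(sizeof *clone);
  if (clone == NULL) return NULL;
  clone->filename = strdup(filename);
  if (clone->filename == NULL) { free(clone); return NULL; }
  live_allocations += 2;
  return clone;
}

static void destroy_reader_info(ReaderInfo *info) {
  free(info->filename);
  free(info);
  live_allocations -= 2;
}

/* Header check; the constructed crafted input below is built to fail it. */
static int header_is_valid(const unsigned char *buf, size_t len) {
  return len >= MAT_HEADER_SIZE && memcmp(buf, "MATLAB", 6) == 0;
}

/* Leaky shape: the error path returns before the clone is destroyed. */
static int read_mat_leaky(const unsigned char *buf, size_t len) {
  ReaderInfo *clone = clone_reader_info("input.mat");
  if (clone == NULL) return -1;
  if (!header_is_valid(buf, len))
    return -1;                      /* BUG: clone (and what it owns) is lost here */
  destroy_reader_info(clone);
  return 0;
}

/* Fixed shape: success and failure share one exit that releases the clone. */
static int read_mat_fixed(const unsigned char *buf, size_t len) {
  ReaderInfo *clone = clone_reader_info("input.mat");
  if (clone == NULL) return -1;
  int status = header_is_valid(buf, len) ? 0 : -1;
  destroy_reader_info(clone);       /* runs on every path */
  return status;
}

/* Runs a reader over a constructed "small crafted" input (valid magic,
 * far shorter than a full header) and returns how many blocks stay live. */
static long leaked_after(int (*reader)(const unsigned char *, size_t)) {
  static const unsigned char crafted[16] = "MATLAB 5.0 MAT";  /* constructed sample */
  live_allocations = 0;
  (void)reader(crafted, sizeof crafted);
  return live_allocations;
}

/* Sanity check that the fixed reader still accepts a well-formed header. */
static int fixed_reader_accepts_valid_header(void) {
  static const unsigned char ok[MAT_HEADER_SIZE] = "MATLAB 5.0 MAT-file";  /* constructed sample */
  return read_mat_fixed(ok, sizeof ok) == 0;
}

int main(void) {
  printf("leaky reader leaves %ld block(s) live\n", leaked_after(read_mat_leaky));
  printf("fixed reader leaves %ld block(s) live\n", leaked_after(read_mat_fixed));
  return 0;
}
```

Build with `-fsanitize=address` and LeakSanitizer reports the leaky reader's two blocks at exit (one direct, one indirect, mirroring the report above), while the fixed reader leaves nothing; the counter just makes the same outcome visible without a sanitizer build.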