
memory leak in ReadMATImage in mat.c #525

Closed
jgj212 opened this issue Jun 24, 2017 · 3 comments

@jgj212
Contributor

commented Jun 24, 2017

Version: ImageMagick 7.0.6-1 Q16 x86_64

The ReadMATImage function in mat.c allows attackers to cause a denial of service (memory leak) via a small crafted mat file.

#identify $FILE

=================================================================
==31506==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 13024 byte(s) in 1 object(s) allocated from:
    #0 0x4deea6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7f7d713fffd6 in AcquireMagickMemory memory.c:463:10
    #2 0x7f7d713b0613 in AcquireImageInfo image.c:347:28
    #3 0x7f7d713b9783 in CloneImageInfo image.c:952:14
    #4 0x7f7d717e3aca in ReadMATImage mat.c:896:14
    #5 0x7f7d711da788 in ReadImage constitute.c:497:13
    #6 0x7f7d715734b9 in ReadStream stream.c:1045:9
    #7 0x7f7d711d932f in PingImage constitute.c:226:9
    #8 0x7f7d711d9ad3 in PingImages constitute.c:327:10
    #9 0x7f7d7091f006 in IdentifyImageCommand identify.c:319:18
    #10 0x7f7d709dccdf in MagickCommandGenesis mogrify.c:183:14
    #11 0x514a27 in MagickMain magick.c:149:10
    #12 0x514481 in main magick.c:180:10
    #13 0x7f7d6b21bf44 in __libc_start_main libc-start.c:287

Indirect leak of 9096 byte(s) in 1 object(s) allocated from:
    #0 0x4deea6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7f7d713fffd6 in AcquireMagickMemory memory.c:463:10
    #2 0x7f7d71400038 in AcquireQuantumMemory memory.c:536:10
    #3 0x7f7d7115c6b4 in AcquirePixelCache cache.c:195:28
    #4 0x7f7d7157314c in ReadStream stream.c:1027:20
    #5 0x7f7d711d932f in PingImage constitute.c:226:9
    #6 0x7f7d711d9ad3 in PingImages constitute.c:327:10
    #7 0x7f7d7091f006 in IdentifyImageCommand identify.c:319:18
    #8 0x7f7d709dccdf in MagickCommandGenesis mogrify.c:183:14
    #9 0x514a27 in MagickMain magick.c:149:10
    #10 0x514481 in main magick.c:180:10
    #11 0x7f7d6b21bf44 in __libc_start_main libc-start.c:287

Indirect leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x4deea6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7f7d713fffd6 in AcquireMagickMemory memory.c:463:10
    #2 0x7f7d71400038 in AcquireQuantumMemory memory.c:536:10
    #3 0x7f7d7115d174 in AcquirePixelCacheNexus cache.c:268:31
    #4 0x7f7d7115cbd4 in AcquirePixelCache cache.c:211:26
    #5 0x7f7d7157314c in ReadStream stream.c:1027:20
    #6 0x7f7d711d932f in PingImage constitute.c:226:9
    #7 0x7f7d711d9ad3 in PingImages constitute.c:327:10
    #8 0x7f7d7091f006 in IdentifyImageCommand identify.c:319:18
    #9 0x7f7d709dccdf in MagickCommandGenesis mogrify.c:183:14
    #10 0x514a27 in MagickMain magick.c:149:10
    #11 0x514481 in main magick.c:180:10
    #12 0x7f7d6b21bf44 in __libc_start_main libc-start.c:287

Indirect leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x4deea6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7f7d713fffd6 in AcquireMagickMemory memory.c:463:10
    #2 0x7f7d71553465 in NewSplayTree splay-tree.c:1106:32
    #3 0x7f7d71553094 in CloneSplayTree splay-tree.c:359:14
    #4 0x7f7d71430975 in CloneImageOptions option.c:1868:27
    #5 0x7f7d713bb034 in CloneImageInfo image.c:1007:10
    #6 0x7f7d717e3aca in ReadMATImage mat.c:896:14
    #7 0x7f7d711da788 in ReadImage constitute.c:497:13
    #8 0x7f7d715734b9 in ReadStream stream.c:1045:9
    #9 0x7f7d711d932f in PingImage constitute.c:226:9
    #10 0x7f7d711d9ad3 in PingImages constitute.c:327:10
    #11 0x7f7d7091f006 in IdentifyImageCommand identify.c:319:18
    #12 0x7f7d709dccdf in MagickCommandGenesis mogrify.c:183:14
    #13 0x514a27 in MagickMain magick.c:149:10
    #14 0x514481 in main magick.c:180:10
    #15 0x7f7d6b21bf44 in __libc_start_main libc-start.c:287

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfa05 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7f7d713ffe12 in AcquireAlignedMemory memory.c:261:7
    #2 0x7f7d7115d07e in AcquirePixelCacheNexus cache.c:264:29
    #3 0x7f7d7115cbd4 in AcquirePixelCache cache.c:211:26
    #4 0x7f7d7157314c in ReadStream stream.c:1027:20
    #5 0x7f7d711d932f in PingImage constitute.c:226:9
    #6 0x7f7d711d9ad3 in PingImages constitute.c:327:10
    #7 0x7f7d7091f006 in IdentifyImageCommand identify.c:319:18
    #8 0x7f7d709dccdf in MagickCommandGenesis mogrify.c:183:14
    #9 0x514a27 in MagickMain magick.c:149:10
    #10 0x514481 in main magick.c:180:10
    #11 0x7f7d6b21bf44 in __libc_start_main libc-start.c:287

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfa05 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7f7d7153d748 in AcquireSemaphoreMemory semaphore.c:154:7
    #2 0x7f7d7153cfbc in AcquireSemaphoreInfo semaphore.c:200:36
    #3 0x7f7d7115ce93 in AcquirePixelCache cache.c:226:25
    #4 0x7f7d7157314c in ReadStream stream.c:1027:20
    #5 0x7f7d711d932f in PingImage constitute.c:226:9
    #6 0x7f7d711d9ad3 in PingImages constitute.c:327:10
    #7 0x7f7d7091f006 in IdentifyImageCommand identify.c:319:18
    #8 0x7f7d709dccdf in MagickCommandGenesis mogrify.c:183:14
    #9 0x514a27 in MagickMain magick.c:149:10
    #10 0x514481 in main magick.c:180:10
    #11 0x7f7d6b21bf44 in __libc_start_main libc-start.c:287

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfa05 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7f7d7153d748 in AcquireSemaphoreMemory semaphore.c:154:7
    #2 0x7f7d7153cfbc in AcquireSemaphoreInfo semaphore.c:200:36
    #3 0x7f7d715537e6 in NewSplayTree splay-tree.c:1119:25
    #4 0x7f7d71553094 in CloneSplayTree splay-tree.c:359:14
    #5 0x7f7d71430975 in CloneImageOptions option.c:1868:27
    #6 0x7f7d713bb034 in CloneImageInfo image.c:1007:10
    #7 0x7f7d717e3aca in ReadMATImage mat.c:896:14
    #8 0x7f7d711da788 in ReadImage constitute.c:497:13
    #9 0x7f7d715734b9 in ReadStream stream.c:1045:9
    #10 0x7f7d711d932f in PingImage constitute.c:226:9
    #11 0x7f7d711d9ad3 in PingImages constitute.c:327:10
    #12 0x7f7d7091f006 in IdentifyImageCommand identify.c:319:18
    #13 0x7f7d709dccdf in MagickCommandGenesis mogrify.c:183:14
    #14 0x514a27 in MagickMain magick.c:149:10
    #15 0x514481 in main magick.c:180:10
    #16 0x7f7d6b21bf44 in __libc_start_main libc-start.c:287

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfa05 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7f7d7153d748 in AcquireSemaphoreMemory semaphore.c:154:7
    #2 0x7f7d7153cfbc in AcquireSemaphoreInfo semaphore.c:200:36
    #3 0x7f7d7115cf22 in AcquirePixelCache cache.c:228:30
    #4 0x7f7d7157314c in ReadStream stream.c:1027:20
    #5 0x7f7d711d932f in PingImage constitute.c:226:9
    #6 0x7f7d711d9ad3 in PingImages constitute.c:327:10
    #7 0x7f7d7091f006 in IdentifyImageCommand identify.c:319:18
    #8 0x7f7d709dccdf in MagickCommandGenesis mogrify.c:183:14
    #9 0x514a27 in MagickMain magick.c:149:10
    #10 0x514481 in main magick.c:180:10
    #11 0x7f7d6b21bf44 in __libc_start_main libc-start.c:287

Indirect leak of 52 byte(s) in 1 object(s) allocated from:
    #0 0x4deea6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7f7d713fffd6 in AcquireMagickMemory memory.c:463:10
    #2 0x7f7d71400038 in AcquireQuantumMemory memory.c:536:10
    #3 0x7f7d71588bb3 in ConstantString string.c:701:26
    #4 0x7f7d71553286 in CloneSplayTree splay-tree.c:372:7
    #5 0x7f7d71430975 in CloneImageOptions option.c:1868:27
    #6 0x7f7d713bb034 in CloneImageInfo image.c:1007:10
    #7 0x7f7d717e3aca in ReadMATImage mat.c:896:14
    #8 0x7f7d711da788 in ReadImage constitute.c:497:13
    #9 0x7f7d715734b9 in ReadStream stream.c:1045:9
    #10 0x7f7d711d932f in PingImage constitute.c:226:9
    #11 0x7f7d711d9ad3 in PingImages constitute.c:327:10
    #12 0x7f7d7091f006 in IdentifyImageCommand identify.c:319:18
    #13 0x7f7d709dccdf in MagickCommandGenesis mogrify.c:183:14
    #14 0x514a27 in MagickMain magick.c:149:10
    #15 0x514481 in main magick.c:180:10
    #16 0x7f7d6b21bf44 in __libc_start_main libc-start.c:287

Indirect leak of 32 byte(s) in 1 object(s) allocated from:
    #0 0x4deea6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7f7d713fffd6 in AcquireMagickMemory memory.c:463:10
    #2 0x7f7d715523f0 in AddValueToSplayTree splay-tree.c:188:21
    #3 0x7f7d7155329c in CloneSplayTree splay-tree.c:371:12
    #4 0x7f7d71430975 in CloneImageOptions option.c:1868:27
    #5 0x7f7d713bb034 in CloneImageInfo image.c:1007:10
    #6 0x7f7d717e3aca in ReadMATImage mat.c:896:14
    #7 0x7f7d711da788 in ReadImage constitute.c:497:13
    #8 0x7f7d715734b9 in ReadStream stream.c:1045:9
    #9 0x7f7d711d932f in PingImage constitute.c:226:9
    #10 0x7f7d711d9ad3 in PingImages constitute.c:327:10
    #11 0x7f7d7091f006 in IdentifyImageCommand identify.c:319:18
    #12 0x7f7d709dccdf in MagickCommandGenesis mogrify.c:183:14
    #13 0x514a27 in MagickMain magick.c:149:10
    #14 0x514481 in main magick.c:180:10
    #15 0x7f7d6b21bf44 in __libc_start_main libc-start.c:287

Indirect leak of 9 byte(s) in 1 object(s) allocated from:
    #0 0x4deea6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7f7d713fffd6 in AcquireMagickMemory memory.c:463:10
    #2 0x7f7d71400038 in AcquireQuantumMemory memory.c:536:10
    #3 0x7f7d71588bb3 in ConstantString string.c:701:26
    #4 0x7f7d71553201 in CloneSplayTree splay-tree.c:371:43
    #5 0x7f7d71430975 in CloneImageOptions option.c:1868:27
    #6 0x7f7d713bb034 in CloneImageInfo image.c:1007:10
    #7 0x7f7d717e3aca in ReadMATImage mat.c:896:14
    #8 0x7f7d711da788 in ReadImage constitute.c:497:13
    #9 0x7f7d715734b9 in ReadStream stream.c:1045:9
    #10 0x7f7d711d932f in PingImage constitute.c:226:9
    #11 0x7f7d711d9ad3 in PingImages constitute.c:327:10
    #12 0x7f7d7091f006 in IdentifyImageCommand identify.c:319:18
    #13 0x7f7d709dccdf in MagickCommandGenesis mogrify.c:183:14
    #14 0x514a27 in MagickMain magick.c:149:10
    #15 0x514481 in main magick.c:180:10
    #16 0x7f7d6b21bf44 in __libc_start_main libc-start.c:287

SUMMARY: AddressSanitizer: 22645 byte(s) leaked in 11 allocation(s).

testcase:
https://github.com/jgj212/poc/blob/master/leak-ReadMATImage

Credit: ADLab of Venustech
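An added C model of the leak class the LeakSanitizer trace points at: a per-read clone of the options structure (CloneImageInfo at mat.c:896 in the report) that is never released when the reader bails out on a tiny input. This is not ImageMagick's code; OptionsInfo, clone_options, destroy_options and the 128-byte header check are stand-ins, and the "fixed" variant shows the single-cleanup-point shape such a fix takes, not the project's actual commit. The live-allocation counter is a minimal leak check a test suite can assert on without a sanitizer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for ImageInfo / CloneImageInfo / DestroyImageInfo. */
typedef struct { char *options; } OptionsInfo;

static int live_allocations = 0;   /* leak counter: clone +1, destroy -1 */

static OptionsInfo *clone_options(const OptionsInfo *src) {
    OptionsInfo *c = malloc(sizeof *c);
    c->options = malloc(strlen(src->options) + 1);
    strcpy(c->options, src->options);
    live_allocations++;
    return c;
}

static void destroy_options(OptionsInfo *o) {
    free(o->options);
    free(o);
    live_allocations--;
}

/* Leaky reader: clones the options, then returns early on a truncated
   header without releasing the clone (the shape of the reported leak). */
static int read_mat_leaky(const unsigned char *buf, size_t len, const OptionsInfo *info) {
    OptionsInfo *clone = clone_options(info);
    (void)buf;
    if (len < 128)          /* a Level 5 MAT header is 128 bytes */
        return -1;          /* BUG: clone is never destroyed */
    destroy_options(clone);
    return 0;
}

/* Fixed reader: every exit path passes through one cleanup point. */
static int read_mat_fixed(const unsigned char *buf, size_t len, const OptionsInfo *info) {
    OptionsInfo *clone = clone_options(info);
    int status = 0;
    (void)buf;
    if (len < 128)
        status = -1;
    destroy_options(clone);
    return status;
}

/* Run a reader over a constructed 16-byte truncated input and report how
   many clones it left behind (0 means no leak). */
static int leaked_after(int (*reader)(const unsigned char *, size_t, const OptionsInfo *)) {
    static const unsigned char tiny_mat[16] = "MATLAB 5.0 MAT-";   /* constructed */
    OptionsInfo info = { "density=72" };
    int before = live_allocations;
    reader(tiny_mat, sizeof tiny_mat, &info);
    return live_allocations - before;
}

int main(void) {
    printf("leaky: %d clone(s) leaked\n", leaked_after(read_mat_leaky));
    printf("fixed: %d clone(s) leaked\n", leaked_after(read_mat_fixed));
    return 0;
}
```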

@mikayla-grace


commented Jun 24, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

dlemstra pushed a commit that referenced this issue Jun 24, 2017

Cristy

@dlemstra dlemstra added the bug label Jun 24, 2017

@dlemstra dlemstra closed this Jun 24, 2017

@bastien-roucaries


commented Jul 14, 2017

Where is the v6 patch?

@dlemstra

Member

commented Jul 14, 2017

Here: bd428b8
