Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

memory exhaustion in ReadDCMImage #533

Closed
jgj212 opened this issue Jun 29, 2017 · 2 comments
Closed

memory exhaustion in ReadDCMImage #533

jgj212 opened this issue Jun 29, 2017 · 2 comments
Labels
bug

Comments

@jgj212
Copy link
Contributor

jgj212 commented Jun 29, 2017
edited
Loading

Version: ImageMagick 7.0.6-1 Q16 x86_64

$magick identify $FILE

When identify DCM file , imagemagick will allocate memory to store the data.

Here is the critical code:

              if (~length >= 1)
                data=(unsigned char *) AcquireQuantumMemory(length+1,quantum*       // line 3273
                  sizeof(*data));

length can be controlled as follow:

  int
    *bluemap,
    datum,       // line 3010
    *greenmap,
    *graymap,
    *redmap;

    ...

  size_t
    colors,
    height,
    length,
    number_scenes,
    quantum,      // line 3035
    status,
    width;

    ...

    datum=0;  // line 3179
    if (quantum == 4)
      {
        if (group == 0x0002)
          datum=ReadBlobLSBSignedLong(image);
        else
          datum=ReadBlobSignedLong(image);
      }
    else
      if (quantum == 2)
        {
          if (group == 0x0002)
            datum=ReadBlobLSBSignedShort(image);
          else
            datum=ReadBlobSignedShort(image);
        }
    quantum=0;
    length=1;    // line 3196
    if (datum != 0)
      {
        if ((strncmp(implicit_vr,"SS",2) == 0) ||
            (strncmp(implicit_vr,"US",2) == 0))
          quantum=2;
        else
          if ((strncmp(implicit_vr,"UL",2) == 0) ||
              (strncmp(implicit_vr,"SL",2) == 0) ||
              (strncmp(implicit_vr,"FL",2) == 0))
            quantum=4;
          else
            if (strncmp(implicit_vr,"FD",2) != 0)
              quantum=1;
            else
              quantum=8;
        if (datum != ~0)
          length=(size_t) datum/quantum;  // 3213, bomb
        else
          {
            /*
              Sequence and item of undefined length.
            */
            quantum=0;
            length=0;
          }
      }

datum is int which is 32bit and signed type, quantum is size_t which is 64bit and unsigned type.
datum is from file data, it is can be controlled, so can set datum value < 0.
quantum value is a constant as it just can be 1/2/4/8.

So if datum is a negative number, it will be convert to a unsigned 64bit which is very large in line 3213.
And the result "length" can be controlled as very large to cause memory exhaustion .

testcase:
https://github.com/jgj212/poc/blob/master/memory_exhaustion_in_ReadDCMImage

Credit: ADLab of Venustech
@mikayla-grace
Copy link

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

dlemstra pushed a commit that referenced this issue Jun 29, 2017
https://github.com/ImageMagick/ImageMagick/issues/533
9493314
dlemstra pushed a commit that referenced this issue Jun 29, 2017
https://github.com/ImageMagick/ImageMagick/issues/533
6bf56fb
@dlemstra dlemstra added the bug label Jun 29, 2017
@carnil
Copy link

carnil commented Aug 2, 2017
edited
Loading

This issue has been assigned CVE-2017-12140.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Milestone
No milestone
Development

No branches or pull requests
4 participants
@carnil @jgj212 @dlemstra @mikayla-grace