Description
Version: ImageMagick 7.0.6-1 Q16 x86_64
#./magick identify $FILE
When identifying a SUN file, ImageMagick allocates memory to store the data. Here is the critical code:

sun.c, in function ReadSUNImage:

    if (AcquireImageColormap(image,image->colors,exception) == MagickFalse) // sun.c:345
      ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");

colormap.c, in function AcquireImageColormap:

    image->colormap=(PixelInfo *) AcquireQuantumMemory(image->colors+1, // colormap.c:119
      sizeof(*image->colormap));

memory.c, in function AcquireQuantumMemory(const size_t count,const size_t quantum):

    extent=count*quantum; // memory.c:535
    return(AcquireMagickMemory(extent));

AcquireMagickMemory is the same as malloc.

image->colors can be controlled by the struct _SUNInfo value "sun_info", and sun_info is read with ReadBlobMSBLong(image) as follows; in other words, image->colors can be read from the input file.

    ...
    sun_info.width=ReadBlobMSBLong(image); // sun.c:309
    sun_info.height=ReadBlobMSBLong(image);
    sun_info.depth=ReadBlobMSBLong(image);
    sun_info.length=ReadBlobMSBLong(image);
    sun_info.type=ReadBlobMSBLong(image);
    sun_info.maptype=ReadBlobMSBLong(image);
    sun_info.maplength=ReadBlobMSBLong(image);
    ...

Here is my policy.xml to limit memory usage, but the 256MB limit can be bypassed.

    ...
    <policy domain="resource" name="area" value="100MP"/>
    <policy domain="resource" name="memory" value="256MiB"/>
    ...

testcase: https://github.com/bestshow/p0cs/blob/master/memory_exhaustion_in_ReadSUNImage
Credit: ADLab of Venustech
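
An added example, not part of the original report and not ImageMagick's code: a pre-allocation check that compares the colormap a SUN header declares against the bytes actually present in the file and against a byte budget, before the `(colors+1)*sizeof(entry)` request is made. The function name, the error codes, the 88-byte entry size and the sample header are constructed for illustration. It assumes the 32-byte header layout (4-byte magic followed by the seven fields above) and covers only the RGB-map case, assuming 3 bytes per colormap entry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SUN_HEADER_SIZE 32u  /* 4-byte magic + the seven 32-bit fields listed above */

enum { SUN_OK = 0, SUN_TRUNCATED = -1, SUN_MAP_TOO_LONG = -2,
       SUN_OVERFLOW = -3, SUN_OVER_LIMIT = -4 };

/* Big-endian 32-bit read, the byte order ReadBlobMSBLong uses. */
static uint32_t be32(const unsigned char *p)
{
  return ((uint32_t) p[0] << 24) | ((uint32_t) p[1] << 16) |
         ((uint32_t) p[2] << 8) | (uint32_t) p[3];
}

/* Hypothetical check: is the colormap this header asks for plausible?
   entry_size stands in for sizeof(*image->colormap); limit is the byte
   budget, e.g. the policy's memory value. */
static int sun_colormap_check(const unsigned char *file, size_t file_len,
                              size_t entry_size, size_t limit, size_t *extent)
{
  size_t maplength, colors, count;

  if (file_len < SUN_HEADER_SIZE)
    return SUN_TRUNCATED;
  maplength = be32(file + 28);            /* last header field: maplength */
  if (maplength > file_len - SUN_HEADER_SIZE)
    return SUN_MAP_TOO_LONG;              /* map larger than the bytes that follow */
  colors = maplength / 3;                 /* assumption: 3 bytes (R,G,B) per entry */
  count = colors + 1;                     /* AcquireImageColormap asks for colors+1 */
  if (entry_size != 0 && count > SIZE_MAX / entry_size)
    return SUN_OVERFLOW;                  /* count*quantum would wrap */
  *extent = count * entry_size;
  return (*extent > limit) ? SUN_OVER_LIMIT : SUN_OK;
}

/* Constructed sample: a 32-byte file whose header declares a 0x30000000-byte map. */
static const unsigned char sample_hostile[32] = {
  0x59,0xa6,0x6a,0x95, 0,0,0,1, 0,0,0,1, 0,0,0,8,
  0,0,0,1, 0,0,0,1, 0,0,0,1, 0x30,0,0,0 };

int main(void)
{
  size_t extent = 0;
  printf("hostile sample -> %d\n", sun_colormap_check(sample_hostile,
         sizeof sample_hostile, 88, 256u << 20, &extent));
  return 0;
}
```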