memory exhaustion in ReadMPCImage #546
Labels
Comments
dlemstra
pushed a commit
that referenced
this issue
Jul 6, 2017
|
Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow. |
|
This fixed by adding f19ccf2#diff-5c034a4e58a115889f4296d6ff79d84e |
|
This was assigned CVE-2017-12430. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Version: ImageMagick 7.0.6-1 Q16 x86_64
#./magick identify $FILEWhen identify MPC file , imagemagick will allocate memory to store the data, here is the critical code:
(Mpc.c , in function ReadMPCImage)
The “image->colors" can be obtained from local value “options” as follow, and the options is controlled by image , in other words the “image->colors" can be read from input file.
image->colors=StringToUnsignedLong(options); //402The function StringToUnsignedLong convert string to unsigned long type, but the return value was not checked.
Here is my policy.xml to limit memory usage,but 256MB limit can be bypassed.
testcase: https://github.com/bestshow/p0cs/blob/master/memory_exhaustion_in_ReadMPCImage
Credit ADLab of Venustech
The text was updated successfully, but these errors were encountered: