Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

memory exhaustion in ReadMPCImage #546

Closed
bestshow opened this issue Jul 6, 2017 · 3 comments

Comments

Projects
None yet
5 participants
@bestshow
Copy link

commented Jul 6, 2017

Version: ImageMagick 7.0.6-1 Q16 x86_64
#./magick identify $FILE
When identify MPC file , imagemagick will allocate memory to store the data, here is the critical code:
(Mpc.c , in function ReadMPCImage)

 image->colormap=(PixelInfo *) AcquireQuantumMemory(image->colors+1,  //856
          sizeof(*image->colormap));

The “image->colors" can be obtained from local value “options” as follow, and the options is controlled by image , in other words the “image->colors" can be read from input file.
image->colors=StringToUnsignedLong(options); //402

The function StringToUnsignedLong convert string to unsigned long type, but the return value was not checked.
Here is my policy.xml to limit memory usage,but 256MB limit can be bypassed.

...
<policy domain="resource" name="area" value="100MP"/>
<policy domain="resource" name="memory" value="256MiB”/>
...

testcase: https://github.com/bestshow/p0cs/blob/master/memory_exhaustion_in_ReadMPCImage
Credit ADLab of Venustech

dlemstra pushed a commit that referenced this issue Jul 6, 2017

Cristy
@mikayla-grace

This comment has been minimized.

Copy link

commented Jul 6, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

dlemstra pushed a commit that referenced this issue Jul 6, 2017

@dlemstra dlemstra added the bug label Jul 6, 2017

@dlemstra dlemstra closed this Jul 6, 2017

@bastien-roucaries

This comment has been minimized.

Copy link

commented Jul 9, 2017

@nohmask

This comment has been minimized.

Copy link

commented Sep 8, 2017

This was assigned CVE-2017-12430.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.