Closed
Description
Version: ImageMagick 7.0.6-1 Q16 x86_64
#./magick identify $FILE
When identify MPC file , imagemagick will allocate memory to store the data, here is the critical code:
(Mpc.c , in function ReadMPCImage)
image->colormap=(PixelInfo *) AcquireQuantumMemory(image->colors+1, //856
sizeof(*image->colormap));
The “image->colors" can be obtained from local value “options” as follow, and the options is controlled by image , in other words the “image->colors" can be read from input file.
image->colors=StringToUnsignedLong(options); //402
The function StringToUnsignedLong convert string to unsigned long type, but the return value was not checked.
Here is my policy.xml to limit memory usage,but 256MB limit can be bypassed.
...
<policy domain="resource" name="area" value="100MP"/>
<policy domain="resource" name="memory" value="256MiB”/>
...
testcase: https://github.com/bestshow/p0cs/blob/master/memory_exhaustion_in_ReadMPCImage
Credit ADLab of Venustech