Version: ImageMagick 7.0.6-1 Q16 x86_64
#./magick identify $FILE
When identifying an MPC file, ImageMagick will allocate memory to store the data. Here is the critical code:
(Mpc.c, in function ReadMPCImage)
The "image->colors" can be obtained from the local value "options" as follows, and options is controlled by the image; in other words, "image->colors" can be read from the input file.
image->colors=StringToUnsignedLong(options); //402
The function StringToUnsignedLong converts a string to unsigned long type, but the return value was not checked.
Here is my policy.xml to limit memory usage, but the 256MB limit can be bypassed.
testcase: https://github.com/bestshow/p0cs/blob/master/memory_exhaustion_in_ReadMPCImage
Credit ADLab of Venustech
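An added example, not ImageMagick's code or its fix: a C sketch of the kind of validation the report says is missing, where a count parsed from an untrusted header is checked before it sizes an allocation. The names `parse_count`, `alloc_colormap`, `MEMORY_LIMIT_BYTES` and `ENTRY_SIZE` are hypothetical, `strtoul` stands in for the string-to-number conversion, and the 3-byte entry size and the "bytes left in the input" check are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical stand-ins for this example; not ImageMagick identifiers. */
#define MEMORY_LIMIT_BYTES ((size_t)256 * 1024 * 1024) /* the 256MB policy */
#define ENTRY_SIZE ((size_t)3)            /* assumed bytes per colormap entry */

/* Parse an untrusted decimal count. Unlike a bare strtoul() call, reject
   signs, leading whitespace, trailing junk and out-of-range values. */
static int parse_count(const char *value, unsigned long *out)
{
    char *end;
    if (value == NULL || !isdigit((unsigned char)*value))
        return -1;
    errno = 0;
    *out = strtoul(value, &end, 10);
    return (errno == ERANGE || *end != '\0') ? -1 : 0;
}

/* Allocate the colormap only when the requested size is sane. */
static void *alloc_colormap(const char *value, size_t bytes_left, size_t *count)
{
    unsigned long n;
    if (parse_count(value, &n) != 0 || n == 0)
        return NULL;
    if (n > SIZE_MAX / ENTRY_SIZE)        /* n * ENTRY_SIZE would overflow */
        return NULL;
    size_t need = (size_t)n * ENTRY_SIZE;
    /* Enforce the limit, and what the input can actually hold, before allocating. */
    if (need > MEMORY_LIMIT_BYTES || need > bytes_left)
        return NULL;
    *count = (size_t)n;
    return calloc((size_t)n, ENTRY_SIZE);
}

int main(void)
{
    /* Constructed header values, not taken from the linked test case. */
    const char *samples[] = { "256", "4294967295", "-1", "256abc" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t count = 0;
        void *map = alloc_colormap(samples[i], 4096, &count);
        printf("colors=%-12s -> %s\n", samples[i], map ? "allocated" : "rejected");
        free(map);
    }
    return 0;
}
```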