memory exhaustion in ReadOneJNGImage in png.c #549

Closed
jgj212 opened this issue Jul 8, 2017 · 2 comments
jgj212 commented Jul 8, 2017

Version: ImageMagick 7.0.6-1 Q16 x86_64

$magick identify $FILE

When identifying a JNG file that contains chunk data, ImageMagick will allocate memory to store the chunk data in the function ReadOneJNGImage.

Here is the critical code:

    if (length != 0)
      {
        chunk=(unsigned char *) AcquireQuantumMemory(length,sizeof(*chunk));   //length can be controlled

        if (chunk == (unsigned char *) NULL)
          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");

        for (i=0; i < (ssize_t) length; i++)
        {
          int
            c;

          c=ReadBlobByte(image);
          if (c == EOF)
            break;
          chunk[i]=(unsigned char) c;
        }

        p=chunk;
      }

length can be controlled as follows:

    length=ReadBlobMSBLong(image);   //length is from file data
    count=(unsigned int) ReadBlob(image,4,(unsigned char *) type);

    if (logging != MagickFalse)
      (void) LogMagickEvent(CoderEvent,GetMagickModule(),
        "  Reading JNG chunk type %c%c%c%c, length: %.20g",
        type[0],type[1],type[2],type[3],(double) length);

    if (length > PNG_UINT_31_MAX || count == 0)
      ThrowReaderException(CorruptImageError,"CorruptImage");

So the only limitation is that it must be smaller than PNG_UINT_31_MAX, which is still very large.

Also, when the chunk type is JDAT, it will write the chunk data to a file as follows:

    if (memcmp(type,mng_JDAT,4) == 0)
      {
        /* Copy chunk to color_image->blob */

        if (logging != MagickFalse)
          (void) LogMagickEvent(CoderEvent,GetMagickModule(),
            "    Copying JDAT chunk data to color_blob.");

        if (length != 0)
          {
            (void) WriteBlob(color_image,length,chunk);                //write very large chunk data to file
            chunk=(unsigned char *) RelinquishMagickMemory(chunk);
          }

        continue;
      }

So a crafted JNG file can cause memory exhaustion and large I/O.

testcase:
https://github.com/jgj212/poc/blob/master/mem-jng

Credit: ADLab of Venustech
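The pattern the report describes, a length field trusted straight from the file and handed to the allocator with only the PNG_UINT_31_MAX bound in between, is easiest to see next to a reader that checks the declared length against the bytes actually remaining and against a per-chunk budget before allocating. The following is an added example written for this page; it is not ImageMagick's code, not its eventual patch, and not the reporter's PoC. The names `struct blob`, `read_chunk`, `scan_chunks`, `accepted_chunks` and the `MAX_CHUNK_BYTES` budget are assumptions made for the example, the in-memory buffer stands in for the decoder's blob, and the two input streams are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PNG_UINT_31_MAX 0x7fffffffU           /* the bound png.c already checks */
#define MAX_CHUNK_BYTES (16u * 1024u * 1024u) /* hypothetical per-chunk budget */

enum chunk_status { CHUNK_OK = 0, CHUNK_EOF, CHUNK_CORRUPT, CHUNK_TOO_LARGE, CHUNK_OOM };

/* In-memory stand-in for the decoder's blob: the file already loaded into a buffer. */
struct blob { const unsigned char *data; size_t size; size_t pos; };

static size_t blob_remaining(const struct blob *b) { return b->size - b->pos; }

/* Big-endian 32-bit read, the layout ReadBlobMSBLong consumes; 0 on short read. */
static int read_msb_long(struct blob *b, uint32_t *out)
{
    const unsigned char *p = b->data + b->pos;
    if (blob_remaining(b) < 4)
        return 0;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    b->pos += 4;
    return 1;
}

/* Read one chunk: 4-byte length, 4-byte type, payload, 4-byte CRC (skipped, not
   verified). On CHUNK_OK the caller owns *chunk and must free() it. */
enum chunk_status read_chunk(struct blob *b, char type[4], unsigned char **chunk,
                             uint32_t *length, size_t max_bytes)
{
    *chunk = NULL; *length = 0;
    if (blob_remaining(b) == 0)
        return CHUNK_EOF;
    if (!read_msb_long(b, length) || blob_remaining(b) < 4)
        return CHUNK_CORRUPT;
    memcpy(type, b->data + b->pos, 4);
    b->pos += 4;
    /* The check the report quotes: a PNG-style length may not exceed 2^31-1. */
    if (*length > PNG_UINT_31_MAX)
        return CHUNK_CORRUPT;
    /* Added checks, before any allocation: the declared payload plus its CRC must
       fit in the bytes that actually remain, and must stay under the per-chunk
       budget. A 2 GiB length in a 12-byte file is rejected here instead of being
       handed to the allocator and then written out as a JDAT blob. */
    if ((size_t)*length + 4 > blob_remaining(b))
        return CHUNK_CORRUPT;
    if (*length > max_bytes)
        return CHUNK_TOO_LARGE;
    if (*length != 0) {
        *chunk = (unsigned char *)malloc(*length);
        if (*chunk == NULL)
            return CHUNK_OOM;
        memcpy(*chunk, b->data + b->pos, *length);
        b->pos += *length;
    }
    b->pos += 4; /* skip the CRC word */
    return CHUNK_OK;
}

/* Walk every chunk in a buffer. Returns the status that ended the walk and, via
   accepted (may be NULL), how many chunks passed the checks. */
enum chunk_status scan_chunks(const unsigned char *data, size_t size,
                              size_t max_bytes, size_t *accepted)
{
    struct blob b = { data, size, 0 };
    size_t n = 0;
    enum chunk_status st;
    for (;;) {
        char type[4];
        unsigned char *chunk;
        uint32_t length;
        st = read_chunk(&b, type, &chunk, &length, max_bytes);
        if (st != CHUNK_OK)
            break;
        n++;
        free(chunk);
    }
    if (accepted != NULL)
        *accepted = n;
    return st;
}

size_t accepted_chunks(const unsigned char *data, size_t size, size_t max_bytes)
{
    size_t n;
    (void)scan_chunks(data, size, max_bytes, &n);
    return n;
}

/* Constructed inputs (not the reporter's PoC): a small well-formed stream, and one
   whose only chunk declares 0x7FFFFFFF bytes but carries four. */
const unsigned char good_stream[] = {
    0, 0, 0, 2, 'J', 'H', 'D', 'R', 0xAA, 0xBB, 0, 0, 0, 0,
    0, 0, 0, 3, 'J', 'D', 'A', 'T', 1, 2, 3, 0, 0, 0, 0,
};
const unsigned char crafted_stream[] = { 0x7F, 0xFF, 0xFF, 0xFF, 'J', 'D', 'A', 'T', 1, 2, 3, 4 };
```

With the default budget, `scan_chunks` accepts both chunks of `good_stream` and ends with `CHUNK_EOF`, while `crafted_stream` is rejected as `CHUNK_CORRUPT` before a single byte is allocated because its declared length cannot fit in the four bytes that follow. Passing a budget of 2 shows the second check in isolation: the 3-byte JDAT chunk fits the file but exceeds the budget and returns `CHUNK_TOO_LARGE`. A streaming decoder that cannot know the total size up front would keep the second check and, for the first, compare against whatever size it can obtain for the blob.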

@mikayla-grace

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@nohmask

nohmask commented Sep 8, 2017

This was assigned CVE-2017-12643.
