
memory leak in ReadMATImage #553

Closed
jgj212 opened this issue Jul 9, 2017 · 2 comments

@jgj212

jgj212 commented Jul 9, 2017

Version: ImageMagick 7.0.6-1 Q16 x86_64

#./magick identify $FILE

=================================================================
==8197==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 13024 byte(s) in 1 object(s) allocated from:
    #0 0x4def96 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7fb96b72ef76 in AcquireMagickMemory memory.c:463:10
    #2 0x7fb96b6e2753 in AcquireImageInfo image.c:347:28
    #3 0x7fb96b6eb8c3 in CloneImageInfo image.c:952:14
    #4 0x7fb96baf8c25 in ReadMATImage mat.c:951:16
    #5 0x7fb96b51ef98 in ReadImage constitute.c:497:13
    #6 0x7fb96b895bd9 in ReadStream stream.c:1045:9
    #7 0x7fb96b51db3f in PingImage constitute.c:226:9
    #8 0x7fb96b51e2e3 in PingImages constitute.c:327:10
    #9 0x7fb96ac7f126 in IdentifyImageCommand identify.c:319:18
    #10 0x7fb96ad3cdff in MagickCommandGenesis mogrify.c:183:14
    #11 0x514f77 in MagickMain magick.c:151:10
    #12 0x5149d1 in main magick.c:263:10
    #13 0x7fb96557af44 in __libc_start_main libc-start.c:287

Indirect leak of 9096 byte(s) in 1 object(s) allocated from:
    #0 0x4def96 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7fb96b72ef76 in AcquireMagickMemory memory.c:463:10
    #2 0x7fb96b72efd8 in AcquireQuantumMemory memory.c:536:10
    #3 0x7fb96b4ad1e4 in AcquirePixelCache cache.c:195:28
    #4 0x7fb96b89586c in ReadStream stream.c:1027:20
    #5 0x7fb96b51db3f in PingImage constitute.c:226:9
    #6 0x7fb96b51e2e3 in PingImages constitute.c:327:10
    #7 0x7fb96ac7f126 in IdentifyImageCommand identify.c:319:18
    #8 0x7fb96ad3cdff in MagickCommandGenesis mogrify.c:183:14
    #9 0x514f77 in MagickMain magick.c:151:10
    #10 0x5149d1 in main magick.c:263:10
    #11 0x7fb96557af44 in __libc_start_main libc-start.c:287

Indirect leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x4def96 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7fb96b72ef76 in AcquireMagickMemory memory.c:463:10
    #2 0x7fb96b72efd8 in AcquireQuantumMemory memory.c:536:10
    #3 0x7fb96b4adca4 in AcquirePixelCacheNexus cache.c:268:31
    #4 0x7fb96b4ad704 in AcquirePixelCache cache.c:211:26
    #5 0x7fb96b89586c in ReadStream stream.c:1027:20
    #6 0x7fb96b51db3f in PingImage constitute.c:226:9
    #7 0x7fb96b51e2e3 in PingImages constitute.c:327:10
    #8 0x7fb96ac7f126 in IdentifyImageCommand identify.c:319:18
    #9 0x7fb96ad3cdff in MagickCommandGenesis mogrify.c:183:14
    #10 0x514f77 in MagickMain magick.c:151:10
    #11 0x5149d1 in main magick.c:263:10
    #12 0x7fb96557af44 in __libc_start_main libc-start.c:287

Indirect leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x4def96 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7fb96b72ef76 in AcquireMagickMemory memory.c:463:10
    #2 0x7fb96b87d9d8 in NewSplayTree splay-tree.c:1106
    #3 0x7fb96b87c944 in CloneSplayTree splay-tree.c:359
    #4 0x7fb96b75f755 in CloneImageOptions option.c:1880:27
    #5 0x7fb96b6ed174 in CloneImageInfo image.c:1007:10
    #6 0x7fb96baf8c25 in ReadMATImage mat.c:951:16
    #7 0x7fb96b51ef98 in ReadImage constitute.c:497:13
    #8 0x7fb96b895bd9 in ReadStream stream.c:1045:9
    #9 0x7fb96b51db3f in PingImage constitute.c:226:9
    #10 0x7fb96b51e2e3 in PingImages constitute.c:327:10
    #11 0x7fb96ac7f126 in IdentifyImageCommand identify.c:319:18
    #12 0x7fb96ad3cdff in MagickCommandGenesis mogrify.c:183:14
    #13 0x514f77 in MagickMain magick.c:151:10
    #14 0x5149d1 in main magick.c:263:10
    #15 0x7fb96557af44 in __libc_start_main libc-start.c:287

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfaf5 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7fb96b72edb2 in AcquireAlignedMemory memory.c:261:7
    #2 0x7fb96b4adbae in AcquirePixelCacheNexus cache.c:264:29
    #3 0x7fb96b4ad704 in AcquirePixelCache cache.c:211:26
    #4 0x7fb96b89586c in ReadStream stream.c:1027:20
    #5 0x7fb96b51db3f in PingImage constitute.c:226:9
    #6 0x7fb96b51e2e3 in PingImages constitute.c:327:10
    #7 0x7fb96ac7f126 in IdentifyImageCommand identify.c:319:18
    #8 0x7fb96ad3cdff in MagickCommandGenesis mogrify.c:183:14
    #9 0x514f77 in MagickMain magick.c:151:10
    #10 0x5149d1 in main magick.c:263:10
    #11 0x7fb96557af44 in __libc_start_main libc-start.c:287

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfaf5 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7fb96b86b788 in AcquireSemaphoreMemory semaphore.c:154:7
    #2 0x7fb96b86affc in AcquireSemaphoreInfo semaphore.c:200:36
    #3 0x7fb96b4ad9c3 in AcquirePixelCache cache.c:226:25
    #4 0x7fb96b89586c in ReadStream stream.c:1027:20
    #5 0x7fb96b51db3f in PingImage constitute.c:226:9
    #6 0x7fb96b51e2e3 in PingImages constitute.c:327:10
    #7 0x7fb96ac7f126 in IdentifyImageCommand identify.c:319:18
    #8 0x7fb96ad3cdff in MagickCommandGenesis mogrify.c:183:14
    #9 0x514f77 in MagickMain magick.c:151:10
    #10 0x5149d1 in main magick.c:263:10
    #11 0x7fb96557af44 in __libc_start_main libc-start.c:287

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfaf5 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7fb96b86b788 in AcquireSemaphoreMemory semaphore.c:154:7
    #2 0x7fb96b86affc in AcquireSemaphoreInfo semaphore.c:200:36
    #3 0x7fb96b87db03 in NewSplayTree splay-tree.c:1119
    #4 0x7fb96b87c944 in CloneSplayTree splay-tree.c:359
    #5 0x7fb96b75f755 in CloneImageOptions option.c:1880:27
    #6 0x7fb96b6ed174 in CloneImageInfo image.c:1007:10
    #7 0x7fb96baf8c25 in ReadMATImage mat.c:951:16
    #8 0x7fb96b51ef98 in ReadImage constitute.c:497:13
    #9 0x7fb96b895bd9 in ReadStream stream.c:1045:9
    #10 0x7fb96b51db3f in PingImage constitute.c:226:9
    #11 0x7fb96b51e2e3 in PingImages constitute.c:327:10
    #12 0x7fb96ac7f126 in IdentifyImageCommand identify.c:319:18
    #13 0x7fb96ad3cdff in MagickCommandGenesis mogrify.c:183:14
    #14 0x514f77 in MagickMain magick.c:151:10
    #15 0x5149d1 in main magick.c:263:10
    #16 0x7fb96557af44 in __libc_start_main libc-start.c:287

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfaf5 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7fb96b86b788 in AcquireSemaphoreMemory semaphore.c:154:7
    #2 0x7fb96b86affc in AcquireSemaphoreInfo semaphore.c:200:36
    #3 0x7fb96b4ada52 in AcquirePixelCache cache.c:228:30
    #4 0x7fb96b89586c in ReadStream stream.c:1027:20
    #5 0x7fb96b51db3f in PingImage constitute.c:226:9
    #6 0x7fb96b51e2e3 in PingImages constitute.c:327:10
    #7 0x7fb96ac7f126 in IdentifyImageCommand identify.c:319:18
    #8 0x7fb96ad3cdff in MagickCommandGenesis mogrify.c:183:14
    #9 0x514f77 in MagickMain magick.c:151:10
    #10 0x5149d1 in main magick.c:263:10
    #11 0x7fb96557af44 in __libc_start_main libc-start.c:287

Indirect leak of 32 byte(s) in 1 object(s) allocated from:
    #0 0x4def96 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7fb96b72ef76 in AcquireMagickMemory memory.c:463:10
    #2 0x7fb96b87c533 in AddValueToSplayTree splay-tree.c:188
    #3 0x7fb96b87c9dc in CloneSplayTree splay-tree.c:371
    #4 0x7fb96b75f755 in CloneImageOptions option.c:1880:27
    #5 0x7fb96b6ed174 in CloneImageInfo image.c:1007:10
    #6 0x7fb96baf8c25 in ReadMATImage mat.c:951:16
    #7 0x7fb96b51ef98 in ReadImage constitute.c:497:13
    #8 0x7fb96b895bd9 in ReadStream stream.c:1045:9
    #9 0x7fb96b51db3f in PingImage constitute.c:226:9
    #10 0x7fb96b51e2e3 in PingImages constitute.c:327:10
    #11 0x7fb96ac7f126 in IdentifyImageCommand identify.c:319:18
    #12 0x7fb96ad3cdff in MagickCommandGenesis mogrify.c:183:14
    #13 0x514f77 in MagickMain magick.c:151:10
    #14 0x5149d1 in main magick.c:263:10
    #15 0x7fb96557af44 in __libc_start_main libc-start.c:287

Indirect leak of 9 byte(s) in 1 object(s) allocated from:
    #0 0x4def96 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7fb96b72ef76 in AcquireMagickMemory memory.c:463:10
    #2 0x7fb96b72efd8 in AcquireQuantumMemory memory.c:536:10
    #3 0x7fb96b8ab283 in ConstantString string.c:701:26
    #4 0x7fb96b87c9c7 in CloneSplayTree splay-tree.c:371
    #5 0x7fb96b75f755 in CloneImageOptions option.c:1880:27
    #6 0x7fb96b6ed174 in CloneImageInfo image.c:1007:10
    #7 0x7fb96baf8c25 in ReadMATImage mat.c:951:16
    #8 0x7fb96b51ef98 in ReadImage constitute.c:497:13
    #9 0x7fb96b895bd9 in ReadStream stream.c:1045:9
    #10 0x7fb96b51db3f in PingImage constitute.c:226:9
    #11 0x7fb96b51e2e3 in PingImages constitute.c:327:10
    #12 0x7fb96ac7f126 in IdentifyImageCommand identify.c:319:18
    #13 0x7fb96ad3cdff in MagickCommandGenesis mogrify.c:183:14
    #14 0x514f77 in MagickMain magick.c:151:10
    #15 0x5149d1 in main magick.c:263:10
    #16 0x7fb96557af44 in __libc_start_main libc-start.c:287

Indirect leak of 4 byte(s) in 1 object(s) allocated from:
    #0 0x4def96 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7fb96b72ef76 in AcquireMagickMemory memory.c:463:10
    #2 0x7fb96b72efd8 in AcquireQuantumMemory memory.c:536:10
    #3 0x7fb96b8ab283 in ConstantString string.c:701:26
    #4 0x7fb96b87c9b1 in CloneSplayTree splay-tree.c:372
    #5 0x7fb96b75f755 in CloneImageOptions option.c:1880:27
    #6 0x7fb96b6ed174 in CloneImageInfo image.c:1007:10
    #7 0x7fb96baf8c25 in ReadMATImage mat.c:951:16
    #8 0x7fb96b51ef98 in ReadImage constitute.c:497:13
    #9 0x7fb96b895bd9 in ReadStream stream.c:1045:9
    #10 0x7fb96b51db3f in PingImage constitute.c:226:9
    #11 0x7fb96b51e2e3 in PingImages constitute.c:327:10
    #12 0x7fb96ac7f126 in IdentifyImageCommand identify.c:319:18
    #13 0x7fb96ad3cdff in MagickCommandGenesis mogrify.c:183:14
    #14 0x514f77 in MagickMain magick.c:151:10
    #15 0x5149d1 in main magick.c:263:10
    #16 0x7fb96557af44 in __libc_start_main libc-start.c:287

SUMMARY: AddressSanitizer: 22597 byte(s) leaked in 11 allocation(s).

testcase: https://github.com/jgj212/poc/blob/master/leak-ReadMATImage2

Credit: ADLab of Venustech
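A triage script for reports like the one above, added here and not part of the issue or of ImageMagick: it parses the LeakSanitizer blocks, attributes each leak to the first frame that is neither an allocator interceptor nor an Acquire*/Clone*/New* constructor (a heuristic assumed from ImageMagick's naming), ranks leaked bytes per owning frame, and cross-checks the SUMMARY line so a truncated log is caught. The sample report is a constructed excerpt of the one above.

```python
import re
# Constructed excerpt of the LSan report above (two of its eleven leaks; SUMMARY recomputed to match).
SAMPLE = """\
Direct leak of 13024 byte(s) in 1 object(s) allocated from:
    #0 0x4def96 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7fb96b72ef76 in AcquireMagickMemory memory.c:463:10
    #2 0x7fb96b6e2753 in AcquireImageInfo image.c:347:28
    #3 0x7fb96b6eb8c3 in CloneImageInfo image.c:952:14
    #4 0x7fb96baf8c25 in ReadMATImage mat.c:951:16

Indirect leak of 9096 byte(s) in 1 object(s) allocated from:
    #0 0x4def96 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7fb96b72ef76 in AcquireMagickMemory memory.c:463:10
    #2 0x7fb96b72efd8 in AcquireQuantumMemory memory.c:536:10
    #3 0x7fb96b4ad1e4 in AcquirePixelCache cache.c:195:28
    #4 0x7fb96b89586c in ReadStream stream.c:1027:20

SUMMARY: AddressSanitizer: 22120 byte(s) leaked in 2 allocation(s).
"""

LEAK_RE = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
# ImageMagick heuristic (assumed): interceptors and Acquire*/Clone*/New* constructors allocate for their caller.
SKIP = re.compile(r"^(__interceptor_\w+|posix_memalign|Acquire\w*|Clone\w*|New\w*)$")

def parse_leaks(report):
    """Return [(kind, bytes, objects, [(function, file:line), ...]), ...], one per leak block."""
    leaks = []
    for line in report.splitlines():
        if m := LEAK_RE.match(line):
            leaks.append((m[1], int(m[2]), int(m[3]), []))
        elif (f := FRAME_RE.match(line)) and leaks:
            leaks[-1][3].append((f[1], f[2]))
    return leaks

def blame(frames):
    """Owner frame for a leak block: the first frame that is not skipped, e.g. 'ReadMATImage mat.c:951:16'."""
    return next((f"{fn} {loc}" for fn, loc in frames if not SKIP.match(fn)), "unknown")

def triage(report):
    """Map (kind, owner frame) -> (leaked bytes, leak blocks) so fixes can be ranked by owner."""
    totals = {}
    for kind, nbytes, _, frames in parse_leaks(report):
        key = (kind, blame(frames))
        b, n = totals.get(key, (0, 0))
        totals[key] = (b + nbytes, n + 1)
    return totals

def summary_consistent(report):
    """Cross-check the blocks against LSan's SUMMARY line; False flags a truncated or mixed log."""
    m = re.search(r"(\d+) byte\(s\) leaked in (\d+) allocation\(s\)", report)
    leaks = parse_leaks(report)
    return bool(m) and (int(m[1]), int(m[2])) == (sum(l[1] for l in leaks), sum(l[2] for l in leaks))
```

Run against the full report in the issue, the direct 13024-byte leak and the option splay-tree leaks all land on the same ReadMATImage frame, which is the one place a fix needs to go.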

@mikayla-grace

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@nohmask

nohmask commented Sep 8, 2017

This was assigned CVE-2017-12667.
