Memory Leak in WriteMPCImage() #563

lcatro · 2017-07-16T15:36:17Z

Memory Leak Sample Link : https://raw.githubusercontent.com/lcatro/My_PoC/master/ImageMagick/imagemagick_output_mpc_memory_leak_WriteMPCImage

Trigger Command : ./magick convert imagemagick_output_mpc_memory_leak_WriteMPCImage output.mpc

Leak Detail :

fuzzing@ubuntu:~/fuzzing/ImageMagick/utilities$ ./magick convert imagemagick_output_mpc_memory_leak_WriteMPCImage output.mpc
convert: UnableToOpenConfigureFile `magic.xml' @ warning/configure.c/GetConfigureOptions/715.

=================================================================
==2307==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 9096 byte(s) in 1 object(s) allocated from:
    #0 0x7f8563655602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7f8562b5e981 in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x7f8562b5e9d5 in AcquireQuantumMemory MagickCore/memory.c:537
    #3 0x7f856294802f in AcquirePixelCache MagickCore/cache.c:195
    #4 0x7f8562948fc9 in ClonePixelCache MagickCore/cache.c:418
    #5 0x7f8562957a19 in PersistPixelCache MagickCore/cache.c:3829
    #6 0x7f8562dfc059 in WriteMPCImage coders/mpc.c:1493
    #7 0x7f85629ba1c6 in WriteImage MagickCore/constitute.c:1114
    #8 0x7f85629bae42 in WriteImages MagickCore/constitute.c:1333
    #9 0x7f856220d3eb in ConvertImageCommand MagickWand/convert.c:3280
    #10 0x7f8562305d98 in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x4017f1 in MagickMain utilities/magick.c:149
    #12 0x4019d2 in main utilities/magick.c:180
    #13 0x7f8561a7a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Indirect leak of 528 byte(s) in 1 object(s) allocated from:
    #0 0x7f8563655602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7f8562b5e981 in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x7f8562b5e9d5 in AcquireQuantumMemory MagickCore/memory.c:537
    #3 0x7f8562948871 in AcquirePixelCacheNexus MagickCore/cache.c:268
    #4 0x7f8562948428 in AcquirePixelCache MagickCore/cache.c:211
    #5 0x7f8562948fc9 in ClonePixelCache MagickCore/cache.c:418
    #6 0x7f8562957a19 in PersistPixelCache MagickCore/cache.c:3829
    #7 0x7f8562dfc059 in WriteMPCImage coders/mpc.c:1493
    #8 0x7f85629ba1c6 in WriteImage MagickCore/constitute.c:1114
    #9 0x7f85629bae42 in WriteImages MagickCore/constitute.c:1333
    #10 0x7f856220d3eb in ConvertImageCommand MagickWand/convert.c:3280
    #11 0x7f8562305d98 in MagickCommandGenesis MagickWand/mogrify.c:183
    #12 0x4017f1 in MagickMain utilities/magick.c:149
    #13 0x4019d2 in main utilities/magick.c:180
    #14 0x7f8561a7a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7f8563656076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x7f8562b5e8de in AcquireAlignedMemory MagickCore/memory.c:262
    #2 0x7f8562948780 in AcquirePixelCacheNexus MagickCore/cache.c:264
    #3 0x7f8562948428 in AcquirePixelCache MagickCore/cache.c:211
    #4 0x7f8562948fc9 in ClonePixelCache MagickCore/cache.c:418
    #5 0x7f8562957a19 in PersistPixelCache MagickCore/cache.c:3829
    #6 0x7f8562dfc059 in WriteMPCImage coders/mpc.c:1493
    #7 0x7f85629ba1c6 in WriteImage MagickCore/constitute.c:1114
    #8 0x7f85629bae42 in WriteImages MagickCore/constitute.c:1333
    #9 0x7f856220d3eb in ConvertImageCommand MagickWand/convert.c:3280
    #10 0x7f8562305d98 in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x4017f1 in MagickMain utilities/magick.c:149
    #12 0x4019d2 in main utilities/magick.c:180
    #13 0x7f8561a7a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7f8563656076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x7f8562c420fc in AcquireSemaphoreMemory MagickCore/semaphore.c:154
    #2 0x7f8562c421b8 in AcquireSemaphoreInfo MagickCore/semaphore.c:200
    #3 0x7f8562948631 in AcquirePixelCache MagickCore/cache.c:226
    #4 0x7f8562948fc9 in ClonePixelCache MagickCore/cache.c:418
    #5 0x7f8562957a19 in PersistPixelCache MagickCore/cache.c:3829
    #6 0x7f8562dfc059 in WriteMPCImage coders/mpc.c:1493
    #7 0x7f85629ba1c6 in WriteImage MagickCore/constitute.c:1114
    #8 0x7f85629bae42 in WriteImages MagickCore/constitute.c:1333
    #9 0x7f856220d3eb in ConvertImageCommand MagickWand/convert.c:3280
    #10 0x7f8562305d98 in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x4017f1 in MagickMain utilities/magick.c:149
    #12 0x4019d2 in main utilities/magick.c:180
    #13 0x7f8561a7a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7f8563656076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x7f8562c420fc in AcquireSemaphoreMemory MagickCore/semaphore.c:154
    #2 0x7f8562c421b8 in AcquireSemaphoreInfo MagickCore/semaphore.c:200
    #3 0x7f85629486a1 in AcquirePixelCache MagickCore/cache.c:228
    #4 0x7f8562948fc9 in ClonePixelCache MagickCore/cache.c:418
    #5 0x7f8562957a19 in PersistPixelCache MagickCore/cache.c:3829
    #6 0x7f8562dfc059 in WriteMPCImage coders/mpc.c:1493
    #7 0x7f85629ba1c6 in WriteImage MagickCore/constitute.c:1114
    #8 0x7f85629bae42 in WriteImages MagickCore/constitute.c:1333
    #9 0x7f856220d3eb in ConvertImageCommand MagickWand/convert.c:3280
    #10 0x7f8562305d98 in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x4017f1 in MagickMain utilities/magick.c:149
    #12 0x4019d2 in main utilities/magick.c:180
    #13 0x7f8561a7a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: 9816 byte(s) leaked in 5 allocation(s).

The text was updated successfully, but these errors were encountered:

mikayla-grace · 2017-07-16T17:48:10Z

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

mikayla-grace · 2017-07-23T18:21:21Z

Our patch was incomplete, revert patch until we come up with a better solution.

mikayla-grace · 2017-07-23T22:55:09Z

Fixed with 184a047 and 46bcb8a.

bastien-roucaries · 2017-07-26T21:03:52Z

This is https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869726 and CVE-2017-11532

dlemstra pushed a commit that referenced this issue Jul 16, 2017

https://github.com/ImageMagick/ImageMagick/issues/563

2cdff28

dlemstra pushed a commit that referenced this issue Jul 16, 2017

https://github.com/ImageMagick/ImageMagick/issues/563

259340b

dlemstra pushed a commit that referenced this issue Jul 16, 2017

https://github.com/ImageMagick/ImageMagick/issues/563

d60d705

dlemstra added the bug label Jul 16, 2017

dlemstra closed this as completed Jul 16, 2017

dlemstra reopened this Jul 23, 2017

dlemstra closed this as completed Jul 24, 2017

mikayla-grace referenced this issue Jul 26, 2017

...

16890cd

dlemstra pushed a commit that referenced this issue Jul 26, 2017

https://github.com/ImageMagick/ImageMagick/issues/563

68ce166

bastien-roucaries referenced this issue Jul 26, 2017

https://github.com/ImageMagick/ImageMagick/issues/552

184a047

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Memory Leak in WriteMPCImage() #563

Memory Leak in WriteMPCImage() #563

lcatro commented Jul 16, 2017

mikayla-grace commented Jul 16, 2017

mikayla-grace commented Jul 23, 2017

mikayla-grace commented Jul 23, 2017

bastien-roucaries commented Jul 26, 2017

Memory Leak in WriteMPCImage() #563

Memory Leak in WriteMPCImage() #563

Comments

lcatro commented Jul 16, 2017

mikayla-grace commented Jul 16, 2017

mikayla-grace commented Jul 23, 2017

mikayla-grace commented Jul 23, 2017

bastien-roucaries commented Jul 26, 2017