Closed
Description
Version: ImageMagick 7.0.6-2 Q16 x86_64
#./magick identify $FILE
When identifying a PSD file, ImageMagick will allocate memory to store the data. Here is the critical code:
psd.c, in function ReadPSDImage:
    blocks=(unsigned char *) AcquireQuantumMemory((size_t) length,  // psd.c:2113
      sizeof(*blocks));
    if (blocks == (unsigned char *) NULL)
      ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
    count=ReadBlob(image,(size_t) length,blocks);
    if ((count != (ssize_t) length) || (length < 4) ||
        (LocaleNCompare((char *) blocks,"8BIM",4) != 0))
      {
        blocks=(unsigned char *) RelinquishMagickMemory(blocks);
        ThrowReaderException(CorruptImageError,"ImproperImageHeader");
      }
length can be read from the image; that is to say, it can be controlled by the input file.
    length=ReadBlobMSBLong(image);  // psd.c:2100
Here is my policy.xml to limit memory usage, but the 256MB limit can be bypassed.
...
<policy domain="resource" name="area" value="100MP"/>
<policy domain="resource" name="memory" value="256MiB"/>
...
testcase: https://github.com/bestshow/p0cs/blob/master/memory_exhaustion_in_ReadPSDImage
Credit: ADLab of Venustech
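One way to bound a length-prefixed read like the one in the report, shown as an added example that is not ImageMagick's code or its fix: the declared length is checked against a caller-supplied ceiling and against the bytes actually present before anything is allocated. `Blob`, `read_block`, `block_status` and the status codes are hypothetical names, and both sample buffers are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical in-memory stand-in for the image blob (not an ImageMagick type). */
typedef struct { const unsigned char *data; size_t size, pos; } Blob;
enum { BLOCK_OK, BLOCK_TRUNCATED, BLOCK_TOO_LARGE, BLOCK_BAD_MAGIC, BLOCK_NO_MEMORY };

/* Constructed samples: a 4-byte big-endian length followed by block data. */
const unsigned char SAMPLE_OVERSIZED[] = { 0x7f,0xff,0xff,0xff, '8','B','I','M' };
const unsigned char SAMPLE_VALID[]     = { 0x00,0x00,0x00,0x08, '8','B','I','M', 0,0,0,0 };

/* Read the big-endian length field, as the ReadBlobMSBLong call in the excerpt does. */
static int read_msb_long(Blob *b, uint32_t *out)
{
  const unsigned char *p = b->data + b->pos;
  if (b->size - b->pos < 4) return -1;
  *out = ((uint32_t) p[0] << 24) | ((uint32_t) p[1] << 16) |
         ((uint32_t) p[2] << 8) | (uint32_t) p[3];
  b->pos += 4;
  return 0;
}

/* Validate the declared length against a ceiling and the bytes actually
   present, and only then allocate. On BLOCK_OK the caller frees *blocks. */
int read_block(Blob *b, size_t max_bytes, unsigned char **blocks, size_t *length)
{
  uint32_t declared;
  *blocks = NULL; *length = 0;
  if (read_msb_long(b, &declared) != 0) return BLOCK_TRUNCATED;
  if (declared > max_bytes) return BLOCK_TOO_LARGE;         /* over the memory budget */
  if (declared > b->size - b->pos) return BLOCK_TRUNCATED;  /* input cannot hold it */
  if (declared < 4 || memcmp(b->data + b->pos, "8BIM", 4) != 0) return BLOCK_BAD_MAGIC;
  *blocks = malloc(declared);
  if (*blocks == NULL) return BLOCK_NO_MEMORY;
  memcpy(*blocks, b->data + b->pos, declared);
  b->pos += declared;
  *length = declared;
  return BLOCK_OK;
}

/* Run the reader over a buffer and return its status; frees any allocation. */
int block_status(const unsigned char *buf, size_t n, size_t max_bytes)
{
  Blob b = { buf, n, 0 };
  unsigned char *blocks; size_t length;
  int status = read_block(&b, max_bytes, &blocks, &length);
  free(blocks);
  return status;
}
```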