memory leak in ReadOneMNGImage

[bestshow]

Version: ImageMagick 7.0.6-3 Q16 x86_64

A memory leak vulnerability was found in function ReadOneMNGImage ,which allow attackers to cause a denial of service (memory leak) via a crafted file.

=================================================================
==101092==ERROR: detected memory leaks

Direct leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4eb9c6 in __interceptor_malloc /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0xbf97fc in ReadOneMNGImage /home/test/Downloads/IM-afl/ImageMagick-master/coders/png.c:5299:37
    #2 0xbd68b6 in ReadMNGImage /home/test/Downloads/IM-afl/ImageMagick-master/coders/png.c:7560:9

SUMMARY: 64 byte(s) leaked in 1 allocation(s).

testcase:https://github.com/bestshow/p0cs/blob/master/memory_leak_in_ReadOneMNGImage_2.mng
Credit:ADLab of Venustech

[mikayla-grace]

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

[bastien-roucaries]

Please open a CVE https://cveform.mitre.org/

[nohmask]

This was assigned CVE-2017-12673.