bad free in RelinquishMagickMemory #621

Closed
@bestshow

Version: ImageMagick 7.0.6-3 Q16 x86_64

A bad free vulnerability was found in the function RelinquishMagickMemory, which allows attackers to cause a denial of service (bad free) via a crafted file.

=================================================================
==117385==ERROR: attempting free on address which was not malloc()-ed: 0x0c1000000394 in thread T0
    #0 0x4eb680 in __interceptor_free /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47
    #1 0x582413 in RelinquishMagickMemory /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/memory.c:1042:3
    #2 0xc2563c in ReadOnePNGImage /home/test/Downloads/IM-afl/ImageMagick-master/coders/png.c:2286:38
    #3 0xbedc23 in ReadPNGImage /home/test/Downloads/IM-afl/ImageMagick-master/coders/png.c:4148:9
    #4 0xde14b1 in ReadImage /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:497:13
    #5 0x13168be in ReadStream /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/stream.c:1045:9
    #6 0xde0261 in PingImage /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:226:9
    #7 0xde0a86 in PingImages /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:309:18
    #8 0x165a325 in IdentifyImageCommand /home/test/Downloads/IM-afl/ImageMagick-master/MagickWand/identify.c:319:18
    #9 0x172df58 in MagickCommandGenesis /home/test/Downloads/IM-afl/ImageMagick-master/MagickWand/mogrify.c:183:14
    #10 0x521ccd in MagickMain /home/test/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:149:10
    #11 0x521ccd in main /home/test/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:180
    #12 0x7f26480b4b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
    #13 0x426acb in _start (/home/test/Downloads/IM-afl-build/bin/magick+0x426acb)

Address 0x0c1000000394 is located in the high shadow area.
SUMMARY: bad-free /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47 in __interceptor_free
==117385==ABORTING

testcase: https://github.com/bestshow/p0cs/blob/master/bad_free_in_RelinquishMagickMemory
Credit: ADLab of Venustech
