Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

memory leak in ReadWEBPImage #639

Closed
jgj212 opened this issue Aug 1, 2017 · 5 comments
Closed

memory leak in ReadWEBPImage #639

jgj212 opened this issue Aug 1, 2017 · 5 comments
Labels

Comments

@jgj212
Copy link
Contributor

jgj212 commented Aug 1, 2017

Version: ImageMagick 7.0.6-5 Q16 x86_64

./magick identify $FILE  

==114==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 4294904328 byte(s) in 1 object(s) allocated from:
    #0  in malloc /mnt/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1  in AcquireMagickMemory /mnt/im/ImageMagick-clang/MagickCore/memory.c:464:10
    #2  in AcquireQuantumMemory /mnt/im/ImageMagick-clang/MagickCore/memory.c:537:10
    #3  in ReadWEBPImage /mnt/im/ImageMagick-clang/coders/webp.c:268:28
    #4  in ReadImage /mnt/im/ImageMagick-clang/MagickCore/constitute.c:497:13
    #5  in ReadStream /mnt/im/ImageMagick-clang/MagickCore/stream.c:1045:9
    #6  in PingImage /mnt/im/ImageMagick-clang/MagickCore/constitute.c:226:9
    #7  in PingImages /mnt/im/ImageMagick-clang/MagickCore/constitute.c:327:10
    #8  in IdentifyImageCommand /mnt/im/ImageMagick-clang/MagickWand/identify.c:319:18
    #9  in MagickCommandGenesis /mnt/im/ImageMagick-clang/MagickWand/mogrify.c:183:14
    #10  in MagickMain /mnt/im/ImageMagick-clang/utilities/magick.c:149:10
    #11  in main /mnt/im/ImageMagick-clang/utilities/magick.c:180:10
    #12  in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

POC: https://github.com/jgj212/poc/blob/master/leak-ReadWEBPImage

Credit: ADLab of Venustech

@bastien-roucaries
Copy link

Pease open CVE

@dlemstra
Copy link
Member

dlemstra commented Aug 1, 2017

This is not confirmed yet? Better wait with the CVE?

@jgj212
Copy link
Contributor Author

jgj212 commented Aug 1, 2017

@dlemstra is this bug being fixed?i do not request cve

@mikayla-grace
Copy link

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@fgeek
Copy link

fgeek commented Sep 7, 2017

Please use CVE-2017-14138 for this issue. For the record the ID was not requested by me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Development

No branches or pull requests

5 participants