
memory exhausted in ReadWEBPImage #641

Closed
jgj212 opened this issue Aug 2, 2017 · 7 comments
@jgj212
Contributor

jgj212 commented Aug 2, 2017

Version: ImageMagick 7.0.6-5 Q16 x86_64

Here is the critical code:


static Image *ReadWEBPImage(const ImageInfo *image_info,
  ExceptionInfo *exception)
{
  ....

  /* line 265: length is taken from the file data and can be anything from 0 to 4G */
  length=(size_t) (ReadWebPLSBWord(header+4)+8);
  if (length < 12)
    ThrowReaderException(CorruptImageError,"CorruptImage");
  /* an allocation of that size exhausts memory under some conditions,
     even if the WebP image file itself is very small */
  stream=(unsigned char *) AcquireQuantumMemory(length,sizeof(*stream));

  if (stream == (unsigned char *) NULL)
    ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");

   ...
}

Credit: ADLab of Venustech
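A defender's check of the kind this report calls for, added here as an example and not code from ImageMagick or the reporter: the RIFF length field is validated against the size of the input actually available (plus a policy cap) before any allocation is sized from it. The function names, the WEBP_MAX_LENGTH cap and the sample headers are constructed for the example.

```c
/* Added example, not ImageMagick's coder: bound a header-declared length by the
 * real input size before allocating. Names here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed policy cap (not from the report): defence in depth for large inputs. */
#define WEBP_MAX_LENGTH (256u * 1024u * 1024u)

/* Little-endian 32-bit read, the job ReadWebPLSBWord() does in the report. */
static uint32_t read_lsb_word(const unsigned char *p)
{
  return (uint32_t) p[0] | ((uint32_t) p[1] << 8) |
         ((uint32_t) p[2] << 16) | ((uint32_t) p[3] << 24);
}

/* Returns the number of bytes that are safe to allocate for the stream, or 0
 * when the header is inconsistent with the input. 'available' is the true
 * size of the file or blob handed to the reader. A caller must treat 0 as
 * "corrupt image" and never dereference a buffer it did not allocate. */
size_t webp_check_length(const unsigned char *header, size_t available)
{
  uint64_t length;

  if (available < 12 || memcmp(header, "RIFF", 4) != 0 ||
      memcmp(header + 8, "WEBP", 4) != 0)
    return 0;
  /* 64-bit arithmetic so riff_size + 8 cannot wrap on a 32-bit size_t. */
  length = (uint64_t) read_lsb_word(header + 4) + 8;
  if (length < 12)
    return 0;                 /* the check the report already has */
  if (length > available)
    return 0;                 /* declared size exceeds the input: corrupt */
  if (length > WEBP_MAX_LENGTH)
    return 0;                 /* policy cap, independent of file contents */
  return (size_t) length;
}

/* Constructed sample inputs: a minimal consistent header, and a 12-byte file
 * whose RIFF field claims close to 4 GiB, the pattern the report describes. */
size_t demo_valid_header(void)
{
  const unsigned char h[12] = {'R','I','F','F', 4,0,0,0, 'W','E','B','P'};
  return webp_check_length(h, sizeof h);   /* 12: only the header is present */
}

size_t demo_oversized_header(void)
{
  const unsigned char h[12] = {'R','I','F','F', 0xF0,0xFF,0xFF,0xFF, 'W','E','B','P'};
  return webp_check_length(h, sizeof h);   /* 0: rejected without allocating */
}
```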

@mikayla-grace

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@njdoyle
Contributor

njdoyle commented Aug 2, 2017

The fix breaks reading all WebP images. Line 266 in the new code sets webp_image to null and then we immediately try to dereference it on line 269.

@bastien-roucaries

Create two CVEs: one for the original issue and one for the null dereference
http://cveform.mitre.org/

@bastien-roucaries

And post CVE number here

@dlemstra
Member

dlemstra commented Aug 2, 2017

He has a remark about the fix that we applied that has not been released to the public yet. Why do we need a CVE for that?

@bastien-roucaries

No, if it is not yet public, but mark clearly in the changelog and commit that the fix is in fact two fixes. Better would be to revert and redo, and post the correct fix here.

@fgeek

fgeek commented Sep 7, 2017

Please use CVE-2017-14137 for the "ReadWEBPImage in coders/webp.c in ImageMagick 7.0.6-5 has an issue where memory allocation is excessive because it depends only on a length field in a header." issue.
