memory leak in ReadMATImage #644

Closed

Description

@bestshow

Version: ImageMagick 7.0.6-5 Q16 x86_64

A memory leak vulnerability was found in the function ReadMATImage, which allows attackers to cause a denial of service via a crafted file.

#./identify $FILE
=================================================================
==4049==ERROR: detected memory leaks

Direct leak of 13488 byte(s) in 1 object(s) allocated from:
    #0 0x4eba16 in __interceptor_malloc /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x527b0b in AcquireImage /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickCore/image.c:169:19
    #2 0x8d4283 in decompress_block /home/haojun/Downloads/IM-afl/ImageMagick-master/coders/mat.c:570:17
    #3 0x8d4283 in ReadMATImage /home/haojun/Downloads/IM-afl/ImageMagick-master/coders/mat.c:963
    #4 0xde54b4 in ReadImage /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:497:13
    #5 0x131b6c1 in ReadStream /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickCore/stream.c:1045:9
    #6 0xde41ac in PingImage /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:226:9
    #7 0x165a1c6 in IdentifyImageCommand /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickWand/identify.c:319:18
    #8 0x172ff48 in MagickCommandGenesis /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickWand/mogrify.c:183:14
    #9 0x521f93 in MagickMain /home/haojun/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:149:10
    #10 0x521f93 in main /home/haojun/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:180
    #11 0x7fadceaa3b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274

Indirect leak of 13024 byte(s) in 1 object(s) allocated from:
    #0 0x4eba16 in __interceptor_malloc /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x52c395 in AcquireImageInfo /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickCore/image.c:347:28
    #2 0x528c85 in AcquireImage /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickCore/image.c:290:10
    #3 0x8d4283 in decompress_block /home/haojun/Downloads/IM-afl/ImageMagick-master/coders/mat.c:570:17
    #4 0x8d4283 in ReadMATImage /home/haojun/Downloads/IM-afl/ImageMagick-master/coders/mat.c:963
    #5 0xde54b4 in ReadImage /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:497:13
    #6 0x131b6c1 in ReadStream /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickCore/stream.c:1045:9
    #7 0xde41ac in PingImage /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:226:9
    #8 0x165a1c6 in IdentifyImageCommand /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickWand/identify.c:319:18
    #9 0x172ff48 in MagickCommandGenesis /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickWand/mogrify.c:183:14
    #10 0x521f93 in MagickMain /home/haojun/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:149:10
    #11 0x521f93 in main /home/haojun/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:180
    #12 0x7fadceaa3b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274

Indirect leak of 9096 byte(s) in 1 object(s) allocated from:
    #0 0x4eba16 in __interceptor_malloc /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0xd45252 in AcquirePixelCache /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickCore/cache.c:195:28
    #2 0xde41ac in PingImage /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:226:9
    #3 0x165a1c6 in IdentifyImageCommand /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickWand/identify.c:319:18
    #4 0x172ff48 in MagickCommandGenesis /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickWand/mogrify.c:183:14
    #5 0x521f93 in MagickMain /home/haojun/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:149:10
    #6 0x521f93 in main /home/haojun/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:180
    #7 0x7fadceaa3b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274

......
46467 byte(s) leaked in 21 allocation(s).

Testcase: https://github.com/bestshow/p0cs/blob/master/memory_leak_in_ReadMATImage963.mat
Credit: ADLab of Venustech
