Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

memory leak in ReadMATImage #644

Closed
bestshow opened this issue Aug 4, 2017 · 2 comments
Closed

memory leak in ReadMATImage #644

bestshow opened this issue Aug 4, 2017 · 2 comments
Labels

Comments

@bestshow
Copy link

bestshow commented Aug 4, 2017

Version: ImageMagick 7.0.6-5 Q16 x86_64

A memory leak vulnerability was found in function ReadMATImage ,which allow attackers to cause a denial of service via a crafted file.

#./identify $FILE
=================================================================
==4049==ERROR: detected memory leaks

Direct leak of 13488 byte(s) in 1 object(s) allocated from:
    #0 0x4eba16 in __interceptor_malloc /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x527b0b in AcquireImage /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickCore/image.c:169:19
    #2 0x8d4283 in decompress_block /home/haojun/Downloads/IM-afl/ImageMagick-master/coders/mat.c:570:17
    #3 0x8d4283 in ReadMATImage /home/haojun/Downloads/IM-afl/ImageMagick-master/coders/mat.c:963
    #4 0xde54b4 in ReadImage /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:497:13
    #5 0x131b6c1 in ReadStream /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickCore/stream.c:1045:9
    #6 0xde41ac in PingImage /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:226:9
    #7 0x165a1c6 in IdentifyImageCommand /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickWand/identify.c:319:18
    #8 0x172ff48 in MagickCommandGenesis /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickWand/mogrify.c:183:14
    #9 0x521f93 in MagickMain /home/haojun/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:149:10
    #10 0x521f93 in main /home/haojun/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:180
    #11 0x7fadceaa3b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274

Indirect leak of 13024 byte(s) in 1 object(s) allocated from:
    #0 0x4eba16 in __interceptor_malloc /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x52c395 in AcquireImageInfo /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickCore/image.c:347:28
    #2 0x528c85 in AcquireImage /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickCore/image.c:290:10
    #3 0x8d4283 in decompress_block /home/haojun/Downloads/IM-afl/ImageMagick-master/coders/mat.c:570:17
    #4 0x8d4283 in ReadMATImage /home/haojun/Downloads/IM-afl/ImageMagick-master/coders/mat.c:963
    #5 0xde54b4 in ReadImage /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:497:13
    #6 0x131b6c1 in ReadStream /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickCore/stream.c:1045:9
    #7 0xde41ac in PingImage /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:226:9
    #8 0x165a1c6 in IdentifyImageCommand /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickWand/identify.c:319:18
    #9 0x172ff48 in MagickCommandGenesis /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickWand/mogrify.c:183:14
    #10 0x521f93 in MagickMain /home/haojun/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:149:10
    #11 0x521f93 in main /home/haojun/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:180
    #12 0x7fadceaa3b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274

Indirect leak of 9096 byte(s) in 1 object(s) allocated from:
    #0 0x4eba16 in __interceptor_malloc /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0xd45252 in AcquirePixelCache /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickCore/cache.c:195:28
    #2 0xde41ac in PingImage /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:226:9
    #3 0x165a1c6 in IdentifyImageCommand /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickWand/identify.c:319:18
    #4 0x172ff48 in MagickCommandGenesis /home/haojun/Downloads/IM-afl/ImageMagick-master/MagickWand/mogrify.c:183:14
    #5 0x521f93 in MagickMain /home/haojun/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:149:10
    #6 0x521f93 in main /home/haojun/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:180
    #7 0x7fadceaa3b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274

......
46467 byte(s) leaked in 21 allocation(s).

testcase:https://github.com/bestshow/p0cs/blob/master/memory_leak_in_ReadMATImage963.mat
Credit:ADLab of Venustech

@mikayla-grace
Copy link

mikayla-grace commented Aug 4, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@fgeek
Copy link

fgeek commented Aug 22, 2017

Please use CVE-2017-13060 for this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Development

No branches or pull requests

4 participants