Closed
Description
Version: ImageMagick 7.0.6-5 Q16 x86_64
#./identify $FILE
When identifying a PSD file, ImageMagick will allocate memory to store the data. Here is the critical code:
psd.c, in function ReadPSDImage:
```c
  if (ReadPSDLayersInternal(image,image_info,&psd_info,skip_layers, //2157
        exception) != MagickTrue)
    {
      (void) CloseBlob(image);
      image=DestroyImageList(image);
      return((Image *) NULL);
    }
```
The critical function call chain is: ReadPSDLayersInternal -> AcquireStringInfo -> AcquireQuantumMemory, and in function AcquireStringInfo:
```c
  if (~string_info->length >= (MagickPathExtent-1))
    string_info->datum=(unsigned char *) AcquireQuantumMemory( //182
      string_info->length+MagickPathExtent,sizeof(*string_info->datum));
  if (string_info->datum == (unsigned char *) NULL)
    ThrowFatalException(ResourceLimitFatalError,"MemoryAllocationFailed");
  return(string_info);
```
The string_info->length can be controlled by the input file. Here is my policy.xml to limit memory usage, but the 256MB limit can be bypassed.
```xml
...
<policy domain="resource" name="area" value="100MP"/>
<policy domain="resource" name="memory" value="256MiB"/>
...
```
testcase: https://github.com/bestshow/p0cs/blob/master/memory_exhaustion_in_ReadPSDImage2157.psd
Credit: ADLab of Venustech
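An added illustration, not part of the original report and not ImageMagick code: the `~string_info->length` test quoted above only guards the addition against wraparound, so it places no bound on a length taken from the file. One defensive pattern is to compare the declared length with the bytes actually remaining in the input, and with a cap, before allocating. The function name, status codes, 4-byte big-endian prefix and 256 MiB cap are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap, mirroring the 256MiB memory policy quoted in the report. */
#define MAX_BLOCK_BYTES (256u * 1024u * 1024u)
typedef enum { BLOCK_OK, BLOCK_TRUNCATED, BLOCK_TOO_LARGE, BLOCK_NO_MEMORY } block_status;

/* Hypothetical reader: 4-byte big-endian length at buf[off], then the data.
   The declared length is validated before any allocation takes place. */
block_status read_length_prefixed(const unsigned char *buf, size_t buf_len,
  size_t off, unsigned char **out, size_t *out_len)
{
  uint32_t declared;
  *out = NULL;
  *out_len = 0;
  if (off > buf_len || buf_len - off < 4)
    return BLOCK_TRUNCATED;               /* no room for the length field */
  declared = ((uint32_t) buf[off] << 24) | ((uint32_t) buf[off + 1] << 16) |
             ((uint32_t) buf[off + 2] << 8) | (uint32_t) buf[off + 3];
  if (declared > MAX_BLOCK_BYTES)
    return BLOCK_TOO_LARGE;               /* over the configured cap */
  if (declared > buf_len - off - 4)
    return BLOCK_TRUNCATED;               /* claims more data than the input holds */
  *out = malloc((size_t) declared + 1);
  if (*out == NULL)
    return BLOCK_NO_MEMORY;
  memcpy(*out, buf + off + 4, declared);
  (*out)[declared] = '\0';
  *out_len = declared;
  return BLOCK_OK;
}

/* Constructed sample inputs (not taken from the report's test case). */
static const unsigned char sample_ok[] = { 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c' };
static const unsigned char sample_huge[] = { 0x7f, 0xff, 0xff, 0xff, 'a', 'b', 'c' };
static const unsigned char sample_short[] = { 0x00, 0x00, 0x00, 0x10, 'a', 'b', 'c' };

int main(void)
{
  unsigned char *data;
  size_t n;
  int ok = read_length_prefixed(sample_ok, sizeof(sample_ok), 0, &data, &n) == BLOCK_OK;
  free(data);
  ok &= read_length_prefixed(sample_huge, sizeof(sample_huge), 0, &data, &n) == BLOCK_TOO_LARGE;
  ok &= read_length_prefixed(sample_short, sizeof(sample_short), 0, &data, &n) == BLOCK_TRUNCATED;
  return ok ? 0 : 1;
}
```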