Closed
Description
Version: ImageMagick 7.0.6-6 Q16 x86_64
A memory leak vulnerability was found in the function ReadMATImage, which allows attackers to cause a denial of service via a crafted file.
# ./identify $FILE
==10190==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 13024 byte(s) in 1 object(s) allocated from:
#0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
#1 0x7f87c406b566 in AcquireMagickMemory memory.c:464:10
#2 0x7f87c401bba3 in AcquireImageInfo image.c:347:28
#3 0x7f87c4024d13 in CloneImageInfo image.c:952:14
#4 0x7f87c445227a in ReadMATImage mat.c:958:16
#5 0x7f87c3e45a68 in ReadImage constitute.c:497:13
#6 0x7f87c41def59 in ReadStream stream.c:1045:9
#7 0x7f87c3e4460f in PingImage constitute.c:226:9
#8 0x7f87c3e44db3 in PingImages constitute.c:327:10
#9 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
#10 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
#11 0x514a47 in MagickMain magick.c:149:10
#12 0x5144a1 in main magick.c:180:10
#13 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)
Indirect leak of 9096 byte(s) in 1 object(s) allocated from:
#0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
#1 0x7f87c406b566 in AcquireMagickMemory memory.c:464:10
#2 0x7f87c406b5c8 in AcquireQuantumMemory memory.c:537:10
#3 0x7f87c3dc7164 in AcquirePixelCache cache.c:195:28
#4 0x7f87c41debec in ReadStream stream.c:1027:20
#5 0x7f87c3e4460f in PingImage constitute.c:226:9
#6 0x7f87c3e44db3 in PingImages constitute.c:327:10
#7 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
#8 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
#9 0x514a47 in MagickMain magick.c:149:10
#10 0x5144a1 in main magick.c:180:10
#11 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)
Indirect leak of 88 byte(s) in 1 object(s) allocated from:
#0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
#1 0x7f87c406b566 in AcquireMagickMemory memory.c:464:10
#2 0x7f87c406b5c8 in AcquireQuantumMemory memory.c:537:10
#3 0x7f87c3dc7c24 in AcquirePixelCacheNexus cache.c:268:31
#4 0x7f87c3dc7684 in AcquirePixelCache cache.c:211:26
#5 0x7f87c41debec in ReadStream stream.c:1027:20
#6 0x7f87c3e4460f in PingImage constitute.c:226:9
#7 0x7f87c3e44db3 in PingImages constitute.c:327:10
#8 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
#9 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
#10 0x514a47 in MagickMain magick.c:149:10
#11 0x5144a1 in main magick.c:180:10
#12 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)
Indirect leak of 88 byte(s) in 1 object(s) allocated from:
#0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
#1 0x7f87c406b566 in AcquireMagickMemory memory.c:464:10
#2 0x7f87c41beee5 in NewSplayTree splay-tree.c:1106:32
#3 0x7f87c41beb14 in CloneSplayTree splay-tree.c:359:14
#4 0x7f87c409bff5 in CloneImageOptions option.c:1880:27
#5 0x7f87c40265c4 in CloneImageInfo image.c:1007:10
#6 0x7f87c445227a in ReadMATImage mat.c:958:16
#7 0x7f87c3e45a68 in ReadImage constitute.c:497:13
#8 0x7f87c41def59 in ReadStream stream.c:1045:9
#9 0x7f87c3e4460f in PingImage constitute.c:226:9
#10 0x7f87c3e44db3 in PingImages constitute.c:327:10
#11 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
#12 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
#13 0x514a47 in MagickMain magick.c:149:10
#14 0x5144a1 in main magick.c:180:10
#15 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)
Indirect leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x4dfa25 in posix_memalign asan_malloc_linux.cc:142
#1 0x7f87c406b3a2 in AcquireAlignedMemory memory.c:262:7
#2 0x7f87c3dc7b2e in AcquirePixelCacheNexus cache.c:264:29
#3 0x7f87c3dc7684 in AcquirePixelCache cache.c:211:26
#4 0x7f87c41debec in ReadStream stream.c:1027:20
#5 0x7f87c3e4460f in PingImage constitute.c:226:9
#6 0x7f87c3e44db3 in PingImages constitute.c:327:10
#7 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
#8 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
#9 0x514a47 in MagickMain magick.c:149:10
#10 0x5144a1 in main magick.c:180:10
#11 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)
Indirect leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x4dfa25 in posix_memalign asan_malloc_linux.cc:142
#1 0x7f87c41a91c8 in AcquireSemaphoreMemory semaphore.c:154:7
#2 0x7f87c41a8a3c in AcquireSemaphoreInfo semaphore.c:200:36
#3 0x7f87c3dc7943 in AcquirePixelCache cache.c:226:25
#4 0x7f87c41debec in ReadStream stream.c:1027:20
#5 0x7f87c3e4460f in PingImage constitute.c:226:9
#6 0x7f87c3e44db3 in PingImages constitute.c:327:10
#7 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
#8 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
#9 0x514a47 in MagickMain magick.c:149:10
#10 0x5144a1 in main magick.c:180:10
#11 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)
Indirect leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x4dfa25 in posix_memalign asan_malloc_linux.cc:142
#1 0x7f87c41a91c8 in AcquireSemaphoreMemory semaphore.c:154:7
#2 0x7f87c41a8a3c in AcquireSemaphoreInfo semaphore.c:200:36
#3 0x7f87c41bf266 in NewSplayTree splay-tree.c:1119:25
#4 0x7f87c41beb14 in CloneSplayTree splay-tree.c:359:14
#5 0x7f87c409bff5 in CloneImageOptions option.c:1880:27
#6 0x7f87c40265c4 in CloneImageInfo image.c:1007:10
#7 0x7f87c445227a in ReadMATImage mat.c:958:16
#8 0x7f87c3e45a68 in ReadImage constitute.c:497:13
#9 0x7f87c41def59 in ReadStream stream.c:1045:9
#10 0x7f87c3e4460f in PingImage constitute.c:226:9
#11 0x7f87c3e44db3 in PingImages constitute.c:327:10
#12 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
#13 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
#14 0x514a47 in MagickMain magick.c:149:10
#15 0x5144a1 in main magick.c:180:10
#16 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)
Indirect leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x4dfa25 in posix_memalign asan_malloc_linux.cc:142
#1 0x7f87c41a91c8 in AcquireSemaphoreMemory semaphore.c:154:7
#2 0x7f87c41a8a3c in AcquireSemaphoreInfo semaphore.c:200:36
#3 0x7f87c3dc79d2 in AcquirePixelCache cache.c:228:30
#4 0x7f87c41debec in ReadStream stream.c:1027:20
#5 0x7f87c3e4460f in PingImage constitute.c:226:9
#6 0x7f87c3e44db3 in PingImages constitute.c:327:10
#7 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
#8 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
#9 0x514a47 in MagickMain magick.c:149:10
#10 0x5144a1 in main magick.c:180:10
#11 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)
Indirect leak of 32 byte(s) in 1 object(s) allocated from:
#0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
#1 0x7f87c406b566 in AcquireMagickMemory memory.c:464:10
#2 0x7f87c41bde70 in AddValueToSplayTree splay-tree.c:188:21
#3 0x7f87c41bed1c in CloneSplayTree splay-tree.c:371:12
#4 0x7f87c409bff5 in CloneImageOptions option.c:1880:27
#5 0x7f87c40265c4 in CloneImageInfo image.c:1007:10
#6 0x7f87c445227a in ReadMATImage mat.c:958:16
#7 0x7f87c3e45a68 in ReadImage constitute.c:497:13
#8 0x7f87c41def59 in ReadStream stream.c:1045:9
#9 0x7f87c3e4460f in PingImage constitute.c:226:9
#10 0x7f87c3e44db3 in PingImages constitute.c:327:10
#11 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
#12 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
#13 0x514a47 in MagickMain magick.c:149:10
#14 0x5144a1 in main magick.c:180:10
#15 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)
Indirect leak of 19 byte(s) in 1 object(s) allocated from:
#0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
#1 0x7f87c406b566 in AcquireMagickMemory memory.c:464:10
#2 0x7f87c406b5c8 in AcquireQuantumMemory memory.c:537:10
#3 0x7f87c41f4653 in ConstantString string.c:701:26
#4 0x7f87c41bed06 in CloneSplayTree splay-tree.c:372:7
#5 0x7f87c409bff5 in CloneImageOptions option.c:1880:27
#6 0x7f87c40265c4 in CloneImageInfo image.c:1007:10
#7 0x7f87c445227a in ReadMATImage mat.c:958:16
#8 0x7f87c3e45a68 in ReadImage constitute.c:497:13
#9 0x7f87c41def59 in ReadStream stream.c:1045:9
#10 0x7f87c3e4460f in PingImage constitute.c:226:9
#11 0x7f87c3e44db3 in PingImages constitute.c:327:10
#12 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
#13 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
#14 0x514a47 in MagickMain magick.c:149:10
#15 0x5144a1 in main magick.c:180:10
#16 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)
Indirect leak of 9 byte(s) in 1 object(s) allocated from:
#0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
#1 0x7f87c406b566 in AcquireMagickMemory memory.c:464:10
#2 0x7f87c406b5c8 in AcquireQuantumMemory memory.c:537:10
#3 0x7f87c41f4653 in ConstantString string.c:701:26
#4 0x7f87c41bec81 in CloneSplayTree splay-tree.c:371:43
#5 0x7f87c409bff5 in CloneImageOptions option.c:1880:27
#6 0x7f87c40265c4 in CloneImageInfo image.c:1007:10
#7 0x7f87c445227a in ReadMATImage mat.c:958:16
#8 0x7f87c3e45a68 in ReadImage constitute.c:497:13
#9 0x7f87c41def59 in ReadStream stream.c:1045:9
#10 0x7f87c3e4460f in PingImage constitute.c:226:9
#11 0x7f87c3e44db3 in PingImages constitute.c:327:10
#12 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
#13 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
#14 0x514a47 in MagickMain magick.c:149:10
#15 0x5144a1 in main magick.c:180:10
#16 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)
SUMMARY: AddressSanitizer: 22612 byte(s) leaked in 11 allocation(s).
testcase: https://github.com/jgj212/poc/blob/master/leak-ReadMATImage3
Credit: ADLab of Venustech
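The trace above shows the shape of the bug: ReadMATImage clones an ImageInfo (CloneImageInfo, mat.c:958), and that clone, together with the option splay tree and the pixel cache reachable only through it, is still live when identify exits, so LeakSanitizer reports one direct leak and a chain of indirect ones. The C program below is an added example, not ImageMagick's code, that models this pattern with a hypothetical ReaderInfo struct: a leaky reader clones the context and returns early on a malformed header without destroying the clone, and a fixed reader routes every exit through a single cleanup label. The struct, the simplified "MATLAB" header check, the constructed input and the allocation counters are all assumptions for illustration.

```c
/* Added example (not ImageMagick code): models a clone-then-early-return leak
 * like the one reported for ReadMATImage, beside the fixed single-exit form.
 * Build with: gcc -fsanitize=address -g leak.c -o leak && ./leak
 * LeakSanitizer then reports the clone from read_mat_leaky as a direct leak
 * and its strdup'd filename as an indirect leak, as in the report above. */
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for ImageInfo: a heap object that owns a heap string,
 * so destroying it requires freeing both (the "indirect leak" in the trace). */
typedef struct {
    char  *filename;
    size_t quality;
} ReaderInfo;

static int live_clones = 0;   /* outstanding clones, for checking leaks */

static ReaderInfo *clone_info(const ReaderInfo *src) {
    ReaderInfo *c = malloc(sizeof *c);
    if (c == NULL)
        return NULL;
    c->filename = strdup(src->filename);
    c->quality  = src->quality;
    live_clones++;
    return c;
}

static void destroy_info(ReaderInfo *info) {
    if (info == NULL)
        return;
    free(info->filename);
    free(info);
    live_clones--;
}

/* Simplified header check (assumption): a real MAT v5 file starts with a
 * 128-byte text header beginning "MATLAB"; anything else is rejected. */
static int header_is_valid(const unsigned char *data, size_t len) {
    return len >= 128 && memcmp(data, "MATLAB", 6) == 0;
}

/* Leaky reader: the clone is only destroyed on the success path. */
static int read_mat_leaky(const unsigned char *data, size_t len,
                          const ReaderInfo *info) {
    ReaderInfo *clone = clone_info(info);
    if (clone == NULL)
        return -1;
    if (!header_is_valid(data, len))
        return -1;               /* BUG: clone leaks on this error path */
    /* ... parse elements using clone ... */
    destroy_info(clone);
    return 0;
}

/* Fixed reader: one exit path owns the clone, so every return destroys it. */
static int read_mat_fixed(const unsigned char *data, size_t len,
                          const ReaderInfo *info) {
    int status = -1;
    ReaderInfo *clone = clone_info(info);
    if (clone == NULL)
        return -1;
    if (!header_is_valid(data, len))
        goto cleanup;
    /* ... parse elements using clone ... */
    status = 0;
cleanup:
    destroy_info(clone);
    return status;
}

/* Runs a reader over a constructed malformed input and returns how many
 * clones are still live afterwards; 0 means the error path leaked nothing. */
static int leaked_clones(int (*reader)(const unsigned char *, size_t,
                                       const ReaderInfo *)) {
    static const unsigned char bad[] = "NOTMATLAB";   /* constructed input */
    ReaderInfo base = { "crafted.mat", 75 };
    live_clones = 0;
    (void)reader(bad, sizeof bad - 1, &base);
    return live_clones;
}

int main(void) {
    printf("leaky reader: %d clone(s) still live\n", leaked_clones(read_mat_leaky));
    printf("fixed reader: %d clone(s) still live\n", leaked_clones(read_mat_fixed));
    return 0;
}
```

The counter is only a stand-in for the sanitizer: the practical check on a real decoder is the one the reporter ran, an ASan/LSan build driven with a malformed file, and the fix pattern is the one shown in read_mat_fixed, a single cleanup label so that no new error check added later can skip the destroy.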