Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

memory leak in ReadMATImage #648

Closed
jgj212 opened this issue Aug 5, 2017 · 2 comments
Closed

memory leak in ReadMATImage #648

jgj212 opened this issue Aug 5, 2017 · 2 comments
Labels
bug

Comments

@jgj212
Copy link
Contributor

jgj212 commented Aug 5, 2017
edited
Loading

Version: ImageMagick 7.0.6-6 Q16 x86_64

A memory leak vulnerability was found in function ReadMATImage ,which allow attackers to cause a denial of service via a crafted file.

#./identify $FILE

==10190==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 13024 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7f87c406b566 in AcquireMagickMemory memory.c:464:10
    #2 0x7f87c401bba3 in AcquireImageInfo image.c:347:28
    #3 0x7f87c4024d13 in CloneImageInfo image.c:952:14
    #4 0x7f87c445227a in ReadMATImage mat.c:958:16
    #5 0x7f87c3e45a68 in ReadImage constitute.c:497:13
    #6 0x7f87c41def59 in ReadStream stream.c:1045:9
    #7 0x7f87c3e4460f in PingImage constitute.c:226:9
    #8 0x7f87c3e44db3 in PingImages constitute.c:327:10
    #9 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
    #10 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
    #11 0x514a47 in MagickMain magick.c:149:10
    #12 0x5144a1 in main magick.c:180:10
    #13 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 9096 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7f87c406b566 in AcquireMagickMemory memory.c:464:10
    #2 0x7f87c406b5c8 in AcquireQuantumMemory memory.c:537:10
    #3 0x7f87c3dc7164 in AcquirePixelCache cache.c:195:28
    #4 0x7f87c41debec in ReadStream stream.c:1027:20
    #5 0x7f87c3e4460f in PingImage constitute.c:226:9
    #6 0x7f87c3e44db3 in PingImages constitute.c:327:10
    #7 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
    #8 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
    #9 0x514a47 in MagickMain magick.c:149:10
    #10 0x5144a1 in main magick.c:180:10
    #11 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7f87c406b566 in AcquireMagickMemory memory.c:464:10
    #2 0x7f87c406b5c8 in AcquireQuantumMemory memory.c:537:10
    #3 0x7f87c3dc7c24 in AcquirePixelCacheNexus cache.c:268:31
    #4 0x7f87c3dc7684 in AcquirePixelCache cache.c:211:26
    #5 0x7f87c41debec in ReadStream stream.c:1027:20
    #6 0x7f87c3e4460f in PingImage constitute.c:226:9
    #7 0x7f87c3e44db3 in PingImages constitute.c:327:10
    #8 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
    #9 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
    #10 0x514a47 in MagickMain magick.c:149:10
    #11 0x5144a1 in main magick.c:180:10
    #12 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7f87c406b566 in AcquireMagickMemory memory.c:464:10
    #2 0x7f87c41beee5 in NewSplayTree splay-tree.c:1106:32
    #3 0x7f87c41beb14 in CloneSplayTree splay-tree.c:359:14
    #4 0x7f87c409bff5 in CloneImageOptions option.c:1880:27
    #5 0x7f87c40265c4 in CloneImageInfo image.c:1007:10
    #6 0x7f87c445227a in ReadMATImage mat.c:958:16
    #7 0x7f87c3e45a68 in ReadImage constitute.c:497:13
    #8 0x7f87c41def59 in ReadStream stream.c:1045:9
    #9 0x7f87c3e4460f in PingImage constitute.c:226:9
    #10 0x7f87c3e44db3 in PingImages constitute.c:327:10
    #11 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
    #12 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
    #13 0x514a47 in MagickMain magick.c:149:10
    #14 0x5144a1 in main magick.c:180:10
    #15 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfa25 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7f87c406b3a2 in AcquireAlignedMemory memory.c:262:7
    #2 0x7f87c3dc7b2e in AcquirePixelCacheNexus cache.c:264:29
    #3 0x7f87c3dc7684 in AcquirePixelCache cache.c:211:26
    #4 0x7f87c41debec in ReadStream stream.c:1027:20
    #5 0x7f87c3e4460f in PingImage constitute.c:226:9
    #6 0x7f87c3e44db3 in PingImages constitute.c:327:10
    #7 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
    #8 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
    #9 0x514a47 in MagickMain magick.c:149:10
    #10 0x5144a1 in main magick.c:180:10
    #11 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfa25 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7f87c41a91c8 in AcquireSemaphoreMemory semaphore.c:154:7
    #2 0x7f87c41a8a3c in AcquireSemaphoreInfo semaphore.c:200:36
    #3 0x7f87c3dc7943 in AcquirePixelCache cache.c:226:25
    #4 0x7f87c41debec in ReadStream stream.c:1027:20
    #5 0x7f87c3e4460f in PingImage constitute.c:226:9
    #6 0x7f87c3e44db3 in PingImages constitute.c:327:10
    #7 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
    #8 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
    #9 0x514a47 in MagickMain magick.c:149:10
    #10 0x5144a1 in main magick.c:180:10
    #11 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfa25 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7f87c41a91c8 in AcquireSemaphoreMemory semaphore.c:154:7
    #2 0x7f87c41a8a3c in AcquireSemaphoreInfo semaphore.c:200:36
    #3 0x7f87c41bf266 in NewSplayTree splay-tree.c:1119:25
    #4 0x7f87c41beb14 in CloneSplayTree splay-tree.c:359:14
    #5 0x7f87c409bff5 in CloneImageOptions option.c:1880:27
    #6 0x7f87c40265c4 in CloneImageInfo image.c:1007:10
    #7 0x7f87c445227a in ReadMATImage mat.c:958:16
    #8 0x7f87c3e45a68 in ReadImage constitute.c:497:13
    #9 0x7f87c41def59 in ReadStream stream.c:1045:9
    #10 0x7f87c3e4460f in PingImage constitute.c:226:9
    #11 0x7f87c3e44db3 in PingImages constitute.c:327:10
    #12 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
    #13 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
    #14 0x514a47 in MagickMain magick.c:149:10
    #15 0x5144a1 in main magick.c:180:10
    #16 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfa25 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7f87c41a91c8 in AcquireSemaphoreMemory semaphore.c:154:7
    #2 0x7f87c41a8a3c in AcquireSemaphoreInfo semaphore.c:200:36
    #3 0x7f87c3dc79d2 in AcquirePixelCache cache.c:228:30
    #4 0x7f87c41debec in ReadStream stream.c:1027:20
    #5 0x7f87c3e4460f in PingImage constitute.c:226:9
    #6 0x7f87c3e44db3 in PingImages constitute.c:327:10
    #7 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
    #8 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
    #9 0x514a47 in MagickMain magick.c:149:10
    #10 0x5144a1 in main magick.c:180:10
    #11 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 32 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7f87c406b566 in AcquireMagickMemory memory.c:464:10
    #2 0x7f87c41bde70 in AddValueToSplayTree splay-tree.c:188:21
    #3 0x7f87c41bed1c in CloneSplayTree splay-tree.c:371:12
    #4 0x7f87c409bff5 in CloneImageOptions option.c:1880:27
    #5 0x7f87c40265c4 in CloneImageInfo image.c:1007:10
    #6 0x7f87c445227a in ReadMATImage mat.c:958:16
    #7 0x7f87c3e45a68 in ReadImage constitute.c:497:13
    #8 0x7f87c41def59 in ReadStream stream.c:1045:9
    #9 0x7f87c3e4460f in PingImage constitute.c:226:9
    #10 0x7f87c3e44db3 in PingImages constitute.c:327:10
    #11 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
    #12 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
    #13 0x514a47 in MagickMain magick.c:149:10
    #14 0x5144a1 in main magick.c:180:10
    #15 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 19 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7f87c406b566 in AcquireMagickMemory memory.c:464:10
    #2 0x7f87c406b5c8 in AcquireQuantumMemory memory.c:537:10
    #3 0x7f87c41f4653 in ConstantString string.c:701:26
    #4 0x7f87c41bed06 in CloneSplayTree splay-tree.c:372:7
    #5 0x7f87c409bff5 in CloneImageOptions option.c:1880:27
    #6 0x7f87c40265c4 in CloneImageInfo image.c:1007:10
    #7 0x7f87c445227a in ReadMATImage mat.c:958:16
    #8 0x7f87c3e45a68 in ReadImage constitute.c:497:13
    #9 0x7f87c41def59 in ReadStream stream.c:1045:9
    #10 0x7f87c3e4460f in PingImage constitute.c:226:9
    #11 0x7f87c3e44db3 in PingImages constitute.c:327:10
    #12 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
    #13 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
    #14 0x514a47 in MagickMain magick.c:149:10
    #15 0x5144a1 in main magick.c:180:10
    #16 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 9 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7f87c406b566 in AcquireMagickMemory memory.c:464:10
    #2 0x7f87c406b5c8 in AcquireQuantumMemory memory.c:537:10
    #3 0x7f87c41f4653 in ConstantString string.c:701:26
    #4 0x7f87c41bec81 in CloneSplayTree splay-tree.c:371:43
    #5 0x7f87c409bff5 in CloneImageOptions option.c:1880:27
    #6 0x7f87c40265c4 in CloneImageInfo image.c:1007:10
    #7 0x7f87c445227a in ReadMATImage mat.c:958:16
    #8 0x7f87c3e45a68 in ReadImage constitute.c:497:13
    #9 0x7f87c41def59 in ReadStream stream.c:1045:9
    #10 0x7f87c3e4460f in PingImage constitute.c:226:9
    #11 0x7f87c3e44db3 in PingImages constitute.c:327:10
    #12 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
    #13 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
    #14 0x514a47 in MagickMain magick.c:149:10
    #15 0x5144a1 in main magick.c:180:10
    #16 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: 22612 byte(s) leaked in 11 allocation(s).

testcase: https://github.com/jgj212/poc/blob/master/leak-ReadMATImage3
Credit:ADLab of Venustech
@mikayla-grace
Copy link

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

dlemstra pushed a commit that referenced this issue Aug 7, 2017
https://github.com/ImageMagick/ImageMagick/issues/648
f1f2089
dlemstra pushed a commit that referenced this issue Aug 7, 2017
https://github.com/ImageMagick/ImageMagick/issues/648
bdfc553
@dlemstra dlemstra added the bug label Aug 7, 2017
@dlemstra dlemstra closed this as completed Aug 7, 2017
@fgeek
Copy link

fgeek commented Sep 18, 2017

https://nvd.nist.gov/vuln/detail/CVE-2017-14533

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Milestone
No milestone
Development

No branches or pull requests
4 participants
@fgeek @jgj212 @dlemstra @mikayla-grace