memory leak in ReadMATImage #648

Closed

Description

@jgj212

Version: ImageMagick 7.0.6-6 Q16 x86_64

A memory leak vulnerability was found in function ReadMATImage, which allows attackers to cause a denial of service via a crafted file.

#./identify $FILE

==10190==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 13024 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7f87c406b566 in AcquireMagickMemory memory.c:464:10
    #2 0x7f87c401bba3 in AcquireImageInfo image.c:347:28
    #3 0x7f87c4024d13 in CloneImageInfo image.c:952:14
    #4 0x7f87c445227a in ReadMATImage mat.c:958:16
    #5 0x7f87c3e45a68 in ReadImage constitute.c:497:13
    #6 0x7f87c41def59 in ReadStream stream.c:1045:9
    #7 0x7f87c3e4460f in PingImage constitute.c:226:9
    #8 0x7f87c3e44db3 in PingImages constitute.c:327:10
    #9 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
    #10 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
    #11 0x514a47 in MagickMain magick.c:149:10
    #12 0x5144a1 in main magick.c:180:10
    #13 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 9096 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7f87c406b566 in AcquireMagickMemory memory.c:464:10
    #2 0x7f87c406b5c8 in AcquireQuantumMemory memory.c:537:10
    #3 0x7f87c3dc7164 in AcquirePixelCache cache.c:195:28
    #4 0x7f87c41debec in ReadStream stream.c:1027:20
    #5 0x7f87c3e4460f in PingImage constitute.c:226:9
    #6 0x7f87c3e44db3 in PingImages constitute.c:327:10
    #7 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
    #8 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
    #9 0x514a47 in MagickMain magick.c:149:10
    #10 0x5144a1 in main magick.c:180:10
    #11 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7f87c406b566 in AcquireMagickMemory memory.c:464:10
    #2 0x7f87c406b5c8 in AcquireQuantumMemory memory.c:537:10
    #3 0x7f87c3dc7c24 in AcquirePixelCacheNexus cache.c:268:31
    #4 0x7f87c3dc7684 in AcquirePixelCache cache.c:211:26
    #5 0x7f87c41debec in ReadStream stream.c:1027:20
    #6 0x7f87c3e4460f in PingImage constitute.c:226:9
    #7 0x7f87c3e44db3 in PingImages constitute.c:327:10
    #8 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
    #9 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
    #10 0x514a47 in MagickMain magick.c:149:10
    #11 0x5144a1 in main magick.c:180:10
    #12 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7f87c406b566 in AcquireMagickMemory memory.c:464:10
    #2 0x7f87c41beee5 in NewSplayTree splay-tree.c:1106:32
    #3 0x7f87c41beb14 in CloneSplayTree splay-tree.c:359:14
    #4 0x7f87c409bff5 in CloneImageOptions option.c:1880:27
    #5 0x7f87c40265c4 in CloneImageInfo image.c:1007:10
    #6 0x7f87c445227a in ReadMATImage mat.c:958:16
    #7 0x7f87c3e45a68 in ReadImage constitute.c:497:13
    #8 0x7f87c41def59 in ReadStream stream.c:1045:9
    #9 0x7f87c3e4460f in PingImage constitute.c:226:9
    #10 0x7f87c3e44db3 in PingImages constitute.c:327:10
    #11 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
    #12 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
    #13 0x514a47 in MagickMain magick.c:149:10
    #14 0x5144a1 in main magick.c:180:10
    #15 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfa25 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7f87c406b3a2 in AcquireAlignedMemory memory.c:262:7
    #2 0x7f87c3dc7b2e in AcquirePixelCacheNexus cache.c:264:29
    #3 0x7f87c3dc7684 in AcquirePixelCache cache.c:211:26
    #4 0x7f87c41debec in ReadStream stream.c:1027:20
    #5 0x7f87c3e4460f in PingImage constitute.c:226:9
    #6 0x7f87c3e44db3 in PingImages constitute.c:327:10
    #7 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
    #8 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
    #9 0x514a47 in MagickMain magick.c:149:10
    #10 0x5144a1 in main magick.c:180:10
    #11 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfa25 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7f87c41a91c8 in AcquireSemaphoreMemory semaphore.c:154:7
    #2 0x7f87c41a8a3c in AcquireSemaphoreInfo semaphore.c:200:36
    #3 0x7f87c3dc7943 in AcquirePixelCache cache.c:226:25
    #4 0x7f87c41debec in ReadStream stream.c:1027:20
    #5 0x7f87c3e4460f in PingImage constitute.c:226:9
    #6 0x7f87c3e44db3 in PingImages constitute.c:327:10
    #7 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
    #8 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
    #9 0x514a47 in MagickMain magick.c:149:10
    #10 0x5144a1 in main magick.c:180:10
    #11 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfa25 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7f87c41a91c8 in AcquireSemaphoreMemory semaphore.c:154:7
    #2 0x7f87c41a8a3c in AcquireSemaphoreInfo semaphore.c:200:36
    #3 0x7f87c41bf266 in NewSplayTree splay-tree.c:1119:25
    #4 0x7f87c41beb14 in CloneSplayTree splay-tree.c:359:14
    #5 0x7f87c409bff5 in CloneImageOptions option.c:1880:27
    #6 0x7f87c40265c4 in CloneImageInfo image.c:1007:10
    #7 0x7f87c445227a in ReadMATImage mat.c:958:16
    #8 0x7f87c3e45a68 in ReadImage constitute.c:497:13
    #9 0x7f87c41def59 in ReadStream stream.c:1045:9
    #10 0x7f87c3e4460f in PingImage constitute.c:226:9
    #11 0x7f87c3e44db3 in PingImages constitute.c:327:10
    #12 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
    #13 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
    #14 0x514a47 in MagickMain magick.c:149:10
    #15 0x5144a1 in main magick.c:180:10
    #16 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfa25 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7f87c41a91c8 in AcquireSemaphoreMemory semaphore.c:154:7
    #2 0x7f87c41a8a3c in AcquireSemaphoreInfo semaphore.c:200:36
    #3 0x7f87c3dc79d2 in AcquirePixelCache cache.c:228:30
    #4 0x7f87c41debec in ReadStream stream.c:1027:20
    #5 0x7f87c3e4460f in PingImage constitute.c:226:9
    #6 0x7f87c3e44db3 in PingImages constitute.c:327:10
    #7 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
    #8 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
    #9 0x514a47 in MagickMain magick.c:149:10
    #10 0x5144a1 in main magick.c:180:10
    #11 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 32 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7f87c406b566 in AcquireMagickMemory memory.c:464:10
    #2 0x7f87c41bde70 in AddValueToSplayTree splay-tree.c:188:21
    #3 0x7f87c41bed1c in CloneSplayTree splay-tree.c:371:12
    #4 0x7f87c409bff5 in CloneImageOptions option.c:1880:27
    #5 0x7f87c40265c4 in CloneImageInfo image.c:1007:10
    #6 0x7f87c445227a in ReadMATImage mat.c:958:16
    #7 0x7f87c3e45a68 in ReadImage constitute.c:497:13
    #8 0x7f87c41def59 in ReadStream stream.c:1045:9
    #9 0x7f87c3e4460f in PingImage constitute.c:226:9
    #10 0x7f87c3e44db3 in PingImages constitute.c:327:10
    #11 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
    #12 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
    #13 0x514a47 in MagickMain magick.c:149:10
    #14 0x5144a1 in main magick.c:180:10
    #15 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 19 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7f87c406b566 in AcquireMagickMemory memory.c:464:10
    #2 0x7f87c406b5c8 in AcquireQuantumMemory memory.c:537:10
    #3 0x7f87c41f4653 in ConstantString string.c:701:26
    #4 0x7f87c41bed06 in CloneSplayTree splay-tree.c:372:7
    #5 0x7f87c409bff5 in CloneImageOptions option.c:1880:27
    #6 0x7f87c40265c4 in CloneImageInfo image.c:1007:10
    #7 0x7f87c445227a in ReadMATImage mat.c:958:16
    #8 0x7f87c3e45a68 in ReadImage constitute.c:497:13
    #9 0x7f87c41def59 in ReadStream stream.c:1045:9
    #10 0x7f87c3e4460f in PingImage constitute.c:226:9
    #11 0x7f87c3e44db3 in PingImages constitute.c:327:10
    #12 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
    #13 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
    #14 0x514a47 in MagickMain magick.c:149:10
    #15 0x5144a1 in main magick.c:180:10
    #16 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 9 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7f87c406b566 in AcquireMagickMemory memory.c:464:10
    #2 0x7f87c406b5c8 in AcquireQuantumMemory memory.c:537:10
    #3 0x7f87c41f4653 in ConstantString string.c:701:26
    #4 0x7f87c41bec81 in CloneSplayTree splay-tree.c:371:43
    #5 0x7f87c409bff5 in CloneImageOptions option.c:1880:27
    #6 0x7f87c40265c4 in CloneImageInfo image.c:1007:10
    #7 0x7f87c445227a in ReadMATImage mat.c:958:16
    #8 0x7f87c3e45a68 in ReadImage constitute.c:497:13
    #9 0x7f87c41def59 in ReadStream stream.c:1045:9
    #10 0x7f87c3e4460f in PingImage constitute.c:226:9
    #11 0x7f87c3e44db3 in PingImages constitute.c:327:10
    #12 0x7f87c357f596 in IdentifyImageCommand identify.c:319:18
    #13 0x7f87c363d2af in MagickCommandGenesis mogrify.c:183:14
    #14 0x514a47 in MagickMain magick.c:149:10
    #15 0x5144a1 in main magick.c:180:10
    #16 0x7f87bd586f44 in __libc_start_main (libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: 22612 byte(s) leaked in 11 allocation(s).

testcase: https://github.com/jgj212/poc/blob/master/leak-ReadMATImage3
Credit: ADLab of Venustech
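The first stack in the report shows the direct leak originating from CloneImageInfo called inside ReadMATImage (mat.c:958), with the cloned ImageInfo never destroyed when the reader gives up on the crafted file. The following C program is an added illustration of that "clone a context, then return early on a parse error" pattern and its fix; it is not ImageMagick code, and every name in it (ctx_t, clone_ctx, destroy_ctx, parse_header, read_header_leaky, read_header_fixed, leaked_after_run) is hypothetical. The 8-byte header format and the truncated input are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a cloned reader context (think ImageInfo). */
typedef struct { char name[32]; } ctx_t;

/* Count of contexts currently allocated; a leak shows up as a non-zero delta. */
static int live_ctx = 0;

static ctx_t *clone_ctx(const ctx_t *src) {
    ctx_t *c = malloc(sizeof *c);
    if (c == NULL) return NULL;
    *c = *src;
    live_ctx++;
    return c;
}

static void destroy_ctx(ctx_t *c) {
    if (c != NULL) { live_ctx--; free(c); }
}

/* Constructed format: 4 magic bytes "MATX" followed by a 4-byte length. */
static int parse_header(const unsigned char *buf, size_t len) {
    if (len < 8 || memcmp(buf, "MATX", 4) != 0) return -1;
    return 0;
}

/* Leaky version: the error path returns without releasing the clone,
   which is the shape of the leak in the LeakSanitizer trace above. */
int read_header_leaky(const ctx_t *base, const unsigned char *buf, size_t len) {
    ctx_t *clone = clone_ctx(base);
    if (clone == NULL) return -1;
    if (parse_header(buf, len) != 0)
        return -1;                 /* BUG: clone is never destroyed */
    destroy_ctx(clone);
    return 0;
}

/* Fixed version: a single exit path that always releases the clone,
   whatever the parse result. */
int read_header_fixed(const ctx_t *base, const unsigned char *buf, size_t len) {
    int rc = -1;
    ctx_t *clone = clone_ctx(base);
    if (clone == NULL) return -1;
    if (parse_header(buf, len) != 0) goto cleanup;
    rc = 0;
cleanup:
    destroy_ctx(clone);
    return rc;
}

/* Run one reader over a constructed truncated input and return how many
   contexts it left behind (0 means no leak). */
int leaked_after_run(int use_fixed) {
    ctx_t base = { "base" };
    static const unsigned char truncated[] = "MAT";   /* 4 bytes, shorter than a header */
    int before = live_ctx;
    if (use_fixed)
        read_header_fixed(&base, truncated, sizeof truncated);
    else
        read_header_leaky(&base, truncated, sizeof truncated);
    return live_ctx - before;
}

int main(void) {
    printf("leaky reader left %d context(s)\n", leaked_after_run(0));
    printf("fixed reader left %d context(s)\n", leaked_after_run(1));
    return 0;
}
```

Compiling this with -fsanitize=address makes LeakSanitizer report the leaky reader's lost allocation at exit, in the same form as the report above; the fixed reader produces no report because its cleanup label runs on every path.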
