memory leak in ReadXCFImage #649

Closed
jgj212 opened this issue Aug 5, 2017 · 2 comments

@jgj212
Contributor

commented Aug 5, 2017

Version: ImageMagick 7.0.6-6 Q16 x86_64

A memory leak vulnerability was found in function ReadXCFImage, which allows attackers to cause a denial of service via a crafted file.

#./identify $FILE

==10362==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 545177268 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7ff3fa6d7566 in AcquireMagickMemory memory.c:464:10
    #2 0x7ff3fa6d75c8 in AcquireQuantumMemory memory.c:537:10
    #3 0x7ff3facb035b in load_tile xcf.c:362:28
    #4 0x7ff3facafcfe in load_level xcf.c:671:15
    #5 0x7ff3facaf89a in load_hierarchy xcf.c:758:7
    #6 0x7ff3facaf202 in ReadOneLayer xcf.c:938:7
    #7 0x7ff3facad5fe in ReadXCFImage xcf.c:1331:16
    #8 0x7ff3fa4b1a68 in ReadImage constitute.c:497:13
    #9 0x7ff3fa84af59 in ReadStream stream.c:1045:9
    #10 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #11 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #12 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #13 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #14 0x514a47 in MagickMain magick.c:149:10
    #15 0x5144a1 in main magick.c:180:10
    #16 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Direct leak of 13488 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7ff3fa6d7566 in AcquireMagickMemory memory.c:464:10
    #2 0x7ff3fa689aef in CloneImage image.c:829:25
    #3 0x7ff3facaedcc in ReadOneLayer xcf.c:910:19
    #4 0x7ff3facad5fe in ReadXCFImage xcf.c:1331:16
    #5 0x7ff3fa4b1a68 in ReadImage constitute.c:497:13
    #6 0x7ff3fa84af59 in ReadStream stream.c:1045:9
    #7 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #8 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #9 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #10 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #11 0x514a47 in MagickMain magick.c:149:10
    #12 0x5144a1 in main magick.c:180:10
    #13 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 13024 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7ff3fa6d7566 in AcquireMagickMemory memory.c:464:10
    #2 0x7ff3fa687ba3 in AcquireImageInfo image.c:347:28
    #3 0x7ff3fa690d13 in CloneImageInfo image.c:952:14
    #4 0x7ff3fa68a38c in CloneImage image.c:845:27
    #5 0x7ff3facaedcc in ReadOneLayer xcf.c:910:19
    #6 0x7ff3facad5fe in ReadXCFImage xcf.c:1331:16
    #7 0x7ff3fa4b1a68 in ReadImage constitute.c:497:13
    #8 0x7ff3fa84af59 in ReadStream stream.c:1045:9
    #9 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #10 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #11 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #12 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #13 0x514a47 in MagickMain magick.c:149:10
    #14 0x5144a1 in main magick.c:180:10
    #15 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 9096 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7ff3fa6d7566 in AcquireMagickMemory memory.c:464:10
    #2 0x7ff3fa6d75c8 in AcquireQuantumMemory memory.c:537:10
    #3 0x7ff3fa433164 in AcquirePixelCache cache.c:195:28
    #4 0x7ff3fa4344e5 in ClonePixelCache cache.c:418:28
    #5 0x7ff3fa44dd8e in GetImagePixelCache cache.c:1652:29
    #6 0x7ff3fa453029 in SyncImagePixelCache cache.c:5269:28
    #7 0x7ff3fa68bc76 in SetImageStorageClass image.c:2513:10
    #8 0x7ff3fa68c71d in SetImageBackgroundColor image.c:2322:7
    #9 0x7ff3facaef7e in ReadOneLayer xcf.c:917:10
    #10 0x7ff3facad5fe in ReadXCFImage xcf.c:1331:16
    #11 0x7ff3fa4b1a68 in ReadImage constitute.c:497:13
    #12 0x7ff3fa84af59 in ReadStream stream.c:1045:9
    #13 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #14 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #15 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #16 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #17 0x514a47 in MagickMain magick.c:149:10
    #18 0x5144a1 in main magick.c:180:10
    #19 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 9096 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7ff3fa6d7566 in AcquireMagickMemory memory.c:464:10
    #2 0x7ff3fa6d75c8 in AcquireQuantumMemory memory.c:537:10
    #3 0x7ff3fa433164 in AcquirePixelCache cache.c:195:28
    #4 0x7ff3fa84abec in ReadStream stream.c:1027:20
    #5 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #6 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #7 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #8 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #9 0x514a47 in MagickMain magick.c:149:10
    #10 0x5144a1 in main magick.c:180:10
    #11 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 512 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7ff3fa6d7566 in AcquireMagickMemory memory.c:464:10
    #2 0x7ff3fa6d75c8 in AcquireQuantumMemory memory.c:537:10
    #3 0x7ff3fa71704a in AcquirePixelChannelMap pixel.c:101:35
    #4 0x7ff3fa717224 in ClonePixelChannelMap pixel.c:139:13
    #5 0x7ff3fa68a766 in CloneImage image.c:856:28
    #6 0x7ff3facaedcc in ReadOneLayer xcf.c:910:19
    #7 0x7ff3facad5fe in ReadXCFImage xcf.c:1331:16
    #8 0x7ff3fa4b1a68 in ReadImage constitute.c:497:13
    #9 0x7ff3fa84af59 in ReadStream stream.c:1045:9
    #10 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #11 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #12 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #13 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #14 0x514a47 in MagickMain magick.c:149:10
    #15 0x5144a1 in main magick.c:180:10
    #16 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 280 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7ff3fa6d7566 in AcquireMagickMemory memory.c:464:10
    #2 0x7ff3fa4118cd in CloneBlobInfo blob.c:504:27
    #3 0x7ff3fa68ac1f in CloneImage image.c:874:25
    #4 0x7ff3facaedcc in ReadOneLayer xcf.c:910:19
    #5 0x7ff3facad5fe in ReadXCFImage xcf.c:1331:16
    #6 0x7ff3fa4b1a68 in ReadImage constitute.c:497:13
    #7 0x7ff3fa84af59 in ReadStream stream.c:1045:9
    #8 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #9 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #10 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #11 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #12 0x514a47 in MagickMain magick.c:149:10
    #13 0x5144a1 in main magick.c:180:10
    #14 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7ff3fa6d7566 in AcquireMagickMemory memory.c:464:10
    #2 0x7ff3fa6d75c8 in AcquireQuantumMemory memory.c:537:10
    #3 0x7ff3fa433c24 in AcquirePixelCacheNexus cache.c:268:31
    #4 0x7ff3fa433684 in AcquirePixelCache cache.c:211:26
    #5 0x7ff3fa84abec in ReadStream stream.c:1027:20
    #6 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #7 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #8 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #9 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #10 0x514a47 in MagickMain magick.c:149:10
    #11 0x5144a1 in main magick.c:180:10
    #12 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7ff3fa6d7566 in AcquireMagickMemory memory.c:464:10
    #2 0x7ff3fa82aee5 in NewSplayTree splay-tree.c:1106:32
    #3 0x7ff3fa7633aa in SetImageProperty property.c:4022:23
    #4 0x7ff3facaf5c4 in InitXCFImage xcf.c:773:10
    #5 0x7ff3facaef94 in ReadOneLayer xcf.c:919:3
    #6 0x7ff3facad5fe in ReadXCFImage xcf.c:1331:16
    #7 0x7ff3fa4b1a68 in ReadImage constitute.c:497:13
    #8 0x7ff3fa84af59 in ReadStream stream.c:1045:9
    #9 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #10 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #11 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #12 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #13 0x514a47 in MagickMain magick.c:149:10
    #14 0x5144a1 in main magick.c:180:10
    #15 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7ff3fa6d7566 in AcquireMagickMemory memory.c:464:10
    #2 0x7ff3fa6d75c8 in AcquireQuantumMemory memory.c:537:10
    #3 0x7ff3fa433c24 in AcquirePixelCacheNexus cache.c:268:31
    #4 0x7ff3fa433684 in AcquirePixelCache cache.c:211:26
    #5 0x7ff3fa4344e5 in ClonePixelCache cache.c:418:28
    #6 0x7ff3fa44dd8e in GetImagePixelCache cache.c:1652:29
    #7 0x7ff3fa453029 in SyncImagePixelCache cache.c:5269:28
    #8 0x7ff3fa68bc76 in SetImageStorageClass image.c:2513:10
    #9 0x7ff3fa68c71d in SetImageBackgroundColor image.c:2322:7
    #10 0x7ff3facaef7e in ReadOneLayer xcf.c:917:10
    #11 0x7ff3facad5fe in ReadXCFImage xcf.c:1331:16
    #12 0x7ff3fa4b1a68 in ReadImage constitute.c:497:13
    #13 0x7ff3fa84af59 in ReadStream stream.c:1045:9
    #14 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #15 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #16 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #17 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #18 0x514a47 in MagickMain magick.c:149:10
    #19 0x5144a1 in main magick.c:180:10
    #20 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7ff3fa6d7566 in AcquireMagickMemory memory.c:464:10
    #2 0x7ff3fa82aee5 in NewSplayTree splay-tree.c:1106:32
    #3 0x7ff3fa82ab14 in CloneSplayTree splay-tree.c:359:14
    #4 0x7ff3fa707ff5 in CloneImageOptions option.c:1880:27
    #5 0x7ff3fa6925c4 in CloneImageInfo image.c:1007:10
    #6 0x7ff3fa68a38c in CloneImage image.c:845:27
    #7 0x7ff3facaedcc in ReadOneLayer xcf.c:910:19
    #8 0x7ff3facad5fe in ReadXCFImage xcf.c:1331:16
    #9 0x7ff3fa4b1a68 in ReadImage constitute.c:497:13
    #10 0x7ff3fa84af59 in ReadStream stream.c:1045:9
    #11 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #12 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #13 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #14 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #15 0x514a47 in MagickMain magick.c:149:10
    #16 0x5144a1 in main magick.c:180:10
    #17 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfa25 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7ff3fa8151c8 in AcquireSemaphoreMemory semaphore.c:154:7
    #2 0x7ff3fa814a3c in AcquireSemaphoreInfo semaphore.c:200:36
    #3 0x7ff3fa82b266 in NewSplayTree splay-tree.c:1119:25
    #4 0x7ff3fa82ab14 in CloneSplayTree splay-tree.c:359:14
    #5 0x7ff3fa707ff5 in CloneImageOptions option.c:1880:27
    #6 0x7ff3fa6925c4 in CloneImageInfo image.c:1007:10
    #7 0x7ff3fa68a38c in CloneImage image.c:845:27
    #8 0x7ff3facaedcc in ReadOneLayer xcf.c:910:19
    #9 0x7ff3facad5fe in ReadXCFImage xcf.c:1331:16
    #10 0x7ff3fa4b1a68 in ReadImage constitute.c:497:13
    #11 0x7ff3fa84af59 in ReadStream stream.c:1045:9
    #12 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #13 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #14 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #15 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #16 0x514a47 in MagickMain magick.c:149:10
    #17 0x5144a1 in main magick.c:180:10
    #18 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfa25 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7ff3fa8151c8 in AcquireSemaphoreMemory semaphore.c:154:7
    #2 0x7ff3fa814a3c in AcquireSemaphoreInfo semaphore.c:200:36
    #3 0x7ff3fa4339d2 in AcquirePixelCache cache.c:228:30
    #4 0x7ff3fa84abec in ReadStream stream.c:1027:20
    #5 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #6 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #7 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #8 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #9 0x514a47 in MagickMain magick.c:149:10
    #10 0x5144a1 in main magick.c:180:10
    #11 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfa25 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7ff3fa8151c8 in AcquireSemaphoreMemory semaphore.c:154:7
    #2 0x7ff3fa814a3c in AcquireSemaphoreInfo semaphore.c:200:36
    #3 0x7ff3fa4126c7 in GetBlobInfo blob.c:1414:24
    #4 0x7ff3fa4119bc in CloneBlobInfo blob.c:507:3
    #5 0x7ff3fa68ac1f in CloneImage image.c:874:25
    #6 0x7ff3facaedcc in ReadOneLayer xcf.c:910:19
    #7 0x7ff3facad5fe in ReadXCFImage xcf.c:1331:16
    #8 0x7ff3fa4b1a68 in ReadImage constitute.c:497:13
    #9 0x7ff3fa84af59 in ReadStream stream.c:1045:9
    #10 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #11 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #12 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #13 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #14 0x514a47 in MagickMain magick.c:149:10
    #15 0x5144a1 in main magick.c:180:10
    #16 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfa25 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7ff3fa8151c8 in AcquireSemaphoreMemory semaphore.c:154:7
    #2 0x7ff3fa814a3c in AcquireSemaphoreInfo semaphore.c:200:36
    #3 0x7ff3fa433943 in AcquirePixelCache cache.c:226:25
    #4 0x7ff3fa84abec in ReadStream stream.c:1027:20
    #5 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #6 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #7 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #8 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #9 0x514a47 in MagickMain magick.c:149:10
    #10 0x5144a1 in main magick.c:180:10
    #11 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfa25 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7ff3fa6d73a2 in AcquireAlignedMemory memory.c:262:7
    #2 0x7ff3fa433b2e in AcquirePixelCacheNexus cache.c:264:29
    #3 0x7ff3fa433684 in AcquirePixelCache cache.c:211:26
    #4 0x7ff3fa84abec in ReadStream stream.c:1027:20
    #5 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #6 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #7 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #8 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #9 0x514a47 in MagickMain magick.c:149:10
    #10 0x5144a1 in main magick.c:180:10
    #11 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfa25 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7ff3fa8151c8 in AcquireSemaphoreMemory semaphore.c:154:7
    #2 0x7ff3fa814a3c in AcquireSemaphoreInfo semaphore.c:200:36
    #3 0x7ff3fa82b266 in NewSplayTree splay-tree.c:1119:25
    #4 0x7ff3fa7633aa in SetImageProperty property.c:4022:23
    #5 0x7ff3facaf5c4 in InitXCFImage xcf.c:773:10
    #6 0x7ff3facaef94 in ReadOneLayer xcf.c:919:3
    #7 0x7ff3facad5fe in ReadXCFImage xcf.c:1331:16
    #8 0x7ff3fa4b1a68 in ReadImage constitute.c:497:13
    #9 0x7ff3fa84af59 in ReadStream stream.c:1045:9
    #10 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #11 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #12 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #13 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #14 0x514a47 in MagickMain magick.c:149:10
    #15 0x5144a1 in main magick.c:180:10
    #16 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfa25 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7ff3fa8151c8 in AcquireSemaphoreMemory semaphore.c:154:7
    #2 0x7ff3fa814a3c in AcquireSemaphoreInfo semaphore.c:200:36
    #3 0x7ff3fa4339d2 in AcquirePixelCache cache.c:228:30
    #4 0x7ff3fa4344e5 in ClonePixelCache cache.c:418:28
    #5 0x7ff3fa44dd8e in GetImagePixelCache cache.c:1652:29
    #6 0x7ff3fa453029 in SyncImagePixelCache cache.c:5269:28
    #7 0x7ff3fa68bc76 in SetImageStorageClass image.c:2513:10
    #8 0x7ff3fa68c71d in SetImageBackgroundColor image.c:2322:7
    #9 0x7ff3facaef7e in ReadOneLayer xcf.c:917:10
    #10 0x7ff3facad5fe in ReadXCFImage xcf.c:1331:16
    #11 0x7ff3fa4b1a68 in ReadImage constitute.c:497:13
    #12 0x7ff3fa84af59 in ReadStream stream.c:1045:9
    #13 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #14 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #15 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #16 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #17 0x514a47 in MagickMain magick.c:149:10
    #18 0x5144a1 in main magick.c:180:10
    #19 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfa25 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7ff3fa8151c8 in AcquireSemaphoreMemory semaphore.c:154:7
    #2 0x7ff3fa814a3c in AcquireSemaphoreInfo semaphore.c:200:36
    #3 0x7ff3fa433943 in AcquirePixelCache cache.c:226:25
    #4 0x7ff3fa4344e5 in ClonePixelCache cache.c:418:28
    #5 0x7ff3fa44dd8e in GetImagePixelCache cache.c:1652:29
    #6 0x7ff3fa453029 in SyncImagePixelCache cache.c:5269:28
    #7 0x7ff3fa68bc76 in SetImageStorageClass image.c:2513:10
    #8 0x7ff3fa68c71d in SetImageBackgroundColor image.c:2322:7
    #9 0x7ff3facaef7e in ReadOneLayer xcf.c:917:10
    #10 0x7ff3facad5fe in ReadXCFImage xcf.c:1331:16
    #11 0x7ff3fa4b1a68 in ReadImage constitute.c:497:13
    #12 0x7ff3fa84af59 in ReadStream stream.c:1045:9
    #13 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #14 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #15 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #16 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #17 0x514a47 in MagickMain magick.c:149:10
    #18 0x5144a1 in main magick.c:180:10
    #19 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfa25 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7ff3fa6d73a2 in AcquireAlignedMemory memory.c:262:7
    #2 0x7ff3fa433b2e in AcquirePixelCacheNexus cache.c:264:29
    #3 0x7ff3fa433684 in AcquirePixelCache cache.c:211:26
    #4 0x7ff3fa4344e5 in ClonePixelCache cache.c:418:28
    #5 0x7ff3fa44dd8e in GetImagePixelCache cache.c:1652:29
    #6 0x7ff3fa453029 in SyncImagePixelCache cache.c:5269:28
    #7 0x7ff3fa68bc76 in SetImageStorageClass image.c:2513:10
    #8 0x7ff3fa68c71d in SetImageBackgroundColor image.c:2322:7
    #9 0x7ff3facaef7e in ReadOneLayer xcf.c:917:10
    #10 0x7ff3facad5fe in ReadXCFImage xcf.c:1331:16
    #11 0x7ff3fa4b1a68 in ReadImage constitute.c:497:13
    #12 0x7ff3fa84af59 in ReadStream stream.c:1045:9
    #13 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #14 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #15 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #16 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #17 0x514a47 in MagickMain magick.c:149:10
    #18 0x5144a1 in main magick.c:180:10
    #19 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfa25 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7ff3fa8151c8 in AcquireSemaphoreMemory semaphore.c:154:7
    #2 0x7ff3fa814a3c in AcquireSemaphoreInfo semaphore.c:200:36
    #3 0x7ff3fa68adb6 in CloneImage image.c:878:26
    #4 0x7ff3facaedcc in ReadOneLayer xcf.c:910:19
    #5 0x7ff3facad5fe in ReadXCFImage xcf.c:1331:16
    #6 0x7ff3fa4b1a68 in ReadImage constitute.c:497:13
    #7 0x7ff3fa84af59 in ReadStream stream.c:1045:9
    #8 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #9 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #10 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #11 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #12 0x514a47 in MagickMain magick.c:149:10
    #13 0x5144a1 in main magick.c:180:10
    #14 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 32 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7ff3fa6d7566 in AcquireMagickMemory memory.c:464:10
    #2 0x7ff3fa829e70 in AddValueToSplayTree splay-tree.c:188:21
    #3 0x7ff3fa764e53 in SetImageProperty property.c:4462:10
    #4 0x7ff3facaf5c4 in InitXCFImage xcf.c:773:10
    #5 0x7ff3facaef94 in ReadOneLayer xcf.c:919:3
    #6 0x7ff3facad5fe in ReadXCFImage xcf.c:1331:16
    #7 0x7ff3fa4b1a68 in ReadImage constitute.c:497:13
    #8 0x7ff3fa84af59 in ReadStream stream.c:1045:9
    #9 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #10 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #11 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #12 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #13 0x514a47 in MagickMain magick.c:149:10
    #14 0x5144a1 in main magick.c:180:10
    #15 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 32 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7ff3fa6d7566 in AcquireMagickMemory memory.c:464:10
    #2 0x7ff3fa829e70 in AddValueToSplayTree splay-tree.c:188:21
    #3 0x7ff3fa82ad1c in CloneSplayTree splay-tree.c:371:12
    #4 0x7ff3fa707ff5 in CloneImageOptions option.c:1880:27
    #5 0x7ff3fa6925c4 in CloneImageInfo image.c:1007:10
    #6 0x7ff3fa68a38c in CloneImage image.c:845:27
    #7 0x7ff3facaedcc in ReadOneLayer xcf.c:910:19
    #8 0x7ff3facad5fe in ReadXCFImage xcf.c:1331:16
    #9 0x7ff3fa4b1a68 in ReadImage constitute.c:497:13
    #10 0x7ff3fa84af59 in ReadStream stream.c:1045:9
    #11 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #12 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #13 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #14 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #15 0x514a47 in MagickMain magick.c:149:10
    #16 0x5144a1 in main magick.c:180:10
    #17 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 15 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7ff3fa6d7566 in AcquireMagickMemory memory.c:464:10
    #2 0x7ff3fa6d75c8 in AcquireQuantumMemory memory.c:537:10
    #3 0x7ff3fa860653 in ConstantString string.c:701:26
    #4 0x7ff3fa82ad06 in CloneSplayTree splay-tree.c:372:7
    #5 0x7ff3fa707ff5 in CloneImageOptions option.c:1880:27
    #6 0x7ff3fa6925c4 in CloneImageInfo image.c:1007:10
    #7 0x7ff3fa68a38c in CloneImage image.c:845:27
    #8 0x7ff3facaedcc in ReadOneLayer xcf.c:910:19
    #9 0x7ff3facad5fe in ReadXCFImage xcf.c:1331:16
    #10 0x7ff3fa4b1a68 in ReadImage constitute.c:497:13
    #11 0x7ff3fa84af59 in ReadStream stream.c:1045:9
    #12 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #13 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #14 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #15 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #16 0x514a47 in MagickMain magick.c:149:10
    #17 0x5144a1 in main magick.c:180:10
    #18 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 9 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7ff3fa6d7566 in AcquireMagickMemory memory.c:464:10
    #2 0x7ff3fa6d75c8 in AcquireQuantumMemory memory.c:537:10
    #3 0x7ff3fa860653 in ConstantString string.c:701:26
    #4 0x7ff3fa82ac81 in CloneSplayTree splay-tree.c:371:43
    #5 0x7ff3fa707ff5 in CloneImageOptions option.c:1880:27
    #6 0x7ff3fa6925c4 in CloneImageInfo image.c:1007:10
    #7 0x7ff3fa68a38c in CloneImage image.c:845:27
    #8 0x7ff3facaedcc in ReadOneLayer xcf.c:910:19
    #9 0x7ff3facad5fe in ReadXCFImage xcf.c:1331:16
    #10 0x7ff3fa4b1a68 in ReadImage constitute.c:497:13
    #11 0x7ff3fa84af59 in ReadStream stream.c:1045:9
    #12 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #13 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #14 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #15 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #16 0x514a47 in MagickMain magick.c:149:10
    #17 0x5144a1 in main magick.c:180:10
    #18 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 6 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7ff3fa6d7566 in AcquireMagickMemory memory.c:464:10
    #2 0x7ff3fa6d75c8 in AcquireQuantumMemory memory.c:537:10
    #3 0x7ff3fa860653 in ConstantString string.c:701:26
    #4 0x7ff3fa764e33 in SetImageProperty property.c:4463:5
    #5 0x7ff3facaf5c4 in InitXCFImage xcf.c:773:10
    #6 0x7ff3facaef94 in ReadOneLayer xcf.c:919:3
    #7 0x7ff3facad5fe in ReadXCFImage xcf.c:1331:16
    #8 0x7ff3fa4b1a68 in ReadImage constitute.c:497:13
    #9 0x7ff3fa84af59 in ReadStream stream.c:1045:9
    #10 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #11 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #12 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #13 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #14 0x514a47 in MagickMain magick.c:149:10
    #15 0x5144a1 in main magick.c:180:10
    #16 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

Indirect leak of 1 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7ff3fa6d7566 in AcquireMagickMemory memory.c:464:10
    #2 0x7ff3fa6d75c8 in AcquireQuantumMemory memory.c:537:10
    #3 0x7ff3fa860653 in ConstantString string.c:701:26
    #4 0x7ff3fa764e43 in SetImageProperty property.c:4463:30
    #5 0x7ff3facaf5c4 in InitXCFImage xcf.c:773:10
    #6 0x7ff3facaef94 in ReadOneLayer xcf.c:919:3
    #7 0x7ff3facad5fe in ReadXCFImage xcf.c:1331:16
    #8 0x7ff3fa4b1a68 in ReadImage constitute.c:497:13
    #9 0x7ff3fa84af59 in ReadStream stream.c:1045:9
    #10 0x7ff3fa4b060f in PingImage constitute.c:226:9
    #11 0x7ff3fa4b0db3 in PingImages constitute.c:327:10
    #12 0x7ff3f9beb596 in IdentifyImageCommand identify.c:319:18
    #13 0x7ff3f9ca92af in MagickCommandGenesis mogrify.c:183:14
    #14 0x514a47 in MagickMain magick.c:149:10
    #15 0x5144a1 in main magick.c:180:10
    #16 0x7ff3f3bf2f44 in __libc_start_main (libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: 545223851 byte(s) leaked in 27 allocation(s).

POC: https://github.com/jgj212/poc/blob/master/leak-ReadXCFImage
Credit: ADLab of Venustech
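The LeakSanitizer report above is long because LSan emits one record per unfreed allocation, and the single record that matters for the denial-of-service claim (the 545 MB block allocated in load_tile) sits among two dozen tiny indirect leaks of the cloned Image structure. The triage script below is an added example, not code from the issue or from ImageMagick: it parses LSan output, skips the raw allocator and the ImageMagick allocation wrappers (AcquireMagickMemory, AcquireQuantumMemory, AcquireAlignedMemory) to find the frame that actually requested the memory, ranks leaks by that origin, flags any single leak above a size threshold, and cross-checks the per-record byte counts against the SUMMARY line so a truncated paste is noticed. The embedded SAMPLE_REPORT is a constructed, trimmed excerpt of the report in this issue (frame lists shortened, summary line recomputed for the four records kept); the wrapper list and the 64 MiB threshold are assumptions, not values from the page.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed excerpt of the LSan report from this issue.
# Byte counts and origin frames are the ones in the report; frame lists are
# shortened and the SUMMARY line is recomputed for the four records kept.
SAMPLE_REPORT = """\
==10362==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 545177268 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7ff3fa6d7566 in AcquireMagickMemory memory.c:464:10
    #2 0x7ff3fa6d75c8 in AcquireQuantumMemory memory.c:537:10
    #3 0x7ff3facb035b in load_tile xcf.c:362:28
    #4 0x7ff3facafcfe in load_level xcf.c:671:15

Direct leak of 13488 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7ff3fa6d7566 in AcquireMagickMemory memory.c:464:10
    #2 0x7ff3fa689aef in CloneImage image.c:829:25
    #3 0x7ff3facaedcc in ReadOneLayer xcf.c:910:19

Indirect leak of 13024 byte(s) in 1 object(s) allocated from:
    #0 0x4deec6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x7ff3fa6d7566 in AcquireMagickMemory memory.c:464:10
    #2 0x7ff3fa687ba3 in AcquireImageInfo image.c:347:28
    #3 0x7ff3fa690d13 in CloneImageInfo image.c:952:14

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4dfa25 in posix_memalign asan_malloc_linux.cc:142
    #1 0x7ff3fa8151c8 in AcquireSemaphoreMemory semaphore.c:154:7
    #2 0x7ff3fa814a3c in AcquireSemaphoreInfo semaphore.c:200:36
    #3 0x7ff3fa68adb6 in CloneImage image.c:878:26

SUMMARY: AddressSanitizer: 545203844 byte(s) leaked in 4 allocation(s).
"""

LEAK_HEADER = re.compile(
    r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\) allocated from:$")
FRAME = re.compile(r"^\s+#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)$")
SUMMARY = re.compile(
    r"^SUMMARY: AddressSanitizer: (\d+) byte\(s\) leaked in (\d+) allocation\(s\)\.$")

# Assumed list of frames that only forward an allocation request; the first
# frame below them is reported as the origin of the leak.
ALLOCATOR_FRAMES = {
    "__interceptor_malloc", "posix_memalign", "malloc", "calloc", "realloc",
    "AcquireMagickMemory", "AcquireQuantumMemory", "AcquireAlignedMemory",
}


def parse_lsan_report(text):
    """Return (records, summary); each record has kind, bytes, objects, frames."""
    records, summary, current = [], None, None
    for line in text.splitlines():
        m = LEAK_HEADER.match(line)
        if m:
            current = {"kind": m.group(1), "bytes": int(m.group(2)),
                       "objects": int(m.group(3)), "frames": []}
            records.append(current)
            continue
        m = FRAME.match(line)
        if m and current is not None:
            current["frames"].append((m.group(2), m.group(3)))  # (function, file:line:col)
            continue
        m = SUMMARY.match(line)
        if m:
            summary = {"bytes": int(m.group(1)), "allocations": int(m.group(2))}
    return records, summary


def origin_frame(record):
    """First frame that is neither the raw allocator nor an allocation wrapper."""
    for func, loc in record["frames"]:
        if func not in ALLOCATOR_FRAMES:
            return f"{func} {loc}"
    return "<unknown>"


def summarize(text, big_leak_threshold=64 * 1024 * 1024):
    """Aggregate leaks by origin, flag large single leaks, verify the SUMMARY line."""
    records, summary = parse_lsan_report(text)
    by_origin = defaultdict(lambda: {"bytes": 0, "count": 0, "direct": 0})
    for r in records:
        o = by_origin[origin_frame(r)]
        o["bytes"] += r["bytes"]
        o["count"] += 1
        if r["kind"] == "Direct":
            o["direct"] += 1
    total = sum(r["bytes"] for r in records)
    # A SUMMARY that disagrees with the records means the paste was truncated.
    consistent = (summary is not None and summary["bytes"] == total
                  and summary["allocations"] == len(records))
    large = [(origin_frame(r), r["bytes"]) for r in records if r["bytes"] >= big_leak_threshold]
    return {"total_bytes": total, "records": len(records),
            "consistent_with_summary": consistent,
            "by_origin": dict(by_origin), "large_leaks": large}


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    print(f"{result['records']} records, {result['total_bytes']} bytes, "
          f"summary consistent: {result['consistent_with_summary']}")
    for origin, agg in sorted(result["by_origin"].items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{agg['bytes']:>12} B  {agg['count']} leak(s), {agg['direct']} direct  {origin}")
    for origin, nbytes in result["large_leaks"]:
        print(f"LARGE: {nbytes} bytes from {origin}")
```

Run against the full report, the script ranks load_tile xcf.c:362:28 first by a wide margin and lists CloneImage image.c:910 (via ReadOneLayer) as the other direct leak, with everything else being indirect leaks of structures hanging off that cloned Image; that is the split a maintainer needs when deciding whether a fix for one report (here, the patch for #656) plausibly covers another.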

@mikayla-grace

commented Aug 7, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

It's likely that the patch for #656 also fixed this issue.

@dlemstra dlemstra added the bug label Aug 7, 2017

@dlemstra dlemstra closed this Aug 7, 2017

@nohmask

commented Sep 13, 2017

This was assigned CVE-2017-14343.
