memory exhaustion in ReadWPGImage #650

Closed
@jgj212

Version: ImageMagick 7.0.6-6 Q16 x86_64

A memory exhaustion vulnerability was found in function ReadWPGImage, which allows attackers to cause a denial of service via a crafted file.

#./identify $FILE

==14664==WARNING: AddressSanitizer failed to allocate 0xb000000000058 bytes
    #0 0x4e951f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) asan_rtl.cc:69
    #1 0x500dd5 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) sanitizer_termination.cc:79
    #2 0x4edac2 in __sanitizer::ReportAllocatorCannotReturnNull(bool) sanitizer_allocator.cc:221
    #3 0x426a5f in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<__asan::AP64>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >, __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback> >::ReturnNullOrDieOnBadRequest() sanitizer_allocator_combined.h:88
    #4 0x426a5f in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) asan_allocator.cc:398
    #5 0x4def59 in __interceptor_malloc asan_malloc_linux.cc:67
    #6 0x7fed78eb8566 in AcquireMagickMemory memory.c:464:10
    #7 0x7fed78eb85c8 in AcquireQuantumMemory memory.c:537:10
    #8 0x7fed78c57d9c in AcquireImageColormap colormap.c:119:35
    #9 0x7fed7947cf78 in ReadWPGImage wpg.c:1131:24
    #10 0x7fed78c92a68 in ReadImage constitute.c:497:13
    #11 0x7fed7902bf59 in ReadStream stream.c:1045:9
    #12 0x7fed78c9160f in PingImage constitute.c:226:9
    #13 0x7fed78c91db3 in PingImages constitute.c:327:10
    #14 0x7fed783cc596 in IdentifyImageCommand identify.c:319:18
    #15 0x7fed7848a2af in MagickCommandGenesis mogrify.c:183:14
    #16 0x514a47 in MagickMain magick.c:149:10
    #17 0x5144a1 in main magick.c:180:10
    #18 0x7fed723d3f44 in __libc_start_main (libc.so.6+0x21f44)
    #19 0x41b4fb in _start (lt-magick+0x41b4fb)

POC: https://github.com/jgj212/poc/blob/master/oom-ReadWPGImage
Credit: ADLab of Venustech
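
A defensive pattern for the allocation seen in the trace above (ReadWPGImage calling AcquireImageColormap), as an added example that is not part of the original report and not ImageMagick's own fix: a color count taken from the file is checked against the bytes actually left in the input before anything is allocated. The names `palette_entry` and `alloc_palette_checked` are hypothetical, and the 3-bytes-per-entry on-disk size is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical in-memory palette record; stands in for what a decoder allocates per color. */
typedef struct { uint16_t red, green, blue, alpha; } palette_entry;

/* Assumption: each palette entry is stored in the file as one RGB triple. */
#define BYTES_PER_COLOR_ON_DISK 3u

/*
 * Returns 0 and sets *out to a zeroed palette when `colors` is plausible.
 * Returns -1 without allocating when the header value cannot be backed by
 * the remaining input, or when its byte size would overflow size_t.
 */
int alloc_palette_checked(uint64_t colors, uint64_t bytes_remaining,
                          palette_entry **out)
{
    *out = NULL;
    if (colors == 0)
        return -1;
    /* A file cannot describe more entries than it has bytes left to store. */
    if (colors > bytes_remaining / BYTES_PER_COLOR_ON_DISK)
        return -1;
    /* Guard the count * size multiplication performed by the allocator. */
    if (colors > SIZE_MAX / sizeof(palette_entry))
        return -1;
    *out = calloc((size_t)colors, sizeof(palette_entry));
    return *out != NULL ? 0 : -1;
}

int main(void)
{
    palette_entry *pal = NULL;
    /* Constructed inputs: a 1 KiB file claiming 256 colors, then a huge count. */
    int ok = alloc_palette_checked(256, 1024, &pal);
    printf("256 colors, 1024 bytes left: %s\n", ok == 0 ? "accepted" : "rejected");
    free(pal);
    ok = alloc_palette_checked(UINT64_C(0x1600000000000), 1024, &pal);
    printf("oversized count, 1024 bytes left: %s\n", ok == 0 ? "accepted" : "rejected");
    return 0;
}
```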
