memory exhaustion in ReadWPGImage #650

Closed
jgj212 opened this issue Aug 5, 2017 · 3 comments

jgj212 commented Aug 5, 2017

Version: ImageMagick 7.0.6-6 Q16 x86_64

A memory exhaustion vulnerability was found in function ReadWPGImage, which allows attackers to cause a denial of service via a crafted file.

#./identify $FILE

==14664==WARNING: AddressSanitizer failed to allocate 0xb000000000058 bytes
    #0 0x4e951f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) asan_rtl.cc:69
    #1 0x500dd5 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) sanitizer_termination.cc:79
    #2 0x4edac2 in __sanitizer::ReportAllocatorCannotReturnNull(bool) sanitizer_allocator.cc:221
    #3 0x426a5f in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<__asan::AP64>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >, __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback> >::ReturnNullOrDieOnBadRequest() sanitizer_allocator_combined.h:88
    #4 0x426a5f in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) asan_allocator.cc:398
    #5 0x4def59 in __interceptor_malloc asan_malloc_linux.cc:67
    #6 0x7fed78eb8566 in AcquireMagickMemory memory.c:464:10
    #7 0x7fed78eb85c8 in AcquireQuantumMemory memory.c:537:10
    #8 0x7fed78c57d9c in AcquireImageColormap colormap.c:119:35
    #9 0x7fed7947cf78 in ReadWPGImage wpg.c:1131:24
    #10 0x7fed78c92a68 in ReadImage constitute.c:497:13
    #11 0x7fed7902bf59 in ReadStream stream.c:1045:9
    #12 0x7fed78c9160f in PingImage constitute.c:226:9
    #13 0x7fed78c91db3 in PingImages constitute.c:327:10
    #14 0x7fed783cc596 in IdentifyImageCommand identify.c:319:18
    #15 0x7fed7848a2af in MagickCommandGenesis mogrify.c:183:14
    #16 0x514a47 in MagickMain magick.c:149:10
    #17 0x5144a1 in main magick.c:180:10
    #18 0x7fed723d3f44 in __libc_start_main (libc.so.6+0x21f44)
    #19 0x41b4fb in _start (lt-magick+0x41b4fb)

POC: https://github.com/jgj212/poc/blob/master/oom-ReadWPGImage
Credit: ADLab of Venustech

@mikayla-grace

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

dlemstra commented Aug 7, 2017

IM7 commit: 4e378ea

dlemstra added the bug label Aug 7, 2017
dlemstra closed this as completed Aug 7, 2017

nohmask commented Sep 13, 2017

This was assigned CVE-2017-14342.
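
The trace in this report shows AcquireImageColormap requesting 0xb000000000058 bytes while ReadWPGImage processes a crafted file. The following C example is added here for illustration (it is not ImageMagick's code and not the change in commit 4e378ea): it bounds a file-declared color count by a ceiling and by the bytes actually present before allocating. The record layout, `MAX_COLORS`, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical palette record (NOT the real WPG layout): a 4-byte
   little-endian color count followed by count * 3 bytes of RGB data. */
#define ENTRY_BYTES 3u
#define MAX_COLORS  65536u              /* assumed policy ceiling */
typedef struct { uint8_t rgb[ENTRY_BYTES]; } color_t;

/* Returns 0 and sets *out and *n on success, -1 on a malformed record. */
int read_palette(const uint8_t *buf, size_t len, color_t **out, uint32_t *n)
{
    uint32_t count;

    if (len < 4) return -1;
    count = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
            ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    /* The header's count is untrusted: reject before any allocation. */
    if (count == 0 || count > MAX_COLORS) return -1;
    /* Every entry must be backed by input bytes; dividing avoids overflow. */
    if (count > (len - 4) / ENTRY_BYTES) return -1;

    *out = calloc(count, sizeof(color_t)); /* calloc guards count*size overflow */
    if (*out == NULL) return -1;
    memcpy(*out, buf + 4, (size_t)count * ENTRY_BYTES);
    *n = count;
    return 0;
}

/* Convenience wrapper: number of colors accepted, or -1 if rejected. */
int accepted_colors(const uint8_t *buf, size_t len)
{
    color_t *pal = NULL; uint32_t n = 0;
    if (read_palette(buf, len, &pal, &n) != 0) return -1;
    free(pal);
    return (int)n;
}

/* Constructed inputs: valid 2-color record, absurd count, truncated data. */
static const uint8_t good_rec[]  = {2, 0, 0, 0, 255, 0, 0, 0, 0, 255};
static const uint8_t huge_rec[]  = {0xFF, 0xFF, 0xFF, 0xFF, 1, 2, 3};
static const uint8_t short_rec[] = {0x00, 0x10, 0x00, 0x00, 1, 2, 3};

int main(void)
{
    printf("%d %d %d\n", accepted_colors(good_rec, sizeof good_rec),
           accepted_colors(huge_rec, sizeof huge_rec),
           accepted_colors(short_rec, sizeof short_rec));
    return 0;
}
```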
