Closed
Description
Version: ImageMagick 7.0.6-6 Q16 x86_64
A memory exhaustion vulnerability was found in the function ReadWPGImage, which allows attackers to cause a denial of service via a crafted file.
#./identify $FILE
==14664==WARNING: AddressSanitizer failed to allocate 0xb000000000058 bytes
#0 0x4e951f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) asan_rtl.cc:69
#1 0x500dd5 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) sanitizer_termination.cc:79
#2 0x4edac2 in __sanitizer::ReportAllocatorCannotReturnNull(bool) sanitizer_allocator.cc:221
#3 0x426a5f in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<__asan::AP64>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >, __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback> >::ReturnNullOrDieOnBadRequest() sanitizer_allocator_combined.h:88
#4 0x426a5f in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) asan_allocator.cc:398
#5 0x4def59 in __interceptor_malloc asan_malloc_linux.cc:67
#6 0x7fed78eb8566 in AcquireMagickMemory memory.c:464:10
#7 0x7fed78eb85c8 in AcquireQuantumMemory memory.c:537:10
#8 0x7fed78c57d9c in AcquireImageColormap colormap.c:119:35
#9 0x7fed7947cf78 in ReadWPGImage wpg.c:1131:24
#10 0x7fed78c92a68 in ReadImage constitute.c:497:13
#11 0x7fed7902bf59 in ReadStream stream.c:1045:9
#12 0x7fed78c9160f in PingImage constitute.c:226:9
#13 0x7fed78c91db3 in PingImages constitute.c:327:10
#14 0x7fed783cc596 in IdentifyImageCommand identify.c:319:18
#15 0x7fed7848a2af in MagickCommandGenesis mogrify.c:183:14
#16 0x514a47 in MagickMain magick.c:149:10
#17 0x5144a1 in main magick.c:180:10
#18 0x7fed723d3f44 in __libc_start_main (libc.so.6+0x21f44)
#19 0x41b4fb in _start (lt-magick+0x41b4fb)
POC: https://github.com/jgj212/poc/blob/master/oom-ReadWPGImage
Credit: ADLab of Venustech