
memory exhaustion in ReadBMPImage in bmp.c:945 #652

Closed
@whiteHat001

Description

@whiteHat001

root@ubuntu:/home/hjy/Desktop# magick --version
Version: ImageMagick 7.0.6-6 Q16 i686 2017-08-05 http://www.imagemagick.org

root@ubuntu:/home/hjy/Desktop# magick convert oom-ReadBMPImage2 test.png
==5856==ERROR: AddressSanitizer failed to allocate 0xa07a4000 (-1602600960) bytes of LargeMmapAllocator: 12
==5856==Process memory map follows:
	0x08048000-0x094d3000	/usr/local/bin/magick
	0x094d3000-0x094d4000	/usr/local/bin/magick
	0x094d4000-0x09555000	/usr/local/bin/magick
	0x09555000-0x09558000	
	0x1ffff000-0x24000000	
	0x24000000-0x28000000	
	0x28000000-0x40000000	
	0xb2d00000-0xb2e00000	
	0xb2f00000-0xb3000000	
	0xb3100000-0xb3200000	
	0xb3300000-0xb3400000	
	0xb3500000-0xb3600000	
	0xb3700000-0xb3800000	
	0xb3900000-0xb3a00000	
	0xb3b00000-0xb3c00000	
	0xb3d00000-0xb3e00000	
	0xb3f00000-0xb4100000	/usr/lib/locale/locale-archive
	0xb4100000-0xb4200000	
	0xb4300000-0xb4400000	
	0xb4500000-0xb4600000	
	0xb4700000-0xb4800000	
	0xb4900000-0xb4a00000	
	0xb4b00000-0xb4c00000	
	0xb4d00000-0xb4e00000	
	0xb4f00000-0xb5000000	
	0xb5100000-0xb5200000	
	0xb5300000-0xb5400000	
	0xb5500000-0xb5600000	
	0xb5700000-0xb5800000	
	0xb5900000-0xb5a00000	
	0xb5ae0000-0xb5c00000	
	0xb5c07000-0xb5c6c000	
	0xb5c6c000-0xb5c6d000	/usr/lib/locale/locale-archive
	0xb5c6d000-0xb6e20000	
	0xb6e20000-0xb6e44000	/lib/i386-linux-gnu/liblzma.so.5.0.0
	0xb6e44000-0xb6e45000	/lib/i386-linux-gnu/liblzma.so.5.0.0
	0xb6e45000-0xb6e46000	/lib/i386-linux-gnu/liblzma.so.5.0.0
	0xb6e46000-0xb6e49000	/lib/i386-linux-gnu/libdl-2.19.so
	0xb6e49000-0xb6e4a000	/lib/i386-linux-gnu/libdl-2.19.so
	0xb6e4a000-0xb6e4b000	/lib/i386-linux-gnu/libdl-2.19.so
	0xb6e4b000-0xb6ff4000	/lib/i386-linux-gnu/libc-2.19.so
	0xb6ff4000-0xb6ff6000	/lib/i386-linux-gnu/libc-2.19.so
	0xb6ff6000-0xb6ff7000	/lib/i386-linux-gnu/libc-2.19.so
	0xb6ff7000-0xb6ffa000	
	0xb6ffa000-0xb7012000	/lib/i386-linux-gnu/libpthread-2.19.so
	0xb7012000-0xb7013000	/lib/i386-linux-gnu/libpthread-2.19.so
	0xb7013000-0xb7014000	/lib/i386-linux-gnu/libpthread-2.19.so
	0xb7014000-0xb7016000	
	0xb7016000-0xb7031000	/lib/i386-linux-gnu/libgcc_s.so.1
	0xb7031000-0xb7032000	/lib/i386-linux-gnu/libgcc_s.so.1
	0xb7032000-0xb7033000	/lib/i386-linux-gnu/libgcc_s.so.1
	0xb7033000-0xb7034000	
	0xb7034000-0xb7078000	/lib/i386-linux-gnu/libm-2.19.so
	0xb7078000-0xb7079000	/lib/i386-linux-gnu/libm-2.19.so
	0xb7079000-0xb707a000	/lib/i386-linux-gnu/libm-2.19.so
	0xb707a000-0xb70a8000	/usr/lib/i386-linux-gnu/libgomp.so.1.0.0
	0xb70a8000-0xb70a9000	/usr/lib/i386-linux-gnu/libgomp.so.1.0.0
	0xb70a9000-0xb70aa000	/usr/lib/i386-linux-gnu/libgomp.so.1.0.0
	0xb70aa000-0xb70c2000	/lib/i386-linux-gnu/libz.so.1.2.8
	0xb70c2000-0xb70c3000	/lib/i386-linux-gnu/libz.so.1.2.8
	0xb70c3000-0xb70c4000	/lib/i386-linux-gnu/libz.so.1.2.8
	0xb70c4000-0xb7219000	/usr/lib/i386-linux-gnu/libxml2.so.2.9.1
	0xb7219000-0xb721a000	/usr/lib/i386-linux-gnu/libxml2.so.2.9.1
	0xb721a000-0xb721e000	/usr/lib/i386-linux-gnu/libxml2.so.2.9.1
	0xb721e000-0xb721f000	/usr/lib/i386-linux-gnu/libxml2.so.2.9.1
	0xb721f000-0xb7220000	
	0xb7220000-0xb7246000	/lib/i386-linux-gnu/libpng12.so.0.50.0
	0xb7246000-0xb7247000	/lib/i386-linux-gnu/libpng12.so.0.50.0
	0xb7247000-0xb7248000	/lib/i386-linux-gnu/libpng12.so.0.50.0
	0xb7248000-0xb7249000	
	0xb7249000-0xb7292000	/usr/lib/i386-linux-gnu/libjpeg.so.8.0.2
	0xb7292000-0xb7293000	/usr/lib/i386-linux-gnu/libjpeg.so.8.0.2
	0xb7293000-0xb7294000	/usr/lib/i386-linux-gnu/libjpeg.so.8.0.2
	0xb7294000-0xb72a4000	
	0xb72a4000-0xb7343000	/usr/lib/i386-linux-gnu/libasan.so.1.0.0
	0xb7343000-0xb7345000	/usr/lib/i386-linux-gnu/libasan.so.1.0.0
	0xb7345000-0xb7346000	/usr/lib/i386-linux-gnu/libasan.so.1.0.0
	0xb7346000-0xb779f000	
	0xb779f000-0xb77b5000	
	0xb77b5000-0xb77b6000	[vdso]
	0xb77b6000-0xb77d6000	/lib/i386-linux-gnu/ld-2.19.so
	0xb77d6000-0xb77d7000	/lib/i386-linux-gnu/ld-2.19.so
	0xb77d7000-0xb77d8000	/lib/i386-linux-gnu/ld-2.19.so
	0xbfc49000-0xbfc6a000	[stack]
==5856==End of process memory map.
==5856==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:66 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
    #0 0xb72f84c1 (/usr/lib/i386-linux-gnu/libasan.so.1+0x544c1)
    #1 0xb72fc6a9 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/i386-linux-gnu/libasan.so.1+0x586a9)
    #2 0xb7301e22 (/usr/lib/i386-linux-gnu/libasan.so.1+0x5de22)
    #3 0xb72bc99b (/usr/lib/i386-linux-gnu/libasan.so.1+0x1899b)
    #4 0xb72bd5e9 (/usr/lib/i386-linux-gnu/libasan.so.1+0x195e9)
    #5 0xb72f2d71 in __interceptor_posix_memalign (/usr/lib/i386-linux-gnu/libasan.so.1+0x4ed71)
    #6 0x80e783b in AcquireAlignedMemory MagickCore/memory.c:262
    #7 0x80e783b in AcquireVirtualMemory MagickCore/memory.c:636
    #8 0x829c509 in ReadBMPImage coders/bmp.c:945
    #9 0x88980c8 in ReadImage MagickCore/constitute.c:497
    #10 0x889bb49 in ReadImages MagickCore/constitute.c:866
    #11 0x8ea0ba0 in ConvertImageCommand MagickWand/convert.c:641
    #12 0x8fa97d1 in MagickCommandGenesis MagickWand/mogrify.c:183
    #13 0x8074e7a in MagickMain utilities/magick.c:149
    #14 0x805572a in main utilities/magick.c:180
    #15 0xb6e64a82 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #16 0x80744ba (/usr/local/bin/magick+0x80744ba)

PoC (crashing input file): https://github.com/whiteHat001/FUZZ_POC/blob/master/oom-ReadBMPImage2
