memory exhaustion in ReadTIFFImage

[whiteHat001]

root@ubuntu:/home/hjy/Desktop# convert oom-ReadTIFFImage /dev/null
==27669==ERROR: AddressSanitizer failed to allocate 0x80002000 (-2147475456) bytes of LargeMmapAllocator: 12
==27669==Process memory map follows:
	0x08048000-0x09714000	/usr/local/bin/magick
	0x09714000-0x09715000	/usr/local/bin/magick
	0x09715000-0x0979f000	/usr/local/bin/magick
	0x0979f000-0x097a3000	
	0x1ffff000-0x24000000	
	0x24000000-0x28000000	
	0x28000000-0x40000000	
	0xb2500000-0xb2600000	
	0xb2700000-0xb2800000	
	0xb2900000-0xb2a00000	
	0xb2b00000-0xb2c00000	
	0xb2d00000-0xb2e00000	
	0xb2f00000-0xb3000000	
	0xb3100000-0xb3200000	
	0xb3300000-0xb3400000	
	0xb3500000-0xb3600000	
	0xb3700000-0xb3800000	
	0xb3900000-0xb3a00000	
	0xb3b00000-0xb3c00000	
	0xb3d00000-0xb3e00000	
	0xb3f00000-0xb4100000	/usr/lib/locale/locale-archive
	0xb4100000-0xb4200000	
	0xb4300000-0xb4400000	
	0xb4500000-0xb4600000	
	0xb4700000-0xb4800000	
	0xb4900000-0xb4a00000	
	0xb4b00000-0xb4c00000	
	0xb4d00000-0xb4e00000	
	0xb4f00000-0xb5000000	
	0xb5100000-0xb5200000	
	0xb5300000-0xb5400000	
	0xb5500000-0xb5600000	
	0xb5700000-0xb5800000	
	0xb5900000-0xb5a00000	
	0xb5ae0000-0xb5c00000	
	0xb5c05000-0xb5c6a000	
	0xb5c6a000-0xb5c6b000	/usr/lib/locale/locale-archive
	0xb5c6b000-0xb6e21000	
	0xb6e21000-0xb6e45000	/lib/i386-linux-gnu/liblzma.so.5.0.0
	0xb6e45000-0xb6e46000	/lib/i386-linux-gnu/liblzma.so.5.0.0
	0xb6e46000-0xb6e47000	/lib/i386-linux-gnu/liblzma.so.5.0.0
	0xb6e47000-0xb6e4a000	/lib/i386-linux-gnu/libdl-2.19.so
	0xb6e4a000-0xb6e4b000	/lib/i386-linux-gnu/libdl-2.19.so
	0xb6e4b000-0xb6e4c000	/lib/i386-linux-gnu/libdl-2.19.so
	0xb6e4c000-0xb6ff5000	/lib/i386-linux-gnu/libc-2.19.so
	0xb6ff5000-0xb6ff7000	/lib/i386-linux-gnu/libc-2.19.so
	0xb6ff7000-0xb6ff8000	/lib/i386-linux-gnu/libc-2.19.so
	0xb6ff8000-0xb6ffb000	
	0xb6ffb000-0xb7013000	/lib/i386-linux-gnu/libpthread-2.19.so
	0xb7013000-0xb7014000	/lib/i386-linux-gnu/libpthread-2.19.so
	0xb7014000-0xb7015000	/lib/i386-linux-gnu/libpthread-2.19.so
	0xb7015000-0xb7017000	
	0xb7017000-0xb7032000	/lib/i386-linux-gnu/libgcc_s.so.1
	0xb7032000-0xb7033000	/lib/i386-linux-gnu/libgcc_s.so.1
	0xb7033000-0xb7034000	/lib/i386-linux-gnu/libgcc_s.so.1
	0xb7034000-0xb7035000	
	0xb7035000-0xb7079000	/lib/i386-linux-gnu/libm-2.19.so
	0xb7079000-0xb707a000	/lib/i386-linux-gnu/libm-2.19.so
	0xb707a000-0xb707b000	/lib/i386-linux-gnu/libm-2.19.so
	0xb707b000-0xb70a9000	/usr/lib/i386-linux-gnu/libgomp.so.1.0.0
	0xb70a9000-0xb70aa000	/usr/lib/i386-linux-gnu/libgomp.so.1.0.0
	0xb70aa000-0xb70ab000	/usr/lib/i386-linux-gnu/libgomp.so.1.0.0
	0xb70ab000-0xb70c3000	/lib/i386-linux-gnu/libz.so.1.2.8
	0xb70c3000-0xb70c4000	/lib/i386-linux-gnu/libz.so.1.2.8
	0xb70c4000-0xb70c5000	/lib/i386-linux-gnu/libz.so.1.2.8
	0xb70c5000-0xb721a000	/usr/lib/i386-linux-gnu/libxml2.so.2.9.1
	0xb721a000-0xb721b000	/usr/lib/i386-linux-gnu/libxml2.so.2.9.1
	0xb721b000-0xb721f000	/usr/lib/i386-linux-gnu/libxml2.so.2.9.1
	0xb721f000-0xb7220000	/usr/lib/i386-linux-gnu/libxml2.so.2.9.1
	0xb7220000-0xb7221000	
	0xb7221000-0xb7247000	/lib/i386-linux-gnu/libpng12.so.0.50.0
	0xb7247000-0xb7248000	/lib/i386-linux-gnu/libpng12.so.0.50.0
	0xb7248000-0xb7249000	/lib/i386-linux-gnu/libpng12.so.0.50.0
	0xb7249000-0xb724a000	
	0xb724a000-0xb7293000	/usr/lib/i386-linux-gnu/libjpeg.so.8.0.2
	0xb7293000-0xb7294000	/usr/lib/i386-linux-gnu/libjpeg.so.8.0.2
	0xb7294000-0xb7295000	/usr/lib/i386-linux-gnu/libjpeg.so.8.0.2
	0xb7295000-0xb72a5000	
	0xb72a5000-0xb7344000	/usr/lib/i386-linux-gnu/libasan.so.1.0.0
	0xb7344000-0xb7346000	/usr/lib/i386-linux-gnu/libasan.so.1.0.0
	0xb7346000-0xb7347000	/usr/lib/i386-linux-gnu/libasan.so.1.0.0
	0xb7347000-0xb77a0000	
	0xb77a0000-0xb77b6000	
	0xb77b6000-0xb77b7000	[vdso]
	0xb77b7000-0xb77d7000	/lib/i386-linux-gnu/ld-2.19.so
	0xb77d7000-0xb77d8000	/lib/i386-linux-gnu/ld-2.19.so
	0xb77d8000-0xb77d9000	/lib/i386-linux-gnu/ld-2.19.so
	0xbfd8c000-0xbfdad000	[stack]
==27669==End of process memory map.
==27669==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:66 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
    #0 0xb72f94c1 (/usr/lib/i386-linux-gnu/libasan.so.1+0x544c1)
    #1 0xb72fd6a9 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/i386-linux-gnu/libasan.so.1+0x586a9)
    #2 0xb7302e22 (/usr/lib/i386-linux-gnu/libasan.so.1+0x5de22)
    #3 0xb72bd99b (/usr/lib/i386-linux-gnu/libasan.so.1+0x1899b)
    #4 0xb72be488 (/usr/lib/i386-linux-gnu/libasan.so.1+0x19488)
    #5 0xb72f384a in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e84a)
    #6 0x8baef7a in AcquireQuantumPixels MagickCore/quantum.c:175
    #7 0x8baef7a in SetQuantumDepth MagickCore/quantum.c:693
    #8 0x877f852 in ReadTIFFImage coders/tiff.c:1655
    #9 0x88baf5e in ReadImage MagickCore/constitute.c:497
    #10 0x88bea44 in ReadImages MagickCore/constitute.c:866
    #11 0x8ec36d8 in ConvertImageCommand MagickWand/convert.c:641
    #12 0x8fc9e99 in MagickCommandGenesis MagickWand/mogrify.c:183
    #13 0x8077d9a in MagickMain utilities/magick.c:149
    #14 0x80579ca in main utilities/magick.c:180
    #15 0xb6e65a82 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #16 0x807737a (/usr/local/bin/magick+0x807737a)

POC https://github.com/whiteHat001/FUZZ_POC/blob/master/oom-ReadTIFFImage

[mikayla-grace]

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

[nohmask]

This was assigned CVE-2017-12805.