Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

memory exhaustion in ReadTIFFImage #664

Closed
whiteHat001 opened this issue Aug 10, 2017 · 2 comments

Comments

Projects
None yet
4 participants
@whiteHat001
Copy link

commented Aug 10, 2017

root@ubuntu:/home/hjy/Desktop# convert oom-ReadTIFFImage /dev/null
==27669==ERROR: AddressSanitizer failed to allocate 0x80002000 (-2147475456) bytes of LargeMmapAllocator: 12
==27669==Process memory map follows:
	0x08048000-0x09714000	/usr/local/bin/magick
	0x09714000-0x09715000	/usr/local/bin/magick
	0x09715000-0x0979f000	/usr/local/bin/magick
	0x0979f000-0x097a3000	
	0x1ffff000-0x24000000	
	0x24000000-0x28000000	
	0x28000000-0x40000000	
	0xb2500000-0xb2600000	
	0xb2700000-0xb2800000	
	0xb2900000-0xb2a00000	
	0xb2b00000-0xb2c00000	
	0xb2d00000-0xb2e00000	
	0xb2f00000-0xb3000000	
	0xb3100000-0xb3200000	
	0xb3300000-0xb3400000	
	0xb3500000-0xb3600000	
	0xb3700000-0xb3800000	
	0xb3900000-0xb3a00000	
	0xb3b00000-0xb3c00000	
	0xb3d00000-0xb3e00000	
	0xb3f00000-0xb4100000	/usr/lib/locale/locale-archive
	0xb4100000-0xb4200000	
	0xb4300000-0xb4400000	
	0xb4500000-0xb4600000	
	0xb4700000-0xb4800000	
	0xb4900000-0xb4a00000	
	0xb4b00000-0xb4c00000	
	0xb4d00000-0xb4e00000	
	0xb4f00000-0xb5000000	
	0xb5100000-0xb5200000	
	0xb5300000-0xb5400000	
	0xb5500000-0xb5600000	
	0xb5700000-0xb5800000	
	0xb5900000-0xb5a00000	
	0xb5ae0000-0xb5c00000	
	0xb5c05000-0xb5c6a000	
	0xb5c6a000-0xb5c6b000	/usr/lib/locale/locale-archive
	0xb5c6b000-0xb6e21000	
	0xb6e21000-0xb6e45000	/lib/i386-linux-gnu/liblzma.so.5.0.0
	0xb6e45000-0xb6e46000	/lib/i386-linux-gnu/liblzma.so.5.0.0
	0xb6e46000-0xb6e47000	/lib/i386-linux-gnu/liblzma.so.5.0.0
	0xb6e47000-0xb6e4a000	/lib/i386-linux-gnu/libdl-2.19.so
	0xb6e4a000-0xb6e4b000	/lib/i386-linux-gnu/libdl-2.19.so
	0xb6e4b000-0xb6e4c000	/lib/i386-linux-gnu/libdl-2.19.so
	0xb6e4c000-0xb6ff5000	/lib/i386-linux-gnu/libc-2.19.so
	0xb6ff5000-0xb6ff7000	/lib/i386-linux-gnu/libc-2.19.so
	0xb6ff7000-0xb6ff8000	/lib/i386-linux-gnu/libc-2.19.so
	0xb6ff8000-0xb6ffb000	
	0xb6ffb000-0xb7013000	/lib/i386-linux-gnu/libpthread-2.19.so
	0xb7013000-0xb7014000	/lib/i386-linux-gnu/libpthread-2.19.so
	0xb7014000-0xb7015000	/lib/i386-linux-gnu/libpthread-2.19.so
	0xb7015000-0xb7017000	
	0xb7017000-0xb7032000	/lib/i386-linux-gnu/libgcc_s.so.1
	0xb7032000-0xb7033000	/lib/i386-linux-gnu/libgcc_s.so.1
	0xb7033000-0xb7034000	/lib/i386-linux-gnu/libgcc_s.so.1
	0xb7034000-0xb7035000	
	0xb7035000-0xb7079000	/lib/i386-linux-gnu/libm-2.19.so
	0xb7079000-0xb707a000	/lib/i386-linux-gnu/libm-2.19.so
	0xb707a000-0xb707b000	/lib/i386-linux-gnu/libm-2.19.so
	0xb707b000-0xb70a9000	/usr/lib/i386-linux-gnu/libgomp.so.1.0.0
	0xb70a9000-0xb70aa000	/usr/lib/i386-linux-gnu/libgomp.so.1.0.0
	0xb70aa000-0xb70ab000	/usr/lib/i386-linux-gnu/libgomp.so.1.0.0
	0xb70ab000-0xb70c3000	/lib/i386-linux-gnu/libz.so.1.2.8
	0xb70c3000-0xb70c4000	/lib/i386-linux-gnu/libz.so.1.2.8
	0xb70c4000-0xb70c5000	/lib/i386-linux-gnu/libz.so.1.2.8
	0xb70c5000-0xb721a000	/usr/lib/i386-linux-gnu/libxml2.so.2.9.1
	0xb721a000-0xb721b000	/usr/lib/i386-linux-gnu/libxml2.so.2.9.1
	0xb721b000-0xb721f000	/usr/lib/i386-linux-gnu/libxml2.so.2.9.1
	0xb721f000-0xb7220000	/usr/lib/i386-linux-gnu/libxml2.so.2.9.1
	0xb7220000-0xb7221000	
	0xb7221000-0xb7247000	/lib/i386-linux-gnu/libpng12.so.0.50.0
	0xb7247000-0xb7248000	/lib/i386-linux-gnu/libpng12.so.0.50.0
	0xb7248000-0xb7249000	/lib/i386-linux-gnu/libpng12.so.0.50.0
	0xb7249000-0xb724a000	
	0xb724a000-0xb7293000	/usr/lib/i386-linux-gnu/libjpeg.so.8.0.2
	0xb7293000-0xb7294000	/usr/lib/i386-linux-gnu/libjpeg.so.8.0.2
	0xb7294000-0xb7295000	/usr/lib/i386-linux-gnu/libjpeg.so.8.0.2
	0xb7295000-0xb72a5000	
	0xb72a5000-0xb7344000	/usr/lib/i386-linux-gnu/libasan.so.1.0.0
	0xb7344000-0xb7346000	/usr/lib/i386-linux-gnu/libasan.so.1.0.0
	0xb7346000-0xb7347000	/usr/lib/i386-linux-gnu/libasan.so.1.0.0
	0xb7347000-0xb77a0000	
	0xb77a0000-0xb77b6000	
	0xb77b6000-0xb77b7000	[vdso]
	0xb77b7000-0xb77d7000	/lib/i386-linux-gnu/ld-2.19.so
	0xb77d7000-0xb77d8000	/lib/i386-linux-gnu/ld-2.19.so
	0xb77d8000-0xb77d9000	/lib/i386-linux-gnu/ld-2.19.so
	0xbfd8c000-0xbfdad000	[stack]
==27669==End of process memory map.
==27669==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:66 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
    #0 0xb72f94c1 (/usr/lib/i386-linux-gnu/libasan.so.1+0x544c1)
    #1 0xb72fd6a9 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/i386-linux-gnu/libasan.so.1+0x586a9)
    #2 0xb7302e22 (/usr/lib/i386-linux-gnu/libasan.so.1+0x5de22)
    #3 0xb72bd99b (/usr/lib/i386-linux-gnu/libasan.so.1+0x1899b)
    #4 0xb72be488 (/usr/lib/i386-linux-gnu/libasan.so.1+0x19488)
    #5 0xb72f384a in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e84a)
    #6 0x8baef7a in AcquireQuantumPixels MagickCore/quantum.c:175
    #7 0x8baef7a in SetQuantumDepth MagickCore/quantum.c:693
    #8 0x877f852 in ReadTIFFImage coders/tiff.c:1655
    #9 0x88baf5e in ReadImage MagickCore/constitute.c:497
    #10 0x88bea44 in ReadImages MagickCore/constitute.c:866
    #11 0x8ec36d8 in ConvertImageCommand MagickWand/convert.c:641
    #12 0x8fc9e99 in MagickCommandGenesis MagickWand/mogrify.c:183
    #13 0x8077d9a in MagickMain utilities/magick.c:149
    #14 0x80579ca in main utilities/magick.c:180
    #15 0xb6e65a82 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #16 0x807737a (/usr/local/bin/magick+0x807737a)

POC https://github.com/whiteHat001/FUZZ_POC/blob/master/oom-ReadTIFFImage

@mikayla-grace

This comment has been minimized.

Copy link

commented Aug 10, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

dlemstra pushed a commit that referenced this issue Aug 10, 2017

Cristy

dlemstra pushed a commit that referenced this issue Aug 10, 2017

dlemstra pushed a commit that referenced this issue Aug 10, 2017

Cristy

@dlemstra dlemstra added the bug label Aug 10, 2017

@dlemstra dlemstra closed this Aug 10, 2017

@nohmask

This comment has been minimized.

Copy link

commented May 10, 2019

This was assigned CVE-2017-12805.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.