memory leak in NewLinkedList

[bestshow]

Version: ImageMagick 7.0.6-8 Q16 x86_64

A memory leak vulnerability was found in function NewLinkedList in MagickCore/linked-list.c ,which allow attackers to cause a denial of service via a crafted file.

#./identify $FILE
=================================================================
==52771==ERROR: detected memory leaks

Direct leak of 56 byte(s) in 1 object(s) allocated from:
    #0 0x4ec5a6 in __interceptor_malloc /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x552ec8 in NewLinkedList /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/linked-list.c:717:32
    #2 0xdf566c in ReadImage /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:497:13
    #3 0x1329e15 in ReadStream /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/stream.c:1045:9
    #4 0xdf3fc1 in PingImage /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:226:9
    #5 0x1667f5d in IdentifyImageCommand /home/test/Downloads/IM-afl/ImageMagick-master/MagickWand/identify.c:319:18
    #6 0x173f51c in MagickCommandGenesis /home/test/Downloads/IM-afl/ImageMagick-master/MagickWand/mogrify.c:183:14
    #7 0x522b18 in MagickMain /home/test/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:149:10
    #8 0x522b18 in main /home/test/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:180
    #9 0x7f4e99093b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274

Indirect leak of 4194 byte(s) in 1 object(s) allocated from:
    #0 0x4ec5a6 in __interceptor_malloc /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x6ac144 in AcquireString /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/string.c:136:24
    #2 0xdf566c in ReadImage /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:497:13
    #3 0x1329e15 in ReadStream /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/stream.c:1045:9
    #4 0xdf3fc1 in PingImage /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:226:9
    #5 0x1667f5d in IdentifyImageCommand /home/test/Downloads/IM-afl/ImageMagick-master/MagickWand/identify.c:319:18
    #6 0x173f51c in MagickCommandGenesis /home/test/Downloads/IM-afl/ImageMagick-master/MagickWand/mogrify.c:183:14
    #7 0x522b18 in MagickMain /home/test/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:149:10
    #8 0x522b18 in main /home/test/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:180
    #9 0x7f4e99093b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274

......

4330 byte(s) leaked in 4 allocation(s).

testcase:https://github.com/bestshow/p0cs/blob/master/memory_leak_in_NewLinkedList
Credit:ADLab of Venustech

[urban-warrior]

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

[fgeek]

Please use CVE-2017-13131 for this issue.