Closed
Description
Version: ImageMagick 7.0.6-10 Q16
A memory leak vulnerability was found in function ReadMATImage in coders/mat.c, which allows attackers to cause a denial of service via a crafted file.
#./identify $FILE
=================================================================
==14649==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 13488 byte(s) in 1 object(s) allocated from:
#0 0x4ec5a6 in __interceptor_malloc /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
#1 0x52811b in AcquireImage /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/image.c:169:19
#2 0x8daaf3 in decompress_block /home/test/Downloads/IM-afl/ImageMagick-master/coders/mat.c:570:17
#3 0x8daaf3 in ReadMATImage /home/test/Downloads/IM-afl/ImageMagick-master/coders/mat.c:966
#4 0xdf94bc in ReadImage /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:497:13
#5 0x1330131 in ReadStream /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/stream.c:1045:9
#6 0xdf814d in PingImage /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:226:9
#7 0x16753bd in IdentifyImageCommand /home/test/Downloads/IM-afl/ImageMagick-master/MagickWand/identify.c:319:18
#8 0x174c0ec in MagickCommandGenesis /home/test/Downloads/IM-afl/ImageMagick-master/MagickWand/mogrify.c:183:14
#9 0x522b1d in MagickMain /home/test/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:149:10
#10 0x522b1d in main /home/test/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:180
#11 0x7fe88b6f9b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
Indirect leak of 13024 byte(s) in 1 object(s) allocated from:
#0 0x4ec5a6 in __interceptor_malloc /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
#1 0x52c765 in AcquireImageInfo /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/image.c:347:28
#2 0x529301 in AcquireImage /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/image.c:290:10
#3 0x8daaf3 in decompress_block /home/test/Downloads/IM-afl/ImageMagick-master/coders/mat.c:570:17
#4 0x8daaf3 in ReadMATImage /home/test/Downloads/IM-afl/ImageMagick-master/coders/mat.c:966
#5 0xdf94bc in ReadImage /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:497:13
#6 0x1330131 in ReadStream /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/stream.c:1045:9
#7 0xdf814d in PingImage /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:226:9
#8 0x16753bd in IdentifyImageCommand /home/test/Downloads/IM-afl/ImageMagick-master/MagickWand/identify.c:319:18
#9 0x174c0ec in MagickCommandGenesis /home/test/Downloads/IM-afl/ImageMagick-master/MagickWand/mogrify.c:183:14
#10 0x522b1d in MagickMain /home/test/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:149:10
#11 0x522b1d in main /home/test/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:180
#12 0x7fe88b6f9b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
Indirect leak of 9096 byte(s) in 1 object(s) allocated from:
#0 0x4ec5a6 in __interceptor_malloc /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
#1 0xd59792 in AcquirePixelCache /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/cache.c:195:28
#2 0xdf814d in PingImage /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:226:9
#3 0x16753bd in IdentifyImageCommand /home/test/Downloads/IM-afl/ImageMagick-master/MagickWand/identify.c:319:18
#4 0x174c0ec in MagickCommandGenesis /home/test/Downloads/IM-afl/ImageMagick-master/MagickWand/mogrify.c:183:14
#5 0x522b1d in MagickMain /home/test/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:149:10
#6 0x522b1d in main /home/test/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:180
#7 0x7fe88b6f9b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
......
46451 byte(s) leaked in 21 allocation(s).
testcase: https://github.com/bestshow/p0cs/blob/master/memory_leak_in_ReadMATImage966.mat
Credit: ADLab of Venustech
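For triage, a LeakSanitizer report like the one above can be collapsed to one line per leaking site, so that direct and indirect records from the same allocation are counted together. The Python below is an added example, not part of the original report or of ImageMagick; its sample text is an abridged excerpt of the trace above with paths shortened, and the `/coders/` blame heuristic and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Abridged excerpt of the report above: frames trimmed and paths shortened for this example.
SAMPLE = """\
Direct leak of 13488 byte(s) in 1 object(s) allocated from:
#0 0x4ec5a6 in __interceptor_malloc /llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:66
#1 0x52811b in AcquireImage /ImageMagick-master/MagickCore/image.c:169:19
#2 0x8daaf3 in decompress_block /ImageMagick-master/coders/mat.c:570:17
#3 0x8daaf3 in ReadMATImage /ImageMagick-master/coders/mat.c:966
Indirect leak of 13024 byte(s) in 1 object(s) allocated from:
#0 0x4ec5a6 in __interceptor_malloc /llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:66
#1 0x52c765 in AcquireImageInfo /ImageMagick-master/MagickCore/image.c:347:28
#2 0x529301 in AcquireImage /ImageMagick-master/MagickCore/image.c:290:10
#3 0x8daaf3 in decompress_block /ImageMagick-master/coders/mat.c:570:17
Indirect leak of 9096 byte(s) in 1 object(s) allocated from:
#0 0x4ec5a6 in __interceptor_malloc /llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:66
#1 0xd59792 in AcquirePixelCache /ImageMagick-master/MagickCore/cache.c:195:28
#2 0xdf814d in PingImage /ImageMagick-master/MagickCore/constitute.c:226:9
"""

HEADER = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
# Frame line: "#N 0xADDR in FUNC PATH:LINE[:COL]"; the column is optional.
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?\s*$")

def parse_leaks(report):
    """Return one dict per leak record with kind, bytes, objects and frames."""
    leaks = []
    for line in report.splitlines():
        if m := HEADER.match(line):
            leaks.append({"kind": m.group(1), "bytes": int(m.group(2)),
                          "objects": int(m.group(3)), "frames": []})
        elif (m := FRAME.match(line)) and leaks:
            leaks[-1]["frames"].append((m.group(1), m.group(2), int(m.group(3))))
    return leaks

def blame(leak, marker="/coders/"):
    """Pick the first frame under the decoder directory (assumed heuristic),
    falling back to the allocation site just above the malloc interceptor."""
    frames = [f for f in leak["frames"] if not f[0].startswith("__interceptor_")]
    hit = next((f for f in frames if marker in f[1]), frames[0] if frames else None)
    return f"{hit[0]} ({hit[1].rsplit('/', 1)[-1]}:{hit[2]})" if hit else "unknown"

def summarize(report):
    """Sum leaked bytes per blamed frame so related records collapse to one site."""
    totals = defaultdict(int)
    for leak in parse_leaks(report):
        totals[blame(leak)] += leak["bytes"]
    return dict(totals)
```

Calling `summarize()` on a full report groups the `AcquireImage` allocations under the `decompress_block` call site in `coders/mat.c`, which is the place to look for a missing release on the reader's exit paths.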