New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

memory leak in ReadMATImage #691

Closed
bestshow opened this Issue Aug 22, 2017 · 2 comments

Comments

Projects
None yet
5 participants
@bestshow

bestshow commented Aug 22, 2017

Version: ImageMagick 7.0.6-10 Q16

A memory leak vulnerability was found in function ReadMATImage in coders/mat.c ,which allow attackers to cause a denial of service via a crafted file.

#./identify $FILE
=================================================================
==14649==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 13488 byte(s) in 1 object(s) allocated from:
    #0 0x4ec5a6 in __interceptor_malloc /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x52811b in AcquireImage /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/image.c:169:19
    #2 0x8daaf3 in decompress_block /home/test/Downloads/IM-afl/ImageMagick-master/coders/mat.c:570:17
    #3 0x8daaf3 in ReadMATImage /home/test/Downloads/IM-afl/ImageMagick-master/coders/mat.c:966
    #4 0xdf94bc in ReadImage /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:497:13
    #5 0x1330131 in ReadStream /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/stream.c:1045:9
    #6 0xdf814d in PingImage /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:226:9
    #7 0x16753bd in IdentifyImageCommand /home/test/Downloads/IM-afl/ImageMagick-master/MagickWand/identify.c:319:18
    #8 0x174c0ec in MagickCommandGenesis /home/test/Downloads/IM-afl/ImageMagick-master/MagickWand/mogrify.c:183:14
    #9 0x522b1d in MagickMain /home/test/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:149:10
    #10 0x522b1d in main /home/test/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:180
    #11 0x7fe88b6f9b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274

Indirect leak of 13024 byte(s) in 1 object(s) allocated from:
    #0 0x4ec5a6 in __interceptor_malloc /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x52c765 in AcquireImageInfo /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/image.c:347:28
    #2 0x529301 in AcquireImage /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/image.c:290:10
    #3 0x8daaf3 in decompress_block /home/test/Downloads/IM-afl/ImageMagick-master/coders/mat.c:570:17
    #4 0x8daaf3 in ReadMATImage /home/test/Downloads/IM-afl/ImageMagick-master/coders/mat.c:966
    #5 0xdf94bc in ReadImage /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:497:13
    #6 0x1330131 in ReadStream /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/stream.c:1045:9
    #7 0xdf814d in PingImage /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:226:9
    #8 0x16753bd in IdentifyImageCommand /home/test/Downloads/IM-afl/ImageMagick-master/MagickWand/identify.c:319:18
    #9 0x174c0ec in MagickCommandGenesis /home/test/Downloads/IM-afl/ImageMagick-master/MagickWand/mogrify.c:183:14
    #10 0x522b1d in MagickMain /home/test/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:149:10
    #11 0x522b1d in main /home/test/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:180
    #12 0x7fe88b6f9b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274

Indirect leak of 9096 byte(s) in 1 object(s) allocated from:
    #0 0x4ec5a6 in __interceptor_malloc /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0xd59792 in AcquirePixelCache /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/cache.c:195:28
    #2 0xdf814d in PingImage /home/test/Downloads/IM-afl/ImageMagick-master/MagickCore/constitute.c:226:9
    #3 0x16753bd in IdentifyImageCommand /home/test/Downloads/IM-afl/ImageMagick-master/MagickWand/identify.c:319:18
    #4 0x174c0ec in MagickCommandGenesis /home/test/Downloads/IM-afl/ImageMagick-master/MagickWand/mogrify.c:183:14
    #5 0x522b1d in MagickMain /home/test/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:149:10
    #6 0x522b1d in main /home/test/Downloads/IM-afl/ImageMagick-master/utilities/magick.c:180
    #7 0x7fe88b6f9b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274

......

46451 byte(s) leaked in 21 allocation(s).

testcase:https://github.com/bestshow/p0cs/blob/master/memory_leak_in_ReadMATImage966.mat
Credit:ADLab of Venustech

urban-warrior pushed a commit that referenced this issue Aug 22, 2017

@mikayla-grace

This comment has been minimized.

Show comment
Hide comment
@mikayla-grace

mikayla-grace Aug 22, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

See #77fcc8d92 and #d3144a8be.

mikayla-grace commented Aug 22, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

See #77fcc8d92 and #d3144a8be.

@dlemstra dlemstra added the bug label Sep 18, 2017

@nohmask

This comment has been minimized.

Show comment
Hide comment
@nohmask

nohmask Jan 15, 2018

This was assigned CVE-2017-18029.

nohmask commented Jan 15, 2018

This was assigned CVE-2017-18029.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment