
memory leak in ReadMATImage coders/mat.c:962 #740

Closed
jerryl3e opened this issue Sep 8, 2017 · 2 comments
jerryl3e commented Sep 8, 2017

version:
ImageMagick 7.0.7-1 Q16 x86_64
gcc 7.1

crash link:
https://raw.githubusercontent.com/jerryl3e/poc/master/im_poc_1504844768.mat

trigger command:
./magick convert im_poc_1504844768.mat /dev/null

detail:

root@work:/home/work/fuzzing/ImageMagick-7.0.7-1/utilities# ./magick im_poc_1504844768.mat /dev/null
lt-magick: multi-dimensional matrices are not supported `im_poc_1504844768.mat' @ error/mat.c/ReadMATImage/1002.

=================================================================
==129199==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 13024 byte(s) in 1 object(s) allocated from:
    #0 0x7f8353fda920 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde920)
    #1 0x7f835365c336 in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x7f835361997f in AcquireImageInfo MagickCore/image.c:347
    #3 0x7f835361cb9a in CloneImageInfo MagickCore/image.c:952
    #4 0x7f8353895594 in ReadMATImage coders/mat.c:962
    #5 0x7f83534ef6b0 in ReadImage MagickCore/constitute.c:497
    #6 0x7f83534f2597 in ReadImages MagickCore/constitute.c:866
    #7 0x7f8352fd81fa in CLINoImageOperator MagickWand/operation.c:4760
    #8 0x7f8352fdb518 in CLIOption MagickWand/operation.c:5255
    #9 0x7f8352e83cba in ProcessCommandOptions MagickWand/magick-cli.c:424
    #10 0x7f8352e85562 in MagickImageCommand MagickWand/magick-cli.c:794
    #11 0x7f8352ebeacd in MagickCommandGenesis MagickWand/mogrify.c:183
    #12 0x401a25 in MagickMain utilities/magick.c:149
    #13 0x401c9e in main utilities/magick.c:180
    #14 0x7f83524ea82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Indirect leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x7f8353fda920 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde920)
    #1 0x7f835365c336 in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x7f83537691e4 in NewSplayTree MagickCore/splay-tree.c:1106
    #3 0x7f8353766572 in CloneSplayTree MagickCore/splay-tree.c:359
    #4 0x7f8353681e2a in CloneImageOptions MagickCore/option.c:1883
    #5 0x7f835361e18d in CloneImageInfo MagickCore/image.c:1007
    #6 0x7f8353895594 in ReadMATImage coders/mat.c:962
    #7 0x7f83534ef6b0 in ReadImage MagickCore/constitute.c:497
    #8 0x7f83534f2597 in ReadImages MagickCore/constitute.c:866
    #9 0x7f8352fd81fa in CLINoImageOperator MagickWand/operation.c:4760
    #10 0x7f8352fdb518 in CLIOption MagickWand/operation.c:5255
    #11 0x7f8352e83cba in ProcessCommandOptions MagickWand/magick-cli.c:424
    #12 0x7f8352e85562 in MagickImageCommand MagickWand/magick-cli.c:794
    #13 0x7f8352ebeacd in MagickCommandGenesis MagickWand/mogrify.c:183
    #14 0x401a25 in MagickMain utilities/magick.c:149
    #15 0x401c9e in main utilities/magick.c:180
    #16 0x7f83524ea82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7f8353fdb570 in posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdf570)
    #1 0x7f8353752634 in AcquireSemaphoreMemory MagickCore/semaphore.c:154
    #2 0x7f835375271c in AcquireSemaphoreInfo MagickCore/semaphore.c:200
    #3 0x7f83537694b1 in NewSplayTree MagickCore/splay-tree.c:1119
    #4 0x7f8353766572 in CloneSplayTree MagickCore/splay-tree.c:359
    #5 0x7f8353681e2a in CloneImageOptions MagickCore/option.c:1883
    #6 0x7f835361e18d in CloneImageInfo MagickCore/image.c:1007
    #7 0x7f8353895594 in ReadMATImage coders/mat.c:962
    #8 0x7f83534ef6b0 in ReadImage MagickCore/constitute.c:497
    #9 0x7f83534f2597 in ReadImages MagickCore/constitute.c:866
    #10 0x7f8352fd81fa in CLINoImageOperator MagickWand/operation.c:4760
    #11 0x7f8352fdb518 in CLIOption MagickWand/operation.c:5255
    #12 0x7f8352e83cba in ProcessCommandOptions MagickWand/magick-cli.c:424
    #13 0x7f8352e85562 in MagickImageCommand MagickWand/magick-cli.c:794
    #14 0x7f8352ebeacd in MagickCommandGenesis MagickWand/mogrify.c:183
    #15 0x401a25 in MagickMain utilities/magick.c:149
    #16 0x401c9e in main utilities/magick.c:180
    #17 0x7f83524ea82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Indirect leak of 32 byte(s) in 1 object(s) allocated from:
    #0 0x7f8353fda920 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde920)
    #1 0x7f835365c336 in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x7f83537659c9 in AddValueToSplayTree MagickCore/splay-tree.c:188
    #3 0x7f83537666fb in CloneSplayTree MagickCore/splay-tree.c:371
    #4 0x7f8353681e2a in CloneImageOptions MagickCore/option.c:1883
    #5 0x7f835361e18d in CloneImageInfo MagickCore/image.c:1007
    #6 0x7f8353895594 in ReadMATImage coders/mat.c:962
    #7 0x7f83534ef6b0 in ReadImage MagickCore/constitute.c:497
    #8 0x7f83534f2597 in ReadImages MagickCore/constitute.c:866
    #9 0x7f8352fd81fa in CLINoImageOperator MagickWand/operation.c:4760
    #10 0x7f8352fdb518 in CLIOption MagickWand/operation.c:5255
    #11 0x7f8352e83cba in ProcessCommandOptions MagickWand/magick-cli.c:424
    #12 0x7f8352e85562 in MagickImageCommand MagickWand/magick-cli.c:794
    #13 0x7f8352ebeacd in MagickCommandGenesis MagickWand/mogrify.c:183
    #14 0x401a25 in MagickMain utilities/magick.c:149
    #15 0x401c9e in main utilities/magick.c:180
    #16 0x7f83524ea82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Indirect leak of 22 byte(s) in 1 object(s) allocated from:
    #0 0x7f8353fda920 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde920)
    #1 0x7f835365c336 in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x7f835365c38a in AcquireQuantumMemory MagickCore/memory.c:537
    #3 0x7f835378fe89 in ConstantString MagickCore/string.c:701
    #4 0x7f835376668f in CloneSplayTree MagickCore/splay-tree.c:372
    #5 0x7f8353681e2a in CloneImageOptions MagickCore/option.c:1883
    #6 0x7f835361e18d in CloneImageInfo MagickCore/image.c:1007
    #7 0x7f8353895594 in ReadMATImage coders/mat.c:962
    #8 0x7f83534ef6b0 in ReadImage MagickCore/constitute.c:497
    #9 0x7f83534f2597 in ReadImages MagickCore/constitute.c:866
    #10 0x7f8352fd81fa in CLINoImageOperator MagickWand/operation.c:4760
    #11 0x7f8352fdb518 in CLIOption MagickWand/operation.c:5255
    #12 0x7f8352e83cba in ProcessCommandOptions MagickWand/magick-cli.c:424
    #13 0x7f8352e85562 in MagickImageCommand MagickWand/magick-cli.c:794
    #14 0x7f8352ebeacd in MagickCommandGenesis MagickWand/mogrify.c:183
    #15 0x401a25 in MagickMain utilities/magick.c:149
    #16 0x401c9e in main utilities/magick.c:180
    #17 0x7f83524ea82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Indirect leak of 9 byte(s) in 1 object(s) allocated from:
    #0 0x7f8353fda920 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde920)
    #1 0x7f835365c336 in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x7f835365c38a in AcquireQuantumMemory MagickCore/memory.c:537
    #3 0x7f835378fe89 in ConstantString MagickCore/string.c:701
    #4 0x7f83537666e6 in CloneSplayTree MagickCore/splay-tree.c:371
    #5 0x7f8353681e2a in CloneImageOptions MagickCore/option.c:1883
    #6 0x7f835361e18d in CloneImageInfo MagickCore/image.c:1007
    #7 0x7f8353895594 in ReadMATImage coders/mat.c:962
    #8 0x7f83534ef6b0 in ReadImage MagickCore/constitute.c:497
    #9 0x7f83534f2597 in ReadImages MagickCore/constitute.c:866
    #10 0x7f8352fd81fa in CLINoImageOperator MagickWand/operation.c:4760
    #11 0x7f8352fdb518 in CLIOption MagickWand/operation.c:5255
    #12 0x7f8352e83cba in ProcessCommandOptions MagickWand/magick-cli.c:424
    #13 0x7f8352e85562 in MagickImageCommand MagickWand/magick-cli.c:794
    #14 0x7f8352ebeacd in MagickCommandGenesis MagickWand/mogrify.c:183
    #15 0x401a25 in MagickMain utilities/magick.c:149
    #16 0x401c9e in main utilities/magick.c:180
    #17 0x7f83524ea82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: 13239 byte(s) leaked in 6 allocation(s).

Credit: Baidu Security Lab
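Added triage helper, not from the issue or from ImageMagick: it parses a LeakSanitizer report in the format quoted above and returns the frame shared by every leak stack under a given source prefix, which is where the missing free belongs (here ReadMATImage at coders/mat.c:962, the caller of CloneImageInfo). The embedded report is a constructed, abridged copy of the one above; the "coders/" prefix is an assumption about the source layout.

```python
import re

# Constructed sample: an abridged version of the LeakSanitizer report in this
# issue (two of its six leak blocks, stacks shortened; addresses as posted).
SAMPLE_REPORT = """\
Direct leak of 13024 byte(s) in 1 object(s) allocated from:
    #0 0x7f8353fda920 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde920)
    #1 0x7f835365c336 in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x7f835361cb9a in CloneImageInfo MagickCore/image.c:952
    #3 0x7f8353895594 in ReadMATImage coders/mat.c:962

Indirect leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x7f8353fda920 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde920)
    #1 0x7f835365c336 in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x7f8353766572 in CloneSplayTree MagickCore/splay-tree.c:359
    #3 0x7f835361e18d in CloneImageInfo MagickCore/image.c:1007
    #4 0x7f8353895594 in ReadMATImage coders/mat.c:962
"""

LEAK_HDR = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\)")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)$")

def parse_leaks(report):
    """One (kind, bytes, frames) tuple per leak block; frames are (function,
    location) pairs ordered from the allocator outwards, as LSan prints them."""
    leaks = []
    for line in report.splitlines():
        if m := LEAK_HDR.match(line):
            leaks.append((m.group(1).lower(), int(m.group(2)), []))
        elif leaks and (f := FRAME.match(line)):
            leaks[-1][2].append((f.group(1), f.group(2)))
    return leaks

def blame_frame(leaks, path_prefix):
    """The frame nearest the allocation that every leak stack shares and that lives
    under path_prefix; the helpers above it allocate on its behalf, so it owns the free."""
    if not leaks:
        return None
    stacks = [frames for _, _, frames in leaks]
    shared = set(stacks[0]).intersection(*map(set, stacks[1:]))
    return next((fr for fr in stacks[0]
                 if fr in shared and fr[1].startswith(path_prefix)), None)

def summarize(report, path_prefix="coders/"):
    """Bytes by kind plus the frame to blame. Indirect leaks are reachable only
    through the direct one, so freeing that object releases all of them."""
    leaks = parse_leaks(report)
    total = {k: sum(b for kind, b, _ in leaks if kind == k)
             for k in ("direct", "indirect")}
    return {**total, "count": len(leaks), "blame": blame_frame(leaks, path_prefix)}
```

Run on the full six-block report it returns the same blame frame, since every stack passes through coders/mat.c:962 while the allocating helpers differ.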

@mikayla-grace

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

fgeek commented Sep 12, 2017

Please use CVE-2017-14326 for this issue.

@dlemstra dlemstra added the bug label Sep 12, 2017