memory leak in ReadOneJNGImage #760

Closed
jgj212 opened this Issue Sep 15, 2017 · 5 comments

jgj212 commented Sep 15, 2017

Here is the critical code:

code1

```c
    if (memcmp(type,mng_JHDR,4) == 0)
      {
        if (length == 16) //JHDR len is 16
          {
            jng_width=(png_uint_32)mng_get_long(p);
            jng_height=(png_uint_32)mng_get_long(&p[4]);
            if ((jng_width == 0) || (jng_height == 0))   //4534, forgot to free chunk
              ThrowReaderException(CorruptImageError,
                "NegativeOrZeroImageSize");
```

fix: add `DestroyJNG(chunk,&color_image,&color_image_info,&alpha_image,&alpha_image_info);` before ThrowReaderException

code2

```c
        if (color_image_info == (ImageInfo *) NULL)   //4607, does not free chunk
          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
```

fix: add `DestroyJNG(chunk,&color_image,&color_image_info,&alpha_image,&alpha_image_info);` before ThrowReaderException

code3

```c
        if (color_image == (Image *) NULL)  //4613, does not free chunk and color_image_info
          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
```

fix: add `DestroyJNG(chunk,&color_image,&color_image_info,&alpha_image,&alpha_image_info);` before ThrowReaderException

code4

```c
        if (status == MagickFalse)
          {
            color_image=DestroyImage(color_image); //4626, does not free chunk/color_image_info/color_image
            return(DestroyImageList(image));
          }
```

fix: add `DestroyJNG(chunk,&color_image,&color_image_info,&alpha_image,&alpha_image_info);` before return

code5

```c
            if (alpha_image_info == (ImageInfo *) NULL)
              {
                color_image=DestroyImage(color_image); //4637, does not free chunk/color_image_info/color_image
                ThrowReaderException(ResourceLimitError,
                  "MemoryAllocationFailed");
              }
```

fix: add `DestroyJNG(chunk,&color_image,&color_image_info,&alpha_image,&alpha_image_info);` before ThrowReaderException

code6

```c
            if (alpha_image == (Image *) NULL)
              {
                alpha_image_info=DestroyImageInfo(alpha_image_info);
                color_image=DestroyImage(color_image);  //4648, does not free chunk/color_image_info
                ThrowReaderException(ResourceLimitError,
                  "MemoryAllocationFailed");
              }
```

fix: add `DestroyJNG(chunk,&color_image,&color_image_info,&alpha_image,&alpha_image_info);` before ThrowReaderException

code7

```c
  if (jng_image == (Image *) NULL)  //4946, does not free alpha_image/alpha_image_info
    return(DestroyImageList(image));
```

fix: add `DestroyJNG(chunk,&color_image,&color_image_info,&alpha_image,&alpha_image_info);` before return

code8

```c
  status=SetImageExtent(image,image->columns,image->rows,exception);
  if (status == MagickFalse)
    return(DestroyImageList(image));
```

fix: add `DestroyJNG(chunk,&color_image,&color_image_info,&alpha_image,&alpha_image_info);` and `jng_image=DestroyImage(jng_image);` before return

Credit: ADLab of Venustech
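The pattern behind all eight reports, as an added example that is not ImageMagick's code: an early error exit in the chunk reader that skips freeing what has been allocated so far, beside the fixed form that runs one NULL-safe destroy helper first. `jng_alloc`, `destroy_jng`, `read_jhdr` and `leak_count_after` are hypothetical stand-ins for the reader's allocations, `DestroyJNG()` and its JHDR branch; the two JHDR payloads are constructed.

```c
/* Added illustration, not ImageMagick's code: the reported leaks are early
 * error exits that skip freeing the chunk buffer and partially built images.
 * Names below are hypothetical stand-ins for the reader's own helpers. */
#include <stdlib.h>
#include <string.h>
static int live_allocs = 0;                 /* blocks currently owned */
static void *jng_alloc(size_t n) { live_allocs++; return calloc(1, n); }
static void jng_free(void *p) { if (p != NULL) { live_allocs--; free(p); } }

/* NULL-safe cleanup of everything the reader may own so far, in the spirit
 * of the DestroyJNG() call the issue asks to add before each error exit. */
static void destroy_jng(unsigned char **chunk, void **color_info, void **color,
                        void **alpha_info, void **alpha)
{
    jng_free(*chunk);      *chunk = NULL;
    jng_free(*color_info); *color_info = NULL;
    jng_free(*color);      *color = NULL;
    jng_free(*alpha_info); *alpha_info = NULL;
    jng_free(*alpha);      *alpha = NULL;
}

/* Parse a 16-byte JHDR payload (big-endian width at 0, height at 4).
 * fixed == 0 reproduces the leak on the zero-size exit, fixed == 1 frees
 * first. Returns 0 ok, -1 bad length, -2 zero width or height. */
int read_jhdr(const unsigned char *p, size_t len, int fixed)
{
    unsigned char *chunk = NULL;
    void *color_info = NULL, *color = NULL, *alpha_info = NULL, *alpha = NULL;
    if (len != 16) return -1;               /* nothing allocated yet */
    chunk = jng_alloc(len);                 /* chunk buffer, as in the reader */
    memcpy(chunk, p, len);
    unsigned long w = ((unsigned long)chunk[0] << 24) | (chunk[1] << 16) | (chunk[2] << 8) | chunk[3];
    unsigned long h = ((unsigned long)chunk[4] << 24) | (chunk[5] << 16) | (chunk[6] << 8) | chunk[7];
    if (w == 0 || h == 0) {
        if (fixed) destroy_jng(&chunk, &color_info, &color, &alpha_info, &alpha);
        return -2;                          /* leaky path leaves chunk live */
    }
    color_info = jng_alloc(64);             /* stand-ins for the images' state */
    color = jng_alloc(64);
    destroy_jng(&chunk, &color_info, &color, &alpha_info, &alpha);
    return 0;
}

/* Constructed payloads: width 0 (rejected) and 4x8 (accepted). Blocks still
 * live after a parse are returned by leak_count_after(); 0 means no leak. */
const unsigned char jhdr_zero_width[16] = {0,0,0,0, 0,0,0,8};
const unsigned char jhdr_ok[16] = {0,0,0,4, 0,0,0,8};
int leak_count_after(const unsigned char *p, size_t len, int fixed)
{
    live_allocs = 0;
    read_jhdr(p, len, fixed);
    return live_allocs;
}
```

Running the zero-width payload through the unfixed path leaves one block live (the chunk), which is exactly what the real reader leaks at each of the listed exits; a leak sanitizer on a corpus of such truncated or zero-sized JNG files catches this class of bug before it ships.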

Contributor

glennrp commented Sep 15, 2017

IM6 commit 698c09d
IM7 commit 6387479

Member

dlemstra commented Sep 15, 2017

IM7 commit has not been pushed yet.

Contributor

glennrp commented Sep 15, 2017

Pushed now.

Contributor

glennrp commented Sep 15, 2017

It would be nice to have test cases.

@dlemstra dlemstra added the bug label Sep 22, 2017

@dlemstra dlemstra closed this Sep 22, 2017

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Oct 10, 2017

tez
ImageMagick: update to 7.0.7.7
2017-10-07  7.0.7-7 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-7, GIT revision 21432:29003eeed:20171007.

2017-10-06  7.0.7-7 Cristy  <quetzlzacatenango@image...>
  * Correct handling of GIF transparency (reference
    ImageMagick/ImageMagick#831).

2017-10-04  7.0.7-6 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-6, GIT revision 21426:0a1cb507b:20171004.

2017-10-03  7.0.7-6 Cristy  <quetzlzacatenango@image...>
  * Reset the magick_list_initialized boolean when needed (reference
    ImageMagick/ImageMagick#826).
2017-10-02  7.0.7-6 Cristy  <quetzlzacatenango@image...>
  * Reset the magick_list_initialized boolean when needed (reference
    ImageMagick/ImageMagick#826).

2017-10-01  7.0.7-5 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-5, GIT revision 21382:3846f9d97:20171001.

2017-09-28  7.0.7-5 Cristy  <quetzlzacatenango@image...>
  * Fixed numerous memory leaks (reference
    https://github.com/ImageMagick/ImageMagick/issues).
  * Support URW-base35 fonts.

2017-09-26  7.0.7-5 Glenn Randers-Pehrson <glennrp@image...>
  * Removed "ping_preserve_iCCP=MagickTrue;" statement that was inadvertently
    added to coders/png.c (reference
    http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32771).

2017-09-23  7.0.7-4 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-4, GIT revision 21265:bdbc14590:20170923.

2017-09-23  7.0.7-4 Cristy  <quetzlzacatenango@image...>
  * Fixed numerous memory leaks (reference
    ImageMagick/ImageMagick#763).

2017-09-17  7.0.7-3 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.7-3, GIT revision 21202:6e6907ac7:20170917.

2017-09-17  7.0.7-3 ADLab of Venustech
  * Fixed numerous memory leaks (reference
    ImageMagick/ImageMagick#763).

2017-09-15  7.0.7-3 Glenn Randers-Pehrson <glennrp@image...>
  * Stop potential leaks in the JNG decoder (reference:
    ImageMagick/ImageMagick#760).
  * Maximum valid hour is 23, not 24, in the PNG tIME chunk, and maximum
    valid minute is 59, not 60.
nohmask commented Oct 11, 2017

This was assigned CVE-2017-15218.

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Oct 22, 2017

tez
ImageMagick: update to 7.0.7.7

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Oct 28, 2017

spz
Pullup ticket #5586 - requested by he
graphics/ImageMagick: security update

Revisions pulled up:
- graphics/ImageMagick/Makefile.common                          1.157
- graphics/ImageMagick/PLIST                                    1.98
- graphics/ImageMagick/distinfo                                 1.173

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	tez
   Date:		Tue Oct 10 19:47:50 UTC 2017

   Modified Files:
   	pkgsrc/graphics/ImageMagick: Makefile.common PLIST distinfo

   Log Message:
   ImageMagick: update to 7.0.7.7

   To generate a diff of this commit:
   cvs rdiff -u -r1.156 -r1.157 pkgsrc/graphics/ImageMagick/Makefile.common
   cvs rdiff -u -r1.97 -r1.98 pkgsrc/graphics/ImageMagick/PLIST
   cvs rdiff -u -r1.172 -r1.173 pkgsrc/graphics/ImageMagick/distinfo