memory leak in ReadXPMImage #873

Closed
henices opened this Issue Nov 22, 2017 · 2 comments

henices commented Nov 22, 2017

$ magick -version
Version: ImageMagick 7.0.7-12 Q16 x86_64 2017-11-21 http://www.imagemagick.org
Copyright: © 1999-2017 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib fontconfig freetype jng jpeg lzma pangocairo png tiff x xml zlib

Trigger Command: magick ReadXPMImage-memory-leak /dev/null

magick: image depth not supported `ReadXPMImage-memory-leak' @ error/image.c/SetImageExtent/2558.
==============================================================
==27118==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 135168 byte(s) in 1 object(s) allocated from:
    #0 0x7f9d85071c40 in realloc (/lib64/libasan.so.4+0xdec40)
    #1 0x7f9d84487446 in ResizeMagickMemory MagickCore/memory.c:1225
    #2 0x7f9d844874ca in ResizeQuantumMemory MagickCore/memory.c:1289
    #3 0x7f9d848d7c30 in ReadXPMImage coders/xpm.c:315
    #4 0x7f9d842b90f5 in ReadImage MagickCore/constitute.c:497
    #5 0x7f9d842bbfbe in ReadImages MagickCore/constitute.c:866
    #6 0x7f9d83d1486a in CLINoImageOperator MagickWand/operation.c:4763
    #7 0x7f9d83d17b72 in CLIOption MagickWand/operation.c:5258
    #8 0x7f9d83bc05f8 in ProcessCommandOptions MagickWand/magick-cli.c:424
    #9 0x7f9d83bc1ea0 in MagickImageCommand MagickWand/magick-cli.c:794
    #10 0x7f9d83bfb0e6 in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x401a36 in MagickMain utilities/magick.c:149
    #12 0x401ca0 in main utilities/magick.c:180
    #13 0x7f9d7fd90889 in __libc_start_main (/lib64/libc.so.6+0x20889)

Direct leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x7f9d85071850 in malloc (/lib64/libasan.so.4+0xde850)
    #1 0x7f9d844860f2 in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x7f9d8458fd6e in AcquireCriticalMemory MagickCore/memory-private.h:57
    #3 0x7f9d84593c96 in NewSplayTree MagickCore/splay-tree.c:1148
    #4 0x7f9d848d82dd in ReadXPMImage coders/xpm.c:365
    #5 0x7f9d842b90f5 in ReadImage MagickCore/constitute.c:497
    #6 0x7f9d842bbfbe in ReadImages MagickCore/constitute.c:866
    #7 0x7f9d83d1486a in CLINoImageOperator MagickWand/operation.c:4763
    #8 0x7f9d83d17b72 in CLIOption MagickWand/operation.c:5258
    #9 0x7f9d83bc05f8 in ProcessCommandOptions MagickWand/magick-cli.c:424
    #10 0x7f9d83bc1ea0 in MagickImageCommand MagickWand/magick-cli.c:794
    #11 0x7f9d83bfb0e6 in MagickCommandGenesis MagickWand/mogrify.c:183
    #12 0x401a36 in MagickMain utilities/magick.c:149
    #13 0x401ca0 in main utilities/magick.c:180
    #14 0x7f9d7fd90889 in __libc_start_main (/lib64/libc.so.6+0x20889)

Indirect leak of 6912 byte(s) in 216 object(s) allocated from:
    #0 0x7f9d85071850 in malloc (/lib64/libasan.so.4+0xde850)
    #1 0x7f9d844860f2 in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x7f9d845902a7 in AddValueToSplayTree MagickCore/splay-tree.c:189
    #3 0x7f9d848d84ce in ReadXPMImage coders/xpm.c:382
    #4 0x7f9d842b90f5 in ReadImage MagickCore/constitute.c:497
    #5 0x7f9d842bbfbe in ReadImages MagickCore/constitute.c:866
    #6 0x7f9d83d1486a in CLINoImageOperator MagickWand/operation.c:4763
    #7 0x7f9d83d17b72 in CLIOption MagickWand/operation.c:5258
    #8 0x7f9d83bc05f8 in ProcessCommandOptions MagickWand/magick-cli.c:424
    #9 0x7f9d83bc1ea0 in MagickImageCommand MagickWand/magick-cli.c:794
    #10 0x7f9d83bfb0e6 in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x401a36 in MagickMain utilities/magick.c:149
    #12 0x401ca0 in main utilities/magick.c:180
    #13 0x7f9d7fd90889 in __libc_start_main (/lib64/libc.so.6+0x20889)

Indirect leak of 648 byte(s) in 216 object(s) allocated from:
    #0 0x7f9d85071850 in malloc (/lib64/libasan.so.4+0xde850)
    #1 0x7f9d844860f2 in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x7f9d84486146 in AcquireQuantumMemory MagickCore/memory.c:537
    #3 0x7f9d845bacf4 in ConstantString MagickCore/string.c:700
    #4 0x7f9d848d84b6 in ReadXPMImage coders/xpm.c:382
    #5 0x7f9d842b90f5 in ReadImage MagickCore/constitute.c:497
    #6 0x7f9d842bbfbe in ReadImages MagickCore/constitute.c:866
    #7 0x7f9d83d1486a in CLINoImageOperator MagickWand/operation.c:4763
    #8 0x7f9d83d17b72 in CLIOption MagickWand/operation.c:5258
    #9 0x7f9d83bc05f8 in ProcessCommandOptions MagickWand/magick-cli.c:424
    #10 0x7f9d83bc1ea0 in MagickImageCommand MagickWand/magick-cli.c:794
    #11 0x7f9d83bfb0e6 in MagickCommandGenesis MagickWand/mogrify.c:183
    #12 0x401a36 in MagickMain utilities/magick.c:149
    #13 0x401ca0 in main utilities/magick.c:180
    #14 0x7f9d7fd90889 in __libc_start_main (/lib64/libc.so.6+0x20889)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7f9d850724a0 in posix_memalign (/lib64/libasan.so.4+0xdf4a0)
    #1 0x7f9d8457c4ce in AcquireSemaphoreMemory MagickCore/semaphore.c:154
    #2 0x7f9d8457c5b8 in AcquireSemaphoreInfo MagickCore/semaphore.c:200
    #3 0x7f9d84593e87 in NewSplayTree MagickCore/splay-tree.c:1159
    #4 0x7f9d848d82dd in ReadXPMImage coders/xpm.c:365
    #5 0x7f9d842b90f5 in ReadImage MagickCore/constitute.c:497
    #6 0x7f9d842bbfbe in ReadImages MagickCore/constitute.c:866
    #7 0x7f9d83d1486a in CLINoImageOperator MagickWand/operation.c:4763
    #8 0x7f9d83d17b72 in CLIOption MagickWand/operation.c:5258
    #9 0x7f9d83bc05f8 in ProcessCommandOptions MagickWand/magick-cli.c:424
    #10 0x7f9d83bc1ea0 in MagickImageCommand MagickWand/magick-cli.c:794
    #11 0x7f9d83bfb0e6 in MagickCommandGenesis MagickWand/mogrify.c:183
    #12 0x401a36 in MagickMain utilities/magick.c:149
    #13 0x401ca0 in main utilities/magick.c:180
    #14 0x7f9d7fd90889 in __libc_start_main (/lib64/libc.so.6+0x20889)

SUMMARY: AddressSanitizer: 142880 byte(s) leaked in 435 allocation(s).

testcase:
https://github.com/henices/pocs/raw/master/ReadXPMImage-memory-leak

Credit: NSFocus Security Team <security (at) nsfocus (dot) com>
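The trace in the report above shows three allocations made inside ReadXPMImage (the key buffer resized at xpm.c:315, the splay tree created at xpm.c:365 and the entries added at xpm.c:382) still live after SetImageExtent rejected the image with "image depth not supported". The C below is an added example, not ImageMagick's code: a cut-down XPM-style reader with the same allocation shape, once with the early-return leak and once with a single cleanup label. Everything in it is an assumption made for illustration: the header format with a made-up "depth" field standing in for the condition SetImageExtent rejected, the accepted depths 8 and 16, the placement of the check after the colour table is built, and the allocation counter that stands in for LeakSanitizer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not ImageMagick's code (see lead-in for assumptions). */
long live_blocks = 0;   /* blocks allocated and not yet freed; 0 == no leak */

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);   /* zeroed, so a half-built table is safe to free */
    if (p != NULL) live_blocks++;
    return p;
}
static void tracked_free(void *p)
{
    if (p == NULL) return;
    live_blocks--;
    free(p);
}
static char *tracked_strdup(const char *s)
{
    char *p = tracked_alloc(strlen(s) + 1);
    return p != NULL ? strcpy(p, s) : NULL;
}

/* Constructed input: header "width height ncolors cpp depth", then one
 * "<cpp key chars> <colour spec>" line per colour ("depth" is made up). */
typedef struct { unsigned long width, height, ncolors, cpp, depth; } XpmHeader;

static int parse_header(const char *line, XpmHeader *h)
{
    int n = sscanf(line, "%lu %lu %lu %lu %lu", &h->width, &h->height,
                   &h->ncolors, &h->cpp, &h->depth);
    return n == 5 && h->ncolors > 0 && h->ncolors <= 65536 && h->cpp > 0 && h->cpp <= 4;
}

static void free_table(char **colors, size_t ncolors)
{
    size_t i;
    for (i = 0; colors != NULL && i < ncolors; i++)
        tracked_free(colors[i]);
    tracked_free(colors);
}

/* Allocates and fills keys/colors; releases both itself on any failure. */
static int build_table(const char *const *lines, size_t nlines,
                       XpmHeader *h, char **keys_out, char ***colors_out)
{
    char *keys = NULL, **colors = NULL;
    size_t i;
    if (nlines < 1 || !parse_header(lines[0], h) || nlines < 1 + h->ncolors) return -1;
    keys = tracked_alloc(h->ncolors * h->cpp);              /* cf. xpm.c:315 */
    colors = tracked_alloc(h->ncolors * sizeof *colors);    /* cf. xpm.c:365 */
    if (keys == NULL || colors == NULL) goto fail;
    for (i = 0; i < h->ncolors; i++) {                      /* cf. xpm.c:382 */
        const char *entry = lines[1 + i];
        if (strlen(entry) < h->cpp + 2) goto fail;  /* key, separator, one char */
        memcpy(keys + i * h->cpp, entry, h->cpp);
        colors[i] = tracked_strdup(entry + h->cpp + 1);
        if (colors[i] == NULL) goto fail;
    }
    *keys_out = keys; *colors_out = colors;
    return 0;
fail:
    free_table(colors, h->ncolors);
    tracked_free(keys);
    return -1;
}

/* Leaky variant: the "depth not supported" check returns straight out. */
int read_xpm_leaky(const char *const *lines, size_t nlines)
{
    XpmHeader h; char *keys, **colors;
    if (build_table(lines, nlines, &h, &keys, &colors) != 0) return -1;
    if (h.depth != 8 && h.depth != 16)
        return -1;            /* BUG: keys, colors and every entry leak */
    free_table(colors, h.ncolors);
    tracked_free(keys);
    return 0;
}

/* Fixed variant: one exit path, so no check can skip the release. */
int read_xpm_fixed(const char *const *lines, size_t nlines)
{
    XpmHeader h; char *keys, **colors;
    int status = -1;
    if (build_table(lines, nlines, &h, &keys, &colors) != 0) return -1;
    if (h.depth != 8 && h.depth != 16)
        goto cleanup;
    status = 0;               /* pixel decoding would go here */
cleanup:
    free_table(colors, h.ncolors);
    tracked_free(keys);
    return status;
}

/* Constructed samples: a supported depth and an unsupported one. */
const char *const SAMPLE_OK[]  = { "4 4 2 1 8",  "a c #000000", "b c #FFFFFF" };
const char *const SAMPLE_BAD[] = { "4 4 2 1 12", "a c #000000", "b c #FFFFFF" };
#define SAMPLE_LINES 3
```

Built with `-fsanitize=address`, the leaky variant on SAMPLE_BAD produces the same pairing the report shows: the key buffer and the table pointer array are "Direct leak" entries, and the per-entry strings, reachable only through the leaked table, are "Indirect leak" entries. The fixed variant leaves live_blocks at 0 on both inputs, which is the property a regression test for this class of bug should assert.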

henices changed the title from "memory leak in ReadXPMImage-memory" to "memory leak in ReadXPMImage" Nov 22, 2017

urban-warrior pushed a commit that referenced this issue Nov 22, 2017

Cristy

urban-warrior pushed a commit that referenced this issue Nov 22, 2017

Cristy
urban-warrior commented Nov 22, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@dlemstra dlemstra added the bug label Nov 22, 2017

@dlemstra dlemstra closed this Nov 22, 2017

nohmask commented Dec 15, 2017

This was assigned CVE-2017-17680.
