memory leaks in NewSplayTree

[henices]

$ magick -version
Version: ImageMagick 7.0.7-12 Q16 x86_64 2017-11-21 http://www.imagemagick.org
Copyright: © 1999-2017 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib fontconfig freetype jng jpeg lzma pangocairo png tiff x xml zlib

Trigger Command: magick NewSplayTree-memory-leaks /dev/null

=================================================================
==14025==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x7fecee37d850 in malloc (/lib64/libasan.so.4+0xde850)
    #1 0x7feced7923cc in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x7feced89c05d in AcquireCriticalMemory MagickCore/memory-private.h:57
    #3 0x7feced89ff85 in NewSplayTree MagickCore/splay-tree.c:1148
    #4 0x7fecedbe4625 in ReadXPMImage coders/xpm.c:365
    #5 0x7feced5c53cf in ReadImage MagickCore/constitute.c:497
    #6 0x7feced5c8298 in ReadImages MagickCore/constitute.c:866
    #7 0x7feced02086a in CLINoImageOperator MagickWand/operation.c:4763
    #8 0x7feced023b72 in CLIOption MagickWand/operation.c:5258
    #9 0x7fecececc5f8 in ProcessCommandOptions MagickWand/magick-cli.c:424
    #10 0x7fecececdea0 in MagickImageCommand MagickWand/magick-cli.c:794
    #11 0x7fececf070e6 in MagickCommandGenesis MagickWand/mogrify.c:183
    #12 0x401a36 in MagickMain utilities/magick.c:149
    #13 0x401ca0 in main utilities/magick.c:180
    #14 0x7fece909c889 in __libc_start_main (/lib64/libc.so.6+0x20889)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7fecee37e4a0 in posix_memalign (/lib64/libasan.so.4+0xdf4a0)
    #1 0x7feced8887bd in AcquireSemaphoreMemory MagickCore/semaphore.c:154
    #2 0x7feced8888a7 in AcquireSemaphoreInfo MagickCore/semaphore.c:200
    #3 0x7feced8a0176 in NewSplayTree MagickCore/splay-tree.c:1159
    #4 0x7fecedbe4625 in ReadXPMImage coders/xpm.c:365
    #5 0x7feced5c53cf in ReadImage MagickCore/constitute.c:497
    #6 0x7feced5c8298 in ReadImages MagickCore/constitute.c:866
    #7 0x7feced02086a in CLINoImageOperator MagickWand/operation.c:4763
    #8 0x7feced023b72 in CLIOption MagickWand/operation.c:5258
    #9 0x7fecececc5f8 in ProcessCommandOptions MagickWand/magick-cli.c:424
    #10 0x7fecececdea0 in MagickImageCommand MagickWand/magick-cli.c:794
    #11 0x7fececf070e6 in MagickCommandGenesis MagickWand/mogrify.c:183
    #12 0x401a36 in MagickMain utilities/magick.c:149
    #13 0x401ca0 in main utilities/magick.c:180
    #14 0x7fece909c889 in __libc_start_main (/lib64/libc.so.6+0x20889)

SUMMARY: AddressSanitizer: 152 byte(s) leaked in 2 allocation(s).

testcase:
https://github.com/henices/pocs/raw/master/NewSplayTree-memory-leaks

Credit: NSFocus Security Team <security (at) nsfocus (dot) com>

[urban-warrior]

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

[nohmask]

This was assigned CVE-2017-17882.