memory leaks in MSLPushImage #920

Closed
just0day opened this issue Dec 26, 2017 · 2 comments

just0day commented Dec 26, 2017

Version: ImageMagick 7.0.7-17 Q16 x86_64 2017-12-26 http://www.imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff wmf x xml zlib

magick convert Memory-Leak-MSLPushImage 1.msl

convert: UnableToOpenConfigureFile `magic.xml' @ warning/configure.c/GetConfigureOptions/714.
convert: UnableToOpenConfigureFile `type.xml' @ warning/configure.c/GetConfigureOptions/714.
convert: UnableToReadFont `Memory-Leak-MSLPushImage' @ error/annotate.c/RenderFreetype/1388.
convert: NonconformingDrawingPrimitiveDefinition `text' @ error/draw.c/DrawImage/3282.
convert: UnableToOpenConfigureFile `delegates.xml' @ warning/configure.c/GetConfigureOptions/714.

=================================================================
==23783==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 13488 byte(s) in 1 object(s) allocated from:
    #0 0x7f476c603602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x44032c in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x414423 in AcquireCriticalMemory MagickCore/memory-private.h:57
    #3 0x418140 in CloneImage MagickCore/image.c:826
    #4 0x5dec13 in MSLPushImage coders/msl.c:579
    #5 0x60b78c in ProcessMSLScript coders/msl.c:7855
    #6 0x60d5ec in WriteMSLImage coders/msl.c:8347
    #7 0x82822e in WriteImage MagickCore/constitute.c:1183
    #8 0x82894f in WriteImages MagickCore/constitute.c:1333
    #9 0xbcc473 in ConvertImageCommand MagickWand/convert.c:3280
    #10 0xcb7441 in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x40fdfc in MagickMain utilities/magick.c:149
    #12 0x40ffdd in main utilities/magick.c:180
    #13 0x7f4767dfb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Direct leak of 13488 byte(s) in 1 object(s) allocated from:
    #0 0x7f476c603602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x44032c in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x414423 in AcquireCriticalMemory MagickCore/memory-private.h:57
    #3 0x4149a0 in AcquireImage MagickCore/image.c:170
    #4 0x60b307 in ProcessMSLScript coders/msl.c:7817
    #5 0x60d5ec in WriteMSLImage coders/msl.c:8347
    #6 0x82822e in WriteImage MagickCore/constitute.c:1183
    #7 0x82894f in WriteImages MagickCore/constitute.c:1333
    #8 0xbcc473 in ConvertImageCommand MagickWand/convert.c:3280
    #9 0xcb7441 in MagickCommandGenesis MagickWand/mogrify.c:183
    #10 0x40fdfc in MagickMain utilities/magick.c:149
    #11 0x40ffdd in main utilities/magick.c:180
    #12 0x7f4767dfb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Direct leak of 13024 byte(s) in 1 object(s) allocated from:
    #0 0x7f476c603602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x44032c in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x414423 in AcquireCriticalMemory MagickCore/memory-private.h:57
    #3 0x416851 in AcquireImageInfo MagickCore/image.c:346
    #4 0x41976a in CloneImageInfo MagickCore/image.c:947
    #5 0x5de96c in MSLPushImage coders/msl.c:572
    #6 0x60b78c in ProcessMSLScript coders/msl.c:7855
    #7 0x60d5ec in WriteMSLImage coders/msl.c:8347
    #8 0x82822e in WriteImage MagickCore/constitute.c:1183
    #9 0x82894f in WriteImages MagickCore/constitute.c:1333
    #10 0xbcc473 in ConvertImageCommand MagickWand/convert.c:3280
    #11 0xcb7441 in MagickCommandGenesis MagickWand/mogrify.c:183
    #12 0x40fdfc in MagickMain utilities/magick.c:149
    #13 0x40ffdd in main utilities/magick.c:180
    #14 0x7f4767dfb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Direct leak of 1080 byte(s) in 1 object(s) allocated from:
    #0 0x7f476c603602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x44032c in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x8ab595 in AcquireCriticalMemory MagickCore/memory-private.h:57
    #3 0x8ab94a in CloneDrawInfo MagickCore/draw.c:251
    #4 0x5dea70 in MSLPushImage coders/msl.c:573
    #5 0x60b78c in ProcessMSLScript coders/msl.c:7855
    #6 0x60d5ec in WriteMSLImage coders/msl.c:8347
    #7 0x82822e in WriteImage MagickCore/constitute.c:1183
    #8 0x82894f in WriteImages MagickCore/constitute.c:1333
    #9 0xbcc473 in ConvertImageCommand MagickWand/convert.c:3280
    #10 0xcb7441 in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x40fdfc in MagickMain utilities/magick.c:149
    #12 0x40ffdd in main utilities/magick.c:180
    #13 0x7f4767dfb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Direct leak of 512 byte(s) in 2 object(s) allocated from:
    #0 0x7f476c603602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7f476ab680b9  (/usr/lib/x86_64-linux-gnu/libfontconfig.so.1+0x1d0b9)

Indirect leak of 4608000 byte(s) in 1 object(s) allocated from:
    #0 0x7f476c604076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x440289 in AcquireAlignedMemory MagickCore/memory.c:262
    #2 0x7d4e8d in OpenPixelCache MagickCore/cache.c:3542
    #3 0x7cda8c in GetImagePixelCache MagickCore/cache.c:1663
    #4 0x7dcd2e in SyncImagePixelCache MagickCore/cache.c:5267
    #5 0x41ffba in SetImageExtent MagickCore/image.c:2559
    #6 0x6d4f71 in ReadTTFImage coders/ttf.c:227
    #7 0x824cc4 in ReadImage MagickCore/constitute.c:497
    #8 0x826dff in ReadImages MagickCore/constitute.c:866
    #9 0xb376c2 in ConvertImageCommand MagickWand/convert.c:641
    #10 0xcb7441 in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x40fdfc in MagickMain utilities/magick.c:149
    #12 0x40ffdd in main utilities/magick.c:180
    #13 0x7f4767dfb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Indirect leak of 13024 byte(s) in 1 object(s) allocated from:
    #0 0x7f476c603602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x44032c in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x414423 in AcquireCriticalMemory MagickCore/memory-private.h:57
    #3 0x416851 in AcquireImageInfo MagickCore/image.c:346
    #4 0x41976a in CloneImageInfo MagickCore/image.c:947
    #5 0x426183 in SyncImageSettings MagickCore/image.c:4056
    #6 0x416422 in AcquireImage MagickCore/image.c:289
    #7 0x60b307 in ProcessMSLScript coders/msl.c:7817
    #8 0x60d5ec in WriteMSLImage coders/msl.c:8347
    #9 0x82822e in WriteImage MagickCore/constitute.c:1183
    #10 0x82894f in WriteImages MagickCore/constitute.c:1333
    #11 0xbcc473 in ConvertImageCommand MagickWand/convert.c:3280
    #12 0xcb7441 in MagickCommandGenesis MagickWand/mogrify.c:183
    #13 0x40fdfc in MagickMain utilities/magick.c:149
    #14 0x40ffdd in main utilities/magick.c:180
    #15 0x7f4767dfb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Indirect leak of 13024 byte(s) in 1 object(s) allocated from:
    #0 0x7f476c603602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x44032c in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x414423 in AcquireCriticalMemory MagickCore/memory-private.h:57
    #3 0x416851 in AcquireImageInfo MagickCore/image.c:346
    #4 0x41976a in CloneImageInfo MagickCore/image.c:947
    #5 0x4186c7 in CloneImage MagickCore/image.c:840
    #6 0x5dec13 in MSLPushImage coders/msl.c:579
    #7 0x60b78c in ProcessMSLScript coders/msl.c:7855
    #8 0x60d5ec in WriteMSLImage coders/msl.c:8347
    #9 0x82822e in WriteImage MagickCore/constitute.c:1183
    #10 0x82894f in WriteImages MagickCore/constitute.c:1333
    #11 0xbcc473 in ConvertImageCommand MagickWand/convert.c:3280
    #12 0xcb7441 in MagickCommandGenesis MagickWand/mogrify.c:183
    #13 0x40fdfc in MagickMain utilities/magick.c:149
    #14 0x40ffdd in main utilities/magick.c:180
    #15 0x7f4767dfb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Indirect leak of 9096 byte(s) in 1 object(s) allocated from:
    #0 0x7f476c603602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x44032c in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x7c7977 in AcquireCriticalMemory MagickCore/memory-private.h:57
    #3 0x7c7a98 in AcquirePixelCache MagickCore/cache.c:192
    #4 0x414fc8 in AcquireImage MagickCore/image.c:205
    #5 0x6d4d9a in ReadTTFImage coders/ttf.c:214
    #6 0x824cc4 in ReadImage MagickCore/constitute.c:497
    #7 0x826dff in ReadImages MagickCore/constitute.c:866
    #8 0xb376c2 in ConvertImageCommand MagickWand/convert.c:641
    #9 0xcb7441 in MagickCommandGenesis MagickWand/mogrify.c:183
    #10 0x40fdfc in MagickMain utilities/magick.c:149
    #11 0x40ffdd in main utilities/magick.c:180
    #12 0x7f4767dfb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

......


Indirect leak of 4 byte(s) in 1 object(s) allocated from:
    #0 0x7f476c603602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x44032c in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x440380 in AcquireQuantumMemory MagickCore/memory.c:537
    #3 0x4b2cdb in ConstantString MagickCore/string.c:700
    #4 0x49764e in CloneSplayTree MagickCore/splay-tree.c:372
    #5 0x7a8e6b in CloneImageArtifacts MagickCore/artifact.c:118
    #6 0x418735 in CloneImage MagickCore/image.c:843
    #7 0x5dec13 in MSLPushImage coders/msl.c:579
    #8 0x60b78c in ProcessMSLScript coders/msl.c:7855
    #9 0x60d5ec in WriteMSLImage coders/msl.c:8347
    #10 0x82822e in WriteImage MagickCore/constitute.c:1183
    #11 0x82894f in WriteImages MagickCore/constitute.c:1333
    #12 0xbcc473 in ConvertImageCommand MagickWand/convert.c:3280
    #13 0xcb7441 in MagickCommandGenesis MagickWand/mogrify.c:183
    #14 0x40fdfc in MagickMain utilities/magick.c:149
    #15 0x40ffdd in main utilities/magick.c:180
    #16 0x7f4767dfb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: 4698557 byte(s) leaked in 53 allocation(s).

testcase: https://github.com/just0day/poc/blob/master/Memory-Leak-MSLPushImage

by future-sec
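An added triage helper, not part of this report or of ImageMagick: it parses LeakSanitizer records like the ones above and totals leaked bytes per responsible coder frame, so the MSLPushImage leaks can be separated from the unrelated ReadTTFImage ones. The SAMPLE string is an abridged copy of three records from this report, and WRAPPERS is an assumed list of allocator wrappers to skip when attributing a record.

```python
import re
from collections import defaultdict

# Constructed sample: three abridged records copied from the report above.
SAMPLE = """\
Direct leak of 13488 byte(s) in 1 object(s) allocated from:
    #0 0x7f476c603602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x44032c in AcquireMagickMemory MagickCore/memory.c:464
    #3 0x418140 in CloneImage MagickCore/image.c:826
    #4 0x5dec13 in MSLPushImage coders/msl.c:579

Direct leak of 1080 byte(s) in 1 object(s) allocated from:
    #0 0x7f476c603602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #3 0x8ab94a in CloneDrawInfo MagickCore/draw.c:251
    #4 0x5dea70 in MSLPushImage coders/msl.c:573

Indirect leak of 9096 byte(s) in 1 object(s) allocated from:
    #0 0x7f476c603602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #5 0x6d4d9a in ReadTTFImage coders/ttf.c:214
"""

HEADER = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
# Assumed set of allocator wrappers that top every ImageMagick record; never the culprit.
WRAPPERS = {"malloc", "__interceptor_posix_memalign", "AcquireMagickMemory",
            "AcquireCriticalMemory", "AcquireQuantumMemory", "AcquireAlignedMemory"}

def parse_leaks(text):
    """Return [(kind, bytes, objects, [(func, location), ...]), ...] per leak record."""
    leaks = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            leaks.append((m.group(1), int(m.group(2)), int(m.group(3)), []))
        elif leaks and (f := FRAME.match(line)):
            leaks[-1][3].append((f.group(1), f.group(2)))
    return leaks

def blame(frames):
    """Attribute a record to its coder frame (coders/...), else the first non-wrapper frame."""
    coder = [func for func, loc in frames if loc.startswith("coders/")]
    other = [func for func, _ in frames if func not in WRAPPERS]
    return (coder or other or ["<unattributed>"])[0]

def summarize(text):
    """Total leaked bytes and allocation count per blamed function."""
    totals = defaultdict(lambda: [0, 0])
    for _kind, nbytes, nobjs, frames in parse_leaks(text):
        who = blame(frames)
        totals[who][0] += nbytes
        totals[who][1] += nobjs
    return dict(totals)
```

Feeding the full report into summarize() ranks the 53 allocations by the coder that failed to release them, which is the first question a maintainer asks of a sanitizer dump this size.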

urban-warrior (Member) commented

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

dlemstra added the bug label Dec 26, 2017

nohmask commented Jan 5, 2018

This was assigned CVE-2017-17934.
