New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

memory leaks in ReadPWPImage #921

Closed
just0day opened this Issue Dec 27, 2017 · 2 comments

Comments

Projects
None yet
4 participants
@just0day

just0day commented Dec 27, 2017

Version: ImageMagick 7.0.7-17 Q16 x86_64 2017-12-27 http://www.imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff wmf x xml zlib

magick convert Memory-Leak-ReadPWPImage /dev/null

=================================================================
==15572==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 13024 byte(s) in 1 object(s) allocated from:
    #0 0x7f867be93602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x440319 in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x414423 in AcquireCriticalMemory MagickCore/memory-private.h:57
    #3 0x416851 in AcquireImageInfo MagickCore/image.c:346
    #4 0x41976a in CloneImageInfo MagickCore/image.c:947
    #5 0x6891f6 in ReadPWPImage coders/pwp.c:177
    #6 0x824acb in ReadImage MagickCore/constitute.c:497
    #7 0x826c06 in ReadImages MagickCore/constitute.c:866
    #8 0xb3749a in ConvertImageCommand MagickWand/convert.c:641
    #9 0xcb7219 in MagickCommandGenesis MagickWand/mogrify.c:183
    #10 0x40fdfc in MagickMain utilities/magick.c:149
    #11 0x40ffdd in main utilities/magick.c:180
    #12 0x7f867768b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Indirect leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x7f867be93602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x440319 in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x496424 in AcquireCriticalMemory MagickCore/memory-private.h:57
    #3 0x49a267 in NewSplayTree MagickCore/splay-tree.c:1148
    #4 0x4974a9 in CloneSplayTree MagickCore/splay-tree.c:360
    #5 0x445010 in CloneImageOptions MagickCore/option.c:2131
    #6 0x41abd4 in CloneImageInfo MagickCore/image.c:1012
    #7 0x6891f6 in ReadPWPImage coders/pwp.c:177
    #8 0x824acb in ReadImage MagickCore/constitute.c:497
    #9 0x826c06 in ReadImages MagickCore/constitute.c:866
    #10 0xb3749a in ConvertImageCommand MagickWand/convert.c:641
    #11 0xcb7219 in MagickCommandGenesis MagickWand/mogrify.c:183
    #12 0x40fdfc in MagickMain utilities/magick.c:149
    #13 0x40ffdd in main utilities/magick.c:180
    #14 0x7f867768b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7f867be94076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x49257e in AcquireSemaphoreMemory MagickCore/semaphore.c:154
    #2 0x49263a in AcquireSemaphoreInfo MagickCore/semaphore.c:200
    #3 0x49a458 in NewSplayTree MagickCore/splay-tree.c:1159
    #4 0x4974a9 in CloneSplayTree MagickCore/splay-tree.c:360
    #5 0x445010 in CloneImageOptions MagickCore/option.c:2131
    #6 0x41abd4 in CloneImageInfo MagickCore/image.c:1012
    #7 0x6891f6 in ReadPWPImage coders/pwp.c:177
    #8 0x824acb in ReadImage MagickCore/constitute.c:497
    #9 0x826c06 in ReadImages MagickCore/constitute.c:866
    #10 0xb3749a in ConvertImageCommand MagickWand/convert.c:641
    #11 0xcb7219 in MagickCommandGenesis MagickWand/mogrify.c:183
    #12 0x40fdfc in MagickMain utilities/magick.c:149
    #13 0x40ffdd in main utilities/magick.c:180
    #14 0x7f867768b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Indirect leak of 32 byte(s) in 1 object(s) allocated from:
    #0 0x7f867be93602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x440319 in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x496955 in AddValueToSplayTree MagickCore/splay-tree.c:189
    #3 0x497632 in CloneSplayTree MagickCore/splay-tree.c:372
    #4 0x445010 in CloneImageOptions MagickCore/option.c:2131
    #5 0x41abd4 in CloneImageInfo MagickCore/image.c:1012
    #6 0x6891f6 in ReadPWPImage coders/pwp.c:177
    #7 0x824acb in ReadImage MagickCore/constitute.c:497
    #8 0x826c06 in ReadImages MagickCore/constitute.c:866
    #9 0xb3749a in ConvertImageCommand MagickWand/convert.c:641
    #10 0xcb7219 in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x40fdfc in MagickMain utilities/magick.c:149
    #12 0x40ffdd in main utilities/magick.c:180
    #13 0x7f867768b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Indirect leak of 31 byte(s) in 1 object(s) allocated from:
    #0 0x7f867be93602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x440319 in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x44036d in AcquireQuantumMemory MagickCore/memory.c:537
    #3 0x4b2caa in ConstantString MagickCore/string.c:700
    #4 0x4975c6 in CloneSplayTree MagickCore/splay-tree.c:373
    #5 0x445010 in CloneImageOptions MagickCore/option.c:2131
    #6 0x41abd4 in CloneImageInfo MagickCore/image.c:1012
    #7 0x6891f6 in ReadPWPImage coders/pwp.c:177
    #8 0x824acb in ReadImage MagickCore/constitute.c:497
    #9 0x826c06 in ReadImages MagickCore/constitute.c:866
    #10 0xb3749a in ConvertImageCommand MagickWand/convert.c:641
    #11 0xcb7219 in MagickCommandGenesis MagickWand/mogrify.c:183
    #12 0x40fdfc in MagickMain utilities/magick.c:149
    #13 0x40ffdd in main utilities/magick.c:180
    #14 0x7f867768b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Indirect leak of 9 byte(s) in 1 object(s) allocated from:
    #0 0x7f867be93602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x440319 in AcquireMagickMemory MagickCore/memory.c:464
    #2 0x44036d in AcquireQuantumMemory MagickCore/memory.c:537
    #3 0x4b2caa in ConstantString MagickCore/string.c:700
    #4 0x49761d in CloneSplayTree MagickCore/splay-tree.c:372
    #5 0x445010 in CloneImageOptions MagickCore/option.c:2131
    #6 0x41abd4 in CloneImageInfo MagickCore/image.c:1012
    #7 0x6891f6 in ReadPWPImage coders/pwp.c:177
    #8 0x824acb in ReadImage MagickCore/constitute.c:497
    #9 0x826c06 in ReadImages MagickCore/constitute.c:866
    #10 0xb3749a in ConvertImageCommand MagickWand/convert.c:641
    #11 0xcb7219 in MagickCommandGenesis MagickWand/mogrify.c:183
    #12 0x40fdfc in MagickMain utilities/magick.c:149
    #13 0x40ffdd in main utilities/magick.c:180
    #14 0x7f867768b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: 13248 byte(s) leaked in 6 allocation(s).

test case: https://github.com/just0day/poc/blob/master/Memory-Leak-ReadPWPImage

by future-sec

urban-warrior pushed a commit that referenced this issue Dec 27, 2017

@urban-warrior

This comment has been minimized.

Show comment
Hide comment
@urban-warrior

urban-warrior Dec 27, 2017

Contributor

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

Contributor

urban-warrior commented Dec 27, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@dlemstra dlemstra added the bug label Dec 27, 2017

@abergmann

This comment has been minimized.

Show comment
Hide comment
@abergmann

abergmann Jan 2, 2018

CVE-2017-18008 was assigned to this issue.

https://nvd.nist.gov/vuln/detail/CVE-2017-18008

abergmann commented Jan 2, 2018

CVE-2017-18008 was assigned to this issue.

https://nvd.nist.gov/vuln/detail/CVE-2017-18008

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment