memory leaks in WriteCALSImage #930

Closed
henices opened this issue Jan 4, 2018 · 2 comments

henices commented Jan 4, 2018

INFO

Version: ImageMagick 7.0.7-20 Q16 x86_64 2018-01-04 http://www.imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI
Delegates (built-in): bzlib djvu fftw fontconfig freetype gvc jbig jng jpeg lcms lqr lzma pangocairo png tiff webp wmf x xml zlib

Trigger Command: /usr/local/bin/magick WriteGROUP4Image-memory-leaks /dev/null

ASAN OUTPUT


=================================================================
==427==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 9096 byte(s) in 1 object(s) allocated from:
    #0 0x4cf7f0 in __interceptor_malloc (/usr/local/bin/magick+0x4cf7f0)
    #1 0x7f724fe6c846 in AcquireMagickMemory /home/henices/tests/ImageMagick/MagickCore/memory.c:464:10
    #2 0x7f724f8328e4 in AcquireCriticalMemory /home/henices/tests/ImageMagick/./MagickCore/memory-private.h:57:10
    #3 0x7f724f830fcd in AcquirePixelCache /home/henices/tests/ImageMagick/MagickCore/cache.c:192:28
    #4 0x7f724f834124 in ClonePixelCache /home/henices/tests/ImageMagick/MagickCore/cache.c:412:28
    #5 0x7f724f87644d in GetImagePixelCache /home/henices/tests/ImageMagick/MagickCore/cache.c:1633:29
    #6 0x7f724f83a3d7 in QueueAuthenticPixelCacheNexus /home/henices/tests/ImageMagick/MagickCore/cache.c:3948:28
    #7 0x7f724f839b60 in GetAuthenticPixelCacheNexus /home/henices/tests/ImageMagick/MagickCore/cache.c:1237:10
    #8 0x7f724f88d764 in GetCacheViewAuthenticPixels /home/henices/tests/ImageMagick/MagickCore/cache-view.c:312:10
    #9 0x7f724f7e3c9a in SetImageDepth /home/henices/tests/ImageMagick/MagickCore/attribute.c:1152:7
    #10 0x7f7250d2c286 in WriteGROUP4Image /home/henices/tests/ImageMagick/coders/tiff.c:2641:10
    #11 0x7f724f960d3b in WriteImage /home/henices/tests/ImageMagick/MagickCore/constitute.c:1114:14
    #12 0x7f724f7ffb38 in ImageToBlob /home/henices/tests/ImageMagick/MagickCore/blob.c:1908:18
    #13 0x7f72505803b2 in WriteCALSImage /home/henices/tests/ImageMagick/coders/cals.c:564:28
    #14 0x7f724f960d3b in WriteImage /home/henices/tests/ImageMagick/MagickCore/constitute.c:1114:14
    #15 0x7f724f963381 in WriteImages /home/henices/tests/ImageMagick/MagickCore/constitute.c:1333:13
    #16 0x7f724e570e7e in CLINoImageOperator /home/henices/tests/ImageMagick/MagickWand/operation.c:4798:14
    #17 0x7f724e579f60 in CLIOption /home/henices/tests/ImageMagick/MagickWand/operation.c:5258:7
    #18 0x7f724e0c87d5 in ProcessCommandOptions /home/henices/tests/ImageMagick/MagickWand/magick-cli.c:529:3
    #19 0x7f724e0ca79d in MagickImageCommand /home/henices/tests/ImageMagick/MagickWand/magick-cli.c:796:5
    #20 0x7f724e17c9a5 in MagickCommandGenesis /home/henices/tests/ImageMagick/MagickWand/mogrify.c:183:14
    #21 0x50a313 in MagickMain /home/henices/tests/ImageMagick/utilities/magick.c:149:10
    #22 0x5096b1 in main /home/henices/tests/ImageMagick/utilities/magick.c:180:10
    #23 0x7f7247512009 in __libc_start_main (/lib64/libc.so.6+0x21009)

Indirect leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x4cf7f0 in __interceptor_malloc (/usr/local/bin/magick+0x4cf7f0)
    #1 0x7f724fe6c846 in AcquireMagickMemory /home/henices/tests/ImageMagick/MagickCore/memory.c:464:10
    #2 0x7f724fe6c8a8 in AcquireQuantumMemory /home/henices/tests/ImageMagick/MagickCore/memory.c:537:10
    #3 0x7f724f832c78 in AcquirePixelCacheNexus /home/henices/tests/ImageMagick/MagickCore/cache.c:264:31
    #4 0x7f724f831da5 in AcquirePixelCache /home/henices/tests/ImageMagick/MagickCore/cache.c:207:26
    #5 0x7f724f834124 in ClonePixelCache /home/henices/tests/ImageMagick/MagickCore/cache.c:412:28
    #6 0x7f724f87644d in GetImagePixelCache /home/henices/tests/ImageMagick/MagickCore/cache.c:1633:29
    #7 0x7f724f83a3d7 in QueueAuthenticPixelCacheNexus /home/henices/tests/ImageMagick/MagickCore/cache.c:3948:28
    #8 0x7f724f839b60 in GetAuthenticPixelCacheNexus /home/henices/tests/ImageMagick/MagickCore/cache.c:1237:10
    #9 0x7f724f88d764 in GetCacheViewAuthenticPixels /home/henices/tests/ImageMagick/MagickCore/cache-view.c:312:10
    #10 0x7f724f7e3c9a in SetImageDepth /home/henices/tests/ImageMagick/MagickCore/attribute.c:1152:7
    #11 0x7f7250d2c286 in WriteGROUP4Image /home/henices/tests/ImageMagick/coders/tiff.c:2641:10
    #12 0x7f724f960d3b in WriteImage /home/henices/tests/ImageMagick/MagickCore/constitute.c:1114:14
    #13 0x7f724f7ffb38 in ImageToBlob /home/henices/tests/ImageMagick/MagickCore/blob.c:1908:18
    #14 0x7f72505803b2 in WriteCALSImage /home/henices/tests/ImageMagick/coders/cals.c:564:28
    #15 0x7f724f960d3b in WriteImage /home/henices/tests/ImageMagick/MagickCore/constitute.c:1114:14
    #16 0x7f724f963381 in WriteImages /home/henices/tests/ImageMagick/MagickCore/constitute.c:1333:13
    #17 0x7f724e570e7e in CLINoImageOperator /home/henices/tests/ImageMagick/MagickWand/operation.c:4798:14
    #18 0x7f724e579f60 in CLIOption /home/henices/tests/ImageMagick/MagickWand/operation.c:5258:7
    #19 0x7f724e0c87d5 in ProcessCommandOptions /home/henices/tests/ImageMagick/MagickWand/magick-cli.c:529:3
    #20 0x7f724e0ca79d in MagickImageCommand /home/henices/tests/ImageMagick/MagickWand/magick-cli.c:796:5
    #21 0x7f724e17c9a5 in MagickCommandGenesis /home/henices/tests/ImageMagick/MagickWand/mogrify.c:183:14
    #22 0x50a313 in MagickMain /home/henices/tests/ImageMagick/utilities/magick.c:149:10
    #23 0x5096b1 in main /home/henices/tests/ImageMagick/utilities/magick.c:180:10
    #24 0x7f7247512009 in __libc_start_main (/lib64/libc.so.6+0x21009)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4d0258 in __interceptor_posix_memalign (/usr/local/bin/magick+0x4d0258)
    #1 0x7f7250149af6 in AcquireSemaphoreMemory /home/henices/tests/ImageMagick/MagickCore/semaphore.c:154:7
    #2 0x7f7250148cec in AcquireSemaphoreInfo /home/henices/tests/ImageMagick/MagickCore/semaphore.c:200:36
    #3 0x7f724f8323d2 in AcquirePixelCache /home/henices/tests/ImageMagick/MagickCore/cache.c:222:25
    #4 0x7f724f834124 in ClonePixelCache /home/henices/tests/ImageMagick/MagickCore/cache.c:412:28
    #5 0x7f724f87644d in GetImagePixelCache /home/henices/tests/ImageMagick/MagickCore/cache.c:1633:29
    #6 0x7f724f83a3d7 in QueueAuthenticPixelCacheNexus /home/henices/tests/ImageMagick/MagickCore/cache.c:3948:28
    #7 0x7f724f839b60 in GetAuthenticPixelCacheNexus /home/henices/tests/ImageMagick/MagickCore/cache.c:1237:10
    #8 0x7f724f88d764 in GetCacheViewAuthenticPixels /home/henices/tests/ImageMagick/MagickCore/cache-view.c:312:10
    #9 0x7f724f7e3c9a in SetImageDepth /home/henices/tests/ImageMagick/MagickCore/attribute.c:1152:7
    #10 0x7f7250d2c286 in WriteGROUP4Image /home/henices/tests/ImageMagick/coders/tiff.c:2641:10
    #11 0x7f724f960d3b in WriteImage /home/henices/tests/ImageMagick/MagickCore/constitute.c:1114:14
    #12 0x7f724f7ffb38 in ImageToBlob /home/henices/tests/ImageMagick/MagickCore/blob.c:1908:18
    #13 0x7f72505803b2 in WriteCALSImage /home/henices/tests/ImageMagick/coders/cals.c:564:28
    #14 0x7f724f960d3b in WriteImage /home/henices/tests/ImageMagick/MagickCore/constitute.c:1114:14
    #15 0x7f724f963381 in WriteImages /home/henices/tests/ImageMagick/MagickCore/constitute.c:1333:13
    #16 0x7f724e570e7e in CLINoImageOperator /home/henices/tests/ImageMagick/MagickWand/operation.c:4798:14
    #17 0x7f724e579f60 in CLIOption /home/henices/tests/ImageMagick/MagickWand/operation.c:5258:7
    #18 0x7f724e0c87d5 in ProcessCommandOptions /home/henices/tests/ImageMagick/MagickWand/magick-cli.c:529:3
    #19 0x7f724e0ca79d in MagickImageCommand /home/henices/tests/ImageMagick/MagickWand/magick-cli.c:796:5
    #20 0x7f724e17c9a5 in MagickCommandGenesis /home/henices/tests/ImageMagick/MagickWand/mogrify.c:183:14
    #21 0x50a313 in MagickMain /home/henices/tests/ImageMagick/utilities/magick.c:149:10
    #22 0x5096b1 in main /home/henices/tests/ImageMagick/utilities/magick.c:180:10
    #23 0x7f7247512009 in __libc_start_main (/lib64/libc.so.6+0x21009)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4d0258 in __interceptor_posix_memalign (/usr/local/bin/magick+0x4d0258)
    #1 0x7f7250149af6 in AcquireSemaphoreMemory /home/henices/tests/ImageMagick/MagickCore/semaphore.c:154:7
    #2 0x7f7250148cec in AcquireSemaphoreInfo /home/henices/tests/ImageMagick/MagickCore/semaphore.c:200:36
    #3 0x7f724f8325b6 in AcquirePixelCache /home/henices/tests/ImageMagick/MagickCore/cache.c:224:30
    #4 0x7f724f834124 in ClonePixelCache /home/henices/tests/ImageMagick/MagickCore/cache.c:412:28
    #5 0x7f724f87644d in GetImagePixelCache /home/henices/tests/ImageMagick/MagickCore/cache.c:1633:29
    #6 0x7f724f83a3d7 in QueueAuthenticPixelCacheNexus /home/henices/tests/ImageMagick/MagickCore/cache.c:3948:28
    #7 0x7f724f839b60 in GetAuthenticPixelCacheNexus /home/henices/tests/ImageMagick/MagickCore/cache.c:1237:10
    #8 0x7f724f88d764 in GetCacheViewAuthenticPixels /home/henices/tests/ImageMagick/MagickCore/cache-view.c:312:10
    #9 0x7f724f7e3c9a in SetImageDepth /home/henices/tests/ImageMagick/MagickCore/attribute.c:1152:7
    #10 0x7f7250d2c286 in WriteGROUP4Image /home/henices/tests/ImageMagick/coders/tiff.c:2641:10
    #11 0x7f724f960d3b in WriteImage /home/henices/tests/ImageMagick/MagickCore/constitute.c:1114:14
    #12 0x7f724f7ffb38 in ImageToBlob /home/henices/tests/ImageMagick/MagickCore/blob.c:1908:18
    #13 0x7f72505803b2 in WriteCALSImage /home/henices/tests/ImageMagick/coders/cals.c:564:28
    #14 0x7f724f960d3b in WriteImage /home/henices/tests/ImageMagick/MagickCore/constitute.c:1114:14
    #15 0x7f724f963381 in WriteImages /home/henices/tests/ImageMagick/MagickCore/constitute.c:1333:13
    #16 0x7f724e570e7e in CLINoImageOperator /home/henices/tests/ImageMagick/MagickWand/operation.c:4798:14
    #17 0x7f724e579f60 in CLIOption /home/henices/tests/ImageMagick/MagickWand/operation.c:5258:7
    #18 0x7f724e0c87d5 in ProcessCommandOptions /home/henices/tests/ImageMagick/MagickWand/magick-cli.c:529:3
    #19 0x7f724e0ca79d in MagickImageCommand /home/henices/tests/ImageMagick/MagickWand/magick-cli.c:796:5
    #20 0x7f724e17c9a5 in MagickCommandGenesis /home/henices/tests/ImageMagick/MagickWand/mogrify.c:183:14
    #21 0x50a313 in MagickMain /home/henices/tests/ImageMagick/utilities/magick.c:149:10
    #22 0x5096b1 in main /home/henices/tests/ImageMagick/utilities/magick.c:180:10
    #23 0x7f7247512009 in __libc_start_main (/lib64/libc.so.6+0x21009)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4d0258 in __interceptor_posix_memalign (/usr/local/bin/magick+0x4d0258)
    #1 0x7f724fe6c5d7 in AcquireAlignedMemory /home/henices/tests/ImageMagick/MagickCore/memory.c:262:7
    #2 0x7f724f832ace in AcquirePixelCacheNexus /home/henices/tests/ImageMagick/MagickCore/cache.c:260:29
    #3 0x7f724f831da5 in AcquirePixelCache /home/henices/tests/ImageMagick/MagickCore/cache.c:207:26
    #4 0x7f724f834124 in ClonePixelCache /home/henices/tests/ImageMagick/MagickCore/cache.c:412:28
    #5 0x7f724f87644d in GetImagePixelCache /home/henices/tests/ImageMagick/MagickCore/cache.c:1633:29
    #6 0x7f724f83a3d7 in QueueAuthenticPixelCacheNexus /home/henices/tests/ImageMagick/MagickCore/cache.c:3948:28
    #7 0x7f724f839b60 in GetAuthenticPixelCacheNexus /home/henices/tests/ImageMagick/MagickCore/cache.c:1237:10
    #8 0x7f724f88d764 in GetCacheViewAuthenticPixels /home/henices/tests/ImageMagick/MagickCore/cache-view.c:312:10
    #9 0x7f724f7e3c9a in SetImageDepth /home/henices/tests/ImageMagick/MagickCore/attribute.c:1152:7
    #10 0x7f7250d2c286 in WriteGROUP4Image /home/henices/tests/ImageMagick/coders/tiff.c:2641:10
    #11 0x7f724f960d3b in WriteImage /home/henices/tests/ImageMagick/MagickCore/constitute.c:1114:14
    #12 0x7f724f7ffb38 in ImageToBlob /home/henices/tests/ImageMagick/MagickCore/blob.c:1908:18
    #13 0x7f72505803b2 in WriteCALSImage /home/henices/tests/ImageMagick/coders/cals.c:564:28
    #14 0x7f724f960d3b in WriteImage /home/henices/tests/ImageMagick/MagickCore/constitute.c:1114:14
    #15 0x7f724f963381 in WriteImages /home/henices/tests/ImageMagick/MagickCore/constitute.c:1333:13
    #16 0x7f724e570e7e in CLINoImageOperator /home/henices/tests/ImageMagick/MagickWand/operation.c:4798:14
    #17 0x7f724e579f60 in CLIOption /home/henices/tests/ImageMagick/MagickWand/operation.c:5258:7
    #18 0x7f724e0c87d5 in ProcessCommandOptions /home/henices/tests/ImageMagick/MagickWand/magick-cli.c:529:3
    #19 0x7f724e0ca79d in MagickImageCommand /home/henices/tests/ImageMagick/MagickWand/magick-cli.c:796:5
    #20 0x7f724e17c9a5 in MagickCommandGenesis /home/henices/tests/ImageMagick/MagickWand/mogrify.c:183:14
    #21 0x50a313 in MagickMain /home/henices/tests/ImageMagick/utilities/magick.c:149:10
    #22 0x5096b1 in main /home/henices/tests/ImageMagick/utilities/magick.c:180:10
    #23 0x7f7247512009 in __libc_start_main (/lib64/libc.so.6+0x21009)

SUMMARY: AddressSanitizer: 9376 byte(s) leaked in 5 allocation(s).

testcase: https://github.com/henices/pocs/raw/master/WriteGROUP4Image-memory-leaks

Credit: NSFocus Security Team <security (at) nsfocus (dot) com>
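
An added triage sketch, not part of the original report or of ImageMagick's code: it parses LeakSanitizer records and returns the caller frames every record shares, which for this trace shows the leaked allocations all hang off one `ClonePixelCache` call reached through `WriteCALSImage`. The sample is constructed by abbreviating two records from the report; the function names `parse_lsan` and `shared_callers` are hypothetical.

```python
import re

# Constructed sample: two leak records abbreviated from the report above
# (addresses replaced with 0x0, paths shortened, frames trimmed).
SAMPLE = """\
Direct leak of 9096 byte(s) in 1 object(s) allocated from:
    #0 0x0 in __interceptor_malloc (/usr/local/bin/magick+0x0)
    #1 0x0 in AcquirePixelCache MagickCore/cache.c:192:28
    #2 0x0 in ClonePixelCache MagickCore/cache.c:412:28
    #3 0x0 in SetImageDepth MagickCore/attribute.c:1152:7
    #4 0x0 in WriteGROUP4Image coders/tiff.c:2641:10
    #5 0x0 in ImageToBlob MagickCore/blob.c:1908:18
    #6 0x0 in WriteCALSImage coders/cals.c:564:28

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x0 in __interceptor_posix_memalign (/usr/local/bin/magick+0x0)
    #1 0x0 in AcquireSemaphoreInfo MagickCore/semaphore.c:200:36
    #2 0x0 in AcquirePixelCache MagickCore/cache.c:222:25
    #3 0x0 in ClonePixelCache MagickCore/cache.c:412:28
    #4 0x0 in SetImageDepth MagickCore/attribute.c:1152:7
    #5 0x0 in WriteGROUP4Image coders/tiff.c:2641:10
    #6 0x0 in ImageToBlob MagickCore/blob.c:1908:18
    #7 0x0 in WriteCALSImage coders/cals.c:564:28
"""

HEADER = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")

def parse_lsan(report):
    """Return one dict per leak record: kind, bytes, objects, frames."""
    leaks = []
    for line in report.splitlines():
        if m := HEADER.match(line):
            leaks.append({"kind": m[1], "bytes": int(m[2]),
                          "objects": int(m[3]), "frames": []})
        elif leaks and (m := FRAME.match(line)):
            leaks[-1]["frames"].append((m[1], m[2]))  # (function, location)
    return leaks

def shared_callers(leaks):
    """Longest run of caller frames (outermost first) common to every leak."""
    stacks = [list(reversed(leak["frames"])) for leak in leaks]
    shared = []
    for frames in zip(*stacks):
        if len(set(frames)) != 1:  # stacks diverge below this caller
            break
        shared.append(frames[0])
    return shared
```

The last entry returned by `shared_callers` is the deepest frame common to all records, which is the place to start when deciding whether several leak records are one bug or several.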

henices changed the title from "memory leaks in WriteGROUP4Image" to "memory leaks in WriteCALSImage" on Jan 4, 2018
@urban-warrior

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

dlemstra added the bug label Jan 4, 2018
dlemstra closed this as completed Jan 4, 2018

nohmask commented Jun 4, 2018

This was assigned CVE-2018-11655.
