coders/dcm.c Memory Leak #964

Closed
ksyang opened this issue Jan 30, 2018 · 2 comments
ksyang commented Jan 30, 2018

System Configuration

  • ImageMagick version: ImageMagick 7.0.7-23
  • Environment (Operating system, version and so on): Ubuntu 14.04 64bit
  • Additional information: compilation with asan

Description

redmap=(int *) AcquireQuantumMemory((size_t) colors,

greenmap=(int *) AcquireQuantumMemory((size_t) colors,

bluemap=(int *) AcquireQuantumMemory((size_t) colors,

Each of redmap, greenmap, and bluemap can be overwritten by a new pointer, so it loses the previous pointer, which leads to a memory leak. I guess we should check whether each XXXmap variable is already allocated or not.

$ ./magick convert ~/leak1.dcm ./out.png
convert: UnableToOpenConfigureFile `magic.xml' @ warning/configure.c/GetConfigureOptions/714.
convert: InsufficientImageDataInFile `/home/skid/leak1.dcm' @ error/dcm.c/ReadDCMImage/3280.
convert: NoImagesDefined `./out.png' @ error/convert.c/ConvertImageCommand/3275.

=================================================================
==62826==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 20 byte(s) in 1 object(s) allocated from:
    #0 0x4bd753 in __interceptor_malloc /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67:3
    #1 0x537d1d in AcquireMagickMemory (/imagemagick.latest/utilities/magick+0x537d1d)
    #2 0x537dcd in AcquireQuantumMemory (/imagemagick.latest/utilities/magick+0x537dcd)
    #3 0x6c91c2 in ReadDCMImage (/imagemagick.latest/utilities/magick+0x6c91c2)
    #4 0xaf0948 in ReadImage (/imagemagick.latest/utilities/magick+0xaf0948)
    #5 0xaf4ff4 in ReadImages (/imagemagick.latest/utilities/magick+0xaf4ff4)
    #6 0xe61486 in ConvertImageCommand (/imagemagick.latest/utilities/magick+0xe61486)
    #7 0xf41f40 in MagickCommandGenesis (/imagemagick.latest/utilities/magick+0xf41f40)
    #8 0x4e8af9 in MagickMain (/imagemagick.latest/utilities/magick+0x4e8af9)
    #9 0x4e8401 in main (/imagemagick.latest/utilities/magick+0x4e8401)
    #10 0x7f09662ab82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
$ ./magick convert ~/leak2.dcm ./a.png
convert: UnableToOpenConfigureFile `magic.xml' @ warning/configure.c/GetConfigureOptions/714.
convert: ImproperImageHeader `/home/skid/leak2.dcm' @ error/dcm.c/ReadDCMImage/3151.
convert: NoImagesDefined `./a.png' @ error/convert.c/ConvertImageCommand/3275.

=================================================================
==63144==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 52 byte(s) in 1 object(s) allocated from:
    #0 0x4bd753 in __interceptor_malloc /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67:3
    #1 0x537d1d in AcquireMagickMemory (/imagemagick.latest/utilities/magick+0x537d1d)
    #2 0x537dcd in AcquireQuantumMemory (/imagemagick.latest/utilities/magick+0x537dcd)
    #3 0x6c8a80 in ReadDCMImage (/imagemagick.latest/utilities/magick+0x6c8a80)
    #4 0xaf0948 in ReadImage (/imagemagick.latest/utilities/magick+0xaf0948)
    #5 0xaf4ff4 in ReadImages (/imagemagick.latest/utilities/magick+0xaf4ff4)
    #6 0xe61486 in ConvertImageCommand /imagemagick.latest/utilities/magick+0xe61486)
    #7 0xf41f40 in MagickCommandGenesis (/imagemagick.latest/utilities/magick+0xf41f40)
    #8 0x4e8af9 in MagickMain (/imagemagick.latest/utilities/magick+0x4e8af9)
    #9 0x4e8401 in main (/imagemagick.latest/utilities/magick+0x4e8401)
    #10 0x7f8ea250982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: 52 byte(s) leaked in 1 allocation(s).
$ ./magick convert ~/leak3.dcm ./a.png
convert: UnableToOpenConfigureFile `magic.xml' @ warning/configure.c/GetConfigureOptions/714.
convert: InsufficientImageDataInFile `/home/skid/leak3.dcm' @ error/dcm.c/ReadDCMImage/3280.
convert: NoImagesDefined `./a.png' @ error/convert.c/ConvertImageCommand/3275.

=================================================================
==63151==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 196 byte(s) in 1 object(s) allocated from:
    #0 0x4bd753 in __interceptor_malloc /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67:3
    #1 0x537d1d in AcquireMagickMemory (/imagemagick.latest/utilities/magick+0x537d1d)
    #2 0x537dcd in AcquireQuantumMemory (/imagemagick.latest/utilities/magick+0x537dcd)
    #3 0x6c9904 in ReadDCMImage (/imagemagick.latest/utilities/magick+0x6c9904)
    #4 0xaf0948 in ReadImage (/imagemagick.latest/utilities/magick+0xaf0948)
    #5 0xaf4ff4 in ReadImages (/imagemagick.latest/utilities/magick+0xaf4ff4)
    #6 0xe61486 in ConvertImageCommand (/imagemagick.latest/utilities/magick+0xe61486)
    #7 0xf41f40 in MagickCommandGenesis (/imagemagick.latest/utilities/magick+0xf41f40)
    #8 0x4e8af9 in MagickMain (/imagemagick.latest/utilities/magick+0x4e8af9)
    #9 0x4e8401 in main (/imagemagick.latest/utilities/magick+0x4e8401)
    #10 0x7fb320bdc82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: 196 byte(s) leaked in 1 allocation(s).

Crash File : crashes.zip

Credit : Kyeongseok Yang & Choongwoo Han, Naver Security Team
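
Added example (not part of the issue and not ImageMagick code): a minimal C model of the overwrite pattern described in the report above, next to a reader that releases the old map before acquiring a new one. `map_alloc`, `map_free`, `sweep`, `read_palettes` and the repeated-tag input are hypothetical names and constructed data; the assumption is that the same palette tag appears more than once in one file.

```c
#include <stdio.h>
#include <stdlib.h>
#define MAX_LIVE 16
static int *live[MAX_LIVE];            /* demo tracker of outstanding blocks */

static int *map_alloc(size_t colors) {
  int *p = NULL;
  size_t i;
  if (colors == 0 || colors > 65536)   /* bound the file-controlled count */
    return NULL;
  for (i = 0; i < MAX_LIVE && live[i] != NULL; i++) ;
  if (i < MAX_LIVE)
    p = live[i] = calloc(colors, sizeof(*p));
  return p;
}

static int *map_free(int *p) {         /* returns NULL so callers can reset */
  size_t i;
  for (i = 0; p != NULL && i < MAX_LIVE; i++)
    if (live[i] == p) { free(p); live[i] = NULL; break; }
  return NULL;
}

static int sweep(void) {               /* count, then free, what was lost */
  int n = 0;
  size_t i;
  for (i = 0; i < MAX_LIVE; i++)
    if (live[i] != NULL) { free(live[i]); live[i] = NULL; n++; }
  return n;
}

/* tags[] holds the color count of each palette tag met while reading.
   release_first=0 overwrites the pointer; 1 releases the old map first.
   Returns how many blocks the reader no longer had a pointer to on exit. */
int read_palettes(const size_t *tags, size_t n, int release_first) {
  int *redmap = NULL;
  size_t i;
  for (i = 0; i < n; i++) {
    if (release_first)
      redmap = map_free(redmap);
    redmap = map_alloc(tags[i]);       /* old pointer lost if not released */
  }
  (void) map_free(redmap);             /* normal cleanup on the exit path */
  return sweep();
}

int main(void) {
  const size_t tags[] = { 5, 13, 49 }; /* constructed: tag repeated 3 times */
  printf("overwrite: %d leaked, release first: %d leaked\n",
         read_palettes(tags, 3, 0), read_palettes(tags, 3, 1));
  return 0;
}
```

The exit-path cleanup only frees the last map, so every earlier allocation is unreachable unless it is released before the pointer is reassigned.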

dlemstra added a commit that referenced this issue Jan 30, 2018
dlemstra added a commit that referenced this issue Jan 30, 2018
@dlemstra dlemstra added the bug label Jan 30, 2018
@dlemstra
Member

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@nohmask

nohmask commented Feb 1, 2018

This was assigned CVE-2018-6405.
