
#430 memory leak in CloneImage

v1.0_(example)
closed-fixed
None
5
2017-08-22
2017-08-11
bestshow
No

On GraphicsMagick 1.3.26 2017-07-04 Q8

A memory leak vulnerability was found in function CloneImage in magick/image.c, which allows attackers to cause a denial of service via a crafted file.

#./gm identify $FILE
=================================================================
==39635==ERROR: detected memory leaks

Indirect leak of 6856 byte(s) in 1 object(s) allocated from:
    #0 0x4e96f6 in __interceptor_malloc /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x6e22e1 in CloneImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/image.c:941:15
    #2 0x63f90d in ReadImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/constitute.c:1607:13
    #3 0x63ed64 in PingImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/constitute.c:1370:9
    #4 0x5b0232 in MagickCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:8869:17
    #5 0x5f621e in GMCommandSingle /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:17396:10
    #6 0x5f4aab in GMCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:17449:16
    #7 0x7fed6998cb34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274

Indirect leak of 4224 byte(s) in 1 object(s) allocated from:
    #0 0x4ea255 in posix_memalign /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:142
    #1 0x71147b in MagickMallocAligned /home/test/Downloads/GraphicsMagick-1.3.26/magick/memory.c:217:7
    #2 0x769a32 in GetCacheInfo /home/test/Downloads/GraphicsMagick-1.3.26/magick/pixel_cache.c:1986:14

Indirect leak of 128 byte(s) in 1 object(s) allocated from:
    #0 0x4e96f6 in __interceptor_malloc /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0xef94c0 in CloneBlobInfo /home/test/Downloads/GraphicsMagick-1.3.26/magick/blob.c:808:14
    #2 0x63f90d in ReadImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/constitute.c:1607:13
    #3 0x63ed64 in PingImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/constitute.c:1370:9
    #4 0x5b0232 in MagickCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:8869:17
    #5 0x5f621e in GMCommandSingle /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:17396:10
    #6 0x5f4aab in GMCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:17449:16
    #7 0x7fed6998cb34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274

Indirect leak of 128 byte(s) in 1 object(s) allocated from:
    #0 0x4ea255 in posix_memalign /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:142
    #1 0x71147b in MagickMallocAligned /home/test/Downloads/GraphicsMagick-1.3.26/magick/memory.c:217:7
    #2 0x7637f7 in AllocateCacheNexus /home/test/Downloads/GraphicsMagick-1.3.26/magick/pixel_cache.c:2507:14
    #3 0x7637f7 in OpenCacheView /home/test/Downloads/GraphicsMagick-1.3.26/magick/pixel_cache.c:3332

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4ea255 in posix_memalign /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:142
    #1 0x71147b in MagickMallocAligned /home/test/Downloads/GraphicsMagick-1.3.26/magick/memory.c:217:7
    #2 0x7637cd in OpenCacheView /home/test/Downloads/GraphicsMagick-1.3.26/magick/pixel_cache.c:3326:8

......
11784 byte(s) leaked in 11 allocation(s).

The poc file is in the attachment.

Credit ADLab of Venustech

1 Attachments
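
For triage, the leak report above can be grouped by allocation site and checked against its summary line. The Python below is an added example, not part of the original ticket or of GraphicsMagick; `triage`, `WRAPPERS` and `SAMPLE` are names chosen here, `SAMPLE` is a shortened copy of the trace above, and the wrapper list is an assumption based on the frames visible in that trace.

```python
import re
from collections import Counter

# Allocator wrappers seen in this trace (assumed list); skipped when picking the site.
WRAPPERS = {"__interceptor_malloc", "posix_memalign", "MagickMallocAligned"}
LEAK = re.compile(r"(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME = re.compile(r"\s*#\d+ 0x[0-9a-f]+ in (\S+)")
TOTAL = re.compile(r"(\d+) byte\(s\) leaked in (\d+) allocation\(s\)")
# Shortened copy of the ticket's trace (paths trimmed, deeper frames dropped).
SAMPLE = """\
Indirect leak of 6856 byte(s) in 1 object(s) allocated from:
    #0 0x4e96f6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0x6e22e1 in CloneImage magick/image.c:941:15
Indirect leak of 4224 byte(s) in 1 object(s) allocated from:
    #0 0x4ea255 in posix_memalign asan_malloc_linux.cc:142
    #1 0x71147b in MagickMallocAligned magick/memory.c:217:7
    #2 0x769a32 in GetCacheInfo magick/pixel_cache.c:1986:14
Indirect leak of 128 byte(s) in 1 object(s) allocated from:
    #0 0x4e96f6 in __interceptor_malloc asan_malloc_linux.cc:66
    #1 0xef94c0 in CloneBlobInfo magick/blob.c:808:14
Indirect leak of 128 byte(s) in 1 object(s) allocated from:
    #0 0x4ea255 in posix_memalign asan_malloc_linux.cc:142
    #1 0x71147b in MagickMallocAligned magick/memory.c:217:7
    #2 0x7637f7 in AllocateCacheNexus magick/pixel_cache.c:2507:14
Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4ea255 in posix_memalign asan_malloc_linux.cc:142
    #1 0x71147b in MagickMallocAligned magick/memory.c:217:7
    #2 0x7637cd in OpenCacheView magick/pixel_cache.c:3326:8
......
11784 byte(s) leaked in 11 allocation(s).
"""

def triage(report):
    """Return (bytes per allocation site, (bytes, allocations) missing from the listing)."""
    sites, shown_b, shown_n, total, pending = Counter(), 0, 0, None, None
    for line in report.splitlines():
        if m := LEAK.match(line):
            pending = int(m[2])  # bytes waiting for their owning frame
            shown_b, shown_n = shown_b + pending, shown_n + int(m[3])
        elif (m := FRAME.match(line)) and pending is not None and m[1] not in WRAPPERS:
            sites[m[1]] += pending  # first non-wrapper frame owns the allocation
            pending = None
        elif m := TOTAL.search(line):
            total = (int(m[1]), int(m[2]))
    hidden = (total[0] - shown_b, total[1] - shown_n) if total else None
    return dict(sites), hidden

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample, the five listed records are attributed to CloneImage, GetCacheInfo, CloneBlobInfo, AllocateCacheNexus and OpenCacheView, and the difference from the summary line shows 384 bytes in 6 allocations sit behind the `......` elision.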

Discussion

  • Bob Friesenhahn - 2017-08-12
    • status: open --> closed-fixed
    • assigned_to: Bob Friesenhahn
     
  • Bob Friesenhahn - 2017-08-12

    This issue was already fixed in GraphicsMagick Mercurial on August 11th.

     
  • Henri Salo - 2017-08-22

    Please use CVE-2017-13066 for this issue.

     
