
#433 memory leak in ReadMATImage

v1.0_(example)
closed-fixed
None
5
2017-08-20
2017-08-11
bestshow
No

On GraphicsMagick 1.3.26 2017-07-04 Q8

A memory leak vulnerability was found in function ReadMATImage in coders/mat.c, which allows attackers to cause a denial of service via a crafted file.

#./gm identify $FILE
=================================================================
==50436==ERROR: detected memory leaks

Indirect leak of 6856 byte(s) in 1 object(s) allocated from:
    #0 0x4e96f6 in __interceptor_malloc /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x6dca7f in AllocateImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/image.c:336:18
    #2 0xbf76b0 in DecompressBlock /home/test/Downloads/GraphicsMagick-1.3.26/coders/mat.c:406:17
    #3 0xbf76b0 in ReadMATImage /home/test/Downloads/GraphicsMagick-1.3.26/coders/mat.c:835
    #4 0x63f90d in ReadImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/constitute.c:1607:13
    #5 0x63ed64 in PingImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/constitute.c:1370:9
    #6 0x5b0232 in MagickCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:8869:17
    #7 0x5f621e in GMCommandSingle /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:17396:10
    #8 0x5f4aab in GMCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:17449:16
    #9 0x7ff3c0a2fb34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274

Indirect leak of 4224 byte(s) in 1 object(s) allocated from:
    #0 0x4ea255 in posix_memalign /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:142
    #1 0x71147b in MagickMallocAligned /home/test/Downloads/GraphicsMagick-1.3.26/magick/memory.c:217:7
    #2 0x769a32 in GetCacheInfo /home/test/Downloads/GraphicsMagick-1.3.26/magick/pixel_cache.c:1986:14
    #3 0xbf76b0 in DecompressBlock /home/test/Downloads/GraphicsMagick-1.3.26/coders/mat.c:406:17
    #4 0xbf76b0 in ReadMATImage /home/test/Downloads/GraphicsMagick-1.3.26/coders/mat.c:835
    #5 0x63f90d in ReadImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/constitute.c:1607:13
    #6 0x63ed64 in PingImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/constitute.c:1370:9
    #7 0x5b0232 in MagickCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:8869:17
    #8 0x5f621e in GMCommandSingle /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:17396:10
    #9 0x5f4aab in GMCommand /home/test/Downloads/GraphicsMagick-1.3.26/magick/command.c:17449:16
    #10 0x7ff3c0a2fb34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274

......

11784 byte(s) leaked in 11 allocation(s).

The poc file is in the attachment.

Credit: ADLab of Venustech

1 Attachments
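A triage helper for the LeakSanitizer report quoted above, added here as an example and not code from the GraphicsMagick project: it parses ASan/LSan leak blocks and attributes each leak to the innermost frame inside a chosen source directory (here coders/, so the allocator and core-library frames such as AllocateImage are skipped), then sums leaked bytes per blamed frame. The source root and the sample report are taken from the build paths and the two leak blocks shown in the report.

```python
"""Parse an ASan/LSan leak report and blame each leak on the innermost frame
inside a chosen source subtree (e.g. coders/), then total bytes per frame.
Added example; the constants mirror the report above and are not project code."""
import re
from collections import defaultdict

LEAK_HDR = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)")

# Constructed sample: the two leak blocks from the report above, trimmed to the frames that matter.
SAMPLE_REPORT = """\
Indirect leak of 6856 byte(s) in 1 object(s) allocated from:
    #0 0x4e96f6 in __interceptor_malloc /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x6dca7f in AllocateImage /home/test/Downloads/GraphicsMagick-1.3.26/magick/image.c:336:18
    #2 0xbf76b0 in DecompressBlock /home/test/Downloads/GraphicsMagick-1.3.26/coders/mat.c:406:17
    #3 0xbf76b0 in ReadMATImage /home/test/Downloads/GraphicsMagick-1.3.26/coders/mat.c:835

Indirect leak of 4224 byte(s) in 1 object(s) allocated from:
    #0 0x4ea255 in posix_memalign /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:142
    #1 0x71147b in MagickMallocAligned /home/test/Downloads/GraphicsMagick-1.3.26/magick/memory.c:217:7
    #2 0x769a32 in GetCacheInfo /home/test/Downloads/GraphicsMagick-1.3.26/magick/pixel_cache.c:1986:14
    #3 0xbf76b0 in DecompressBlock /home/test/Downloads/GraphicsMagick-1.3.26/coders/mat.c:406:17
    #4 0xbf76b0 in ReadMATImage /home/test/Downloads/GraphicsMagick-1.3.26/coders/mat.c:835
"""

def parse_leaks(report, source_root="/home/test/Downloads/GraphicsMagick-1.3.26/", blame_dir="coders/"):
    """Return one dict per leak block: kind, bytes, objects and the blamed frame (or None)."""
    leaks, current = [], None
    for line in report.splitlines():
        m = LEAK_HDR.match(line)
        if m:  # start of a new leak block
            current = {"kind": m.group(1), "bytes": int(m.group(2)),
                       "objects": int(m.group(3)), "frame": None}
            leaks.append(current)
            continue
        m = FRAME.match(line)
        if m and current is not None and current["frame"] is None:
            func, path, lineno = m.groups()
            if path.startswith(source_root):
                rel = path[len(source_root):]
                if rel.startswith(blame_dir):  # innermost frame in the coder, not the allocator
                    current["frame"] = f"{func} {rel}:{lineno}"
    return leaks

def bytes_by_frame(leaks):
    """Sum leaked bytes per blamed frame so the responsible decoder site stands out."""
    totals = defaultdict(int)
    for leak in leaks:
        totals[leak["frame"]] += leak["bytes"]
    return dict(totals)
```

Run against the full log, both leaks collapse onto DecompressBlock at coders/mat.c:406, which is where a maintainer would look for the Image object that is allocated but never destroyed on the error path.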

Discussion

  • Bob Friesenhahn

    Bob Friesenhahn - 2017-08-16
    • assigned_to: Bob Friesenhahn
     
  • Bob Friesenhahn

    Bob Friesenhahn - 2017-08-20
    • assigned_to: Bob Friesenhahn --> Jaroslav Fojtik
     
  • Bob Friesenhahn

    Bob Friesenhahn - 2017-08-20
    • status: open --> closed-fixed
     
  • Bob Friesenhahn

    Bob Friesenhahn - 2017-08-20

    Problem is fixed by the combination of changesets 15122:b6c54b2d5991, 15123:f87246749079, 15125:91b707030bda, 15127:3e3ef99689df, and 15128:3dd7bf268680. Thank you for reporting the problem and providing a test case.
