oss-sec mailing list archives
ImageMagick Magick_png_malloc() / GraphicsMagick png_IM_malloc() size issue
From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 29 Jul 2012 23:56:03 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I was going to request an embargo date for this issue once I had spoken with ImageMagick; however, they felt an embargo was not needed and publicly committed a source code fix for the issue, so this issue is no longer private.

===========================

Tom Lane (tgl () redhat com) found an issue in ImageMagick. Basically, CVE-2011-3026 deals with libpng memory allocation: limitations have been added so that a bad PNG can't cause the system to allocate a lot of memory, causing a denial of service. However, on further investigation of ImageMagick, Tom Lane found that the PNG malloc function (Magick_png_malloc) in turn calls AcquireMagickMemory with an improper size argument:

#ifdef PNG_USER_MEM_SUPPORTED
static png_voidp Magick_png_malloc(png_structp png_ptr,png_uint_32 size)
{
  (void) png_ptr;
  return((png_voidp) AcquireMagickMemory((size_t) size));
}

This is incorrect; the size argument should be declared png_alloc_size_t according to 1.5, or png_size_t according to 1.2.

"As this function stands, it invisibly does the wrong thing for any request over 4GB. On big-endian architectures it very possibly will do the wrong thing even for requests less than that. So the reason why the hard-wired 4GB limit prevents a core dump is that it masks the ABI mismatch here."

So basically we have memory allocation problems that can probably lead to a denial of service.
===========================

For more information please see:

https://bugzilla.redhat.com/show_bug.cgi?id=844101
https://bugzilla.redhat.com/show_bug.cgi?id=844105

--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
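The prototype mismatch described in the message above, modelled in C as an added example (this is not ImageMagick, GraphicsMagick or libpng code). It assumes libpng 1.5's png_alloc_size_t is size_t (64 bits on an LP64 platform) and models the argument hand-off as a plain 8-byte memory slot that a callee declared with a 32-bit parameter reads from the front; real ABIs pass arguments in registers or right-justify stack slots, so the slot_read_as_u32 function is a simplification used only to show why both the parameter width and the byte order matter. bad_png_malloc has the shape of the advisory's Magick_png_malloc; good_png_malloc has the corrected prototype; callback_param_wide_enough is a hypothetical reviewer check.

```c
/* Model of the png_malloc_ptr prototype mismatch (added example, not project code). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed from libpng 1.5: the user allocator is
 *   png_voidp (*png_malloc_ptr)(png_structp, png_alloc_size_t);
 * with png_alloc_size_t defined as size_t. */
typedef size_t   png_alloc_size_t;
typedef uint32_t png_uint_32;

/* Buggy shape, as quoted in the advisory: the callback declares a 32-bit size
 * while libpng hands it a png_alloc_size_t. Kept here as the "before". */
void *bad_png_malloc(void *png_ptr, png_uint_32 size)
{
    (void) png_ptr;
    return malloc((size_t) size);
}

/* Fixed shape: the parameter width matches what libpng actually passes, so
 * requests above 4 GiB are neither truncated nor misread. */
void *good_png_malloc(void *png_ptr, png_alloc_size_t size)
{
    (void) png_ptr;
    return malloc(size);
}

/* Simplified argument-slot model (an assumption, not any real ABI): the
 * caller stores a 64-bit size into an 8-byte slot in the platform's byte
 * order, and a callee that believes the parameter is 32 bits loads the first
 * four bytes of that slot. Returns the value such a callee would see. */
uint32_t slot_read_as_u32(uint64_t size, int big_endian)
{
    unsigned char slot[8];
    for (int i = 0; i < 8; i++) {
        int shift = big_endian ? (7 - i) * 8 : i * 8;
        slot[i] = (unsigned char) (size >> shift);
    }
    unsigned char head[4];
    memcpy(head, slot, 4);
    uint32_t seen = 0;
    for (int i = 0; i < 4; i++) {
        int shift = big_endian ? (3 - i) * 8 : i * 8;
        seen |= (uint32_t) head[i] << shift;
    }
    return seen;
}

/* Hypothetical reviewer check: a user allocator's size parameter must be at
 * least as wide as the type libpng passes. */
int callback_param_wide_enough(size_t param_bytes)
{
    return param_bytes >= sizeof(png_alloc_size_t);
}

int main(void)
{
    uint64_t big = ((uint64_t) 1 << 32) | 16;   /* 4 GiB + 16 bytes */

    /* Little-endian: only the low 32 bits survive, so a 4 GiB + 16 request
     * becomes a 16-byte allocation that the caller then overruns. */
    printf("LE callee sees %u for request %llu\n",
           slot_read_as_u32(big, 0), (unsigned long long) big);
    /* Big-endian: the high word is read first, so even a 16-byte request
     * looks like a request for 0 bytes. */
    printf("BE callee sees %u for request 16\n", slot_read_as_u32(16, 1));

    printf("png_uint_32 wide enough:      %d\n",
           callback_param_wide_enough(sizeof(png_uint_32)));
    printf("png_alloc_size_t wide enough: %d\n",
           callback_param_wide_enough(sizeof(png_alloc_size_t)));

    void *p = good_png_malloc(NULL, 64);
    free(p);
    return 0;
}
```

The point the model makes is the one quoted from Tom Lane: a hard 4 GiB cap on PNG allocations hides the truncation on little-endian machines, but it is the prototype, not the cap, that has to be fixed, because on a big-endian layout the misread can happen for small requests too.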
Current thread:
- ImageMagick Magick_png_malloc() / GraphicsMagick png_IM_malloc() size issue Kurt Seifried (Jul 29)