
List:       oss-security
Subject:    [oss-security] ImageMagick Magick_png_malloc() / GraphicsMagick png_IM_malloc() size issue
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-07-30 5:56:03
Message-ID: 501621F3.5090402 () redhat ! com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I was going to request an embargo date for this issue once I had
spoken with ImageMagick; however, they felt an embargo was not needed
and publicly committed a source code fix for the issue, so this issue
is no longer private.

===========================

Tom Lane (tgl@redhat.com) found an issue in ImageMagick. Basically,
CVE-2011-3026 deals with libpng memory allocation; limitations have been
added so that a bad PNG can't cause the system to allocate a lot of
memory, causing a denial of service. However, on further investigation of
ImageMagick, Tom Lane found that the PNG malloc function (Magick_png_malloc)
in turn calls AcquireMagickMemory with an improper size argument:

#ifdef PNG_USER_MEM_SUPPORTED
/* Flawed declaration: libpng passes a png_alloc_size_t (png_size_t in 1.2),
 * but this wrapper declares the parameter as a 32-bit png_uint_32. */
static png_voidp Magick_png_malloc(png_structp png_ptr,png_uint_32 size)
{
  (void) png_ptr;
  return((png_voidp) AcquireMagickMemory((size_t) size));
}
#endif

This is incorrect; the size argument should be declared
png_alloc_size_t according to 1.5, or png_size_t according to 1.2.

"As this function stands, it invisibly does the wrong thing for any
request over 4GB.  On big-endian architectures it very possibly will
do the wrong thing even for requests less than that. So the reason why
the hard-wired 4GB limit prevents a core dump is that it masks the ABI
mismatch here."

So basically we have memory allocation problems that can probably
lead to a denial of service.
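The following is an added illustration written for this post; it is not code from ImageMagick, GraphicsMagick or libpng. It models the width mismatch described above with stand-in typedefs (png_uint_32 as a 32-bit unsigned, png_alloc_size_t as size_t, both assumptions matching libpng's public names) and shows what size actually reaches the allocator when a request larger than 4GB passes through a parameter declared with each type. The per-call cap in the checked wrapper is a constructed value, not a libpng or ImageMagick setting.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for the libpng typedefs discussed in the post (assumption). */
typedef uint32_t png_uint_32;       /* what the flawed wrapper declares   */
typedef size_t   png_alloc_size_t;  /* what libpng 1.5 actually passes    */

/* Size that reaches the allocator when the callback parameter is 32 bits
 * wide. The cast reproduces the low-32-bit truncation of the mismatched
 * prototype: any request >= 4GB is silently reduced modulo 2^32. */
uint64_t size_through_u32_param(uint64_t requested)
{
    png_uint_32 seen = (png_uint_32) requested;
    return seen;
}

/* Size that reaches the allocator with the corrected declaration
 * (png_alloc_size_t, i.e. size_t). On a 64-bit build nothing is lost. */
uint64_t size_through_size_t_param(uint64_t requested)
{
    png_alloc_size_t seen = (png_alloc_size_t) requested;
    return seen;
}

/* Detection helper: does the flawed signature change the request at all? */
int request_is_truncated(uint64_t requested)
{
    return size_through_u32_param(requested) != requested;
}

/* Defensive wrapper in the corrected shape. Besides using the right
 * parameter width, it refuses requests above an explicit cap instead of
 * relying on libpng's own limits to mask the problem. The cap value is a
 * constructed example (256 MB), not a value from the post or any project. */
#define EXAMPLE_PNG_ALLOC_CAP ((png_alloc_size_t) 256u * 1024u * 1024u)

void *checked_png_malloc(png_alloc_size_t size)
{
    if (size == 0 || size > EXAMPLE_PNG_ALLOC_CAP)
        return NULL;            /* caller treats NULL as an allocation failure */
    return malloc(size);
}

int main(void)
{
    /* Constructed request: 4 GiB plus 16 bytes. */
    uint64_t big = (UINT64_C(1) << 32) + 16;

    printf("requested            : %llu\n", (unsigned long long) big);
    printf("seen via png_uint_32 : %llu\n",
           (unsigned long long) size_through_u32_param(big));
    printf("seen via size_t      : %llu\n",
           (unsigned long long) size_through_size_t_param(big));
    printf("truncated?           : %s\n", request_is_truncated(big) ? "yes" : "no");

    void *p = checked_png_malloc((png_alloc_size_t) 4096);
    printf("4096-byte request    : %s\n", p ? "allocated" : "refused");
    free(p);
    return 0;
}
```

The case where the request is exactly a multiple of 4GB is the one the post calls "invisibly" wrong: the 32-bit parameter sees zero, so the allocator returns a tiny or empty buffer that libpng then treats as the full-size one. The width fix alone removes the truncation; the cap is a separate, explicit policy so that the behaviour no longer depends on libpng's hard-wired limit.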

===========================

For more information please see:

https://bugzilla.redhat.com/show_bug.cgi?id=844101
https://bugzilla.redhat.com/show_bug.cgi?id=844105



- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993
A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----