{"id":638,"date":"2016-10-17T17:01:30","date_gmt":"2016-10-17T15:01:30","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=638"},"modified":"2016-10-20T09:19:00","modified_gmt":"2016-10-20T07:19:00","slug":"imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/10\/17\/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c\/","title":{"rendered":"imagemagick: memory allocation failure in AcquireMagickMemory (memory.c)"},"content":{"rendered":"

Description<\/strong>:
\nimagemagick<\/a> is a software suite to create, edit, compose, or convert bitmap images.<\/p>\n

A fuzzing with the upstream security policy<\/a> enabled revealed a memory allocation failure.<\/p>\n

The complete ASan output:<\/p>\n

# identify $FILE\r\n==14275==ERROR: AddressSanitizer failed to allocate 0x99ad49000 (41252327424) bytes of LargeMmapAllocator (error code: 12)\r\n==14275==Process memory map follows:\r\n        0x000000400000-0x000000520000   \/usr\/bin\/magick\r\n        0x000000720000-0x000000721000   \/usr\/bin\/magick\r\n        0x000000721000-0x000000724000   \/usr\/bin\/magick\r\n        0x000000724000-0x000001397000\r\n        0x00007fff7000-0x00008fff7000\r\n        0x00008fff7000-0x02008fff7000\r\n        0x02008fff7000-0x10007fff8000\r\n        0x600000000000-0x602000000000\r\n        0x602000000000-0x602000010000\r\n        0x602000010000-0x603000000000\r\n        0x603000000000-0x603000010000\r\n        0x603000010000-0x604000000000\r\n        0x604000000000-0x604000010000\r\n        0x604000010000-0x606000000000\r\n        0x606000000000-0x606000010000\r\n        0x606000010000-0x607000000000\r\n        0x607000000000-0x607000010000\r\n        0x607000010000-0x608000000000\r\n        0x608000000000-0x608000010000\r\n        0x608000010000-0x60a000000000\r\n        0x60a000000000-0x60a000020000\r\n        0x60a000020000-0x60b000000000\r\n        0x60b000000000-0x60b000010000\r\n        0x60b000010000-0x60c000000000\r\n        0x60c000000000-0x60c000010000\r\n        0x60c000010000-0x60e000000000\r\n        0x60e000000000-0x60e000010000\r\n        0x60e000010000-0x60f000000000\r\n        0x60f000000000-0x60f000010000\r\n        0x60f000010000-0x610000000000\r\n        0x610000000000-0x610000010000\r\n        0x610000010000-0x611000000000\r\n        0x611000000000-0x611000010000\r\n        0x611000010000-0x612000000000\r\n        0x612000000000-0x612000010000\r\n        0x612000010000-0x614000000000\r\n        0x614000000000-0x614000020000\r\n        0x614000020000-0x615000000000\r\n        0x615000000000-0x615000020000\r\n        0x615000020000-0x616000000000\r\n        0x616000000000-0x616000020000\r\n        0x616000020000-0x618000000000\r\n        0x618000000000-0x618000020000\r\n        0x618000020000-0x619000000000\r\n        0x619000000000-0x619000020000\r\n        0x619000020000-0x61a000000000\r\n        0x61a000000000-0x61a000020000\r\n        0x61a000020000-0x61b000000000\r\n        0x61b000000000-0x61b000020000\r\n        0x61b000020000-0x61d000000000\r\n        0x61d000000000-0x61d000020000\r\n        0x61d000020000-0x621000000000\r\n        0x621000000000-0x621000020000\r\n        0x621000020000-0x622000000000\r\n        0x622000000000-0x622000020000\r\n        0x622000020000-0x623000000000\r\n        0x623000000000-0x623000020000\r\n        0x623000020000-0x624000000000\r\n        0x624000000000-0x624000020000\r\n        0x624000020000-0x625000000000\r\n        0x625000000000-0x625000020000\r\n        0x625000020000-0x627000000000\r\n        0x627000000000-0x627000030000\r\n        0x627000030000-0x629000000000\r\n        0x629000000000-0x629000010000\r\n        0x629000010000-0x640000000000\r\n        0x640000000000-0x640000003000\r\n        0x7fe564f76000-0x7fe564f8d000   \/usr\/lib64\/ImageMagick-7.0.3\/modules-Q64HDRI\/coders\/pcx.so\r\n        0x7fe564f8d000-0x7fe56518c000   \/usr\/lib64\/ImageMagick-7.0.3\/modules-Q64HDRI\/coders\/pcx.so\r\n        0x7fe56518c000-0x7fe56518d000   \/usr\/lib64\/ImageMagick-7.0.3\/modules-Q64HDRI\/coders\/pcx.so\r\n        0x7fe56518d000-0x7fe56518e000   \/usr\/lib64\/ImageMagick-7.0.3\/modules-Q64HDRI\/coders\/pcx.so\r\n        0x7fe56518e000-0x7fe56b800000   \/usr\/lib64\/locale\/locale-archive\r\n        0x7fe56b800000-0x7fe56b900000\r\n        0x7fe56ba00000-0x7fe56bb00000\r\n        0x7fe56bbe6000-0x7fe56df38000\r\n        0x7fe56df38000-0x7fe56df5f000   \/usr\/lib64\/libexpat.so.1.6.0\r\n        0x7fe56df5f000-0x7fe56e15e000   \/usr\/lib64\/libexpat.so.1.6.0\r\n        0x7fe56e15e000-0x7fe56e161000   \/usr\/lib64\/libexpat.so.1.6.0\r\n        0x7fe56e161000-0x7fe56e162000   \/usr\/lib64\/libexpat.so.1.6.0\r\n        0x7fe56e162000-0x7fe56e297000   \/usr\/lib64\/libglib-2.0.so.0.4600.2\r\n        0x7fe56e297000-0x7fe56e497000   \/usr\/lib64\/libglib-2.0.so.0.4600.2\r\n        0x7fe56e497000-0x7fe56e498000   \/usr\/lib64\/libglib-2.0.so.0.4600.2\r\n        0x7fe56e498000-0x7fe56e499000   \/usr\/lib64\/libglib-2.0.so.0.4600.2\r\n        0x7fe56e499000-0x7fe56e49a000\r\n        0x7fe56e49a000-0x7fe56e4a3000   \/usr\/lib64\/libltdl.so.7.3.1\r\n        0x7fe56e4a3000-0x7fe56e6a2000   \/usr\/lib64\/libltdl.so.7.3.1\r\n        0x7fe56e6a2000-0x7fe56e6a3000   \/usr\/lib64\/libltdl.so.7.3.1\r\n        0x7fe56e6a3000-0x7fe56e6a4000   \/usr\/lib64\/libltdl.so.7.3.1\r\n        0x7fe56e6a4000-0x7fe56e6b9000   \/lib64\/libz.so.1.2.8\r\n        0x7fe56e6b9000-0x7fe56e8b8000   \/lib64\/libz.so.1.2.8\r\n        0x7fe56e8b8000-0x7fe56e8b9000   \/lib64\/libz.so.1.2.8\r\n        0x7fe56e8b9000-0x7fe56e8ba000   \/lib64\/libz.so.1.2.8\r\n        0x7fe56e8ba000-0x7fe56e8c9000   \/lib64\/libbz2.so.1.0.6\r\n        0x7fe56e8c9000-0x7fe56eac8000   \/lib64\/libbz2.so.1.0.6\r\n        0x7fe56eac8000-0x7fe56eac9000   \/lib64\/libbz2.so.1.0.6\r\n        0x7fe56eac9000-0x7fe56eaca000   \/lib64\/libbz2.so.1.0.6\r\n        0x7fe56eaca000-0x7fe56eb71000   \/usr\/lib64\/libfreetype.so.6.12.3\r\n        0x7fe56eb71000-0x7fe56ed71000   \/usr\/lib64\/libfreetype.so.6.12.3\r\n        0x7fe56ed71000-0x7fe56ed77000   \/usr\/lib64\/libfreetype.so.6.12.3\r\n        0x7fe56ed77000-0x7fe56ed78000   \/usr\/lib64\/libfreetype.so.6.12.3\r\n        0x7fe56ed78000-0x7fe56edb3000   \/usr\/lib64\/libfontconfig.so.1.8.0\r\n        0x7fe56edb3000-0x7fe56efb2000   \/usr\/lib64\/libfontconfig.so.1.8.0\r\n        0x7fe56efb2000-0x7fe56efb4000   \/usr\/lib64\/libfontconfig.so.1.8.0\r\n        0x7fe56efb4000-0x7fe56efb5000   \/usr\/lib64\/libfontconfig.so.1.8.0\r\n        0x7fe56efb5000-0x7fe56f1aa000   \/usr\/lib64\/libfftw3.so.3.4.4\r\n        0x7fe56f1aa000-0x7fe56f3a9000   \/usr\/lib64\/libfftw3.so.3.4.4\r\n        0x7fe56f3a9000-0x7fe56f3bd000   \/usr\/lib64\/libfftw3.so.3.4.4\r\n        0x7fe56f3bd000-0x7fe56f3be000   \/usr\/lib64\/libfftw3.so.3.4.4\r\n        0x7fe56f3be000-0x7fe56f3cc000   \/usr\/lib64\/liblqr-1.so.0.3.2\r\n        0x7fe56f3cc000-0x7fe56f5cb000   \/usr\/lib64\/liblqr-1.so.0.3.2\r\n        0x7fe56f5cb000-0x7fe56f5cc000   \/usr\/lib64\/liblqr-1.so.0.3.2\r\n        0x7fe56f5cc000-0x7fe56f5cd000   \/usr\/lib64\/liblqr-1.so.0.3.2\r\n        0x7fe56f5cd000-0x7fe56f620000   \/usr\/lib64\/liblcms2.so.2.0.6\r\n        0x7fe56f620000-0x7fe56f820000   \/usr\/lib64\/liblcms2.so.2.0.6\r\n        0x7fe56f820000-0x7fe56f821000   \/usr\/lib64\/liblcms2.so.2.0.6\r\n        0x7fe56f821000-0x7fe56f826000   \/usr\/lib64\/liblcms2.so.2.0.6\r\n        0x7fe56f826000-0x7fe56f9b9000   \/lib64\/libc-2.22.so\r\n        0x7fe56f9b9000-0x7fe56fbb9000   \/lib64\/libc-2.22.so\r\n        0x7fe56fbb9000-0x7fe56fbbd000   \/lib64\/libc-2.22.so\r\n        0x7fe56fbbd000-0x7fe56fbbf000   \/lib64\/libc-2.22.so\r\n        0x7fe56fbbf000-0x7fe56fbc3000\r\n        0x7fe56fbc3000-0x7fe56fbd9000   \/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/4.9.3\/libgcc_s.so.1\r\n        0x7fe56fbd9000-0x7fe56fdd8000   \/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/4.9.3\/libgcc_s.so.1\r\n        0x7fe56fdd8000-0x7fe56fdd9000   \/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/4.9.3\/libgcc_s.so.1\r\n        0x7fe56fdd9000-0x7fe56fdda000   \/usr\/lib64\/gcc\/x86_64-pc-linux-gnu\/4.9.3\/libgcc_s.so.1\r\n        0x7fe56fdda000-0x7fe56fde0000   \/lib64\/librt-2.22.so\r\n        0x7fe56fde0000-0x7fe56ffe0000   \/lib64\/librt-2.22.so\r\n        0x7fe56ffe0000-0x7fe56ffe1000   \/lib64\/librt-2.22.so\r\n        0x7fe56ffe1000-0x7fe56ffe2000   \/lib64\/librt-2.22.so\r\n        0x7fe56ffe2000-0x7fe56fff9000   \/lib64\/libpthread-2.22.so\r\n        0x7fe56fff9000-0x7fe5701f8000   \/lib64\/libpthread-2.22.so\r\n        0x7fe5701f8000-0x7fe5701f9000   \/lib64\/libpthread-2.22.so\r\n        0x7fe5701f9000-0x7fe5701fa000   \/lib64\/libpthread-2.22.so\r\n        0x7fe5701fa000-0x7fe5701fe000\r\n        0x7fe5701fe000-0x7fe5702fb000   \/lib64\/libm-2.22.so\r\n        0x7fe5702fb000-0x7fe5704fa000   \/lib64\/libm-2.22.so\r\n        0x7fe5704fa000-0x7fe5704fb000   \/lib64\/libm-2.22.so\r\n        0x7fe5704fb000-0x7fe5704fc000   \/lib64\/libm-2.22.so\r\n        0x7fe5704fc000-0x7fe5704fe000   \/lib64\/libdl-2.22.so\r\n        0x7fe5704fe000-0x7fe5706fe000   \/lib64\/libdl-2.22.so\r\n        0x7fe5706fe000-0x7fe5706ff000   \/lib64\/libdl-2.22.so\r\n        0x7fe5706ff000-0x7fe570700000   \/lib64\/libdl-2.22.so\r\n        0x7fe570700000-0x7fe570bc6000   \/usr\/lib64\/libMagickWand-7.Q64HDRI.so.0.0.0\r\n        0x7fe570bc6000-0x7fe570dc5000   \/usr\/lib64\/libMagickWand-7.Q64HDRI.so.0.0.0\r\n        0x7fe570dc5000-0x7fe570dda000   \/usr\/lib64\/libMagickWand-7.Q64HDRI.so.0.0.0\r\n        0x7fe570dda000-0x7fe570e1c000   \/usr\/lib64\/libMagickWand-7.Q64HDRI.so.0.0.0\r\n        0x7fe570e1c000-0x7fe5719af000   \/usr\/lib64\/libMagickCore-7.Q64HDRI.so.0.0.0\r\n        0x7fe5719af000-0x7fe571bae000   \/usr\/lib64\/libMagickCore-7.Q64HDRI.so.0.0.0\r\n        0x7fe571bae000-0x7fe571be7000   \/usr\/lib64\/libMagickCore-7.Q64HDRI.so.0.0.0\r\n        0x7fe571be7000-0x7fe571c59000   \/usr\/lib64\/libMagickCore-7.Q64HDRI.so.0.0.0\r\n        0x7fe571c59000-0x7fe571c5c000\r\n        0x7fe571c5c000-0x7fe571c7e000   \/lib64\/ld-2.22.so\r\n        0x7fe571cf9000-0x7fe571da4000\r\n        0x7fe571da4000-0x7fe571dc7000   \/usr\/share\/locale\/it\/LC_MESSAGES\/libc.mo\r\n        0x7fe571dc7000-0x7fe571e70000\r\n        0x7fe571e70000-0x7fe571e7d000\r\n        0x7fe571e7d000-0x7fe571e7e000   \/lib64\/ld-2.22.so\r\n        0x7fe571e7e000-0x7fe571e7f000   \/lib64\/ld-2.22.so\r\n        0x7fe571e7f000-0x7fe571e80000\r\n        0x7ffddcca3000-0x7ffddccc4000   [stack]\r\n        0x7ffddcd4d000-0x7ffddcd4f000   [vvar]\r\n        0x7ffddcd4f000-0x7ffddcd51000   [vdso]\r\n        0xffffffffff600000-0xffffffffff601000   [vsyscall]\r\n==14275==End of process memory map.\r\n==14275==AddressSanitizer CHECK failed: \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/sanitizer_common\/sanitizer_common.cc:183 \"((0 && \"unable to mmap\")) != (0)\" (0x0, 0x0)\r\n    #0 0x4c9f9d in AsanCheckFailed \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_rtl.cc:67\r\n    #1 0x4d0ad3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/sanitizer_common\/sanitizer_common.cc:159\r\n    #2 0x4d0cc1 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/sanitizer_common\/sanitizer_common.cc:183\r\n    #3 0x4d9cfa in __sanitizer::MmapOrDie(unsigned long, char const*, bool) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/sanitizer_common\/sanitizer_posix.cc:122\r\n    #4 0x42208f in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_allocator.h:1033\r\n    #5 0x42208f in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >*, unsigned long, unsigned long, bool, bool) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_allocator.h:1302\r\n    #6 0x42208f in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_allocator.cc:368\r\n    #7 0x42208f in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_allocator.cc:718\r\n    #8 0x4c0661 in malloc \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:53\r\n    #9 0x7fe5713b3b3b in AcquireMagickMemory \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.0\/work\/ImageMagick-7.0.3-0\/MagickCore\/memory.c:460:10\r\n    #10 0x7fe5713b3b3b in AcquireVirtualMemory \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.0\/work\/ImageMagick-7.0.3-0\/MagickCore\/memory.c:642\r\n    #11 0x7fe564f7af95 in ReadPCXImage \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.0\/work\/ImageMagick-7.0.3-0\/coders\/pcx.c:400:16\r\n    #12 0x7fe571087b12 in ReadImage \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.0\/work\/ImageMagick-7.0.3-0\/MagickCore\/constitute.c:496:13\r\n    #13 0x7fe57181f406 in ReadStream \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.0\/work\/ImageMagick-7.0.3-0\/MagickCore\/stream.c:1012:9\r\n    #14 0x7fe5710865ca in PingImage \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.0\/work\/ImageMagick-7.0.3-0\/MagickCore\/constitute.c:226:9\r\n    #15 0x7fe571086e25 in PingImages \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.0\/work\/ImageMagick-7.0.3-0\/MagickCore\/constitute.c:326:10\r\n    #16 0x7fe57090c4c3 in IdentifyImageCommand \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.0\/work\/ImageMagick-7.0.3-0\/MagickWand\/identify.c:319:18\r\n    #17 0x7fe5709a226a in MagickCommandGenesis \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.0\/work\/ImageMagick-7.0.3-0\/MagickWand\/mogrify.c:183:14\r\n    #18 0x4f1fb5 in MagickMain \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.0\/work\/ImageMagick-7.0.3-0\/utilities\/magick.c:145:10\r\n    #19 0x4f1fb5 in main \/tmp\/portage\/media-gfx\/imagemagick-7.0.3.0\/work\/ImageMagick-7.0.3-0\/utilities\/magick.c:176\r\n    #20 0x7fe56f84661f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #21 0x419138 in _init (\/usr\/bin\/magick+0x419138)\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n7.0.3.2<\/p>\n
Fixed version:<\/strong>
\n7.0.3.3<\/p>\n
Commit fix:<\/strong>
\nhttps:\/\/github.com\/ImageMagick\/ImageMagick\/commit\/aea6c6507f55632829e6432f8177a084a57c9fcc<\/a><\/p>\n
Credit:<\/strong>
\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n
CVE:<\/strong>
\nCVE-2016-8862<\/p>\n
Timeline:<\/strong>
\n2016-09-14: bug discovered
\n2016-09-14: bug reported to upstream
\n2016-10-07: upstream released a patch
\n2016-10-08: upstream released 7.0.3.3
\n2016-10-17: blog post about the issue
\n2016-10-20: CVE assigned<\/p>\n
Note:<\/strong>
\nThis bug was found with American Fuzzy Lop<\/a>.<\/p>\n
Permalink:<\/strong><\/p>\n
imagemagick: memory allocation failure in AcquireMagickMemory (memory.c)<\/a><\/p><\/blockquote>\n