Bug 1642614 (CVE-2018-18544) - CVE-2018-18544 ImageMagick: memory leak in WriteMSLImage of coders/msl.c
Summary: CVE-2018-18544 ImageMagick: memory leak in WriteMSLImage of coders/msl.c
Keywords:
Status: NEW
Alias: CVE-2018-18544
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20181019,reported=2...
Depends On: 1650299 1642615
Blocks: 1637193 1642616
Reported: 2018-10-24 20:00 UTC by Laura Pardo
Modified: 2019-06-08 23:41 UTC

Fixed In Version: ImageMagick 7.0.8-13
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Laura Pardo 2018-10-24 20:00:05 UTC
A flaw was found in ImageMagick 7.0.8-13 Q16: a memory leak in the function WriteMSLImage of coders/msl.c.


References:
https://github.com/ImageMagick/ImageMagick/issues/1360

Upstream Patch:
https://github.com/ImageMagick/ImageMagick/commit/c9c4ef4e7ca83d8a00effd16723f37946e89fbad

Comment 1 Laura Pardo 2018-10-24 20:00:41 UTC
Created ImageMagick tracking bugs for this issue:

Affects: fedora-all [bug 1642615]

Comment 4 Scott Gayou 2018-11-15 19:04:16 UTC
RHEL7:

```
==11842== Memcheck, a memory error detector
==11842== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==11842== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==11842== Command: convert poc test.msl
==11842== 
convert: unable to read font `poc' @ error/annotate.c/RenderFreetype/1361.
convert: non-conforming drawing primitive definition `text' @ error/draw.c/DrawImage/3352.
==11842== 
==11842== HEAP SUMMARY:
==11842==     in use at exit: 3,284,341 bytes in 6,098 blocks
==11842==   total heap usage: 36,922 allocs, 30,824 frees, 16,318,650 bytes allocated
==11842== 
==11842== 3,097,098 (13,248 direct, 3,083,850 indirect) bytes in 1 blocks are definitely lost in loss record 190 of 190
==11842==    at 0x483880B: malloc (vg_replace_malloc.c:299)
==11842==    by 0x498EA43: CloneImage (in /usr/lib64/libMagickCore-6.Q16.so.5.0.0)
==11842==    by 0x134279D7: ???
==11842==    by 0x48F564A: WriteImage (in /usr/lib64/libMagickCore-6.Q16.so.5.0.0)
==11842==    by 0x48F5F71: WriteImages (in /usr/lib64/libMagickCore-6.Q16.so.5.0.0)
==11842==    by 0x4B7A40F: ConvertImageCommand (in /usr/lib64/libMagickWand-6.Q16.so.5.0.0)
==11842==    by 0x4BE6B60: MagickCommandGenesis (in /usr/lib64/libMagickWand-6.Q16.so.5.0.0)
==11842==    by 0x1090FC: ??? (in /usr/bin/convert)
==11842==    by 0x5584412: (below main) (in /usr/lib64/libc-2.28.so)
==11842== 
==11842== LEAK SUMMARY:
==11842==    definitely lost: 13,248 bytes in 1 blocks
==11842==    indirectly lost: 3,083,850 bytes in 34 blocks
==11842==      possibly lost: 0 bytes in 0 blocks
==11842==    still reachable: 187,243 bytes in 6,063 blocks
==11842==         suppressed: 0 bytes in 0 blocks
==11842== Reachable blocks (those to which a pointer was found) are not shown.
==11842== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==11842== 
==11842== For counts of detected and suppressed errors, rerun with: -v
==11842== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```
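
A triage helper for Memcheck output like the log in Comment 4, added here as an example (it is not part of the bug report or of ImageMagick): it extracts each loss record with its call stack and names the first non-allocator frame, which for this log is CloneImage. The function names and the allocator skip list are assumptions of this example.

```python
import re

# Excerpt of the Memcheck log quoted in Comment 4 (call stack shortened to four frames).
SAMPLE = """\
==11842== 3,097,098 (13,248 direct, 3,083,850 indirect) bytes in 1 blocks are definitely lost in loss record 190 of 190
==11842==    at 0x483880B: malloc (vg_replace_malloc.c:299)
==11842==    by 0x498EA43: CloneImage (in /usr/lib64/libMagickCore-6.Q16.so.5.0.0)
==11842==    by 0x134279D7: ???
==11842==    by 0x48F564A: WriteImage (in /usr/lib64/libMagickCore-6.Q16.so.5.0.0)
==11842==
==11842== LEAK SUMMARY:
==11842==    definitely lost: 13,248 bytes in 1 blocks
"""

PREFIX = re.compile(r"^==\d+==\s?")
RECORD = re.compile(r"([\d,]+) (?:\(([\d,]+) direct, ([\d,]+) indirect\) )?bytes in "
                    r"([\d,]+) blocks? are (definitely|indirectly|possibly) lost")
FRAME = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+)")
# Assumption of this example: frames to skip when naming the allocation site.
ALLOCATORS = {"malloc", "calloc", "realloc", "memalign", "posix_memalign"}

def _num(s):
    return int(s.replace(",", ""))

def parse_leaks(text):
    """Return one dict per Memcheck loss record, with its call stack."""
    records, cur = [], None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        m = RECORD.search(line)
        if m:
            total = _num(m.group(1))
            cur = {"kind": m.group(5), "total": total, "blocks": _num(m.group(4)),
                   "direct": _num(m.group(2)) if m.group(2) else total,
                   "indirect": _num(m.group(3)) if m.group(3) else 0, "stack": []}
            records.append(cur)
        elif cur is not None and FRAME.match(line):
            cur["stack"].append(FRAME.match(line).group(1))
        elif not line.strip():
            cur = None  # blank line ends the current record
    return records

def allocation_site(record):
    """First frame that is not a libc allocator: the function that made the leaked allocation."""
    return next((fn for fn in record["stack"] if fn not in ALLOCATORS), None)

if __name__ == "__main__":
    for rec in parse_leaks(SAMPLE):
        print(rec["kind"], rec["total"], "bytes, allocated via", allocation_site(rec))
```

The `???` frame between CloneImage and WriteImage is kept in the stack as-is; Memcheck could not resolve a symbol for that address.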
