Source: src:imagemagick
Version: 8:6.9.7.4+dfsg-12
Severity: serious
Tags: security upstream
X-Debbugs-CC: [email protected]
control: found -1 8:6.8.9.9-5+deb8u8
control: found -1 8:6.8.9.9-5+deb8u9
control: found -1 8:6.7.7.10-5+deb7u14
control: found -1 8:6.7.7.10-5+deb7u4
forwarded: https://github.com/ImageMagick/ImageMagick/issues/546
When identifying an MPC file, ImageMagick allocates memory to store the
data. Here is the critical code
(Mpc.c, in function ReadMPCImage):
image->colormap=(PixelInfo *) AcquireQuantumMemory(image->colors+1, //856
sizeof(*image->colormap));
The "image->colors" value is obtained from the local variable "options",
as follows, and options is controlled by the image; in other words,
"image->colors" can be read from the input file.
image->colors=StringToUnsignedLong(options); //402
The function StringToUnsignedLong converts a string to the unsigned long
type, but its return value is not checked.
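The missing check described above, sketched as an added example (not code from this report or from ImageMagick): the count is parsed with plain strtoul, validated, and compared against a byte limit before anything is allocated. The names parse_count, acquire_colormap, ColorEntry and MEMORY_LIMIT_BYTES are hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
/* Assumed ceiling, matching the 256MB figure in the report. */
#define MEMORY_LIMIT_BYTES ((size_t) 256 * 1024 * 1024)
/* Hypothetical stand-in for a colormap entry (not ImageMagick's PixelInfo). */
typedef struct { double red, green, blue, alpha; } ColorEntry;

/* Parse an untrusted decimal count. Returns 0 on success, -1 on error. */
static int parse_count(const char *text, size_t *out)
{
    char *end = NULL;
    unsigned long value;
    /* strtoul() accepts leading whitespace and a sign; reject both up front. */
    if (text == NULL || !isdigit((unsigned char) *text))
        return -1;
    errno = 0;
    value = strtoul(text, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1; /* out of range or trailing garbage */
    *out = (size_t) value;
    return 0;
}

/* Allocate count+1 entries only when the total stays within limit bytes. */
static ColorEntry *acquire_colormap(const char *text, size_t limit, size_t *colors)
{
    size_t count;
    if (parse_count(text, &count) != 0)
        return NULL;
    /* Division form: no overflow in (count + 1) * sizeof(ColorEntry). */
    if (count >= limit / sizeof(ColorEntry))
        return NULL;
    *colors = count;
    return calloc(count + 1, sizeof(ColorEntry));
}

int main(void)
{
    const char *samples[] = { "256", "4294967295", "-1", "12abc" }; /* constructed */
    size_t i, n = 0;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        ColorEntry *map = acquire_colormap(samples[i], MEMORY_LIMIT_BYTES, &n);
        printf("%-12s -> %s\n", samples[i], map ? "allocated" : "rejected");
        free(map);
    }
    return 0;
}
```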
Here is my policy.xml to limit memory usage, but the 256MB limit can be bypassed.