Source: src:imagemagick
Version: 8:6.9.7.4+dfsg-12
Severity: serious
Tags: security upstream
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.8.9.9-5+deb8u8
control: found -1 8:6.8.9.9-5+deb8u9
control: found -1 8:6.7.7.10-5+deb7u14
control: found -1 8:6.7.7.10-5+deb7u4
forwarded: https://github.com/ImageMagick/ImageMagick/issues/546

When identifying an MPC file, ImageMagick allocates memory to store the data. Here is the critical code (Mpc.c, in function ReadMPCImage):

    image->colormap=(PixelInfo *) AcquireQuantumMemory(image->colors+1, //856
      sizeof(*image->colormap));

The "image->colors" value is obtained from the local variable "options" as follows, and options is controlled by the image; in other words, "image->colors" can be read from the input file.

    image->colors=StringToUnsignedLong(options); //402

The function StringToUnsignedLong converts a string to unsigned long type, but the return value was not checked.

Here is my policy.xml to limit memory usage, but the 256MB limit can be bypassed.
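
An added example, not part of the original report and not ImageMagick's code or its fix: one way to validate a file-supplied color count before the colors+1 allocation described above. The names pixel_t, parse_colors and acquire_colormap, the struct layout, and the use of a plain byte budget in place of the policy.xml limit are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for ImageMagick's PixelInfo; this layout is an assumption. */
typedef struct { double red, green, blue, alpha, index; } pixel_t;

/* Parse the untrusted "colors" value: digits only, no sign, no overflow. */
static int parse_colors(const char *s, unsigned long *out)
{
    char *end;
    if (s == NULL || *s < '0' || *s > '9') return -1;  /* rejects "", "-1", " 5" */
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;    /* out of range or trailing junk */
    *out = v;
    return 0;
}

/* Allocate colors+1 entries only when the request fits the byte budget
   (hypothetical helper; the budget models a configured memory limit). */
static pixel_t *acquire_colormap(const char *options, size_t budget, size_t *colors)
{
    unsigned long n;
    if (parse_colors(options, &n) != 0) return NULL;
    if (n >= SIZE_MAX / sizeof(pixel_t)) return NULL;  /* (n+1)*size would wrap */
    size_t bytes = ((size_t) n + 1) * sizeof(pixel_t);
    if (bytes > budget) return NULL;                   /* enforce limit before allocating */
    pixel_t *map = calloc((size_t) n + 1, sizeof(pixel_t));
    if (map != NULL) *colors = (size_t) n;
    return map;
}

int main(void)
{
    const char *samples[] = { "256", "4294967295", "-1", "12abc" }; /* constructed inputs */
    size_t budget = (size_t) 256 * 1024 * 1024, n = 0;
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        pixel_t *m = acquire_colormap(samples[i], budget, &n);
        printf("colors=%-12s %s\n", samples[i], m ? "allocated" : "rejected");
        free(m);
    }
    return 0;
}
```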