Headline
GHSA-qp59-x883-77qv: ImageMagick has a Memory Leak in LoadOpenCLDeviceBenchmark() when parsing malformed XML
Summary
A memory leak vulnerability exists in the LoadOpenCLDeviceBenchmark() function in MagickCore/opencl.c. When parsing a malformed OpenCL device profile XML file that contains <device elements without proper /> closing tags, the function fails to release allocated memory for string members (platform_name, vendor_name, name, version), leading to memory leaks that could result in resource exhaustion.
Affected Version: ImageMagick 7.1.2-12 and possibly earlier versions
Details
The vulnerability is located in MagickCore/opencl.c, function LoadOpenCLDeviceBenchmark() (lines 754-911).
Root Cause Analysis:
- When a
<devicetag is encountered, aMagickCLDeviceBenchmarkstructure is allocated (line 807-812) - String attributes (
platform,vendor,name,version) are allocated viaConstantString()(lines 878, 885, 898, 900) - These strings are only freed when a
/>closing tag is encountered (lines 840-849) - At function exit (lines 908-910), only the
device_benchmarkstructure is freed, but its member variables are not freed if/>was never parsed
Vulnerable Code (lines 908-910):
token=(char *) RelinquishMagickMemory(token);
device_benchmark=(MagickCLDeviceBenchmark *) RelinquishMagickMemory(
device_benchmark); // BUG: members (platform_name, vendor_name, name, version) not freed!
Correct cleanup (only executed when /> is found, lines 840-849):
device_benchmark->platform_name=(char *) RelinquishMagickMemory(device_benchmark->platform_name);
device_benchmark->vendor_name=(char *) RelinquishMagickMemory(device_benchmark->vendor_name);
device_benchmark->name=(char *) RelinquishMagickMemory(device_benchmark->name);
device_benchmark->version=(char *) RelinquishMagickMemory(device_benchmark->version);
device_benchmark=(MagickCLDeviceBenchmark *) RelinquishMagickMemory(device_benchmark);
PoC
Environment:
- OS: Ubuntu 22.04.5 LTS (Linux 6.8.0-87-generic x86_64)
- Compiler: GCC 11.4.0
- ImageMagick: 7.1.2-13 (commit
a52c1b402be08ef8ae193f28ac5b2e120f2fa26f)
Step 1: Build ImageMagick with AddressSanitizer
cd ImageMagick
./configure \
CFLAGS="-g -O0 -fsanitize=address -fno-omit-frame-pointer" \
CXXFLAGS="-g -O0 -fsanitize=address -fno-omit-frame-pointer" \
LDFLAGS="-fsanitize=address" \
--disable-openmp
make -j$(nproc)
Step 2: Create malformed XML file
Step 3: Place file in OpenCL cache directory
mkdir -p ~/.cache/ImageMagick
cp malformed_opencl_profile.xml ~/.cache/ImageMagick/ImagemagickOpenCLDeviceProfile.xml
Step 4: Run ImageMagick with leak detection
export ASAN_OPTIONS="detect_leaks=1:symbolize=1"
./utilities/magick -size 100x100 xc:red output.png
ASAN Output:
=================================================================
==2543490==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 96 byte(s) in 2 object(s) allocated from:
#0 ... in AcquireMagickMemory MagickCore/memory.c:536
#1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:807
Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 ... in ConstantString MagickCore/string.c:692
#1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:878 ← name
Direct leak of 14 byte(s) in 1 object(s) allocated from:
#0 ... in ConstantString MagickCore/string.c:692
#1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:885 ← platform_name
Direct leak of 14 byte(s) in 1 object(s) allocated from:
#0 ... in ConstantString MagickCore/string.c:692
#1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:898 ← vendor_name
Direct leak of 15 byte(s) in 1 object(s) allocated from:
#0 ... in ConstantString MagickCore/string.c:692
#1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:900 ← version
SUMMARY: AddressSanitizer: 203 byte(s) leaked in 18 allocation(s).
Impact
Vulnerability Type: CWE-401 (Missing Release of Memory after Effective Lifetime)
Severity: Low
Who is impacted:
- Users who have OpenCL enabled in ImageMagick
- Systems where an attacker can place or modify files in the OpenCL cache directory (
~/.cache/ImageMagick/) - Long-running ImageMagick processes or services that repeatedly initialize OpenCL
Potential consequences:
- Memory exhaustion over time if the malformed configuration is repeatedly loaded
- Denial of Service (DoS) in resource-constrained environments
Attack Vector: Local - requires write access to the user’s OpenCL cache directory
Summary
A memory leak vulnerability exists in the LoadOpenCLDeviceBenchmark() function in MagickCore/opencl.c. When parsing a malformed OpenCL device profile XML file that contains <device elements without proper /> closing tags, the function fails to release allocated memory for string members (platform_name, vendor_name, name, version), leading to memory leaks that could result in resource exhaustion.
Affected Version: ImageMagick 7.1.2-12 and possibly earlier versions
Details
The vulnerability is located in MagickCore/opencl.c, function LoadOpenCLDeviceBenchmark() (lines 754-911).
Root Cause Analysis:
- When a <device tag is encountered, a MagickCLDeviceBenchmark structure is allocated (line 807-812)
- String attributes (platform, vendor, name, version) are allocated via ConstantString() (lines 878, 885, 898, 900)
- These strings are only freed when a /> closing tag is encountered (lines 840-849)
- At function exit (lines 908-910), only the device_benchmark structure is freed, but its member variables are not freed if /> was never parsed
Vulnerable Code (lines 908-910):
token=(char *) RelinquishMagickMemory(token); device_benchmark=(MagickCLDeviceBenchmark *) RelinquishMagickMemory( device_benchmark); // BUG: members (platform_name, vendor_name, name, version) not freed!
Correct cleanup (only executed when /> is found, lines 840-849):
device_benchmark->platform_name=(char *) RelinquishMagickMemory(device_benchmark->platform_name); device_benchmark->vendor_name=(char *) RelinquishMagickMemory(device_benchmark->vendor_name); device_benchmark->name=(char *) RelinquishMagickMemory(device_benchmark->name); device_benchmark->version=(char *) RelinquishMagickMemory(device_benchmark->version); device_benchmark=(MagickCLDeviceBenchmark *) RelinquishMagickMemory(device_benchmark);
PoC
Environment:
- OS: Ubuntu 22.04.5 LTS (Linux 6.8.0-87-generic x86_64)
- Compiler: GCC 11.4.0
- ImageMagick: 7.1.2-13 (commit a52c1b402be08ef8ae193f28ac5b2e120f2fa26f)
Step 1: Build ImageMagick with AddressSanitizer
cd ImageMagick ./configure \ CFLAGS="-g -O0 -fsanitize=address -fno-omit-frame-pointer" \ CXXFLAGS="-g -O0 -fsanitize=address -fno-omit-frame-pointer" \ LDFLAGS="-fsanitize=address" \ –disable-openmp make -j$(nproc)
Step 2: Create malformed XML file
Step 3: Place file in OpenCL cache directory
mkdir -p ~/.cache/ImageMagick cp malformed_opencl_profile.xml ~/.cache/ImageMagick/ImagemagickOpenCLDeviceProfile.xml
Step 4: Run ImageMagick with leak detection
export ASAN_OPTIONS="detect_leaks=1:symbolize=1" ./utilities/magick -size 100x100 xc:red output.png
ASAN Output:
=================================================================
==2543490==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 96 byte(s) in 2 object(s) allocated from:
#0 ... in AcquireMagickMemory MagickCore/memory.c:536
#1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:807
Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 ... in ConstantString MagickCore/string.c:692
#1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:878 ← name
Direct leak of 14 byte(s) in 1 object(s) allocated from:
#0 ... in ConstantString MagickCore/string.c:692
#1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:885 ← platform_name
Direct leak of 14 byte(s) in 1 object(s) allocated from:
#0 ... in ConstantString MagickCore/string.c:692
#1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:898 ← vendor_name
Direct leak of 15 byte(s) in 1 object(s) allocated from:
#0 ... in ConstantString MagickCore/string.c:692
#1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:900 ← version
SUMMARY: AddressSanitizer: 203 byte(s) leaked in 18 allocation(s).
Impact
Vulnerability Type: CWE-401 (Missing Release of Memory after Effective Lifetime)
Severity: Low
Who is impacted:
- Users who have OpenCL enabled in ImageMagick
- Systems where an attacker can place or modify files in the OpenCL cache directory (~/.cache/ImageMagick/)
- Long-running ImageMagick processes or services that repeatedly initialize OpenCL
Potential consequences:
- Memory exhaustion over time if the malformed configuration is repeatedly loaded
- Denial of Service (DoS) in resource-constrained environments
Attack Vector: Local - requires write access to the user’s OpenCL cache directory
References
- GHSA-qp59-x883-77qv
- https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2