Improper control of interaction frequency In magick.net-q16-openmp-x64
Description
ImageMagick has a Memory Leak in magick stream
Summary
In ImageMagick's magick stream command, specifying multiple consecutive %d format specifiers in a filename template causes a memory leak.
Details
Vulnerability Type: Memory leak
Affected Version: ImageMagick 7.1.1-47 (as of commit 82572afc, June 2025)
Reproduction
Tested Environment
Operating System: Ubuntu 22.04 LTS
Architecture: x86_64
Compiler: gcc with AddressSanitizer (gcc version: 11.4.0)
Reproduction Steps
# Clone source git clone --depth 1 --branch 7.1.1-47 https://github.com/ImageMagick/ImageMagick.git ImageMagick-7.1.1 cd ImageMagick-7.1.1 # Build with ASan CFLAGS="-g -O0 -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="$CFLAGS" LDFLAGS="-fsanitize=address" ./configure --enable-maintainer-mode --enable-shared && make -j$(nproc) && make install # Trigger crash...
Output
$ magick stream %d%d a a stream: no decode delegate for this image format `' @ error/constitute.c/ReadImage/746. stream: missing an image filename `a' @ error/stream.c/StreamImageCommand/755. ================================================================= ==114==ERROR: LeakSanitizer: detected memory leaks Direct leak of 152 byte(s) in 1 object(s) allocated from:...
Commits
Fixed in https://github.com/ImageMagick/ImageMagick/commit/fc3ab0812edef903bbb2473c0ee652ddfd04fe5c and https://github.com/ImageMagick/ImageMagick6/commit/d49460522669232159c2269fa64f73ed30555c1b
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 nuget | 14.7.0 | ||
nuget | 14.7.0 | ||
nuget | 14.7.0 | ||
nuget | 14.7.0 | ||
nuget | 14.7.0 | ||
nuget | 14.7.0 | ||
nuget | 14.7.0 | ||
 debian 11 | 8:6.9.11.60+dfsg-1.3+deb11u6 | ||
debian 12 | 8:6.9.11.60+dfsg-1.6+deb12u4 | ||
debian 13 | 8:7.1.1.43+dfsg1-1+deb13u1 |
1-10 of 24
10
Aliases
References