A memory leak vulnerability exists in the LoadOpenCLDeviceBenchmark() function in MagickCore/opencl.c. When parsing a malformed OpenCL device profile XML file that contains <device elements without the matching /> closing tag, the function fails to release the memory allocated for the string members of the benchmark structure (platform_name, vendor_name, name, version). Repeated parsing of such a file leaks memory on every unterminated element, which could result in resource exhaustion.
Affected Version: ImageMagick 7.1.2-12 and possibly earlier versions
The vulnerability is located in MagickCore/opencl.c, function LoadOpenCLDeviceBenchmark() (lines 754-911).
Root Cause Analysis:
- When a <device tag is encountered, a MagickCLDeviceBenchmark structure is allocated (lines 807-812).
- Its string members (platform, vendor, name, version) are allocated via ConstantString() (lines 878, 885, 898, 900).
- When the /> closing tag is encountered (lines 840-849), the string members and the structure are freed.
- At function exit, the device_benchmark structure is freed, but its member variables are not freed if /> was never parsed.
Vulnerable Code (lines 908-910):
token=(char *) RelinquishMagickMemory(token);
device_benchmark=(MagickCLDeviceBenchmark *) RelinquishMagickMemory(
device_benchmark); // BUG: members (platform_name, vendor_name, name, version) not freed!
Correct cleanup (only executed when /> is found, lines 840-849):
device_benchmark->platform_name=(char *) RelinquishMagickMemory(device_benchmark->platform_name);
device_benchmark->vendor_name=(char *) RelinquishMagickMemory(device_benchmark->vendor_name);
device_benchmark->name=(char *) RelinquishMagickMemory(device_benchmark->name);
device_benchmark->version=(char *) RelinquishMagickMemory(device_benchmark->version);
device_benchmark=(MagickCLDeviceBenchmark *) RelinquishMagickMemory(device_benchmark);
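The leak pattern described above, reduced to a self-contained model. This is an added example, not ImageMagick's code: a whitespace-tokenised profile stands in for the XML parser, the hypothetical tracked_strdup()/tracked_free() wrappers stand in for ConstantString()/RelinquishMagickMemory(), and a live-allocation counter makes the unterminated-<device path measurable. parse_profile() returns the number of strings still live after the function-exit cleanup; fix_cleanup=0 mirrors the vulnerable exit (structure freed, members not), fix_cleanup=1 the hardened exit that releases the members unconditionally.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for MagickCLDeviceBenchmark (assumed layout, example only). */
typedef struct {
  char *platform_name;
  char *vendor_name;
  char *name;
  char *version;
} DeviceBenchmark;

/* Number of strings currently owned by the heap; a non-zero value after
 * the final cleanup is a leak. */
static int live_allocations = 0;

/* Stand-in for ConstantString(): duplicates and counts the allocation. */
static char *tracked_strdup(const char *s) {
  char *copy = malloc(strlen(s) + 1);
  if (copy == NULL) return NULL;
  strcpy(copy, s);
  live_allocations++;
  return copy;
}

/* Stand-in for RelinquishMagickMemory(): frees, uncounts, returns NULL. */
static char *tracked_free(char *p) {
  if (p != NULL) { free(p); live_allocations--; }
  return NULL;
}

/* Replace a member, releasing any previous value first. */
static void set_member(char **slot, const char *value) {
  *slot = tracked_free(*slot);
  *slot = tracked_strdup(value);
}

/* Full release: every string member, then the structure.  This is the
 * cleanup the original performs only on the "/>" branch. */
static DeviceBenchmark *release_benchmark(DeviceBenchmark *b) {
  if (b == NULL) return NULL;
  b->platform_name = tracked_free(b->platform_name);
  b->vendor_name = tracked_free(b->vendor_name);
  b->name = tracked_free(b->name);
  b->version = tracked_free(b->version);
  free(b);
  return NULL;
}

/* Exit-path cleanup.  fix_cleanup=0 reproduces the vulnerable code: the
 * structure is freed but its members are not. */
static DeviceBenchmark *finish(DeviceBenchmark *b, int fix_cleanup) {
  if (fix_cleanup) return release_benchmark(b);
  free(b);
  return NULL;
}

/* Parse a constructed mini-profile: "<device" opens an element, key=value
 * tokens set members, "/>" closes it.  Returns the live-string count
 * after the final cleanup (0 means no leak). */
static int parse_profile(const char *profile, int fix_cleanup) {
  char buffer[256];
  DeviceBenchmark *bench = NULL;
  char *token;

  live_allocations = 0;
  strncpy(buffer, profile, sizeof(buffer) - 1);
  buffer[sizeof(buffer) - 1] = '\0';

  for (token = strtok(buffer, " \n"); token != NULL; token = strtok(NULL, " \n")) {
    if (strcmp(token, "<device") == 0) {
      bench = finish(bench, fix_cleanup);     /* modelling choice for a repeated open */
      bench = calloc(1, sizeof(*bench));
    } else if (strcmp(token, "/>") == 0) {
      bench = release_benchmark(bench);       /* well-formed path: members freed */
    } else if (bench != NULL) {
      char *eq = strchr(token, '=');
      if (eq == NULL) continue;
      *eq = '\0';
      if (strcmp(token, "platform") == 0) set_member(&bench->platform_name, eq + 1);
      else if (strcmp(token, "vendor") == 0) set_member(&bench->vendor_name, eq + 1);
      else if (strcmp(token, "name") == 0) set_member(&bench->name, eq + 1);
      else if (strcmp(token, "version") == 0) set_member(&bench->version, eq + 1);
    }
  }
  bench = finish(bench, fix_cleanup);         /* function-exit cleanup */
  return live_allocations;
}

int main(void) {
  /* Constructed inputs: one well-formed element, one missing its "/>". */
  const char *closed = "<device platform=P vendor=V name=N version=1 />";
  const char *unterminated = "<device platform=P vendor=V name=N version=1";
  printf("closed, vulnerable exit:       %d leaked\n", parse_profile(closed, 0));
  printf("unterminated, vulnerable exit: %d leaked\n", parse_profile(unterminated, 0));
  printf("unterminated, fixed exit:      %d leaked\n", parse_profile(unterminated, 1));
  return 0;
}
```

Running the block shows 0, 4 and 0 leaked strings respectively: the well-formed file is clean on either exit path, and the four member strings escape only when the element is never closed and the exit path frees the structure alone. The same model can be pointed at a build of the real function under AddressSanitizer's LeakSanitizer, which reports exactly this class of unreleased member allocation.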
Environment: 14.10.2
CVSS 3.1 Base Score: 6.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Exploitability: AV:N, AC:H, PR:N, UI:N
Scope: S:U
Impact: C:N, I:L, A:H