CVE-2017-12667
Description
ImageMagick 7.0.6-1 has a memory leak in ReadMATImage when processing corrupt MAT files, leading to resource exhaustion.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
ImageMagick version 7.0.6-1 contains a memory leak vulnerability in the ReadMATImage function located in coders/mat.c [1]. When a malformed MAT file is processed, the code path that jumps to the MATLAB_KO label does not properly deallocate the clone_info structure before throwing an exception, resulting in unreleased memory allocations [2]. This affects all systems using this version of ImageMagick to process MATLAB MAT files.
Exploitation
An attacker can trigger the vulnerability by providing a specially crafted MAT file that fails the header identifier check (strncmp(MATLAB_HDR.identific, "MATLAB", 6) != 0) [1]. The attacker only needs to deliver this file to a victim who then processes it with ImageMagick's identify or convert commands. No authentication or special privileges are required beyond the ability to supply the malformed file as input.
Impact
Successful exploitation causes a direct memory leak of at least 13,024 bytes and indirect leaks of 9,096 and 88 bytes [1]. Repeated processing of malicious MAT files can exhaust memory, potentially causing denial of service (DoS) by crashing the application or making the system unresponsive. The impact is primarily to availability, with no direct confidentiality or integrity compromise.
Mitigation
ImageMagick committed a fix (commit bfb7915, date unspecified) that adds clone_info=DestroyImageInfo(clone_info); before the ThrowReaderException call in the error handler [2]. Users should upgrade to a version of ImageMagick that includes this fix (e.g., 7.0.6-2 or later). If upgrading is not possible, avoid processing MAT files from untrusted sources as a workaround. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
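The error-path pattern described above, as an added example that is not ImageMagick source: a simplified model in which a reader allocates clone_info, rejects the header, and jumps to a MATLAB_KO-style label with and without the release the fix adds. The names info_t, clone_info_new, destroy_info, read_mat_model and leaked_after are hypothetical, and the input is a constructed sample.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the error path, NOT ImageMagick source. info_t,
   clone_info_new, destroy_info and read_mat_model are hypothetical names. */
typedef struct info { struct info *next; char scratch[64]; } info_t;
static info_t *live = NULL;            /* allocations not yet released */

static info_t *clone_info_new(void) {
    info_t *p = calloc(1, sizeof *p);
    if (p != NULL) { p->next = live; live = p; }
    return p;
}

/* Same idiom as DestroyImageInfo: release, return NULL for reassignment. */
static info_t *destroy_info(info_t *p) {
    for (info_t **pp = &live; *pp != NULL; pp = &(*pp)->next)
        if (*pp == p) { *pp = p->next; free(p); break; }
    return NULL;
}

/* Returns 0 on success, -1 when the header is rejected.
   patched == 0 reproduces the leak; patched == 1 releases clone_info first. */
static int read_mat_model(const unsigned char *buf, size_t len, int patched) {
    info_t *clone_info = clone_info_new();
    if (clone_info == NULL) return -1;
    if (len < 6 || strncmp((const char *)buf, "MATLAB", 6) != 0)
        goto matlab_ko;
    clone_info = destroy_info(clone_info);   /* normal exit after decoding */
    return 0;
matlab_ko:
    if (patched)
        clone_info = destroy_info(clone_info);   /* the line the fix adds */
    return -1;                           /* stands in for the exception */
}

/* Feed n inputs, then count (and reclaim) what the reader left allocated. */
static long leaked_after(const char *input, int n, int patched) {
    long count = 0;
    for (int i = 0; i < n; i++)
        read_mat_model((const unsigned char *)input, strlen(input), patched);
    while (live != NULL) { destroy_info(live); count++; }
    return count;
}

int main(void) {
    const char *corrupt = "NOTMAT constructed sample header";
    printf("unpatched: %ld leaked\n", leaked_after(corrupt, 1000, 0));
    printf("patched:   %ld leaked\n", leaked_after(corrupt, 1000, 1));
    return 0;
}
```

The unpatched path leaves one allocation behind per rejected file, which is why a long-running service that processes untrusted MAT files grows without bound while a one-shot command-line run only leaks until the process exits.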
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:imagemagick:imagemagick:7.0.6-1:*:*:*:*:*:*:*
- (no CPE) range: = 7.0.6-1
- osv-coords, 14 versions:
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP2 (no CPE) range: < 6.8.8.1-71.26.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3 (no CPE) range: < 6.8.8.1-71.26.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4 (no CPE) range: < 6.4.3.6-7.78.22.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2 (no CPE) range: < 6.8.8.1-71.26.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3 (no CPE) range: < 6.8.8.1-71.26.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2 (no CPE) range: < 6.8.8.1-71.26.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4 (no CPE) range: < 6.4.3.6-7.78.22.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 (no CPE) range: < 6.8.8.1-71.26.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 (no CPE) range: < 6.8.8.1-71.26.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4 (no CPE) range: < 6.4.3.6-7.78.22.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2 (no CPE) range: < 6.8.8.1-71.26.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3 (no CPE) range: < 6.8.8.1-71.26.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP2 (no CPE) range: < 6.8.8.1-71.26.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP3 (no CPE) range: < 6.8.8.1-71.26.1
Patches
No patches discovered yet.
References
- github.com/ImageMagick/ImageMagick/commit/bfb7915d4b2e11acb6a819e451c382dc645277db (nvd: Patch, Vendor Advisory)
- github.com/ImageMagick/ImageMagick/issues/553 (nvd: Issue Tracking, Patch, Vendor Advisory)