VYPR
High severity 8.8 · NVD Advisory · Published Aug 7, 2017 · Updated May 13, 2026

CVE-2017-12669

Description

Memory leak in ImageMagick 7.0.6-2 WriteCALSImage function can exhaust memory when processing specially crafted images.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

ImageMagick version 7.0.6-2 contains a memory leak in the WriteCALSImage function in coders/cals.c. When converting an image to the CALS format, if certain error conditions occur (e.g., failure to clone the image or allocate memory), the write_info structure is not properly freed, leading to a memory leak [1]. The issue is triggered during the convert command when processing a crafted input file.

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted image file that, when processed by ImageMagick's convert command to CALS format, triggers an error path in WriteCALSImage that does not free allocated memory [1]. The attacker does not require authentication, only the ability to deliver the malicious file to a user or service using ImageMagick.

Impact

Successful exploitation leads to a memory leak, which can gradually exhaust available memory, causing a denial of service (DoS) condition [1]. As shown in the AddressSanitizer report, 13024 bytes are leaked each time such an image is processed. Repeated processing of such images can cause the application or system to run out of memory.

Mitigation

The fix was implemented in commit 73b6c35 [2] by adding DestroyImageInfo(write_info) calls before returning on error paths in WriteCALSImage. Users should update to a patched version of ImageMagick. If immediate update is not possible, avoid processing untrusted images with the CALS format until the patch is applied.
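The error-path pattern described above, as an added example that is not ImageMagick's code: a simplified model in which a fixed-size pool stands in for process memory, showing the leaking return beside the form that releases `write_info` first. All names (`clone_info`, `destroy_info`, `write_vulnerable`, `write_fixed`, `benign_result_after`) and the `crafted` flag that simulates the error condition are hypothetical.

```c
/* Simplified model of the leak pattern; not ImageMagick source.
   The fixed-size pool stands in for process memory (assumption). */
#include <stdio.h>

#define POOL_SLOTS 8
typedef struct { int slot; } Info;          /* stand-in for ImageInfo */
static int in_use[POOL_SLOTS];
static Info pool[POOL_SLOTS];

static Info *clone_info(void) {             /* stand-in for the allocation */
    for (int s = 0; s < POOL_SLOTS; s++)
        if (!in_use[s]) { in_use[s] = 1; pool[s].slot = s; return &pool[s]; }
    return NULL;                            /* pool exhausted */
}
static void destroy_info(Info *i) { in_use[i->slot] = 0; }  /* models DestroyImageInfo */

/* Return 1 on success, 0 on a write error, -1 when no memory is left.
   'crafted' simulates the error condition hit by a crafted input. */
int write_vulnerable(int crafted) {
    Info *write_info = clone_info();
    if (write_info == NULL) return -1;
    if (crafted) return 0;                  /* error path: write_info is never released */
    destroy_info(write_info);
    return 1;
}

int write_fixed(int crafted) {
    Info *write_info = clone_info();
    if (write_info == NULL) return -1;
    if (crafted) { destroy_info(write_info); return 0; }  /* release, then return */
    destroy_info(write_info);
    return 1;
}

/* Feed n crafted inputs, then one well-formed input, and return its result. */
int benign_result_after(int (*writer)(int), int n) {
    for (int s = 0; s < POOL_SLOTS; s++) in_use[s] = 0;   /* start from an empty pool */
    for (int k = 0; k < n; k++) writer(1);
    return writer(0);
}

int main(void) {
    printf("vulnerable, after %d crafted inputs: %d\n", POOL_SLOTS,
           benign_result_after(write_vulnerable, POOL_SLOTS));
    printf("fixed, after %d crafted inputs: %d\n", POOL_SLOTS,
           benign_result_after(write_fixed, POOL_SLOTS));
    return 0;
}
```

In the model, the leaking writer leaves every slot occupied after eight failed writes, so the next well-formed write fails for lack of memory, while the fixed writer keeps succeeding.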

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

16


References

2
