CVE-2018-14436

An attacker provides a crafted MIFF image file that triggers the `ReadMIFFImage` code path in ImageMagick 7.0.8-4 [ref_id=1]. The image must have a colormap and a quantum depth value that falls into the `default` case of the depth switch statement, causing `ThrowWriterException` to be invoked [ref_id=1]. Because the colormap memory is allocated before the switch but freed only in the normal branches, the exception path leaks the allocated buffer [ref_id=1]. Repeatedly processing such crafted images can exhaust available memory, leading to a denial-of-service condition.

The memory leak is in `ReadMIFFImage` in `coders/miff.c` [ref_id=1]. The allocation occurs at the colormap allocation block (around line 2420), where `AcquireQuantumMemory` is called for the colormap buffer [ref_id=1]. The `default` case in the `switch (quantum_info->depth)` statement throws an exception via `ThrowWriterException(CorruptImageError,"ImageDepthNotSupported")` without freeing the previously allocated colormap memory [ref_id=1].

The advisory does not include a patch diff, but the fix is implied by the bug report: the colormap memory must be freed before the `ThrowWriterException` call in the `default` branch of the depth switch [ref_id=1]. The reporter notes that the colormap is freed in the normal branch but "forgot free it in exception branch" [ref_id=1]. A proper fix would add a `colormap` deallocation (e.g., `colormap=(unsigned char *) RelinquishMagickMemory(colormap);`) immediately before each `ThrowWriterException` call that can be reached after the colormap allocation, or restructure the code to ensure cleanup occurs on all exit paths.