Description
Version: ImageMagick 7.0.6-6 Q16 x86_64
CPU exhaustion was found in the function ReadWPGImage, which allows attackers to cause a denial of service via a crafted file.
Reproduce with:

```
# ./identify $FILE
```

Here is the critical code (excerpt from coders/wpg.c):

```c
static Image *ReadWPGImage(const ImageInfo *image_info,
  ExceptionInfo *exception)
{
  ....
  Rd_WP_DWORD(image,&Rec.RecordLength); /* line 1037: Rec.RecordLength is read from the file, so it is attacker-controlled */
  ....
  if(Rec.RecordLength > 8)
    image=ExtractPostscript(image,image_info,
      TellBlob(image)+8,   /* skip PS header in the wpg */
      (ssize_t) Rec.RecordLength-8,exception); /* Rec.RecordLength-8 becomes the PS_Size parameter */
  break;
  ...
}

static Image *ExtractPostscript(Image *image,const ImageInfo *image_info,
  MagickOffsetType PS_Offset,ssize_t PS_Size,ExceptionInfo *exception)
{
  ...
  /* PS_Size is attacker-controlled; the loop runs PS_Size times even after
     ReadBlobByte() starts returning EOF, causing CPU exhaustion and failed I/O */
  while(PS_Size-- > 0)
  {
    (void) fputc(ReadBlobByte(image),ps_file);
  }
  ...
}
```
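To make the failure mode concrete, here is an added, self-contained example (not ImageMagick's code and not the project's actual patch): a minimal stand-in for the blob reader, the loop as reported, and a hardened variant that clamps the attacker-controlled length to the bytes actually present and stops on EOF. The 24-byte sample blob, the 8-byte header skip and the claimed length of 1,000,000 are constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed stand-in for ImageMagick's blob: ReadBlobByte() returns EOF past the end. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } Blob;

static int blob_read_byte(Blob *b) {
    if (b->pos >= b->len) return EOF;
    return b->data[b->pos++];
}

/* Mirrors the reported loop: it iterates PS_Size times regardless of EOF.
   Returns the iteration count so the wasted work is observable. */
size_t extract_ps_as_reported(Blob *b, ssize_t ps_size) {
    size_t iterations = 0;
    while (ps_size-- > 0) {
        (void) blob_read_byte(b);   /* EOF is written out over and over */
        iterations++;
    }
    return iterations;
}

/* Hardened variant (assumed fix, not ImageMagick's own): clamp PS_Size to the
   bytes that really remain in the blob and stop as soon as EOF is seen. */
size_t extract_ps_hardened(Blob *b, ssize_t ps_size, uint8_t *out, size_t out_cap) {
    size_t copied = 0;
    if (ps_size <= 0) return 0;
    size_t remaining = (b->pos < b->len) ? b->len - b->pos : 0;
    size_t want = (size_t) ps_size;
    if (want > remaining) want = remaining;          /* clamp before looping */
    while (copied < want && copied < out_cap) {
        int c = blob_read_byte(b);
        if (c == EOF) break;                         /* never spin past the end */
        out[copied++] = (uint8_t) c;
    }
    return copied;
}

/* Constructed 24-byte "file": 8-byte header followed by 16 payload bytes. */
static const uint8_t sample_blob[24] = {0};

size_t demo_reported(ssize_t claimed_size) {
    Blob b = { sample_blob, sizeof sample_blob, 8 };   /* TellBlob()+8 */
    return extract_ps_as_reported(&b, claimed_size);
}

size_t demo_hardened(ssize_t claimed_size) {
    Blob b = { sample_blob, sizeof sample_blob, 8 };
    uint8_t out[64];
    return extract_ps_hardened(&b, claimed_size, out, sizeof out);
}
```

With a claimed length of 1,000,000 the reported loop performs 1,000,000 iterations on a 24-byte input, while the hardened variant copies only the 16 bytes that exist.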
POC: https://github.com/jgj212/poc/blob/master/cpu-ReadWPGImage
Credit: ADLab of Venustech