cpu exhaustion in ReadWPGImage #654

Closed
jgj212 opened this issue Aug 6, 2017 · 2 comments
jgj212 commented Aug 6, 2017

Version: ImageMagick 7.0.6-6 Q16 x86_64

CPU exhaustion was found in the function ReadWPGImage, which allows attackers to cause a denial of service via a crafted file.

#./identify $FILE

Here is the critical code

static Image *ReadWPGImage(const ImageInfo *image_info,
  ExceptionInfo *exception)
{
....
Rd_WP_DWORD(image,&Rec.RecordLength);   //1037, Rec.RecordLength can be controlled from file
....
if(Rec.RecordLength > 8)
                image=ExtractPostscript(image,image_info,
                  TellBlob(image)+8,   /* skip PS header in the wpg */
                  (ssize_t) Rec.RecordLength-8,exception); // Rec.RecordLength-8,  is parameter PS_Size
              break;   
...
}

static Image *ExtractPostscript(Image *image,const ImageInfo *image_info,
  MagickOffsetType PS_Offset,ssize_t PS_Size,ExceptionInfo *exception)
{
...
  while(PS_Size-- > 0)   // PS_Size can be controlled to cause cpu exhaustion and failed I/O
    {
      (void) fputc(ReadBlobByte(image),ps_file);
    }
...
}

POC: https://github.com/jgj212/poc/blob/master/cpu-ReadWPGImage
Credit: ADLab of Venustech
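
An added example, not part of the original report and not ImageMagick's actual patch: it contrasts the copy loop quoted above, which runs once per declared byte even after the input is exhausted, with a variant that checks the declared length against the data that remains and stops at EOF. `Blob`, `blob_read_byte`, `copy_unchecked`, `copy_bounded` and `run_demo` are hypothetical names, and the 4-byte record body is constructed.

```c
#include <stdio.h>

/* Hypothetical in-memory stand-in for ImageMagick's blob I/O. */
typedef struct { const unsigned char *data; size_t size, pos; } Blob;

/* Like ReadBlobByte: next byte, or EOF once the data is exhausted. */
static int blob_read_byte(Blob *b) {
  return b->pos < b->size ? b->data[b->pos++] : EOF;
}

/* Pattern from the report: trusts the declared length, ignores EOF. Returns iterations run. */
static long copy_unchecked(Blob *b, FILE *out, long declared) {
  long iterations = 0;
  while (declared-- > 0) {
    (void) fputc(blob_read_byte(b), out);  /* past EOF this still writes a byte */
    iterations++;
  }
  return iterations;
}

/* Bounded variant: returns bytes copied, or -1 if the length exceeds the remaining data. */
static long copy_bounded(Blob *b, FILE *out, long declared) {
  long copied = 0;
  if (declared < 0 || (size_t) declared > b->size - b->pos)
    return -1;
  while (declared-- > 0) {
    int c = blob_read_byte(b);
    if (c == EOF) break;                   /* defensive: never loop past the input */
    (void) fputc(c, out);
    copied++;
  }
  return copied;
}

/* Runs one strategy over a constructed 4-byte record body. */
static long run_demo(long declared, int bounded) {
  static const unsigned char body[] = { '%', '!', 'P', 'S' };  /* constructed */
  Blob b = { body, sizeof body, 0 };
  FILE *out = tmpfile();
  long n;
  if (out == NULL) return -2;
  n = bounded ? copy_bounded(&b, out, declared) : copy_unchecked(&b, out, declared);
  fclose(out);
  return n;
}

int main(void) {
  printf("unchecked: %ld  bounded: %ld\n", run_demo(1000000L, 0), run_demo(1000000L, 1));
  return 0;
}
```

With a declared length of 1,000,000 over 4 bytes of input, the unchecked loop performs 1,000,000 reads and writes, while the bounded variant rejects the record before copying anything.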

jgj212 changed the title from "memory exhaustion in ReadWPGImage" to "cpu exhaustion in ReadWPGImage" on Aug 6, 2017
@mikayla-grace

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

nohmask commented Sep 13, 2017

This was assigned CVE-2017-14341.
