
CPU exhaustion in ReadWPGImage #654

Closed
@jgj212

Description


Version: ImageMagick 7.0.6-6 Q16 x86_64

CPU exhaustion was found in function ReadWPGImage, which allows attackers to cause a denial of service via a crafted file.

```
# ./identify $FILE
```

Here is the critical code

```c
static Image *ReadWPGImage(const ImageInfo *image_info,
  ExceptionInfo *exception)
{
  ....
  Rd_WP_DWORD(image,&Rec.RecordLength);   // line 1037: Rec.RecordLength can be controlled from the file
  ....
  if(Rec.RecordLength > 8)
    image=ExtractPostscript(image,image_info,
      TellBlob(image)+8,   /* skip PS header in the wpg */
      (ssize_t) Rec.RecordLength-8,exception); // Rec.RecordLength-8 is the parameter PS_Size
  break;
  ...
}

static Image *ExtractPostscript(Image *image,const ImageInfo *image_info,
  MagickOffsetType PS_Offset,ssize_t PS_Size,ExceptionInfo *exception)
{
  ...
  while(PS_Size-- > 0)   // PS_Size can be controlled to cause CPU exhaustion and failed I/O
    {
      (void) fputc(ReadBlobByte(image),ps_file);
    }
  ...
}
```

POC: https://github.com/jgj212/poc/blob/master/cpu-ReadWPGImage
Credit: ADLab of Venustech
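Added example, not ImageMagick's code and not from the report: a self-contained C model of the two loop shapes, with an in-memory `Blob` stub standing in for `ReadBlobByte()` and a constructed 12-byte sample (all names here are assumptions). It shows that the reported loop's iteration count tracks the file-supplied `RecordLength` even after the data runs out, while a bounded version rejects a declared length larger than the bytes remaining in the blob and stops on EOF.

```c
#include <stdio.h>
#include <stddef.h>
/* In-memory stand-in for an ImageMagick blob (assumption, not the real type). */
typedef struct { const unsigned char *data; size_t length; size_t offset; } Blob;

/* Mirrors ReadBlobByte(): next byte, or EOF once the data is exhausted. */
static int ReadBlobByteStub(Blob *blob) {
  if (blob->offset >= blob->length) return EOF;
  return blob->data[blob->offset++];
}

/* Shape of the reported loop: runs PS_Size times however little data is left,
   reading EOF on every pass. Returns the iteration count. */
static long CopyPostscriptUnbounded(Blob *blob, long ps_size) {
  long iterations = 0;
  while (ps_size-- > 0) {
    (void) ReadBlobByteStub(blob);   /* EOF after the data ends, but the loop goes on */
    iterations++;
  }
  return iterations;
}

/* Hardened loop: rejects a declared length larger than the bytes left in the
   blob and also stops on EOF. Returns bytes copied, or -1 if rejected. */
static long CopyPostscriptBounded(Blob *blob, long ps_size,
  unsigned char *out, size_t out_cap) {
  size_t remaining = blob->length - blob->offset;
  if (ps_size < 0 || (size_t) ps_size > remaining || (size_t) ps_size > out_cap)
    return -1;   /* file claims more PostScript than exists: refuse the record */
  long copied = 0;
  while (copied < ps_size) {
    int c = ReadBlobByteStub(blob);
    if (c == EOF) break;
    out[copied++] = (unsigned char) c;
  }
  return copied;
}

/* Constructed sample: 8 header bytes, then 4 bytes of PostScript payload. */
static const unsigned char kSample[12] =
  { 'W','P','G',0x01, 'P','S',0x00,0x04, '%','!','P','S' };

/* Runs either loop over the sample with a file-controlled size; the payload
   starts at offset 8, like TellBlob(image)+8 in the report. */
static long RunDemo(int hardened, long ps_size) {
  Blob blob = { kSample, sizeof(kSample), 8 };
  unsigned char out[sizeof(kSample)];
  return hardened ? CopyPostscriptBounded(&blob, ps_size, out, sizeof(out))
                  : CopyPostscriptUnbounded(&blob, ps_size);
}
```

With only 4 payload bytes in the sample, the unbounded loop still iterates 100000 times for a declared size of 100000, while the bounded version returns -1 for that size and 4 for an honest one.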
