
CVE-2017-14175: denial of service (DoS) issue in ReadXBMImage():345 in coders/xbm.c #712

Closed
@shqking

Hello all.
We found a denial of service (DoS) issue in ImageMagick-7.0.6-1 Q16 x86_64, which can cause huge CPU and memory consumption.
These issues are quite similar to the bugs we have found in GraphicsMagick (CVE-2017-13775, CVE-2017-13776 and CVE-2017-13777).

The vulnerable code is shown below.

344   if (version == 10)
345     for (i=0; i < (ssize_t) (bytes_per_line*image->rows); (i+=2))
346     {
347       value=XBMInteger(image,hex_digits);
348       *p++=(unsigned char) value;
349       if ((padding == 0) || (((i+2) % bytes_per_line) != 0))
350         *p++=(unsigned char) (value >> 8);
351     }

A crafted XBM image file, which claims large image->rows and image->columns but does not contain sufficient backing data, would cause a large and heavy loop at line 345 since there is no EOF check inside.
PoC: https://github.com/shqking/imagemagick-poc/blob/master/x_xbm_poc.xbm
The command we were using is convert x_xbm_poc.xbm test.jpg
In our tests we used a machine with Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz, 4 CPU cores and 16GB RAM.
This issue caused 100% CPU and up to 4GB memory consumption.
Note that this process lasted for more than 7 minutes.

Note that this issue was found by Xiaohei and Wangchu from Alibaba Security Team.
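
The missing end-of-data check described in the report, shown as an added example that is not part of the original issue or of ImageMagick's code: a simplified loop of the same shape, run with and without a stop at EOF. `Blob`, `read_hex` and `decode_iterations` are hypothetical names, and the input string is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* In-memory stand-in for the image blob (hypothetical, not ImageMagick's API). */
typedef struct { const char *data; size_t len, pos; } Blob;
/* Read the next "0x.." token; returns -1 once the data is exhausted. */
static long read_hex(Blob *b)
{
  long value = 0;
  int seen = 0;
  while (b->pos < b->len) {
    int c = (unsigned char) b->data[b->pos++];
    if (c == 'x' || c == 'X') { value = 0; continue; }
    if (isxdigit(c)) {
      value = value * 16 + (isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
      seen = 1;
    } else if (seen)
      return value;                      /* delimiter ends the token */
  }
  return seen ? value : -1;
}

/* Returns the loop iteration count; check_eof=0 keeps the reported loop shape. */
static size_t decode_iterations(const char *text, size_t bytes_per_line,
                                size_t rows, int check_eof)
{
  Blob b = { text, strlen(text), 0 };
  size_t total = bytes_per_line * rows, i, n = 0;   /* assumed even */
  unsigned char *out = calloc(total ? total : 1, 1);
  if (out == NULL) return 0;
  for (i = 0; i + 1 < total; i += 2) {
    long value = read_hex(&b);
    n++;
    if (check_eof && value < 0) break;   /* truncated data: stop reading */
    out[i] = (unsigned char) value;
    out[i + 1] = (unsigned char) (value >> 8);
  }
  free(out);
  return n;
}
int main(void)
{
  const char *truncated = "0x00ff, 0x1234,";   /* constructed: only 2 values */
  printf("unchecked=%zu checked=%zu\n", decode_iterations(truncated, 64, 256, 0),
         decode_iterations(truncated, 64, 256, 1));
  return 0;
}
```

Without the check, the iteration count follows the declared dimensions alone; with it, the loop ends on the first read past the available data.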
