Description
Hello all.
We found a denial of service (DoS) issue in Imagemagick-7.0.6-1 Q16 x86_64, which can cause huge CPU and memory consumption.
These issues are quite similar to the bugs we have found in GraphicsMagick (CVE-2017-13775, CVE-2017-13776 and CVE-2017-13777).
The vulnerable code is shown below.
344 if (version == 10)
345 for (i=0; i < (ssize_t) (bytes_per_line*image->rows); (i+=2))
346 {
347 value=XBMInteger(image,hex_digits);
348 *p++=(unsigned char) value;
349 if ((padding == 0) || (((i+2) % bytes_per_line) != 0))
350 *p++=(unsigned char) (value >> 8);
351 }
A crafted XBM image file that claims large image->rows and image->columns but does not contain sufficient backing data causes the loop at line 345 to run over the full claimed size (bytes_per_line*image->rows iterations), since there is no EOF check inside it.
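As an added example (not part of this report and not ImageMagick code), the following C pre-check compares the width/height an XBM header claims with the number of data bytes actually present, so a file like the one described can be rejected before it is handed to the decoder; the function and sample names (xbm_data_sufficient, kGoodXbm, kCraftedXbm) are assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added pre-check, not ImageMagick code: reject an XBM file whose header
 * claims more bytes_per_line*rows than its data section actually holds. */
/* Value of "#define <name><suffix> <number>", or -1 if absent. */
static long xbm_define(const char *text, const char *suffix)
{
    const char *p = text;
    char name[64]; long value;
    while ((p = strstr(p, "#define")) != NULL) {
        if (sscanf(p, "#define %63s %ld", name, &value) == 2) {
            size_t nlen = strlen(name), slen = strlen(suffix);
            if (nlen >= slen && strcmp(name + nlen - slen, suffix) == 0)
                return value;
        }
        p += 7;
    }
    return -1;
}
/* Number of "0x.." literals after the opening brace of the data array. */
static size_t xbm_count_hex(const char *text)
{
    size_t n = 0;
    const char *p = strchr(text, '{');
    while (p != NULL && (p = strstr(p, "0x")) != NULL) { n++; p += 2; }
    return n;
}
/* 1 if the data holds >= ((columns+7)/8)*rows bytes, the size the quoted loop
 * walks; 0 if short, header unusable, or the product would overflow.
 * X10 files ("static short") carry two bytes per literal. */
int xbm_data_sufficient(const char *text, size_t *claimed, size_t *found)
{
    long w = xbm_define(text, "_width"), h = xbm_define(text, "_height");
    if (w <= 0 || h <= 0) return 0;
    size_t bpl = ((size_t) w + 7) / 8;
    if (bpl > SIZE_MAX / (size_t) h) return 0;          /* avoid wraparound */
    size_t expected = bpl * (size_t) h;
    size_t have = xbm_count_hex(text) * (strstr(text, "short") ? 2 : 1);
    if (claimed) *claimed = expected;
    if (found) *found = have;
    return have >= expected;
}
/* Constructed samples: a valid 8x2 bitmap, and one claiming 100000x100000. */
const char kGoodXbm[] = "#define g_width 8\n#define g_height 2\n"
    "static unsigned char g_bits[] = {\n0x01, 0x80 };\n";
const char kCraftedXbm[] = "#define c_width 100000\n#define c_height 100000\n"
    "static unsigned char c_bits[] = {\n0x01, 0x80 };\n";
```

The crafted sample claims 1,250,000,000 data bytes but carries two, which is exactly the mismatch that keeps the quoted loop busy.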
PoC: https://github.com/shqking/imagemagick-poc/blob/master/x_xbm_poc.xbm
The command we were using is: convert x_xbm_poc.xbm test.jpg
In our tests we used a machine with Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz, 4 CPU cores and 16GB RAM.
This issue caused 100% CPU and up to 4GB memory consumption.
Note that this process lasted for more than 7 minutes.
Note that this issue was found by Xiaohei and Wangchu from Alibaba Security Team.