CVE-2017-14175: denial of service (DoS) issue in ReadXBMImage():345 in coders/xbm.c #712

Closed
shqking opened this issue Aug 31, 2017 · 7 comments

@shqking

shqking commented Aug 31, 2017

Hello all.
We found a denial of service (DoS) issue in Imagemagick-7.0.6-1 Q16 x86_64, which can cause huge CPU and memory consumption.
These issues are quite similar to the bugs we have found in GraphicsMagick (CVE-2017-13775, CVE-2017-13776 and CVE-2017-13777).

The vulnerable code is shown below.

344   if (version == 10)
345     for (i=0; i < (ssize_t) (bytes_per_line*image->rows); (i+=2))
346     {
347       value=XBMInteger(image,hex_digits);
348       *p++=(unsigned char) value;
349       if ((padding == 0) || (((i+2) % bytes_per_line) != 0))
350         *p++=(unsigned char) (value >> 8);
351     }

A crafted XBM image file, which claims large image->rows and image->columns but does not contain sufficient backing data, would cause a large and heavy loop at line 345 since there is no EOF check inside.
PoC: https://github.com/shqking/imagemagick-poc/blob/master/x_xbm_poc.xbm
The command we were using is: convert x_xbm_poc.xbm test.jpg
In our tests we used a machine with Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz, 4 CPU cores and 16GB RAM.
This issue caused 100% CPU and up to 4GB memory consumption.
Note that this process lasted for more than 7 minutes.

Note that this issue was found by Xiaohei and Wangchu from Alibaba Security Team.
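
An added example, not ImageMagick's code or its patch: a reduced C model of the version-10 read loop quoted in the report, with the end-of-input check the report says is missing and a check of the claimed size against the remaining input before any allocation. The `Stream` type and the functions `next_byte`, `read_hex` and `decode_xbm10` are hypothetical stand-ins, and the model assumes an even `bytes_per_line`.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed in-memory input standing in for the XBM data section. */
typedef struct { const char *data; size_t len, pos; } Stream;

static int next_byte(Stream *s) {
  return s->pos < s->len ? (unsigned char) s->data[s->pos++] : EOF;
}

/* Next hex literal (e.g. 0x1f2e) as a 16-bit value, or -1 at end of input. */
static long read_hex(Stream *s) {
  long value = 0;
  int c, seen = 0;
  while ((c = next_byte(s)) != EOF && c != 'x' && c != 'X') { }
  while ((c = next_byte(s)) != EOF && isxdigit(c)) {
    int d = isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
    value = ((value << 4) | d) & 0xffff;
    seen = 1;
  }
  return seen ? value : -1;
}

/* Returns bytes stored in *out (caller frees), or -1 if the claimed size
   overflows, exceeds what the input could encode, or the data ends early. */
static long decode_xbm10(Stream *s, size_t bytes_per_line, size_t rows,
                         int padding, unsigned char **out) {
  size_t i, total;
  unsigned char *p;
  *out = NULL;
  if (bytes_per_line == 0 || (bytes_per_line & 1) ||
      rows > SIZE_MAX / bytes_per_line)
    return -1;
  total = bytes_per_line * rows;
  /* Two output bytes need at least "x" plus one digit: reject before malloc. */
  if (total > s->len - s->pos) return -1;
  if ((p = *out = malloc(total ? total : 1)) == NULL) return -1;
  for (i = 0; i < total; i += 2) {
    long value = read_hex(s);
    if (value < 0) {  /* the EOF check the reported loop lacks */
      free(*out); *out = NULL;
      return -1;
    }
    *p++ = (unsigned char) value;
    if (padding == 0 || ((i + 2) % bytes_per_line) != 0)
      *p++ = (unsigned char) (value >> 8);
  }
  return (long) (p - *out);
}
```

With either check in place, the work done is bounded by the size of the file rather than by the dimensions its header claims.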

@urban-warrior
Contributor

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@shqking
Author

shqking commented Aug 31, 2017

Can we request a CVE ID for this issue?
If yes, please credit it to Xiaohei and Wangchu from Alibaba Security Team.

@urban-warrior
Contributor

Yes, request a CVE.

@shqking
Author

shqking commented Aug 31, 2017

I mean can we request a CVE ID from you, or do we have to get one from MITRE?

@urban-warrior
Contributor

We don't issue CVEs.

@shqking
Author

shqking commented Aug 31, 2017

OK. I see.
Thanks for your reply.

@shqking
Author

shqking commented Sep 7, 2017

This is CVE-2017-14175.

@shqking changed the title from "denial of service (DoS) issue in ReadXBMImage():345 in coders/xbm.c" to "CVE-2017-14175: denial of service (DoS) issue in ReadXBMImage():345 in coders/xbm.c" on Sep 7, 2017