CVE-2017-14174: denial of service (DoS) issue in ReadPSDLayersInternal():1707 in coders/psd.c #714

Closed
@shqking

Description

Hello all.
We found a denial of service (DoS) issue in Imagemagick-7.0.7-0 Q16 x86_64, which can cause huge CPU consumption.
Note that this issue is quite similar to issue #712 we have reported.

The vulnerable code is shown below.

```c
1707                 for (j=0; j < (ssize_t) length; j+=8)
1708                 {
1709                   size_t blend_source=ReadBlobLong(image);
1710                   size_t blend_dest=ReadBlobLong(image);
1711                   if (image->debug != MagickFalse)
1712                     (void) LogMagickEvent(CoderEvent,GetMagickModule(),
1713                       "        source(%x), dest(%x)",(unsigned int)
1714                       blend_source,(unsigned int) blend_dest);
1715                 }
```

A crafted PSD image file, which claims large length but does not contain sufficient backing data, would cause a large loop at line 1707 since there is no EOF check inside.
PoC: https://github.com/shqking/imagemagick-poc/blob/master/x_psd_poc.psd
The command we were using is `convert x_psd_poc.psd test.jpg`
In our tests we used a machine with Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz, 4 CPU cores and 16GB RAM.
This issue caused 100% CPU for more than 3 and a half minutes.

Note that this issue was found by Xiaohei and Wangchu from Alibaba Security Team.
Thanks.
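Added example, not code from the issue or from ImageMagick: a minimal C model of the loop reported above, using a hypothetical in-memory `Blob` and `blob_read_long` in place of the real blob API. It places the unchecked form beside a form that clamps the claimed `length` to the bytes actually remaining and stops on EOF, so the work done is bounded by the data in the file rather than by an attacker-supplied header value.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for ImageMagick's blob (hypothetical names):
   an in-memory buffer with a read cursor and an EOF flag. */
typedef struct { const uint8_t *data; size_t size, pos; int eof; } Blob;

/* Mimics ReadBlobLong: 4 big-endian bytes, or 0 with eof set when short. */
static uint32_t blob_read_long(Blob *b) {
  if (b->size - b->pos < 4) { b->pos = b->size; b->eof = 1; return 0; }
  uint32_t v = ((uint32_t)b->data[b->pos] << 24) | ((uint32_t)b->data[b->pos + 1] << 16)
             | ((uint32_t)b->data[b->pos + 2] << 8) | b->data[b->pos + 3];
  b->pos += 4;
  return v;
}

/* Unchecked shape: trusts the claimed length and loops regardless of EOF.
   Returns the number of iterations executed. */
static size_t read_blend_pairs_unchecked(Blob *b, size_t length) {
  size_t iterations = 0;
  for (size_t j = 0; j < length; j += 8) {
    (void)blob_read_long(b);  /* blend_source */
    (void)blob_read_long(b);  /* blend_dest */
    iterations++;
  }
  return iterations;
}

/* Hardened shape: a section cannot be longer than what is left of the file,
   and the loop stops as soon as the reader reports EOF. */
static size_t read_blend_pairs_checked(Blob *b, size_t length) {
  size_t remaining = b->size - b->pos;
  if (length > remaining) length = remaining;
  size_t iterations = 0;
  for (size_t j = 0; j < length; j += 8) {
    (void)blob_read_long(b);
    (void)blob_read_long(b);
    iterations++;
    if (b->eof) break;
  }
  return iterations;
}

/* Constructed sample: 16 bytes of backing data, header claims 1,000,000. */
static const uint8_t kSample[16] = {0};

size_t demo_unchecked(void) { Blob b = {kSample, sizeof kSample, 0, 0}; return read_blend_pairs_unchecked(&b, 1000000); }
size_t demo_checked(void)   { Blob b = {kSample, sizeof kSample, 0, 0}; return read_blend_pairs_checked(&b, 1000000); }
```

With the constructed 16-byte sample, the unchecked loop runs 125,000 times on a file that holds only two blend pairs, while the checked loop runs twice.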
