CVE-2017-14172: denial of service (DoS) issue in ReadPSImage():664 in coders/ps.c #715

Closed
shqking opened this issue Aug 31, 2017 · 2 comments
shqking commented Aug 31, 2017

Hello all.
We found a denial of service (DoS) issue in ImageMagick-7.0.7-0 Q16 x86_64, which can cause huge CPU and memory consumption.
Note that this issue is quite similar to issue #712 we have reported.

The vulnerable code is shown below.

 653         /*
 654           Read Photoshop profile.
 655         */
 656         count=(ssize_t) sscanf(command,PhotoshopProfile " %lu",&extent);
 657         if (count != 1)
 658           continue;
 659         length=extent;
 660         profile=BlobToStringInfo((const void *) NULL,length);
 661         if (profile != (StringInfo *) NULL)
 662           {
 663             q=GetStringInfoDatum(profile);
 664             for (i=0; i < (ssize_t) length; i++)
 665               *q++=(unsigned char) ProfileInteger(image,hex_digits);
 666             (void) SetImageProfile(image,"8bim",profile,exception);
 667             profile=DestroyStringInfo(profile);
 668           }
 669         continue;
 670       }

A crafted PS image file, which claims a large length but does not contain sufficient backing data, would cause a large loop at line 664, since there is no EOF check inside.
PoC: https://github.com/shqking/imagemagick-poc/blob/master/x_ps_poc.ps
The command we were using is: convert x_ps_poc.ps test.jpg
In our tests we used a machine with Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz, 4 CPU cores and 16GB RAM.
This issue caused 100% CPU and up to 8GB RAM consumption.
This process lasted for about 30 minutes.

Note that this issue was found by Xiaohei and Wangchu from Alibaba Security Team.
Thanks.
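
The report above describes a loop bounded only by a file-declared length, with no EOF check. The following added example (not ImageMagick code and not the project's patch) sketches the defensive pattern in isolation: reject a declared length the remaining input cannot back, and stop decoding at EOF. `Blob`, `next_hex_byte`, `read_profile` and `decoded_len` are hypothetical names, and the sample inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical in-memory stand-in for the image blob being parsed. */
typedef struct { const char *data; size_t len, pos; } Blob;

/* Decode the next two hex digits into a byte; EOF once the input runs out. */
static int next_hex_byte(Blob *b) {
  int value = 0, digits = 0;
  while (digits < 2) {
    if (b->pos >= b->len) return EOF;
    int c = (unsigned char) b->data[b->pos++];
    if (!isxdigit(c)) continue;            /* skip separators */
    value = (value << 4) | (isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
    digits++;
  }
  return value;
}

/* Read a profile declared as `extent` bytes. Returns the byte count and sets
   *out (caller frees), or returns -1 if the input cannot back that length. */
static long read_profile(Blob *b, unsigned long extent, unsigned char **out) {
  *out = NULL;
  /* Each byte needs two hex digits, so larger lengths are impossible. */
  if (extent == 0 || extent > (b->len - b->pos) / 2) return -1;
  unsigned char *buf = malloc(extent);
  if (buf == NULL) return -1;
  for (unsigned long i = 0; i < extent; i++) {
    int c = next_hex_byte(b);
    if (c == EOF) { free(buf); return -1; }  /* stop at EOF, not at extent */
    buf[i] = (unsigned char) c;
  }
  *out = buf;
  return (long) extent;
}

/* Convenience wrapper: decoded length for a text body, or -1 on rejection. */
static long decoded_len(const char *text, unsigned long extent) {
  Blob b = { text, strlen(text), 0 };
  unsigned char *profile;
  long n = read_profile(&b, extent, &profile);
  free(profile);
  return n;
}

int main(void) {
  /* Constructed inputs: a well-formed body, then an inflated declared length. */
  printf("%ld %ld\n", decoded_len("38 42 49 4D", 4), decoded_len("3842", 4000000000UL));
}
```

The up-front bound avoids the large allocation, and the in-loop check covers input that passes the bound but still ends mid-byte.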

@urban-warrior
Contributor

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@shqking
Author

shqking commented Sep 7, 2017

This is CVE-2017-14172.

@shqking shqking changed the title denial of service (DoS) issue in ReadPSImage():664 in coders/ps.c CVE-2017-14172: denial of service (DoS) issue in ReadPSImage():664 in coders/ps.c Sep 7, 2017