Description
Hello all.
We found a denial of service (DoS) issue in Imagemagick-7.0.7-0 Q16 x86_64, which can cause huge CPU and memory consumption.
Note that this issue is quite similar to issue #712 we have reported.
The vulnerable code is shown below (line numbers are those of the file as shipped in this release).

```c
653     /*
654       Read Photoshop profile.
655     */
656     count=(ssize_t) sscanf(command,PhotoshopProfile " %lu",&extent);
657     if (count != 1)
658       continue;
659     length=extent;                 /* length comes solely from the file's declared extent */
660     profile=BlobToStringInfo((const void *) NULL,length);
661     if (profile != (StringInfo *) NULL)
662       {
663         q=GetStringInfoDatum(profile);
664         for (i=0; i < (ssize_t) length; i++)   /* no EOF check: iterates the full claimed length */
665           *q++=(unsigned char) ProfileInteger(image,hex_digits);
666         (void) SetImageProfile(image,"8bim",profile,exception);
667         profile=DestroyStringInfo(profile);
668       }
669     continue;
670   }
```
A crafted PS image file, which claims large length but does not contain sufficient backing data, would cause a large loop at line 664 since there is no EOF check inside.
PoC: https://github.com/shqking/imagemagick-poc/blob/master/x_ps_poc.ps
The command we were using is `convert x_ps_poc.ps test.jpg`
In our tests we used a machine with Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz, 4 CPU cores and 16GB RAM.
This issue caused 100% CPU and up to 8GB RAM consumption.
This process lasted for about 30 minutes.
Note that this issue was found by Xiaohei and Wangchu from Alibaba Security Team.
Thanks.
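An added illustration, not code from the report or from ImageMagick: the declared-extent pattern from lines 656-665 beside a hardened reader that caps the length, refuses an extent the remaining input cannot back, and stops at end of input. The `%BeginPhotoshop:` prefix, the 16 MiB cap, the `next_hex` stand-in for `ProfileInteger()` and the sample input are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
/* Constructed sample input (not the PoC file): a profile header that
   claims 1,000,000 bytes, followed by only three hex-encoded bytes. */
static const char kCommand[] = "%BeginPhotoshop: 1000000\n";
static const char kPayload[] = "% 41 42 43\n";
static const size_t kPayloadLen = sizeof(kPayload) - 1;

#define MAX_PROFILE_BYTES (16UL * 1024 * 1024) /* assumed sanity cap */

/* Reported pattern: the declared extent alone sets the allocation size
   and the loop count; nothing compares it against the data present. */
size_t vulnerable_loop_count(const char *command) {
    unsigned long extent = 0;
    if (sscanf(command, "%%BeginPhotoshop: %lu", &extent) != 1) return 0;
    return (size_t) extent;
}

/* Next hex digit value in p, skipping separators; -1 at end of input.
   Stand-in for ProfileInteger(), not ImageMagick's code. */
static int next_hex(const char *p, size_t len, size_t *pos) {
    while (*pos < len && !isxdigit((unsigned char) p[*pos])) (*pos)++;
    if (*pos >= len) return -1;
    int c = tolower((unsigned char) p[(*pos)++]);
    return isdigit(c) ? c - '0' : c - 'a' + 10;
}

/* Hardened reader: cap the declared extent before allocating, refuse an
   extent the remaining input cannot back, and stop at end of input rather
   than trusting the count. Returns bytes decoded, or -1 on rejection. */
long hardened_read_profile(const char *command, const char *payload,
                           size_t payload_len, unsigned char **out) {
    unsigned long extent = 0;
    *out = NULL;
    if (sscanf(command, "%%BeginPhotoshop: %lu", &extent) != 1) return -1;
    if (extent > MAX_PROFILE_BYTES || extent > payload_len / 2) return -1;
    unsigned char *buf = malloc(extent ? extent : 1);
    if (buf == NULL) return -1;
    size_t pos = 0, n = 0;
    for (; n < extent; n++) {
        int hi = next_hex(payload, payload_len, &pos);
        int lo = next_hex(payload, payload_len, &pos);
        if (hi < 0 || lo < 0) break;        /* the EOF check the report asks for */
        buf[n] = (unsigned char) ((hi << 4) | lo);
    }
    *out = buf;
    return (long) n;
}
```

With the sample header the vulnerable path would loop 1,000,000 times; the hardened reader rejects it up front, and for a count that passes the pre-check but outruns the data it returns only the bytes actually present.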