CVE-2017-14172: denial of service (DoS) issue in ReadPSImage():664 in coders/ps.c #715

Closed
@shqking

Hello all.
We found a denial of service (DoS) issue in Imagemagick-7.0.7-0 Q16 x86_64, which can cause huge CPU and memory consumption.
Note that this issue is quite similar to issue #712 we have reported.

The vulnerable code is shown below.

 653         /*
 654           Read Photoshop profile.
 655         */
 656         count=(ssize_t) sscanf(command,PhotoshopProfile " %lu",&extent);
 657         if (count != 1)
 658           continue;
 659         length=extent;
 660         profile=BlobToStringInfo((const void *) NULL,length);
 661         if (profile != (StringInfo *) NULL)
 662           {
 663             q=GetStringInfoDatum(profile);
 664             for (i=0; i < (ssize_t) length; i++)
 665               *q++=(unsigned char) ProfileInteger(image,hex_digits);
 666             (void) SetImageProfile(image,"8bim",profile,exception);
 667             profile=DestroyStringInfo(profile);
 668           }
 669         continue;
 670       }

A crafted PS image file, which claims a large length but does not contain sufficient backing data, would cause a large loop at line 664 since there is no EOF check inside.
PoC: https://github.com/shqking/imagemagick-poc/blob/master/x_ps_poc.ps
The command we were using is convert x_ps_poc.ps test.jpg
In our tests we used a machine with Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz, 4 CPU cores and 16GB RAM.
This issue caused 100% CPU and up to 8GB RAM consumption.
This process lasted for about 30 minutes.

Note that this issue was found by Xiaohei and Wangchu from Alibaba Security Team.
Thanks.
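
The loop pattern described in the report, beside a bounded form, as an added example that is not part of the original report and is not ImageMagick's code or its actual fix. The Blob type, next_hex_byte() and both read_profile_* functions are hypothetical stand-ins, and the sample input is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
/* In-memory stand-in for the image blob (hypothetical, not ImageMagick's API). */
typedef struct { const char *data; size_t len, pos; } Blob;

/* Decode the next two hex digits, skipping other bytes; EOF when input runs out. */
static int next_hex_byte(Blob *b) {
  int value = 0, digits = 0;
  while (digits < 2) {
    if (b->pos >= b->len) return EOF;
    int c = (unsigned char) b->data[b->pos++];
    if (isxdigit(c)) { value = value * 16 + (isdigit(c) ? c - '0' : tolower(c) - 'a' + 10); digits++; }
  }
  return value;
}

/* Pattern from the report: trusts the declared length, no EOF check. Returns iterations run. */
size_t read_profile_unchecked(Blob *b, size_t claimed) {
  unsigned char *buf = malloc(claimed ? claimed : 1);  /* sized by the header alone */
  size_t i;
  if (buf == NULL) return 0;
  for (i = 0; i < claimed; i++)
    buf[i] = (unsigned char) next_hex_byte(b);  /* EOF (-1) is cast to a byte and stored */
  free(buf);
  return i;
}

/* Bounded form: returns bytes decoded, or (size_t) -1 when the declared length is refused. */
size_t read_profile_checked(Blob *b, size_t claimed) {
  size_t i;
  if (claimed > (b->len - b->pos) / 2) return (size_t) -1;  /* each byte needs 2 hex digits */
  unsigned char *buf = malloc(claimed ? claimed : 1);
  if (buf == NULL) return 0;
  for (i = 0; i < claimed; i++) {
    int c = next_hex_byte(b);
    if (c == EOF) break;  /* input ended before the declared length was reached */
    buf[i] = (unsigned char) c;
  }
  free(buf);
  return i;
}

int main(void) {  /* constructed input: 2 bytes of hex data, declared length 1000000 */
  Blob a = { "4142", 4, 0 }, b = a;
  printf("unchecked iterations: %zu\n", read_profile_unchecked(&a, 1000000));
  printf("checked refused: %d\n", read_profile_checked(&b, 1000000) == (size_t) -1);
  return 0;
}
```

The length pre-check keeps the allocation proportional to the data actually present; the in-loop EOF check still matters because non-hex filler can make the input shorter in decoded bytes than its raw size suggests.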
