
cpu exhaustion in ReadWPGImage #870

Closed
@henices

Description

@henices

Hello all.
We found a denial of service (DoS) issue in ImageMagick 7.0.7-12 Q16 x86_64 that causes excessive CPU consumption (100% CPU) while reading a crafted WPG file.

The policy.xml in effect is as follows (note that the resource limits above, including the 120-second time limit, do not stop the loop shown below):

<policymap>
  <policy domain="resource" name="temporary-path" value="/tmp"/>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="map" value="512MiB"/>
  <policy domain="resource" name="width" value="8KP"/>
  <policy domain="resource" name="height" value="8KP"/>
  <policy domain="resource" name="area" value="16KP"/>
  <policy domain="resource" name="disk" value="1GiB"/>
  <policy domain="resource" name="file" value="768"/>
  <policy domain="resource" name="thread" value="2"/>
  <policy domain="resource" name="throttle" value="0"/>
  <policy domain="resource" name="time" value="120"/>
  <policy domain="system" name="precision" value="6"/>
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="filter" rights="none" pattern="*" />
  <policy domain="delegate" rights="none" pattern="HTTPS" />  
  <policy domain="path" rights="none" pattern="@*"/>  
</policymap>

convert ReadWPGImage-cpu-exhaustion /dev/null

gdb backtrace

0x00007ffff413e1c5 in ReadBlobByte (image=0x607c00011900) at MagickCore/blob.c:3661            
3661          p=(const unsigned char *) ReadBlobStream(image,1,buffer,&count);                 
(gdb) bt                                       
#0  0x00007ffff413e1c5 in ReadBlobByte (image=0x607c00011900) at MagickCore/blob.c:3661        
#1  0x00007ffff47dc5f0 in ExtractPostscript (image=0x607c00011900, image_info=0x607a0000d100, PS_Offset=71672, PS_Size=2013292078, exception=0x600c0000b0c0) at coders/wpg.c:769               
#2  0x00007ffff47e10a2 in ReadWPGImage (image_info=0x607a0000d100, exception=0x600c0000b0c0) at coders/wpg.c:1408                                                                              
#3  0x00007ffff41c56d6 in ReadImage (image_info=0x607a00010500, exception=0x600c0000b0c0) at MagickCore/constitute.c:497                                                                       
#4  0x00007ffff41c7d3c in ReadImages (image_info=0x607a00013900, filename=0x60040000c710 "/tmp/cpu4.poc", exception=0x600c0000b0c0) at MagickCore/constitute.c:866                             
#5  0x00007ffff39e179c in ConvertImageCommand (image_info=0x607a00013900, argc=3, argv=0x60060000ed10, metadata=0x7fffffffc090, exception=0x600c0000b0c0) at MagickWand/convert.c:641          
#6  0x00007ffff3b84a11 in MagickCommandGenesis (image_info=0x607a00016d00, command=0x4010d0 <ConvertImageCommand@plt>, argc=3, argv=0x7fffffffe4d8, metadata=0x0, exception=0x600c0000b0c0)    
    at MagickWand/mogrify.c:183                                                                
#7  0x000000000040164d in MagickMain (argc=3, argv=0x7fffffffe4d8) at utilities/magick.c:149   
#8  0x00000000004017e2 in main (argc=3, argv=0x7fffffffe4d8) at utilities/magick.c:180   

While debugging we found a very large value in PS_Size. As the trace below shows, ReadBlobByte returns EOF once the blob is exhausted (blob.c:3663), but the loop at wpg.c:767 only tests PS_Size, so it keeps iterating and writing to ps_file for the remaining ~2 billion counts instead of stopping at end of input.

(gdb) n                                                                                                                                                                                        
3662          if (count != 1)                                                                                                                                                                  
(gdb)                                                                         
3663            return(EOF);                                                   
(gdb)                                                                          
3625    {                                                                      
(gdb)                                                                           
3668    }                                                                     
(gdb)                                                                          
ExtractPostscript (image=0x607c00011900, image_info=0x607a0000d100, PS_Offset=71672, PS_Size=2013292078, exception=0x600c0000b0c0) at coders/wpg.c:767                                         
767       while(PS_Size-- > 0)                                                 
(gdb)                                                                           
769           (void) fputc(ReadBlobByte(image),ps_file);                                       
(gdb)                                          
767       while(PS_Size-- > 0)                 
(gdb)                                          
769           (void) fputc(ReadBlobByte(image),ps_file);                                       
(gdb)                                                                     
767       while(PS_Size-- > 0)                 
(gdb)                                            
769           (void) fputc(ReadBlobByte(image),ps_file);                                       
(gdb)                                                             
767       while(PS_Size-- > 0)                                            
(gdb)                                          
769           (void) fputc(ReadBlobByte(image),ps_file);                                       
(gdb)                                               
767       while(PS_Size-- > 0)                 
(gdb)                                          
769           (void) fputc(ReadBlobByte(image),ps_file);                                       
(gdb)                                            
767       while(PS_Size-- > 0)                 
(gdb)                                                          
769           (void) fputc(ReadBlobByte(image),ps_file);                                       
(gdb)                                          
767       while(PS_Size-- > 0)                                  
(gdb)                                          
769           (void) fputc(ReadBlobByte(image),ps_file);                                       
(gdb) p PS_Size                                
$1 = 2013292071    

testcase:
https://github.com/henices/pocs/raw/master/ReadWPGImage-cpu-exhaustion

Credit: NSFocus Security Team <security (at) nsfocus (dot) com>
