Description
INFO
Hello all.
We found a denial of service (DoS) issue in ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, which can cause huge CPU consumption (CPU 100%).
magick -version
Version: ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22 http://www.imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib cairo djvu fftw fontconfig freetype gvc jbig jng jpeg lcms lqr lzma pangocairo png rsvg tiff webp wmf x xml zlib
The policy.xml is as follows:
<policymap>
<policy domain="resource" name="temporary-path" value="/tmp"/>
<policy domain="resource" name="memory" value="256MiB"/>
<policy domain="resource" name="map" value="512MiB"/>
<policy domain="resource" name="width" value="8KP"/>
<policy domain="resource" name="height" value="8KP"/>
<policy domain="resource" name="area" value="16KP"/>
<policy domain="resource" name="disk" value="1GiB"/>
<policy domain="resource" name="file" value="768"/>
<policy domain="resource" name="thread" value="2"/>
<policy domain="resource" name="throttle" value="0"/>
<policy domain="resource" name="time" value="120"/>
<policy domain="system" name="precision" value="6"/>
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="filter" rights="none" pattern="*" />
<policy domain="delegate" rights="none" pattern="HTTPS" />
<policy domain="path" rights="none" pattern="@*"/>
</policymap>
Trigger Command: magick convert cpu-exhaustion-ReadMIFFImage /dev/null
DEBUG
When debugging, we found that the following code lacks an EOF check, which causes an infinite loop.
coders/miff.c (lines 1111-1128):
do
{
  *p='\0';
  if ((strlen(image->directory)+MagickPathExtent) >= length)
    {
      /*
        Allocate more memory for the image directory.
      */
      length<<=1;
      image->directory=(char *) ResizeQuantumMemory(image->directory,
        length+MagickPathExtent,sizeof(*image->directory));
      if (image->directory == (char *) NULL)
        ThrowReaderException(CorruptImageError,"UnableToReadImageData");
      p=image->directory+strlen(image->directory);
    }
  /* ReadBlobByte returns EOF (-1) once the blob is exhausted; the return
     value is stored without being tested, so (char) EOF is appended and the
     loop never sees the '\0' that would end it. */
  c=ReadBlobByte(image);
  *p++=(char) c;
} while (c != (int) '\0');
testcase: https://github.com/henices/pocs/raw/master/cpu-exhaustion-ReadMIFFImage
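The following is an added illustration, not code from ImageMagick or from the reporters: a self-contained C model of the directory-read loop above, with the EOF check the reported code lacks, run over constructed in-memory blobs. The Blob type, read_blob_byte, read_directory and directory_from_bytes are stand-ins invented here for ReadBlobByte and the miff.c loop; ImageMagick's own fix may differ in detail. It shows why the original loop cannot terminate on a truncated file (EOF is -1, so (char) c is 0xFF and never '\0') and how a truncated directory becomes a clean read failure instead of a spin.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal in-memory stand-in for ImageMagick's blob (constructed for this example). */
typedef struct {
    const unsigned char *data;
    size_t length;
    size_t offset;
} Blob;

/* Mirrors ReadBlobByte: next byte as 0..255, or EOF (-1) once the blob is exhausted.
 * Note that (char) EOF is 0xFF, never '\0', which is why a loop that only tests
 * for '\0' keeps reading forever on a truncated directory. */
static int read_blob_byte(Blob *blob)
{
    if (blob->offset >= blob->length)
        return EOF;
    return blob->data[blob->offset++];
}

/* Hardened version of the directory-read loop.
 * Returns the directory length (bytes before the terminator) and hands the
 * NUL-terminated buffer to the caller via *directory, or returns -1 and sets
 * *directory to NULL if the blob ends before a terminator or memory runs out. */
static long read_directory(Blob *blob, char **directory)
{
    size_t length = 4;            /* deliberately small so the growth path is exercised */
    size_t used = 0;
    char *buf = malloc(length + 1);
    int c;

    *directory = NULL;
    if (buf == NULL)
        return -1;
    do {
        if (used + 1 >= length) {
            /* Same doubling strategy as the original code. */
            char *grown;
            length <<= 1;
            grown = realloc(buf, length + 1);
            if (grown == NULL) {
                free(buf);
                return -1;
            }
            buf = grown;
        }
        c = read_blob_byte(blob);
        if (c == EOF) {
            /* The check the reported loop is missing: a truncated blob is an
             * error, not something to keep looping on. */
            free(buf);
            return -1;
        }
        buf[used++] = (char) c;
    } while (c != '\0');
    *directory = buf;
    return (long) (used - 1);
}

/* Convenience wrapper: parse a directory out of a raw byte string. */
static long directory_from_bytes(const unsigned char *bytes, size_t n, char **directory)
{
    Blob blob = { bytes, n, 0 };
    return read_directory(&blob, directory);
}

int main(void)
{
    /* Constructed inputs: one well-formed directory, one cut off before the terminator. */
    static const unsigned char terminated[] = "frame1.miff\0trailing-data";
    static const unsigned char truncated[]  = "no-terminator";
    char *dir = NULL;
    long n;

    n = directory_from_bytes(terminated, sizeof(terminated) - 1, &dir);
    printf("terminated: %ld bytes, directory=\"%s\"\n", n, dir ? dir : "(null)");
    free(dir);

    n = directory_from_bytes(truncated, sizeof(truncated) - 1, &dir);
    printf("truncated:  %ld (read failed cleanly, directory=%s)\n", n, dir ? dir : "NULL");
    free(dir);
    return 0;
}
```

The same pattern applies to any reader loop that pulls bytes until a sentinel: test the reader's return value for EOF before casting it to the narrower type, because the cast silently destroys the out-of-band error value.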
NSFocus Security Team <security (at) nsfocus (dot) com>