CPU exhaustion in ReadMIFFImage #911

Closed
@henices

Description

INFO

Hello all.
We found a denial of service (DoS) issue in ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, which can cause huge CPU consumption (CPU 100%).

magick -version
Version: ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22 http://www.imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib cairo djvu fftw fontconfig freetype gvc jbig jng jpeg lcms lqr lzma pangocairo png rsvg tiff webp wmf x xml zlib

The policy.xml is as follows:

<policymap>
  <policy domain="resource" name="temporary-path" value="/tmp"/>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="map" value="512MiB"/>
  <policy domain="resource" name="width" value="8KP"/>
  <policy domain="resource" name="height" value="8KP"/>
  <policy domain="resource" name="area" value="16KP"/>
  <policy domain="resource" name="disk" value="1GiB"/>
  <policy domain="resource" name="file" value="768"/>
  <policy domain="resource" name="thread" value="2"/>
  <policy domain="resource" name="throttle" value="0"/>
  <policy domain="resource" name="time" value="120"/>
  <policy domain="system" name="precision" value="6"/>
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="filter" rights="none" pattern="*" />
  <policy domain="delegate" rights="none" pattern="HTTPS" />  
  <policy domain="path" rights="none" pattern="@*"/>  
</policymap>

Trigger Command: magick convert cpu-exhaustion-ReadMIFFImage /dev/null

DEBUG

When debugging, we found that the following code lacks an EOF check, which causes an infinite loop.

coders/miff.c

        do
        {
          *p='\0';
          if ((strlen(image->directory)+MagickPathExtent) >= length)
            {
              /*
                Allocate more memory for the image directory.
              */
              length<<=1;
              image->directory=(char *) ResizeQuantumMemory(image->directory,
                length+MagickPathExtent,sizeof(*image->directory));
              if (image->directory == (char *) NULL)
                ThrowReaderException(CorruptImageError,"UnableToReadImageData");
              p=image->directory+strlen(image->directory);
            }
          c=ReadBlobByte(image);
          *p++=(char) c;
        } while (c != (int) '\0');

testcase: https://github.com/henices/pocs/raw/master/cpu-exhaustion-ReadMIFFImage

NSFocus Security Team <security (at) nsfocus (dot) com>
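The report above describes a read loop that stops only on a NUL byte: when the blob ends before the terminator, ReadBlobByte() keeps returning EOF (-1), (char) -1 is never '\0', and the loop spins. The example below is added here and is not ImageMagick's code or the reporter's; it mirrors the same loop shape against a constructed in-memory blob (the Blob type, blob_read_byte() and read_directory() are hypothetical stand-ins for the blob API) and adds the EOF check so a truncated input fails cleanly instead of looping.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an ImageMagick blob: an in-memory byte buffer. */
typedef struct {
    const unsigned char *data;
    size_t length;
    size_t offset;
} Blob;

/* Mimics ReadBlobByte(): next byte as 0..255, or EOF (-1) once the blob is exhausted. */
static int blob_read_byte(Blob *blob)
{
    if (blob->offset >= blob->length)
        return EOF;
    return blob->data[blob->offset++];
}

/* Read a NUL-terminated directory string into a growing heap buffer.
   Same structure as the loop in the report (doubling growth, read one byte,
   append, stop on '\0'), plus the EOF check that turns a truncated blob into
   an error instead of an infinite loop. Caller frees the result. */
static char *read_directory(Blob *blob)
{
    size_t length = 16;      /* deliberately small so the growth path is exercised */
    size_t used = 0;
    char *directory = malloc(length);
    int c;

    if (directory == NULL)
        return NULL;
    do {
        if (used + 1 >= length) {
            /* Allocate more memory for the directory, doubling like the original. */
            char *grown;
            length <<= 1;
            grown = realloc(directory, length);
            if (grown == NULL) {
                free(directory);
                return NULL;
            }
            directory = grown;
        }
        c = blob_read_byte(blob);
        if (c == EOF) {
            /* Truncated input: no terminator will ever arrive, so stop here. */
            free(directory);
            return NULL;
        }
        directory[used++] = (char) c;
    } while (c != '\0');
    return directory;
}

/* Constructed sample 1: a complete, NUL-terminated directory followed by more data. */
static int demo_complete(void)
{
    static const unsigned char bytes[] = "id=ImageMagick\0pixel-data-follows";
    Blob blob = { bytes, sizeof(bytes) - 1, 0 };
    char *dir = read_directory(&blob);
    int ok = (dir != NULL) && (strcmp(dir, "id=ImageMagick") == 0) && (blob.offset == 15);
    free(dir);
    return ok;
}

/* Constructed sample 2: the same text cut off before the NUL terminator. */
static int demo_truncated(void)
{
    static const unsigned char bytes[] = "id=ImageMagick";
    Blob blob = { bytes, sizeof(bytes) - 1, 0 };
    char *dir = read_directory(&blob);
    int ok = (dir == NULL) && (blob.offset == blob.length);
    free(dir);
    return ok;
}

int main(void)
{
    printf("complete blob parsed: %s\n", demo_complete() ? "yes" : "no");
    printf("truncated blob rejected: %s\n", demo_truncated() ? "yes" : "no");
    return 0;
}
```

The second sample is the case the report describes: the loop consumes every byte, reaches EOF, and returns an error rather than appending 0xFF bytes forever. A reader that treats EOF as "keep going" in any such terminator-driven loop has the same failure mode, which is why the check belongs at the read, before the byte is stored.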
