CPU exhaustion in ReadMIFFImage #911

henices opened this Issue Dec 22, 2017 · 2 comments


henices commented Dec 22, 2017


Hello all.
We found a denial of service (DoS) issue in ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, which can cause huge CPU consumption (CPU 100%).

magick -version
Version: ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22
Copyright: © 1999-2018 ImageMagick Studio LLC
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib cairo djvu fftw fontconfig freetype gvc jbig jng jpeg lcms lqr lzma pangocairo png rsvg tiff webp wmf x xml zlib

The policy.xml is as follows:

```xml
  <policy domain="resource" name="temporary-path" value="/tmp"/>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="map" value="512MiB"/>
  <policy domain="resource" name="width" value="8KP"/>
  <policy domain="resource" name="height" value="8KP"/>
  <policy domain="resource" name="area" value="16KP"/>
  <policy domain="resource" name="disk" value="1GiB"/>
  <policy domain="resource" name="file" value="768"/>
  <policy domain="resource" name="thread" value="2"/>
  <policy domain="resource" name="throttle" value="0"/>
  <policy domain="resource" name="time" value="120"/>
  <policy domain="system" name="precision" value="6"/>
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="filter" rights="none" pattern="*" />
  <policy domain="delegate" rights="none" pattern="HTTPS" />
  <policy domain="path" rights="none" pattern="@*"/>
```

Trigger Command: magick convert cpu-exhaustion-ReadMIFFImage /dev/null


When debugging, we found that the following code lacks an EOF check, which causes an infinite loop:


```c
        do
        {
          *p='\0';
          if ((strlen(image->directory)+MagickPathExtent) >= length)
            {
              /*
                Allocate more memory for the image directory.
              */
              length<<=1;
              image->directory=(char *) ResizeQuantumMemory(image->directory,
                length+MagickPathExtent,sizeof(*image->directory));
              if (image->directory == (char *) NULL)
                ThrowReaderException(CorruptImageError,"UnableToReadImageData");
              p=image->directory+strlen(image->directory);
            }
          c=ReadBlobByte(image);
          *p++=(char) c;
        } while (c != (int) '\0');
```


NSFocus Security Team <security (at) nsfocus (dot) com>
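The loop quoted in the report reads bytes until it sees a NUL terminator, but ReadBlobByte() returns EOF (-1) once the blob is exhausted, and -1 cast to char is never '\0', so a truncated directory field spins forever. The following is an added example, not ImageMagick's code and not the reporter's, showing the same read-until-NUL pattern with the missing EOF check and a hard length cap in place. The `Blob`, `blob_read_byte()` and `MAGICK_PATH_EXTENT` names are stand-ins constructed for this example; they mirror the contract of the real ReadBlobByte()/MagickPathExtent but are not the project's API.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical in-memory blob: a byte buffer plus a read cursor.
   Constructed for this example; it is not ImageMagick's Image/blob type. */
typedef struct {
    const unsigned char *data;
    size_t length;
    size_t offset;
} Blob;

/* Same contract as ReadBlobByte(): next byte as an int, or EOF (-1)
   once the data is exhausted. */
static int blob_read_byte(Blob *blob)
{
    if (blob->offset >= blob->length)
        return EOF;
    return (int) blob->data[blob->offset++];
}

#define MAGICK_PATH_EXTENT 4096   /* plays the role of MagickPathExtent */

/* Read a NUL-terminated directory string from the blob into a growable
   heap buffer. Returns a malloc'd string on success. Returns NULL (and
   frees its buffer) if the blob ends before a terminator is seen, which is
   exactly the case the loop in the report never checked, or if the
   directory would exceed max_length bytes. */
char *read_directory_string(Blob *blob, size_t max_length)
{
    size_t length = MAGICK_PATH_EXTENT;
    size_t used = 0;
    char *directory = malloc(length + 1);
    int c;

    if (directory == NULL)
        return NULL;

    do {
        if (used + 1 >= length) {
            /* Refuse to grow without bound: a hostile file should not be
               able to drive allocation up one doubling at a time. */
            if (length >= max_length) {
                free(directory);
                return NULL;
            }
            length <<= 1;
            char *grown = realloc(directory, length + 1);
            if (grown == NULL) {
                free(directory);
                return NULL;
            }
            directory = grown;
        }
        c = blob_read_byte(blob);
        if (c == EOF) {
            /* The missing check: truncated input terminates the loop
               with an error instead of storing 0xFF forever. */
            free(directory);
            return NULL;
        }
        directory[used++] = (char) c;
    } while (c != '\0');

    return directory;   /* used already counts the terminating NUL */
}

/* Runs two constructed inputs: a well-formed directory followed by more
   data, and a blob that ends with no terminator. Returns 1 if both behave
   as intended, 0 otherwise. */
int demo_truncated_blob_is_rejected(void)
{
    /* sizeof(...) - 1 drops the literal's own trailing NUL so that the
       second blob genuinely contains no terminator. */
    static const unsigned char good[] = "frame1.miff\0rest";
    static const unsigned char bad[]  = "no terminator here";
    Blob b_good = { good, sizeof(good) - 1, 0 };
    Blob b_bad  = { bad,  sizeof(bad)  - 1, 0 };
    int ok = 1;

    char *dir = read_directory_string(&b_good, 1u << 20);
    if (dir == NULL || strcmp(dir, "frame1.miff") != 0 || b_good.offset != 12)
        ok = 0;
    free(dir);

    if (read_directory_string(&b_bad, 1u << 20) != NULL)
        ok = 0;
    return ok;
}

int main(void)
{
    printf("truncated blob rejected: %s\n",
           demo_truncated_blob_is_rejected() ? "yes" : "no");
    return 0;
}
```

The EOF test sits before the byte is stored, so a truncated file fails fast with a reader error rather than consuming the "time" resource budget in the policy above; the length cap is a second, independent bound for the case where the input is long but not truncated.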

urban-warrior pushed a commit that referenced this issue Dec 22, 2017

urban-warrior commented Dec 22, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ later today. The patch will be available in the beta releases of ImageMagick @ by sometime tomorrow.

@henices henices closed this Dec 22, 2017



nohmask commented May 21, 2018

This was assigned CVE-2017-18271.