Hi guys,
I'm running Debian Etch with a backported ImageMagick version (6.3.7.9.dfsg1-2). Basically I'm writing this post because I have a big problem with this version. In my project I'm using identify to detect the image format and, if it's JPEG, GIF or PNG, convert it and store it, and if not, reject it. Basically my dedicated image processors are having problems with this detection, showing very strange behaviour. When I execute identify on the image, identify starts writing a file to /tmp/magick-xxxx.tmp until there is no space left on the device. The server finally runs out of space and starts to fail. I discovered that using strace.
The problem is absolutely reproducible with a PSD image (main layer with an image, and two layers, one with a line and the other one empty). I can't provide you the image because it's a user image with personal information. While running some tests I discovered that with the -ping parameter identify works fine. The output of that:
IMAGE PSD 300x400 300x400+0+0 DirectClass 8-bit 718.738kb
My versions are:
imagemagick 6.3.7.9.dfsg1-2
libmagick++10 6.3.7.9.dfsg1-2
libmagick10 6.3.7.9.dfsg1-2
I searched the forum about that, but I didn't find anything about this version and this error, like a vulnerability or whatever.
Thanks,
Imagemagick 6.3.7.9 and PSD file denial of service
Re: Imagemagick 6.3.7.9 and PSD file denial of service
Instead of
- identify image.psd
- identify 'image.pdf[0]'
- export MAGICK_TMPDIR=/data/
- identify -limit memory 32 -limit map 64 -limit disk 1gb myimage.png
Consider the Q8 version of ImageMagick which consumes 1/2 the memory than the normal Q16 version.
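The measures mentioned in this thread (-ping, the [0] selector, -limit caps and MAGICK_TMPDIR) can be combined into one upload check. The following is an added example, not code from either poster or from ImageMagick; the function names, the scratch directory, the 10-second timeout and the unit-suffixed limit values are assumptions.

```python
import os
import subprocess

ALLOWED = {"JPEG", "GIF", "PNG"}  # formats the original post accepts
# Assumed caps modelled on the reply; the suffix form follows current
# ImageMagick documentation, older builds may expect bare numbers.
LIMITS = {"memory": "32MiB", "map": "64MiB", "disk": "1GiB"}


def build_identify_cmd(path):
    """identify call that reads headers only (-ping) under resource caps."""
    cmd = ["identify", "-ping"]
    for resource, cap in LIMITS.items():
        cmd += ["-limit", resource, cap]
    # [0] restricts the read to the first frame/layer, as in the reply.
    return cmd + ["-format", "%m\n", path + "[0]"]


def classify(identify_stdout):
    """Return the format name if it is allow-listed, otherwise None."""
    words = identify_stdout.split()
    fmt = words[0].upper() if words else ""
    return fmt if fmt in ALLOWED else None


def check_upload(path, tmpdir="/var/tmp/magick-scratch", timeout=10):
    """None means reject: timeout, identify failure or format not allowed."""
    # tmpdir is a hypothetical dedicated scratch area, ideally on its own
    # filesystem so a runaway temp file cannot fill the system disk.
    env = dict(os.environ, MAGICK_TMPDIR=tmpdir)
    try:
        proc = subprocess.run(build_identify_cmd(path), env=env,
                              timeout=timeout, capture_output=True, text=True)
    except (subprocess.TimeoutExpired, OSError):
        return None
    return classify(proc.stdout) if proc.returncode == 0 else None


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, check_upload(p) or "REJECTED")
```

A PSD upload is rejected by the allow-list after a header-only read, and any call that hangs or fails is treated as a rejection rather than retried.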
Re: Imagemagick 6.3.7.9 and PSD file denial of service
Thanks for your quick response. I will review the code.
Regards,