VYPR
High severity · 8.8 · NVD Advisory · Published Jul 11, 2017 · Updated May 13, 2026

CVE-2017-11170

Description

Memory exhaustion vulnerability in ImageMagick 7.0.5-6 via crafted TGA/VST files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The ReadTGAImage function in coders/tga.c of ImageMagick 7.0.5-6 has a memory leak vulnerability caused by insufficient validation of TGA or VST file headers. The fields tga_info.bits_per_pixel and tga_info.image_type are read directly from the file without bounds checking [1]. When image_type is set to a value that triggers PseudoClass storage, a large or overflowed image->colors value is used in AcquireImageColormap(), leading to excessive memory allocation [1].

Exploitation

An attacker can craft a malicious VST file with manipulated bits_per_pixel (e.g., values up to 32 on 32-bit systems cause overflow to 0, or large values on 64-bit systems cause allocation of up to 64 GB) and image_type (setting it to one of TGAColormap, TGAMonochrome, TGARLEColormap, or TGARLEMonochrome) to force PseudoClass storage [1]. The file is processed by ImageMagick, e.g., with magick identify $FILE, triggering the vulnerable code path before later security checks [1]. No authentication or user interaction beyond file processing is required.

Impact

Successful exploitation results in memory exhaustion, causing a denial of service. The application may consume all available memory, leading to crashes or system instability [1]. No code execution or privilege escalation is achieved.

Mitigation

A fix was committed to the ImageMagick repository after the issue was reported [1]. Users should upgrade to ImageMagick 7.0.5-7 or later. If upgrade is not possible, avoid processing untrusted TGA or VST files.
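The Vulnerability and Mitigation sections above describe header fields (tga_info.bits_per_pixel and tga_info.image_type) being trusted before a palette is allocated. The following is an added example, not ImageMagick's own code from coders/tga.c and not the patch referenced in the advisory: a stand-alone pre-check that a service could run on an untrusted TGA/VST header before handing the file to a decoder. It assumes the standard 18-byte little-endian TGA header layout, that a PseudoClass decoder sizes its palette as 2^bits_per_pixel (consistent with the "32 wraps to 0 on 32-bit" and "up to 64 GB on 64-bit" figures above), and a policy cap TGA_MAX_COLORS chosen here; the function names, the status enum and the sample headers are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Image-type codes from the TGA specification. The four palette-driven
   (PseudoClass) types are the ones the advisory names. */
enum {
    TGA_COLORMAP       = 1,
    TGA_RGB            = 2,
    TGA_MONOCHROME     = 3,
    TGA_RLE_COLORMAP   = 9,
    TGA_RLE_RGB        = 10,
    TGA_RLE_MONOCHROME = 11
};

typedef enum {
    TGA_OK = 0,
    TGA_ERR_SHORT,   /* fewer than 18 header bytes */
    TGA_ERR_TYPE,    /* unknown image_type */
    TGA_ERR_BPP,     /* bits_per_pixel not 8/16/24/32 */
    TGA_ERR_COLORS   /* palette would exceed the allocation cap */
} tga_status;

/* Hypothetical policy cap on palette entries: 65536 covers every
   legitimate 8- or 16-bit index TGA while refusing multi-GB palettes. */
#define TGA_MAX_COLORS (1ULL << 16)

static bool tga_is_pseudoclass(uint8_t image_type) {
    return image_type == TGA_COLORMAP || image_type == TGA_MONOCHROME ||
           image_type == TGA_RLE_COLORMAP || image_type == TGA_RLE_MONOCHROME;
}

/* Validates the two fields the advisory says are used unchecked.
   On success *colors_out (if non-NULL) receives the palette size a
   PseudoClass decoder would allocate, or 0 for truecolor types. The shift
   is done in 64 bits, so bits_per_pixel == 32 cannot wrap to 0 the way a
   32-bit size_t would. */
tga_status tga_check_fields(uint8_t image_type, uint8_t bits_per_pixel,
                            uint16_t colormap_length, uint64_t *colors_out)
{
    uint64_t colors = 0;

    switch (image_type) {
    case TGA_COLORMAP: case TGA_RGB: case TGA_MONOCHROME:
    case TGA_RLE_COLORMAP: case TGA_RLE_RGB: case TGA_RLE_MONOCHROME:
        break;
    default:
        return TGA_ERR_TYPE;
    }
    if (bits_per_pixel != 8 && bits_per_pixel != 16 &&
        bits_per_pixel != 24 && bits_per_pixel != 32)
        return TGA_ERR_BPP;

    if (tga_is_pseudoclass(image_type)) {
        /* Assumption: palette size is 2^bits_per_pixel (see lead-in). */
        colors = 1ULL << bits_per_pixel;
        if (colors > TGA_MAX_COLORS)
            return TGA_ERR_COLORS;
        /* An embedded palette cannot be larger than the index space. */
        if (colormap_length > colors)
            return TGA_ERR_COLORS;
    }
    if (colors_out)
        *colors_out = colors;
    return TGA_OK;
}

static uint16_t rd16le(const uint8_t *p) {
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Parse the fixed 18-byte little-endian TGA header and run the checks. */
tga_status tga_check_header(const uint8_t *buf, size_t len, uint64_t *colors_out)
{
    if (buf == NULL || len < 18)
        return TGA_ERR_SHORT;
    uint8_t  image_type      = buf[2];
    uint16_t colormap_length = rd16le(buf + 5);
    uint8_t  bits_per_pixel  = buf[16];
    return tga_check_fields(image_type, bits_per_pixel, colormap_length, colors_out);
}

/* Constructed sample: 8-bit colormapped 2x2 image with a 256-entry palette. */
const uint8_t TGA_SAMPLE_OK[18] = {
    0, 1, TGA_COLORMAP, 0, 0, 0x00, 0x01, 24, 0, 0, 0, 0, 2, 0, 2, 0, 8, 0
};
/* Constructed sample: same header with bits_per_pixel raised to 32,
   which is the out-of-range value the advisory discusses. */
const uint8_t TGA_SAMPLE_BAD[18] = {
    0, 1, TGA_COLORMAP, 0, 0, 0x00, 0x01, 24, 0, 0, 0, 0, 2, 0, 2, 0, 32, 0
};

int main(void) {
    uint64_t colors = 0;
    tga_status s = tga_check_header(TGA_SAMPLE_OK, sizeof TGA_SAMPLE_OK, &colors);
    printf("sample ok : status=%d colors=%llu\n", (int)s, (unsigned long long)colors);
    s = tga_check_header(TGA_SAMPLE_BAD, sizeof TGA_SAMPLE_BAD, &colors);
    printf("sample bad: status=%d\n", (int)s);
    return 0;
}
```

The check is deliberately independent of the decoder: it rejects the header before any allocation happens, which is the property the advisory says the vulnerable code path lacked (validation occurring only after AcquireImageColormap() had already been sized from the untrusted field). The cap is a policy value; a deployment that genuinely needs 24-bit index palettes would raise it rather than remove the check.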

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 13

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)