CVE-2017-14174

Vulnerability

A denial-of-service vulnerability exists in ImageMagick version 7.0.7-0 Q16 within the ReadPSDLayersInternal() function in coders/psd.c. The issue occurs because the loop at line 1707 iterates based on a length field from the PSD file header without verifying the end-of-file (EOF) condition inside the loop. When a crafted PSD file claims a large length but contains insufficient backing data, the loop continues consuming CPU resources indefinitely [3].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted PSD image file with a manipulated length field. The attacker does not need any special network position or authentication; the attack vector is remote and user interaction is required—the victim must open or process the malicious file using ImageMagick (e.g., via the convert command). The loop iterates in 8-byte steps, reading two 4-byte values per iteration, and with no EOF check, it continues until the file descriptor error or until the system runs out of resources [3].

Impact

Successful exploitation results in a denial of service: the ImageMagick process consumes 100% CPU for an extended period (over 3.5 minutes in testing) and may become unresponsive. The issue is limited to CPU exhaustion and does not lead to code execution, privilege escalation, or data disclosure [1][3].

Mitigation

A fix was implemented in commit 04a567494786d5bb50894fc8bb8fea0cf496bea8 which replaces the vulnerable loop with a DiscardBlobBytes() call that includes an EOF check [2]. Patched versions are included in Ubuntu security update USN-3681-1 (for ImageMagick packages) and in Gentoo GLSA 201711-07 (for ImageMagick >= 6.9.9.20 and >= 7.0.7-0) [1][4]. Users should update to the latest patched version of ImageMagick. No workaround is available if the patch is not installed [4].