Unrated severity · NVD Advisory · Published Oct 22, 2020 · Updated Aug 4, 2024

CVE-2020-27560

Description

ImageMagick 7.0.10-34 has a division-by-zero bug in OptimizeLayerFrames that can cause a denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

ImageMagick version 7.0.10-34 contains a division-by-zero bug in the OptimizeLayerFrames function located in MagickCore/layer.c. The vulnerability occurs when computing the cumulative time for disposing frames: the code divides curr->delay*1000 by curr->ticks_per_second without checking whether ticks_per_second is zero. This flaw is reachable when processing specially crafted image files that set ticks_per_second to zero, leading to a crash via division by zero.

Exploitation

An attacker can trigger the vulnerability by providing a crafted image file (e.g., a malformed GIF or other layered format) that causes curr->ticks_per_second to be zero. No authentication or special user privileges are required; the attacker only needs to deliver the file to a victim or service using ImageMagick for processing. When the function OptimizeLayerFrames is called during image processing, the division operation occurs without a prior zero check, immediately causing a division-by-zero error.

Impact

Successful exploitation results in a denial of service (DoS) — the application or service crashes due to the arithmetic exception. Depending on the environment, this could cause disruption of image processing services, temporary unavailability, or in worst-case scenarios, repeated crashes leading to extended downtime. The vulnerability does not lead to information disclosure or code execution.

Mitigation

The fix is commit ef59bd7 in the ImageMagick repository, which replaces the direct division with a multiplication by PerceptibleReciprocal, a function that safely handles zero divisors. Users should update ImageMagick to a version that includes this commit (e.g., 7.0.10-35 or newer). If an immediate update is not possible, avoid processing untrusted image files, especially those from unknown sources, until a patch can be applied.
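The division pattern and the reciprocal-based fix described above, as an added example that is not ImageMagick's own code: the Frame struct, the function names and the EPSILON threshold are assumptions made for illustration, and guarded_reciprocal only mimics the idea of a reciprocal that clamps near-zero input.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the two per-frame fields the advisory names. */
typedef struct Frame {
    size_t delay;            /* frame delay, in ticks */
    long   ticks_per_second; /* read from the file; 0 in a crafted image */
} Frame;

#define EPSILON 1.0e-12 /* assumed clamp threshold for this example */

/* Reciprocal that never divides by zero: |x| below EPSILON is clamped,
   so the result is large but finite instead of a trap or infinity. */
double guarded_reciprocal(double x)
{
    double sign = x < 0.0 ? -1.0 : 1.0;
    return (sign * x >= EPSILON) ? 1.0 / x : sign / EPSILON;
}

/* Unpatched pattern: integer division, undefined behaviour (SIGFPE on
   x86) as soon as one frame carries ticks_per_second == 0. */
size_t total_ms_unpatched(const Frame *f, size_t n)
{
    size_t ms = 0;
    for (size_t i = 0; i < n; i++)
        ms += f[i].delay * 1000 / (size_t) f[i].ticks_per_second;
    return ms;
}

/* Patched pattern: multiply by the guarded reciprocal instead. */
size_t total_ms_patched(const Frame *f, size_t n)
{
    size_t ms = 0;
    for (size_t i = 0; i < n; i++)
        ms += (size_t) ((double) f[i].delay * 1000.0 *
                        guarded_reciprocal((double) f[i].ticks_per_second));
    return ms;
}

int main(void)
{
    /* Constructed sample: the second frame has a zero tick rate. */
    Frame frames[] = { { 10, 100 }, { 0, 0 } };
    printf("patched total: %zu ms\n", total_ms_patched(frames, 2));
    /* total_ms_unpatched(frames, 2) would crash on the second frame. */
    return 0;
}
```

With a zero tick rate and a non-zero delay, the patched form returns a very large finite time rather than crashing, so callers that care about timing accuracy should still treat such a frame as malformed.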

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

12

References

4
