CVE-2014-1947: 
ImageMagick vulnerability analysis and mitigation

CVE-2014-1947 is a stack-based buffer overflow vulnerability in the WritePSDImage function in coders/psd.c in ImageMagick 6.5.4 and earlier. The vulnerability occurs when handling PSD images with a large number of layers, specifically involving the L%02ld string format. The issue was discovered and disclosed in February 2014, affecting both ImageMagick and GraphicsMagick image processing software (CVE Details).

The vulnerability stems from a buffer overflow condition in the WritePSDImage function where the code did not properly handle cases with more than 99 layers. When processing PSD files, the function uses a format string 'L%02ld' to create layer names, but the destination buffer (layer_name[4]) is too small to accommodate layer numbers beyond 99. For example, L99\0 is safe, but L100\0 causes a buffer overflow of 1 or more bytes (OSS Security). In GraphicsMagick, while the vulnerability exists, it is caught by the fortify source buffer overflow protection (Red Hat).

The vulnerability allows remote attackers to cause a denial of service (crash) and potentially execute arbitrary code via a PSD image containing a large number of layers (CVE Details). The maximum overflow is architecture-dependent, with potential for up to 18 bytes of overflow on 64-bit systems (Red Hat).

The vulnerability was fixed in ImageMagick with changeset 13736, which increased the size of the layer_name buffer to accommodate larger layer numbers. Various Linux distributions have released security updates to address this vulnerability, including SUSE Enterprise Linux (SUSE) and Red Hat-based systems. For GraphicsMagick, the fix was implemented in changeset 14139:a083f9eeef1d (Red Hat).