Package Instance

ImageMagick has a heap-buffer-overflow in NewXMLTree which could result in crash
The NewXMLTree method contains a bug that could result in a crash due to an out of write bounds of a single zero byte.

ImageMagick has uninitialized pointer dereference in JBIG decoder
An uninitialized pointer dereference vulnerability exists in the JBIG decoder due to a missing check.

ImageMagick has heap buffer overflow in WriteXWDImage due to CARD32 arithmetic overflow in bytes_per_line calculation
A 32-bit unsigned integer overflow in the XWD (X Windows) encoder can cause an undersized heap buffer allocation. When writing a extremely large image an out of bounds heap write can occur.

```
=================================================================
==741961==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5020000083dc at pc 0x56553b4c4245 bp 0x7ffd9d20fef0 sp 0x7ffd9d20fee0
WRITE of size 1 at 0x5020000083dc thread T0
```

ImageMagick has stack write buffer overflow in MNG encoder
A stack buffer overflow vulnerability exists in the MNG encoder. There is a bounds checks missing that could corrupting the stack with attacker-controlled data.

```
==2265506==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffec4971310 at pc 0x55e671b8a072 bp 0x7ffec4970f70 sp 0x7ffec4970f68
WRITE of size 1 at 0x7ffec4971310 thread T0
```

ImageMagick has a heap buffer over-read via 32-bit integer overflow in MAT decoder
In MAT decoder uses 32-bit arithmetic due to incorrect parenthesization resulting in a heap over-read.

```
=================================================================
==969652==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x506000003b40 at pc 0x555557b2a926 bp 0x7fffffff4c80 sp 0x7fffffff4c70
READ of size 8 at 0x506000003b40 thread T0
```

ImageMagick has heap-based buffer overflow in UHDR encoder
A heap-based buffer overflow in the UHDR encoder can happen due to truncation of a value and it would allow an out of bounds write.

```
================================================================
==2158399==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x521000039500 at pc 0x562a4a42f968 bp 0x7ffcca4ed6c0 sp 0x7ffcca4ed6b0
WRITE of size 1 at 0x521000039500 thread T0
```

ImageMagick has Heap Use-After-Free in ImageMagick MSL decoder
A heap use-after-free vulnerability in ImageMagick's MSL decoder allows an attacker to trigger access to freed memory by crafting an MSL file.

```
=================================================================
==1500633==ERROR: AddressSanitizer: heap-use-after-free on address 0x527000011550 at pc 0x5612583fa212 bp 0x7ffedb86d160 sp 0x7ffedb86d150
READ of size 8 at 0x527000011550 thread T0
```

ImageMagick has Heap Buffer Over-Read in BilateralBlurImage
BilateralBlurImage contains a heap buffer over-read caused by an incorrect conversion. When processing a crafted image with the `-bilateral-blur` operation an out of bounds read can occur.

```
=================================================================
==676172==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50a0000079c0 at pc 0x57b483c722f7 bp 0x7fffc0acd380 sp 0x7fffc0acd370
READ of size 4 at 0x50a0000079c0 thread T0
```

ImageMagick has Heap Buffer Overflow in WaveletDenoiseImage
A crafted image could cause an out of bounds heap write inside the WaveletDenoiseImage method. When processing a crafted image with the -wavelet-denoise operation an out of bounds write can occur.

```
=================================================================
==661320==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x503000002754 at pc 0x5ff45f82c92a bp 0x7fffb732b400 sp 0x7fffb732b3f0
WRITE of size 4 at 0x503000002754 thread T0
```

ImageMagick is vulnerable to Heap Overflow when writing extremely large image profile in the PNG encoder
An extremely large image profile could result in a heap overflow when encoding a PNG image.

ImageMagick is vulnerable to heap buffer over-write on 32-bit systems in SFW decoder
An overflow on  32-bit systems can cause a crash in the SFW decoder when processing extremely large images.

ImageMagick has heap use-after-free in the MSL encoder
A heap-use-after-free vulnerability exists in the MSL encoder, where a cloned image is destroyed twice. The MSL coder does not support writing MSL so the write capability has been removed. 

```
SUMMARY: AddressSanitizer: heap-use-after-free MagickCore/image.c:1195 in DestroyImage
Shadow bytes around the buggy address:
  0x0a4e80007450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0a4e80007460: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0a4e80007470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0a4e80007480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0a4e80007490: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0a4e800074a0: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
  0x0a4e800074b0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0a4e800074c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0a4e800074d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0a4e800074e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0a4e800074f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
```