CVE-2018-10804
Description
ImageMagick 7.0.7-28 has a memory leak in WriteTIFFImage that can be triggered by a crafted image, leading to denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
ImageMagick version 7.0.7-28 contains a memory leak in the WriteTIFFImage function in coders/tiff.c. When processing a TIFF image, the function allocates a QuantumInfo structure via AcquireQuantumInfo [1]. If the image meets certain conditions (storage class not PseudoClass, depth ≥ 32, undefined quantum format, and high dynamic range), it attempts to set the quantum format to floating point. If SetQuantumFormat fails (e.g., due to resource limits), the function returns without freeing the previously allocated quantum_info, causing a memory leak [1].
Exploitation
An attacker can exploit this vulnerability by providing a crafted TIFF image that satisfies the required conditions: storage_class != PseudoClass, depth >= 32, quantum_info->format == UndefinedQuantumFormat, and IsHighDynamicRangeImage returning true. The attacker does not need authentication or special privileges; they only need to submit the image to an application using ImageMagick to process it. Repeated processing of such images can exhaust available memory, leading to denial of service.
Impact
Successful exploitation results in a memory leak, which can lead to memory exhaustion and denial of service. The attacker gains no code execution or data access; the impact is limited to availability.
Mitigation
The issue was reported in the ImageMagick issue tracker [1]. The available reference does not specify a fixed version; users should upgrade to the latest version of ImageMagick (7.0.7-29 or later) if a patch has been released, or apply any vendor-supplied update. As a workaround, avoid processing untrusted TIFF images with ImageMagick until a fix is applied.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 7.0.7-28
- osv-coords (5 versions), each with range < 6.8.8.1-71.65.1 and no CPE:
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing deallocation of `quantum_info` before an error return in `WriteTIFFImage` causes a memory leak."
Attack vector
An attacker provides a crafted TIFF image that triggers the `SetQuantumFormat` failure path inside `WriteTIFFImage`. The image must satisfy the conditions at lines 3508–3510 (storage class not `PseudoClass`, depth >= 32, `UndefinedQuantumFormat`, and `IsHighDynamicRangeImage` true) so that `SetQuantumFormat` is called. When that call fails, the error-exit path leaks the previously allocated `quantum_info` memory [1]. Repeated processing of such images can exhaust memory resources.
Affected code
The memory leak occurs in `WriteTIFFImage` in `coders/tiff.c`. At approximately line 3506, `AcquireQuantumInfo` allocates memory for `quantum_info`. If the subsequent `SetQuantumFormat` call at line 3515 fails, the function returns via `ThrowWriterException` without freeing `quantum_info`, causing a leak [1].
What the fix does
The issue report identifies that `quantum_info` is allocated at line 3506 but not freed before the `ThrowWriterException` at line 3515 [1]. The fix should free `quantum_info` (e.g., via `DestroyQuantumInfo`) before returning on the error path. No patch is included in the bundle; the advisory simply documents the leak location and the missing deallocation.
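The leak and its correction can be reproduced in a small model. This is an added example, not ImageMagick source or a project patch: `acquire_qinfo`, `set_format`, `destroy_qinfo`, the two writers and the allocation counter are hypothetical stand-ins for the functions named above, and the forced failure is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed model, not ImageMagick source. acquire_qinfo, set_format and
   destroy_qinfo stand in for AcquireQuantumInfo, SetQuantumFormat and
   DestroyQuantumInfo; all names here are hypothetical. */
typedef struct { int format; } QInfo;
static long live_allocs = 0;            /* outstanding QInfo allocations */

static QInfo *acquire_qinfo(void) {
    QInfo *q = calloc(1, sizeof *q);
    if (q != NULL) live_allocs++;
    return q;
}
static void destroy_qinfo(QInfo *q) {
    if (q != NULL) { free(q); live_allocs--; }
}
/* Fails on demand, standing in for a resource-limit failure. */
static int set_format(QInfo *q, int force_fail) {
    if (!force_fail) q->format = 1;
    return !force_fail;
}

/* Leaky pattern: the error return skips the release. */
static int write_leaky(int force_fail) {
    QInfo *q = acquire_qinfo();
    if (q == NULL) return 0;
    if (!set_format(q, force_fail)) return 0;   /* q is still allocated */
    destroy_qinfo(q);
    return 1;
}
/* Corrected pattern: release before returning on either path. */
static int write_fixed(int force_fail) {
    QInfo *q = acquire_qinfo();
    if (q == NULL) return 0;
    int ok = set_format(q, force_fail);
    destroy_qinfo(q);
    return ok;
}

/* Run a writer n times; return how many allocations it left behind. */
static long leaked_after(int (*writer)(int), int n, int force_fail) {
    long before = live_allocs;
    for (int i = 0; i < n; i++) writer(force_fail);
    return live_allocs - before;
}

int main(void) {
    printf("leaked: leaky=%ld fixed=%ld\n", leaked_after(write_leaky, 1000, 1),
           leaked_after(write_fixed, 1000, 1));
    return 0;
}
```

A counter like this, or a run under a leak checker, works as a regression test for the error path once a fix is applied.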
Preconditions
- Input: Attacker must supply a TIFF image that meets the conditions for SetQuantumFormat to be called (storage_class != PseudoClass, depth >= 32, UndefinedQuantumFormat, IsHighDynamicRangeImage true).
- Input: The SetQuantumFormat call must fail (e.g., due to resource limits or invalid format).
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- usn.ubuntu.com/3681-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- github.com/ImageMagick/ImageMagick/issues/1053 (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.