VYPR
Unrated severity · NVD Advisory · Published Jun 20, 2018 · Updated Aug 5, 2024

CVE-2018-12599

Description

In ImageMagick 7.0.8-3, a crafted BMP file causes an out-of-bounds write in ReadBMPImage/WriteBMPImage, enabling denial of service or potential code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In ImageMagick 7.0.8-3 Q16, ReadBMPImage and WriteBMPImage in coders/bmp.c contain an out-of-bounds write vulnerability [1]. When processing a crafted BMP file, the calculation (image->rows-y-1)*bytes_per_line can exceed bmp_info.image_size, leading to a write beyond the allocated pixel buffer. This affects versions 7.0.8-3 and possibly earlier builds.

Exploitation

An attacker can craft a malicious BMP file with manipulated dimensions (e.g., rows and bytes_per_line) to trigger the miscalculation. The victim must open the file using an affected version of ImageMagick, for example via the convert command or an automated image processing pipeline. No privileged access is required; user interaction is limited to opening the file.

Impact

Successful exploitation causes a heap-based buffer overflow, resulting in memory corruption. This can lead to a denial of service (application crash) or, in some cases, arbitrary code execution with the privileges of the user running ImageMagick [2].

Mitigation

The issue was addressed in a subsequent upstream release; the fix was included in ImageMagick 7.0.8-4 or later. Users should update to the latest version from the official website or their distribution. For Ubuntu systems, the patched packages are available via USN-3711-1 [2]. If updating is not immediately possible, avoid processing untrusted BMP files as a workaround.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

11

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds validation in WriteBMPImage allows an out-of-bounds write when (image->rows-y-1)*bytes_per_line exceeds the allocated buffer size."

Attack vector

An attacker crafts a BMP file with dimensions such that `(image->rows-y-1)*bytes_per_line` exceeds the allocated `bmp_info.image_size` [1]. When ImageMagick processes this file (e.g., via `convert ./poc output.bmp`), `WriteBMPImage` writes pixel data beyond the bounds of the `pixels` buffer [1]. No special authentication or network position is required; the attacker only needs to supply the malicious file to the ImageMagick conversion pipeline.

Affected code

The vulnerability resides in `WriteBMPImage` in `coders/bmp.c` [1]. At line 2058, the pointer `q` is computed as `pixels+(image->rows-y-1)*bytes_per_line`, and at line 2061 a write occurs via `*q++=ScaleQuantumToChar(GetPixelBlue(image,p))` [1]. The buffer `pixels` is allocated with size `bmp_info.image_size` (lines 1845-1846), but the offset `(image->rows-y-1)*bytes_per_line` can be much larger than that allocation, leading to an out-of-bounds write [1].

What the fix does

The issue report [1] does not include a patch. The advisory recommends addressing the missing bounds check in `WriteBMPImage` so that the computed offset `(image->rows-y-1)*bytes_per_line` is validated against `bmp_info.image_size` before writing pixel data [1]. Without such a check, an attacker can trigger an out-of-bounds write by supplying a crafted BMP file.
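One way to express the offset validation described above, as an added example that is neither ImageMagick code nor the upstream fix. The helper names `bmp_row_offset` and `bmp_store_row` and the sample sizes are hypothetical; the check rejects any row whose start or end falls outside the allocated `image_size` bytes, including cases where the subtraction or multiplication would wrap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not ImageMagick code): compute the offset used in
   pixels+(rows-y-1)*bytes_per_line and accept it only if the whole row
   lies inside the image_size bytes that were allocated. */
static int bmp_row_offset(size_t rows, size_t y, size_t bytes_per_line,
                          size_t image_size, size_t *offset)
{
  size_t row_index;
  if (y >= rows)
    return 0;                                  /* rows-y-1 would wrap */
  row_index = rows - y - 1;
  if (bytes_per_line != 0 && row_index > SIZE_MAX / bytes_per_line)
    return 0;                                  /* multiplication overflow */
  *offset = row_index * bytes_per_line;
  if (*offset > image_size || bytes_per_line > image_size - *offset)
    return 0;                                  /* row ends past the buffer */
  return 1;
}

/* Copy one row into the buffer only when the offset check passes. */
static int bmp_store_row(unsigned char *pixels, size_t image_size,
                         size_t rows, size_t y, size_t bytes_per_line,
                         const unsigned char *row)
{
  size_t offset;
  if (!bmp_row_offset(rows, y, bytes_per_line, image_size, &offset))
    return 0;
  memcpy(pixels + offset, row, bytes_per_line);
  return 1;
}

int main(void)
{
  /* Constructed sizes: the buffer holds 4 rows of 12 bytes, but the
     image claims 64 rows, the kind of mismatch the report describes. */
  size_t image_size = 4 * 12, rows = 64, bytes_per_line = 12, y, rejected = 0;
  unsigned char *pixels = calloc(1, image_size), row[12] = {0};
  if (pixels == NULL) return 1;
  for (y = 0; y < rows; y++)
    rejected += !bmp_store_row(pixels, image_size, rows, y, bytes_per_line, row);
  printf("rejected %zu of %zu rows\n", rejected, rows);
  free(pixels);
  return 0;
}
```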

Preconditions

  • input: The attacker must supply a crafted BMP file where the computed offset (image->rows-y-1)*bytes_per_line exceeds bmp_info.image_size.
  • config: ImageMagick must be invoked to process the crafted BMP file (e.g., via the convert command).

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
