CVE-2018-12600
Description
ImageMagick 7.0.8-3 Q16 has an out-of-bounds write in coders/dib.c via a crafted DIB file, allowing denial of service or possible code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In ImageMagick version 7.0.8-3 Q16, ReadDIBImage and WriteDIBImage in coders/dib.c contain an out-of-bounds write vulnerability. Specifically, dib_info.image_size can be smaller than the bytes per line multiplied by the row index, causing a write beyond allocated memory when processing a crafted DIB file [1].
Exploitation
An attacker needs only to provide a specially crafted DIB image file. If a user or automated system using ImageMagick opens the file (e.g., via convert), the vulnerable code path is reached without requiring any special privileges or network position [1, 2].
Impact
Successful exploitation can lead to a denial of service (crash) or, potentially, arbitrary code execution with the privileges of the user running ImageMagick [2]. The out-of-bounds write can corrupt memory and may be leveraged for privilege escalation depending on the context.
Mitigation
A fix is available in ImageMagick updates; Ubuntu published USN-3711-1 on 2018-06-20, updating packages in trusty, xenial, bionic, and artful [2]. Users should upgrade to the patched version of ImageMagick (7.0.8-3 or later, depending on distribution). As of the advisory date, no workaround is provided beyond applying the update.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (11)
- Range: = 7.0.8-3 Q16
- osv-coords (10 versions):
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3 (no CPE), range: < 6.8.8.1-71.82.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015 (no CPE), range: < 7.0.7.34-3.9.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015 (no CPE), range: < 7.0.7.34-3.9.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4 (no CPE), range: < 6.4.3.6-78.56.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3 (no CPE), range: < 6.8.8.1-71.82.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4 (no CPE), range: < 6.4.3.6-78.56.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 (no CPE), range: < 6.8.8.1-71.82.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4 (no CPE), range: < 6.4.3.6-78.56.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3 (no CPE), range: < 6.8.8.1-71.82.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP3 (no CPE), range: < 6.8.8.1-71.82.1
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds validation on the pixel offset calculation in WriteDIBImage allows an out-of-bounds write when attacker-controlled dimensions produce an offset larger than the allocated buffer."
Attack vector
An attacker supplies a crafted DIB file whose metadata fields cause `dib_info.image_size` to be small (e.g., 433805204) while `(image->rows-y-1)*bytes_per_line` is much larger (e.g., 4728576000) [ref_id=1]. When `WriteDIBImage` processes this file, the computed offset exceeds the allocated buffer, leading to an out-of-bounds write at line 1304 [ref_id=1]. The attack requires no special privileges—only the ability to feed the crafted file to ImageMagick's `convert` command [ref_id=1].
Affected code
The vulnerability resides in `coders/dib.c` in the `WriteDIBImage` function. At line 1301, the pointer offset `q = pixels + (image->rows-y-1)*bytes_per_line` is computed using attacker-controlled dimensions, and at line 1304 the write `*q++ = ScaleQuantumToChar(GetPixelBlue(image,p))` occurs without bounds checking against the allocated `dib_info.image_size` buffer [ref_id=1]. The `ReadDIBImage` function is also cited as affected [ref_id=1].
What the fix does
The issue report does not include a patch; it identifies the root cause as a missing bounds check on the computed offset `(image->rows-y-1)*bytes_per_line` relative to `dib_info.image_size` [ref_id=1]. The advisory recommends validating that the calculated offset does not exceed the allocated buffer size before performing the write [ref_id=1]. No official fix is shown in the provided bundle.
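The bounds check described above, written out as an added C example; it is not ImageMagick's code or its official fix, and the function names are hypothetical. It uses the two figures quoted on this page, with `rows` and `bytes_per_line` constructed only so that the row offset equals 4728576000.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not ImageMagick source. All names are hypothetical.
   Returns 1 if writing row_bytes bytes at the start of bottom-up row y
   stays inside a buffer of buffer_size bytes, else 0. */
static int dib_row_fits(uint64_t buffer_size, uint64_t rows, uint64_t y,
                        uint64_t bytes_per_line, uint64_t row_bytes)
{
  uint64_t row_index, offset;

  if (y >= rows)
    return 0;                        /* rows-y-1 would wrap around */
  row_index = rows - y - 1;
  if (bytes_per_line != 0 && row_index > UINT64_MAX / bytes_per_line)
    return 0;                        /* product would overflow 64 bits */
  offset = row_index * bytes_per_line;
  if (offset > buffer_size)
    return 0;                        /* row starts past the buffer end */
  return row_bytes <= buffer_size - offset;  /* partial last row fails too */
}

/* Counts the rows whose write would leave the buffer. */
static uint64_t dib_rows_out_of_bounds(uint64_t buffer_size, uint64_t rows,
                                       uint64_t bytes_per_line)
{
  uint64_t y, bad = 0;

  for (y = 0; y < rows; y++)
    if (!dib_row_fits(buffer_size, rows, y, bytes_per_line, bytes_per_line))
      bad++;
  return bad;
}

int main(void)
{
  /* image_size is the figure quoted on the page. rows and bytes_per_line
     are constructed so that (rows-0-1)*bytes_per_line == 4728576000. */
  const uint64_t image_size = 433805204ULL;
  const uint64_t rows = 49257, bytes_per_line = 96000;

  printf("row y=0 fits: %d\n",
         dib_row_fits(image_size, rows, 0, bytes_per_line, bytes_per_line));
  printf("rows out of bounds: %" PRIu64 " of %" PRIu64 "\n",
         dib_rows_out_of_bounds(image_size, rows, bytes_per_line), rows);
  return 0;
}
```

A writer that runs this check once per row, or rejects the image up front when any row fails it, never forms a pointer past `pixels + image_size`.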
Preconditions
- input: Attacker must supply a crafted DIB file with manipulated image dimensions that cause the computed offset to exceed the allocated buffer size.
- config: The victim must invoke ImageMagick's convert (or similar) on the crafted file.
Reproduction
Use the provided PoC file (poc.zip) with ImageMagick 7.0.8-3 Q16: run `./magick convert ./poc output.dib`. The tool will crash with an AddressSanitizer SEGV at `coders/dib.c:1304` due to an out-of-bounds write [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
- usn.ubuntu.com/3711-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2018/dsa-4245 (mitre, vendor-advisory, x_refsource_DEBIAN)
- github.com/ImageMagick/ImageMagick/issues/1178 (mitre, x_refsource_CONFIRM)
- lists.debian.org/debian-lts-announce/2018/06/msg00004.html (mitre, mailing-list, x_refsource_MLIST)