CVE-2018-5685
Description
In GraphicsMagick 1.3.27, the ReadBMPImage function enters an infinite loop when processing a BMP file with a crafted green_mask value, causing denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In GraphicsMagick version 1.3.27, the `ReadBMPImage` function in `coders/bmp.c` contains an infinite loop vulnerability. When processing a BMP file with a crafted bit-field mask, specifically a `green_mask` value of `0xFFFFFFFF`, the `while` loop at line 1110 (`while (((bmp_info.green_mask << sample) & 0x80000000U) != 0)`) never terminates because the condition remains true, causing `sample` to increment indefinitely and the application to hang [1].
Exploitation
An attacker can trigger this vulnerability by providing a specially crafted BMP image file with a green_mask set to 0xFFFFFFFF. No authentication or special privileges are required. The attacker simply needs to convince a user or system to process the malicious image (e.g., via gm convert). The provided proof-of-concept file causes GraphicsMagick to enter an infinite loop, resulting in a denial of service [1].
Impact
Successful exploitation leads to a denial of service, as the application becomes unresponsive and consumes resources (e.g., CPU time) indefinitely. The impact is limited to availability; confidentiality and integrity are not affected. The hang persists until the process is terminated externally.
Mitigation
As of the publication date, no patch has been released for this vulnerability in GraphicsMagick 1.3.27. Users are advised to avoid processing untrusted BMP files, consider using alternative image processing tools, or apply workarounds such as input validation to reject files with suspicious bit-field mask values. Monitoring for future updates from the GraphicsMagick project is recommended [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (17)
- Range: =1.3.27
- osv-coords (16 versions):
- pkg:rpm/suse/GraphicsMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4 (no CPE), range: < 1.2.5-4.78.33.1
- pkg:rpm/suse/GraphicsMagick&distro=SUSE%20Studio%20Onsite%201.3 (no CPE), range: < 1.2.5-4.78.33.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP2 (no CPE), range: < 6.8.8.1-71.33.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3 (no CPE), range: < 6.8.8.1-71.33.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4 (no CPE), range: < 6.4.3.6-7.78.29.2
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2 (no CPE), range: < 6.8.8.1-71.33.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3 (no CPE), range: < 6.8.8.1-71.33.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2 (no CPE), range: < 6.8.8.1-71.33.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4 (no CPE), range: < 6.4.3.6-7.78.29.2
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 (no CPE), range: < 6.8.8.1-71.33.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 (no CPE), range: < 6.8.8.1-71.33.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4 (no CPE), range: < 6.4.3.6-7.78.29.2
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2 (no CPE), range: < 6.8.8.1-71.33.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3 (no CPE), range: < 6.8.8.1-71.33.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP2 (no CPE), range: < 6.8.8.1-71.33.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP3 (no CPE), range: < 6.8.8.1-71.33.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"An infinite loop occurs in the ReadBMPImage function due to a manipulated bit-field mask value in a crafted BMP file."
Attack vector
Remote attackers can trigger an infinite loop and application hang by providing a crafted BMP image file to the GraphicsMagick `convert` command. The vulnerability lies within the `ReadBMPImage` function, where a specific value, `bmp_info.green_mask`, can be manipulated. When this value is set to `0xFFFFFFFF`, it causes a condition in a `while` loop to always be true, leading to an endless increment of the `sample` variable and thus a denial of service [1].
Affected code
The vulnerability exists in the `ReadBMPImage` function located in the `coders/bmp.c` file. Specifically, the issue arises within a `while` loop (line 1110) where the `bmp_info.green_mask` value is checked. The loop continues indefinitely when `bmp_info.green_mask` is set to `0xFFFFFFFF`, causing `sample` to increase without bound [1].
What the fix does
The patch addresses the infinite loop by adding a check to ensure that the `sample` variable does not exceed a certain limit within the `while` loop. This prevents the `sample` variable from incrementing indefinitely when `bmp_info.green_mask` is manipulated. By introducing this boundary, the loop will eventually terminate, mitigating the denial of service vulnerability [1].
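The loop condition quoted above and a bounded form of it, as an added example that is not GraphicsMagick's code or its actual patch. The function names, the bound of 32 and the sample masks are assumptions; the unbounded model reduces the shift count mod 32, as x86 shift instructions do, because shifting a 32-bit value by 32 or more is undefined in C.

```c
#include <stdint.h>
#include <stdio.h>

#define MASK_BITS 32u   /* assumed bound: width of a BMP bit-field mask */

/* Model of the loop quoted from coders/bmp.c, with no bound on `sample`.
   Shifting a 32-bit value by >= 32 is undefined in C; the count is reduced
   mod 32 here, as x86 shift instructions do. Returns 1 if the loop exits
   within `budget` steps, 0 if it is still spinning. */
static int unbounded_loop_exits(uint32_t mask, unsigned budget)
{
    unsigned sample = 0, steps = 0;
    if (mask != 0)                       /* find the top set bit first */
        while (((mask << sample) & 0x80000000u) == 0)
            sample++;
    while (((mask << (sample & 31u)) & 0x80000000u) != 0) {
        sample++;
        if (++steps > budget)
            return 0;
    }
    return 1;
}

/* Bounded form: `sample` can never reach a shift count of 32 or more.
   Returns the width of the top run of set bits; *shift gets its offset. */
static unsigned mask_width(uint32_t mask, unsigned *shift)
{
    unsigned s = 0, sample;
    if (mask != 0)
        while (s < MASK_BITS && ((mask << s) & 0x80000000u) == 0)
            s++;
    sample = s;
    while (sample < MASK_BITS && ((mask << sample) & 0x80000000u) != 0)
        sample++;
    *shift = s;
    return sample - s;
}

int main(void)
{
    /* constructed sample masks: RGB565 green, 8-bit green, the crafted value */
    const uint32_t masks[] = { 0x000007E0u, 0x0000FF00u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof masks / sizeof masks[0]; i++) {
        unsigned shift, bits = mask_width(masks[i], &shift);
        printf("mask=0x%08X unbounded_exits=%d shift=%u bits=%u\n",
               (unsigned)masks[i], unbounded_loop_exits(masks[i], 1000u), shift, bits);
    }
    return 0;
}
```

Under this model, `0xFFFFFFFF` is the only mask for which the unbounded loop never exits, because the wrapped shift count keeps presenting a set top bit.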
Preconditions
- input: A crafted BMP image file with a manipulated bit-field mask value.
Reproduction
The following command can be used to trigger the vulnerability with a crafted BMP file (POC): `gm convert $POC OUTPUT` [1]
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- www.debian.org/security/2018/dsa-4321 (mitre, vendor-advisory, x_refsource_DEBIAN)
- hg.graphicsmagick.org/hg/GraphicsMagick/rev/52a91ddb1aa6 (mitre, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2018/01/msg00018.html (mitre, mailing-list, x_refsource_MLIST)
- lists.debian.org/debian-lts-announce/2018/08/msg00002.html (mitre, mailing-list, x_refsource_MLIST)
- sourceforge.net/p/graphicsmagick/bugs/541/ (mitre, x_refsource_MISC)