Unrated severity · NVD Advisory · Published Apr 8, 2019 · Updated Aug 4, 2024

CVE-2019-11006

Description

A heap-based buffer over-read in GraphicsMagick's ReadMIFFImage function allows denial of service or information disclosure via a crafted MIFF file with an RLE packet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-based buffer over-read exists in the ReadMIFFImage function of coders/miff.c in GraphicsMagick 1.4 snapshot-20190322 Q8 and earlier versions. The flaw occurs when processing a specially crafted MIFF image file containing an RLE (run-length encoding) packet, which triggers a read beyond the allocated heap buffer boundary. The over-read is located at line 1839 of coders/miff.c, as identified by AddressSanitizer [1].

Exploitation

An attacker can exploit this vulnerability by providing a malicious MIFF image file to the GraphicsMagick convert command (e.g., `./utilities/gm convert malicious.miff /dev/null`). No special authentication or elevated privileges are required; the user only needs to process the malformed file with GraphicsMagick. The heap buffer over-read is triggered directly during image decoding without any additional user interaction beyond file opening [1].

Impact

Successful exploitation results in a heap-buffer over-read, which can cause a denial of service (application crash) or potentially lead to information disclosure via out-of-bounds memory reads. The vulnerability does not directly provide remote code execution, but memory corruption could be leveraged in combination with other bugs [1].

Mitigation

As of the publication date (April 8, 2019), no patched version has been released. Users are advised to avoid processing untrusted MIFF images with GraphicsMagick 1.4 snapshot-20190322 or earlier. The vendor may issue a fix in a future release; monitoring the GraphicsMagick bug tracker [1] is recommended.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds check in the RLE decoding loop of ReadMIFFImage allows reading one byte past the allocated heap buffer."

Attack vector

An attacker supplies a crafted MIFF image file containing a malformed RLE (run-length encoded) packet. When GraphicsMagick's `gm convert` command processes this file, the `ReadMIFFImage` function reads one byte beyond the allocated heap buffer at line 1839 of `coders/miff.c` [1]. The over-read can cause a crash (denial of service) or leak heap memory contents (information disclosure). No authentication or special network access is required beyond delivering the malicious file to the converter.

Affected code

The heap buffer over-read occurs in the function `ReadMIFFImage` in `coders/miff.c` at line 1839. The allocation happens at line 1613 in the same function via `MagickMalloc`.

What the fix does

The advisory does not include a patch. The root cause is that the RLE decoding loop at line 1839 does not validate that the next read position stays within the bounds of the allocated pixel buffer. A proper fix would add a length check before the read at that location, ensuring the offset does not exceed the allocation size obtained at line 1613.
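
The kind of length check described above, as an added example: this is not GraphicsMagick's code or its fix. The function name, its parameters and the simplified packet layout (sample bytes followed by one byte holding run length minus one) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified RLE decoder; not code from coders/miff.c.
 * Assumed packet layout: sample_size bytes of pixel data followed by one
 * byte holding (run length - 1). `out` must hold out_pixels * sample_size
 * bytes. Returns 0 on success, -1 on malformed or truncated input. */
int rle_decode_checked(const unsigned char *in, size_t in_len,
                       size_t sample_size,
                       unsigned char *out, size_t out_pixels)
{
    size_t pos = 0;      /* read offset into `in` */
    size_t written = 0;  /* pixels written to `out` so far */

    if (in == NULL || out == NULL || sample_size == 0)
        return -1;

    while (written < out_pixels) {
        /* Validate the whole packet, including its trailing length byte,
         * before reading any of it. Comparing the bytes that remain
         * (pos never exceeds in_len) avoids integer wrap-around. */
        if (in_len - pos <= sample_size)
            return -1;  /* truncated packet: stop instead of over-reading */

        const unsigned char *sample = in + pos;
        size_t run = (size_t)in[pos + sample_size] + 1;
        pos += sample_size + 1;

        /* Reject a run that would write past the output buffer. */
        if (run > out_pixels - written)
            return -1;

        for (size_t i = 0; i < run; i++)
            memcpy(out + (written + i) * sample_size, sample, sample_size);
        written += run;
    }
    return 0;
}

int main(void)
{
    /* Constructed input: two RGB packets, each with run length 2. */
    const unsigned char data[] = {1, 2, 3, 1,  9, 9, 9, 1};
    unsigned char out[4 * 3];

    printf("complete:  %d\n", rle_decode_checked(data, sizeof data, 3, out, 4));
    printf("truncated: %d\n", rle_decode_checked(data, sizeof data - 1, 3, out, 4));
    return 0;
}
```

The truncated case drops only the final length byte, the one-byte shortfall the root cause describes, and the decoder returns an error rather than reading it.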

Preconditions

  • input: The attacker must supply a crafted MIFF image file with a malformed RLE packet.
  • config: The victim must run GraphicsMagick's `gm convert` (or any code path that calls `ReadMIFFImage`) on the malicious file.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7
