CVE-2019-11470
Description
The cineon parser in ImageMagick 7.0.8-26 Q16 lacks bounds checking, enabling a crafted Cineon file to cause uncontrolled memory allocation and CPU consumption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The cineon parser in ImageMagick 7.0.8-26 Q16 lacks bounds checking, enabling a crafted Cineon file to cause uncontrolled memory allocation and CPU consumption.
Vulnerability
The cineon parsing component (ReadCINImage in coders/cin.c) of ImageMagick 7.0.8-26 Q16 does not validate that the declared image dimensions (columns * rows) match the actual data available in the file. When a Cineon file contains an image size larger than the file's real blob size, the parser allocates a huge pixel buffer and then loops indefinitely while attempting to fill it, exhausting CPU and memory resources. This is a denial-of-service via uncontrolled resource consumption [1][4].
Exploitation
An attacker needs only to craft a Cineon image with an incorrect, inflated image size (e.g., a claimed resolution of 262,146 × 458,752 columns × rows) and supply this file to an ImageMagick process (such as convert). No special privileges are required; the attack is triggered simply by converting the file. The vulnerability does not require authentication if the application accepts user-uploaded Cineon files [1].
Impact
Successful exploitation causes the target process to allocate massive amounts of memory and spend excessive CPU time, effectively denying service to legitimate users. No arbitrary code execution or data disclosure is reported; the impact is limited to uncontrolled resource consumption (DoS) [1].
Mitigation
A fix was committed on 18 April 2019 in commit e3cdce6fe12193f235b8c0ae5efe6880a25eb957 [4]. The commit adds a check: if (MagickSizeType) image->columns * image->rows > GetBlobSize(image), the parser throws a CorruptImageError and stops processing [4]. Patched versions are 7.0.8-27 and later. Users of Fedora and other distributions should update to the patched package. No workaround other than upgrading is available [1][4].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
187.0.1-0, 7.0.1-1, 7.0.1-10, …+ 1 more
- (no CPE)range: 7.0.1-0, 7.0.1-1, 7.0.1-10, …
- (no CPE)range: <= 7.0.8-26 Q16
- osv-coords16 versionspkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.1pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP3pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP4
< 7.0.7.34-lp151.7.3.1+ 15 more
- (no CPE)range: < 7.0.7.34-lp151.7.3.1
- (no CPE)range: < 7.0.7.34-lp151.7.3.1
- (no CPE)range: < 6.8.8.1-71.123.2
- (no CPE)range: < 6.8.8.1-71.123.2
- (no CPE)range: < 7.0.7.34-3.61.3
- (no CPE)range: < 7.0.7.34-3.61.3
- (no CPE)range: < 7.0.7.34-3.61.3
- (no CPE)range: < 7.0.7.34-3.61.3
- (no CPE)range: < 6.8.8.1-71.123.2
- (no CPE)range: < 6.8.8.1-71.123.2
- (no CPE)range: < 6.8.8.1-71.123.2
- (no CPE)range: < 6.8.8.1-71.123.2
- (no CPE)range: < 6.8.8.1-71.123.2
- (no CPE)range: < 6.8.8.1-71.123.2
- (no CPE)range: < 6.8.8.1-71.123.2
- (no CPE)range: < 6.8.8.1-71.123.2
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation in ReadCINImage allows a crafted Cineon header to claim an image size far larger than the actual file data, causing uncontrolled resource consumption."
Attack vector
An attacker crafts a Cineon image file whose header declares a very large image size (e.g., 262146×458752 pixels) but whose body contains little or no pixel data [ref_id=1]. When ImageMagick's `convert` (or any tool that calls `ReadCINImage`) processes this file, it allocates resources and begins iterating over the claimed pixel grid, causing excessive CPU consumption as the loop runs for an enormous number of iterations [ref_id=1]. The attacker needs only to supply the malicious file to the victim; no authentication or special network access is required.
Affected code
The vulnerability resides in `ReadCINImage` in `coders/cin.c` [ref_id=1]. The function reads the claimed image dimensions (width and height) from the Cineon file header but does not verify that the file actually contains enough pixel data to match those dimensions [ref_id=1]. This allows a crafted file to specify an extremely large image size (e.g., 0x40002 columns by 0x70000 rows) while containing far less actual data [ref_id=1].
What the fix does
The issue report notes that ImageMagick version 6.9.7-4 already had a safety check that produced the error "width or height exceeds limit" for such files, but version 7.0.8-26 lacked this check [ref_id=1]. The fix should add a validation in `ReadCINImage` that compares the claimed image dimensions against the actual available data in the file, rejecting the image if the claimed size would require more pixel data than the file contains [ref_id=1]. No patch diff is included in the bundle, so the exact committed fix is not shown.
Preconditions
- inputVictim must process a crafted Cineon file using ImageMagick 7.0.8-26 Q16
- authNo authentication or special privileges required
Reproduction
1. Obtain or create a crafted Cineon file (`c.cin`) with a header declaring a large image size (e.g., columns=0x40002, rows=0x70000) but containing insufficient pixel data. 2. Run `convert c.cin /tmp/test.bmp` (or any output format) using ImageMagick 7.0.8-26 Q16. 3. Observe that the process consumes excessive CPU time and does not complete in a reasonable timeframe [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
10- lists.opensuse.org/opensuse-security-announce/2019-06/msg00057.htmlmitrevendor-advisoryx_refsource_SUSE
- lists.opensuse.org/opensuse-security-announce/2019-07/msg00001.htmlmitrevendor-advisoryx_refsource_SUSE
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PF62B5PJA2JDUOCKJGUQO3SPL74BEYSV/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WHIKB4TP6KBJWT2UIPWL5MWMG5QXKGEJ/mitrevendor-advisoryx_refsource_FEDORA
- usn.ubuntu.com/4034-1/mitrevendor-advisoryx_refsource_UBUNTU
- www.debian.org/security/2020/dsa-4712mitrevendor-advisoryx_refsource_DEBIAN
- github.com/ImageMagick/ImageMagick/commit/e3cdce6fe12193f235b8c0ae5efe6880a25eb957mitrex_refsource_MISC
- github.com/ImageMagick/ImageMagick/issues/1472mitrex_refsource_MISC
- lists.debian.org/debian-lts-announce/2019/10/msg00028.htmlmitremailing-listx_refsource_MLIST
- lists.debian.org/debian-lts-announce/2020/08/msg00030.htmlmitremailing-listx_refsource_MLIST
News mentions
0No linked articles in our index yet.