CVE-2019-11506
Description
Heap-buffer-overflow in GraphicsMagick's WriteMATLABImage when processing crafted .mat files, enabling denial of service or other impact.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-based buffer overflow vulnerability exists in GraphicsMagick's WriteMATLABImage function within coders/mat.c. Affected versions range from 1.3.30 up to and including the 1.4 snapshot-20190403 for the Q8 quantum depth. The overflow occurs in ExportRedQuantumType in magick/export.c when writing a MATLAB image file, as a result of insufficient bounds checking during pixel export operations [1].
Exploitation
An attacker can trigger the overflow by providing a specially crafted MAT image file and using the `gm convert` command to write it to a .mat output file [1]. No authentication or special privileges are required; the attacker only needs to trick the user into processing the malicious file. The proof-of-concept from the bug report demonstrates that the crash reproduces reliably with the command `./gm convert ./heap-buffer-overflow_WriteMATLABImage ./out.mat` [1].
Impact
Successful exploitation causes a heap-buffer-overflow write of size 1, leading to a denial of service via process crash. The description notes the possibility of “unspecified other impact,” implying that under certain conditions the overflow may be leveraged for arbitrary code execution, though no such exploit is documented in the available references [1].
Mitigation
As of the publication date (2019-04-24), no patched version has been released; users should restrict processing of untrusted MAT image files or consider using alternative image processing libraries. The vulnerability is disclosed without a fix, and no workaround other than avoiding the affected functionality is provided [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=1.3.30, <=1.4 snapshot-20190403 Q8
- osv-coords (19 versions):
  - pkg:rpm/opensuse/GraphicsMagick&distro=openSUSE%20Leap%2015.0
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.0
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/GraphicsMagick&distro=SUSE%20Package%20Hub%2015
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP3
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP4
- (no CPE) range: < 1.3.29-lp150.3.28.1
- (no CPE) range: < 7.0.7.34-lp151.7.3.1
- (no CPE) range: < 7.0.7.34-lp151.7.3.1
- (no CPE) range: < 7.1.0.9-1.1
- (no CPE) range: < 1.3.29-bp150.2.21.1
- (no CPE) range: < 6.8.8.1-71.123.2
- (no CPE) range: < 6.8.8.1-71.123.2
- (no CPE) range: < 7.0.7.34-3.61.3
- (no CPE) range: < 7.0.7.34-3.61.3
- (no CPE) range: < 7.0.7.34-3.61.3
- (no CPE) range: < 7.0.7.34-3.61.3
- (no CPE) range: < 6.8.8.1-71.123.2
- (no CPE) range: < 6.8.8.1-71.123.2
- (no CPE) range: < 6.8.8.1-71.123.2
- (no CPE) range: < 6.8.8.1-71.123.2
- (no CPE) range: < 6.8.8.1-71.123.2
- (no CPE) range: < 6.8.8.1-71.123.2
- (no CPE) range: < 6.8.8.1-71.123.2
- (no CPE) range: < 6.8.8.1-71.123.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient buffer allocation in WriteMATLABImage (coders/mat.c:1429) leads to a 1-byte heap-buffer-overflow when ExportRedQuantumType (magick/export.c:1372) writes pixel data."
Attack vector
An attacker supplies a crafted image file (e.g., via `gm convert ./crafted.mat ./out.mat`) that triggers a heap-buffer-overflow in `WriteMATLABImage` [ref_id=1]. The overflow is a write of size 1 at `ExportRedQuantumType` in `magick/export.c:1372`, which can cause a denial of service (crash) and potentially other unspecified impacts. No authentication or special network access is required beyond delivering the malformed file to the converter.
Affected code
The heap-buffer-overflow occurs in `WriteMATLABImage` in `coders/mat.c` (line 1481) and the underlying write primitive is in `ExportRedQuantumType` at `magick/export.c:1372`. The allocation happens at `coders/mat.c:1429` via `MagickMalloc`, and the overflow is a 1-byte write past the end of that buffer.
What the fix does
The advisory does not include a patch diff. The recommended remediation is to fix the buffer size calculation or bounds checking in `WriteMATLABImage` (`coders/mat.c`) and/or `ExportRedQuantumType` (`magick/export.c`) so that the allocated buffer is large enough to hold the output data, preventing the 1-byte overrun detected by AddressSanitizer [ref_id=1].
Preconditions
- input: The attacker must provide a crafted image file that, when processed by GraphicsMagick's `WriteMATLABImage`, triggers the heap-buffer-overflow.
- config: The victim must run `gm convert` (or another command that invokes `WriteImage`) on the attacker-supplied file.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2019-05/msg00020.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-05/msg00021.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-05/msg00055.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-06/msg00057.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-07/msg00001.html (mitre, vendor-advisory, x_refsource_SUSE)
- usn.ubuntu.com/4207-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2020/dsa-4640 (mitre, vendor-advisory, x_refsource_DEBIAN)
- hg.graphicsmagick.org/hg/GraphicsMagick/rev/57ac0ae85e2a (mitre, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2019/05/msg00027.html (mitre, mailing-list, x_refsource_MLIST)
- sourceforge.net/p/graphicsmagick/bugs/604/ (mitre, x_refsource_MISC)