CVE-2019-13297
Description
ImageMagick 7.0.8-50 Q16 has a heap-buffer-over-read in AdaptiveThresholdImage when a height of zero is not handled, leading to crash or potential info disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ImageMagick 7.0.8-50 Q16 has a heap-buffer-over-read in AdaptiveThresholdImage when a height of zero is not handled, leading to crash or potential info disclosure.
Vulnerability
In ImageMagick 7.0.8-50 Q16, the AdaptiveThresholdImage function in MagickCore/threshold.c is vulnerable to a heap-based buffer over-read. The issue occurs because the function checks for a width of zero but neglects to validate whether the height is zero. When an image with a zero height is processed, the code proceeds to read beyond the allocated heap buffer, causing a crash or potential information disclosure. Affected versions include ImageMagick 7.0.8-50 and earlier versions that do not include the fix. The problem was reported in [1] and fixed in commit [3] for version 7 and commit [2] for version 6.
Exploitation
An attacker can trigger the vulnerability by providing a crafted image file that causes the AdaptiveThresholdImage function to be called with a height of zero. The proof-of-concept command from [1] is: `` magick -seed 0 -dispose Background "(" magick:netscape -lat 514x0-41 ")" "(" magick:granite -charcoal 3 -level 0%,125,0.328 ")" -combine -print "" tmp ``
No authentication or special privileges are required; the attacker only needs to convince a user or automated process to process the crafted image with ImageMagick.
Impact
Successful exploitation results in a heap-buffer-over-read, which can lead to a denial of service (crash) or potentially the disclosure of sensitive memory contents. The AddressSanitizer log from [1] shows a READ of size 4 at a wild pointer, indicating that adjacent heap data could be read. The privilege level is that of the process running ImageMagick, which may be a user's application or a server-side image processor.
Mitigation
The vulnerability is fixed in ImageMagick version 7.0.8-51 and later, as well as in ImageMagick 6 with commit [2]. Users should upgrade to a patched version immediately. The fix adds a check for both width and height being zero, returning early if either is zero. No workaround is available if an upgrade is not possible. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
13- ImageMagick/ImageMagickdescription
- Range: 7.0.8-50
- osv-coords11 versionspkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.1pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP4
< 7.0.7.34-lp151.7.9.1+ 10 more
- (no CPE)range: < 7.0.7.34-lp151.7.9.1
- (no CPE)range: < 7.0.7.34-lp151.7.9.1
- (no CPE)range: < 6.8.8.1-71.126.1
- (no CPE)range: < 7.0.7.34-3.67.1
- (no CPE)range: < 7.0.7.34-3.67.1
- (no CPE)range: < 7.0.7.34-3.67.1
- (no CPE)range: < 7.0.7.34-3.67.1
- (no CPE)range: < 6.8.8.1-71.126.1
- (no CPE)range: < 6.8.8.1-71.126.1
- (no CPE)range: < 6.8.8.1-71.126.1
- (no CPE)range: < 6.8.8.1-71.126.1
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Mishandling of a height of zero in AdaptiveThresholdImage leads to a heap-based buffer over-read."
Attack vector
An attacker provides a crafted image with a zero height parameter to the `-lat` (local adaptive threshold) operator, e.g. `-lat 514x0-41` [ref_id=1]. When ImageMagick processes this image via the `AdaptiveThresholdImage` function in `MagickCore/threshold.c`, the zero height causes an out-of-bounds read at line 328 [ref_id=1]. The attack is triggered through the command-line interface with no special privileges beyond the ability to invoke ImageMagick on a malicious input [ref_id=1].
Affected code
The heap-buffer-overflow occurs in `AdaptiveThresholdImage` at `MagickCore/threshold.c:328:11` [ref_id=1]. The function is called when the `-lat` (local adaptive threshold) operator is used via the CLI, as shown in the call chain through `CLISimpleOperatorImage` and `CLIOption` [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] identifies the bug as a heap-buffer-overflow at `MagickCore/threshold.c:328:11` in `AdaptiveThresholdImage` caused by a height of zero being mishandled. A proper fix would need to validate that the height parameter is greater than zero before proceeding with the adaptive threshold computation, preventing the out-of-bounds memory access.
Preconditions
- inputAttacker must supply an image and a `-lat` geometry string with a zero height (e.g., `514x0-41`).
- networkNo network precondition; the attack is local command-line invocation.
Reproduction
Run the following command with a vulnerable ImageMagick 7.0.8-50 build (compiled with ASAN for detection): `magick -seed 0 -dispose Background "(" magick:netscape -lat 514x0-41 ")" "(" magick:granite -charcoal 3 -level 0%,125,0.328 ")" -combine -print "" tmp` [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- lists.opensuse.org/opensuse-security-announce/2019-08/msg00069.htmlmitrevendor-advisoryx_refsource_SUSE
- usn.ubuntu.com/4192-1/mitrevendor-advisoryx_refsource_UBUNTU
- www.debian.org/security/2020/dsa-4712mitrevendor-advisoryx_refsource_DEBIAN
- github.com/ImageMagick/ImageMagick/commit/604588fc35c7585abb7a9e71f69bb82e4389fefcmitrex_refsource_MISC
- github.com/ImageMagick/ImageMagick/issues/1609mitrex_refsource_MISC
- github.com/ImageMagick/ImageMagick6/commit/35c7032723d85eee7318ff6c82f031fa2666b773mitrex_refsource_MISC
- lists.debian.org/debian-lts-announce/2019/08/msg00021.htmlmitremailing-listx_refsource_MLIST
- lists.debian.org/debian-lts-announce/2020/08/msg00030.htmlmitremailing-listx_refsource_MLIST
News mentions
0No linked articles in our index yet.