VYPR
Unrated severity · NVD Advisory · Published Jul 5, 2019 · Updated Aug 4, 2024

CVE-2019-13298


Description

A heap-buffer overflow exists in ImageMagick 7.0.8-50 Q16's SetPixelViaPixelInfo when processing enhanced images.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

A heap-based buffer overflow exists in ImageMagick version 7.0.8-50 Q16, located in the function SetPixelViaPixelInfo at MagickCore/pixel-accessor.h:804. The error originates from MagickCore/enhance.c in EnhanceImage, where a call to SetPixelViaPixelInfo passes the wrong image pointer (image instead of enhance_image). This leads to writing beyond the allocated pixel region of the output image, causing a heap-buffer-overflow. The issue is triggered when using the -enhance operation, as shown in the reproduction command in [1].

Exploitation

An attacker can trigger the vulnerability by providing a crafted image and invoking the `-enhance` operation via the command line. The reproduction command uses `magick -seed 0 '(' magick:netscape -random-threshold 66x4 -resize 72%+20-45 ')' '(' magick:netscape -shear 40 -enhance ')' tmp`. This causes EnhanceImage to call SetPixelViaPixelInfo with the wrong image parameter, leading to memory corruption. No special privileges are required beyond the ability to execute ImageMagick on a malicious input. The issue is local, but could be exploited remotely if ImageMagick is used in a service processing user-uploaded images.

Impact

Successful exploitation results in a heap-buffer-overflow, allowing an attacker to corrupt memory. This can lead to arbitrary code execution (RCE) or denial of service (crash). The write is of a Quantum value (4 bytes) at a computed offset, potentially corrupting adjacent image data or other heap structures. The impact on confidentiality, integrity, and availability is high because of the potential for RCE.

Mitigation

The issue was fixed in commit d4fc44b58a14f76b1ac997517d742ee12c9dc5d3 [2]. The fix changes the SetPixelViaPixelInfo call to use the correct enhance_image pointer, and also corrects an off-by-one error in GetPixelChannel by adjusting the channel_map indexing. Users should update to a version of ImageMagick containing this commit (e.g., 7.0.8-51 or later). No workaround is available other than avoiding the -enhance operation. This CVE is not listed in the known exploited vulnerabilities (KEV) catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8


Vulnerability mechanics

Root cause

"In `EnhanceImage`, `SetPixelViaPixelInfo` is called with the source `image` pointer instead of the destination `enhance_image` pointer, causing a heap-buffer-overflow when writing pixel data."

Attack vector

An attacker triggers the bug by running ImageMagick with a crafted command line that includes the `-enhance` operator on specially constructed input images. The reproducer uses `magick -seed 0 "(" magick:netscape -random-threshold 66x4 -resize 72%+20-45 ")" "(" magick:netscape -shear 40 -enhance ")" tmp` [ref_id=1]. The `EnhanceImage` function writes pixel data using `SetPixelViaPixelInfo` with the wrong image pointer (`image` instead of `enhance_image`), causing a write past the allocated heap buffer for the enhanced image [ref_id=2].

Affected code

The heap-buffer-overflow occurs at `MagickCore/pixel-accessor.h:804:56` in `SetPixelViaPixelInfo`, called from `MagickCore/enhance.c:1976` in the `EnhanceImage` function [ref_id=1]. The patch modifies line 1976 of `MagickCore/enhance.c` and line 114 of `MagickCore/pixel-accessor.h` [ref_id=2].

What the fix does

The patch fixes two distinct bugs. First, in `MagickCore/enhance.c:1976`, the call `SetPixelViaPixelInfo(image,&pixel,q)` is corrected to `SetPixelViaPixelInfo(enhance_image,&pixel,q)` — the original code passed the source `image` instead of the destination `enhance_image`, causing pixel data to be written into the wrong image's pixel cache and overflowing the buffer [ref_id=2]. Second, in `MagickCore/pixel-accessor.h:114`, the channel lookup `image->channel_map[image->channel_map[channel].offset].traits` is corrected to `image->channel_map[channel].traits`, fixing an out-of-bounds array access when `channel` is used as an index into `channel_map` [ref_id=2].
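The first bug can be modelled in a few lines of C. This is an added illustration, not ImageMagick source or code from the fix commit: `ToyImage`, `audit_row` and the RGBA/RGB layouts are constructed assumptions (the page does not state the actual channel layouts), and the model only classifies write indices instead of performing the writes.

```c
#include <stddef.h>
#include <stdio.h>

enum { RED, GREEN, BLUE, ALPHA, NCHAN };

/* Hypothetical stand-in for an image's per-pixel channel layout. */
typedef struct {
    size_t columns;        /* pixels per row */
    size_t channels;       /* Quantum slots per pixel (stride) */
    int    offset[NCHAN];  /* slot of each channel inside a pixel, -1 if absent */
} ToyImage;

typedef struct { size_t stray; size_t overflow; } WriteAudit;

/* Walk one row of `dst` the way a per-pixel setter would, but take the
   channel slots from `layout`. Each index is classified, never written. */
static WriteAudit audit_row(const ToyImage *layout, const ToyImage *dst)
{
    WriteAudit a = {0, 0};
    size_t row_len = dst->columns * dst->channels;
    for (size_t x = 0; x < dst->columns; x++) {
        size_t base = x * dst->channels;   /* pointer advances by dst stride */
        for (int c = 0; c < NCHAN; c++) {
            if (layout->offset[c] < 0)
                continue;                  /* channel absent in this layout */
            size_t off = (size_t)layout->offset[c];
            if (base + off >= row_len)
                a.overflow++;              /* past the end of the row buffer */
            else if (off >= dst->channels)
                a.stray++;                 /* lands in a neighbouring pixel */
        }
    }
    return a;
}

/* Constructed sample layouts: 4-pixel rows, RGBA source, RGB destination. */
static const ToyImage SRC = {4, 4, {0, 1, 2, 3}};
static const ToyImage DST = {4, 3, {0, 1, 2, -1}};

int main(void)
{
    WriteAudit bad  = audit_row(&SRC, &DST);  /* layout of the wrong image */
    WriteAudit good = audit_row(&DST, &DST);  /* layout of the destination */
    printf("source layout: stray=%zu overflow=%zu\n", bad.stray, bad.overflow);
    printf("dest layout:   stray=%zu overflow=%zu\n", good.stray, good.overflow);
    return 0;
}
```

With the source layout, three writes land in a neighbouring pixel and one falls past the end of the row; with the destination layout every write stays inside its own pixel.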

Preconditions

  • input: Attacker must provide input that triggers the `-enhance` operator (e.g., via command-line invocation)
  • input: The `-enhance` operator must be applied to an image whose dimensions cause the destination pixel cache to be smaller than the source

Reproduction

Run the following command with a build of ImageMagick 7.0.8-50 Q16 compiled with AddressSanitizer: `magick -seed 0 "(" magick:netscape -random-threshold 66x4 -resize 72%+20-45 ")" "(" magick:netscape -shear 40 -enhance ")" tmp` [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
