VYPR
Unrated severity · NVD Advisory · Published Jul 5, 2019 · Updated Aug 4, 2024

CVE-2019-13299

Description

ImageMagick 7.0.8-50 Q16 suffers a heap-buffer over-read in GetPixelChannel via crafted image processing, leading to potential information disclosure or crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-based buffer over-read vulnerability exists in ImageMagick 7.0.8-50 Q16 within the `GetPixelChannel` function defined in `MagickCore/pixel-accessor.h` at line 116. The issue occurs when the function accesses `image->channel_map[channel].offset` without first verifying that the channel's traits are not `UndefinedPixelTrait`. When processing a crafted command such as `magick -seed 0 "(" magick:netscape -monochrome ")" "(" magick:netscape +repage ")" -geometry 433%-80-57 -adjoin -evaluate-sequence Median`, an invalid offset can lead to reading beyond the allocated heap buffer. This affects all installations using the specified version [1].

Exploitation

An attacker can trigger this vulnerability by supplying a specially crafted image or command line to ImageMagick. No authentication or special privileges are required beyond the ability to execute the magick command with the malicious input. The proof-of-concept provided in the issue report demonstrates that simply running the command with the given parameters results in a heap-buffer-overflow, as shown by AddressSanitizer output. The attacker must have local access to the system or be able to deliver the crafted input to a service using ImageMagick [1].

Impact

Successful exploitation results in a heap-buffer-over-read, which may cause a denial of service (crash) or lead to information disclosure by exposing sensitive data from adjacent heap memory. The vulnerability is classified as a high-severity issue due to the potential for memory leakage. It does not allow for arbitrary write or code execution based on the available information [1][2].

Mitigation

The issue was fixed in commit `8187d2d8fd010d2d6b1a3a8edd935beec404dddc` by adding a proper bounds check: `image->channel_map[image->channel_map[channel].offset].traits` is now verified before access [2]. Users should upgrade to a version of ImageMagick that includes this fix. As a workaround, avoid processing untrusted images with the affected version until an update can be applied.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds checking in GetPixelChannel allows reading beyond the allocated pixel cache boundary during EvaluateImages."

Attack vector

An attacker triggers the bug by running a crafted ImageMagick command that processes images with specific geometry and sequence operations. The reproducer command uses `magick -seed 0`, nested `magick:netscape` images with `-monochrome`, `+repage`, `-geometry 433%-80-57`, `-adjoin`, and `-evaluate-sequence Median` [ref_id=1]. This causes a heap-buffer-overflow read of 4 bytes at a location 0 bytes to the right of a 248832-byte pixel cache allocation [ref_id=1]. No authentication or special privileges are required beyond the ability to invoke the `magick` binary with the attacker-controlled arguments.

Affected code

The heap-buffer-overflow occurs in `GetPixelChannel` at `MagickCore/pixel-accessor.h:116:10` [ref_id=1]. The call chain shows the read originates from `EvaluateImages` in `MagickCore/statistic.c:587:33` [ref_id=1]. No patch is provided in the bundle.

What the fix does

No patch is included in the bundle. The advisory [ref_id=1] reports the heap-buffer-overflow but does not provide a fix commit or remediation guidance. Based on the ASAN report, the overflow occurs when `GetPixelChannel` reads beyond the allocated pixel cache boundary during `EvaluateImages`, suggesting bounds checking on pixel channel access needs to be added or corrected.
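A simplified model of the accessor pattern, covering both the trait check described under Mitigation and the bounds check suggested above. This is an added example, not ImageMagick source and not code from the advisory; the struct layout, the helpers `cache_len`, `unchecked_index`, `get_channel_checked` and `make_two_channel_image`, and the 4x2 sample image are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model; names echo the advisory but this is not ImageMagick code. */
typedef enum { UndefinedPixelTrait = 0, UpdatePixelTrait = 2 } PixelTrait;
typedef struct { PixelTrait traits; size_t offset; } ChannelMap;
enum { RedChannel, GreenChannel, BlueChannel, MaxChannels };
typedef struct {
  size_t columns, rows, channels;      /* channels = floats stored per pixel */
  ChannelMap channel_map[MaxChannels];
  float *cache;                        /* columns*rows*channels floats */
} Image;

/* Number of floats in the pixel cache. */
static size_t cache_len(const Image *im) {
  return im->columns * im->rows * im->channels;
}

/* Index an unchecked accessor would dereference: pixel base + map offset. */
static size_t unchecked_index(const Image *im, size_t px, int ch) {
  return px * im->channels + im->channel_map[ch].offset;
}

/* Hardened accessor: reject undefined channels and any index past the cache. */
static float get_channel_checked(const Image *im, size_t px, int ch) {
  if (im->channel_map[ch].traits == UndefinedPixelTrait) return 0.0f;
  size_t idx = unchecked_index(im, px, ch);
  if (px >= im->columns * im->rows || idx >= cache_len(im)) return 0.0f;
  return im->cache[idx];
}

/* Constructed sample: 4x2 image storing two channels per pixel; the blue
   entry is undefined but still carries offset 2 (a stale value). */
static Image make_two_channel_image(void) {
  Image im = { 4, 2, 2, { {UpdatePixelTrait, 0}, {UpdatePixelTrait, 1},
                          {UndefinedPixelTrait, 2} }, NULL };
  im.cache = calloc(cache_len(&im), sizeof(float));
  for (size_t i = 0; im.cache && i < cache_len(&im); i++) im.cache[i] = (float)(i + 1);
  return im;
}

int main(void) {
  Image im = make_two_channel_image();
  if (!im.cache) return 1;
  size_t last = im.columns * im.rows - 1;
  printf("unchecked index %zu, cache length %zu\n",
         unchecked_index(&im, last, BlueChannel), cache_len(&im));
  printf("checked read: %.1f\n", get_channel_checked(&im, last, BlueChannel));
  free(im.cache);
  return 0;
}
```

At the last pixel the unchecked index equals the cache length, so the read would start immediately past the end of the allocation, the same position relative to the buffer that the ASAN report gives for the real over-read.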

Preconditions

  • Input: Attacker must be able to invoke the ImageMagick `magick` binary with arbitrary command-line arguments
  • Input: The command must include the specific sequence of options: `-seed 0`, nested `magick:netscape` images, `-monochrome`, `+repage`, `-geometry 433%-80-57`, `-adjoin`, `-evaluate-sequence Median`

Reproduction

Run the following command with a build of ImageMagick 7.0.8-50 Q16 compiled with AddressSanitizer: `magick -seed 0 "(" magick:netscape -monochrome ")" "(" magick:netscape +repage ")" -geometry 433%-80-57 -adjoin -evaluate-sequence Median tmp` [ref_id=1]. The ASAN report confirms a heap-buffer-overflow read of size 4 at `GetPixelChannel` in `pixel-accessor.h:116` [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
