CVE-2019-13300
Description
ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow in EvaluateImages due to mishandling columns when processing images with different widths.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
ImageMagick 7.0.8-50 Q16 suffers a heap-based buffer overflow in EvaluateImages within MagickCore/statistic.c. The root cause is in AcquirePixelThreadSet, which allocates pixel thread buffers based on the width of the first image in a list (image->columns) instead of the maximum width across all images. When multiple images with varying column counts are processed (e.g., via -evaluate-sequence Log), a write operation can overflow the allocated buffer. This issue is reported in [1] and affects versions up to 7.0.8-50.
Exploitation
An attacker can trigger the vulnerability by providing a specially crafted ImageMagick command that processes a sequence of images with different widths. The example command from [1] uses magick ... -evaluate-sequence Log with images like magick:rose (302 columns) and magick:granite (different width). No authentication is required if the attacker can execute the command locally or via a service that processes user-supplied images.
Impact
Successful exploitation results in a heap-based buffer overflow, leading to memory corruption. This can potentially be leveraged for arbitrary code execution or denial of service, depending on the heap layout and the attacker's control over the overflow data. The vulnerability is rated with a CVSS score of 8.8 (High), indicating high impact on confidentiality, integrity, and availability.
Mitigation
The vulnerability is fixed in ImageMagick commits [2] (ImageMagick6) and [3] (ImageMagick), which modify AcquirePixelThreadSet to compute the maximum column width across all images before allocating buffers. Users should update to a version including these changes or apply the patches. As of the publication date, no known workarounds exist other than avoiding the use of the -evaluate-sequence operator with images of varying widths.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (13)
- ImageMagick/ImageMagick (description)
- Range: <=7.0.8-50
- osv-coords (11 versions):
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.0
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP4
- (no CPE) range: < 7.0.7.34-lp151.7.9.1
- (no CPE) range: < 7.0.7.34-lp151.7.9.1
- (no CPE) range: < 6.8.8.1-71.126.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 6.8.8.1-71.126.1
- (no CPE) range: < 6.8.8.1-71.126.1
- (no CPE) range: < 6.8.8.1-71.126.1
- (no CPE) range: < 6.8.8.1-71.126.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Mishandling of columns in AcquirePixelThreadSet: the allocation uses only the first image's column count, but subsequent images may have larger widths, leading to a heap-buffer-overflow in EvaluateImages."
Attack vector
An attacker supplies a crafted command line that passes multiple images with differing dimensions to the `-evaluate-sequence Log` operator. The `AcquirePixelThreadSet` function allocates memory based on the first image's column count, but the subsequent `EvaluateImages` loop iterates over the actual (larger) column count of a later image, writing past the allocated buffer [ref_id=1]. The proof-of-concept command uses `magick:rose` (small) and `magick:granite` (larger) with `-evaluate-sequence Log` to trigger the overflow [ref_id=1]. No authentication or special privileges are required; the attacker only needs to invoke the `magick` binary with the crafted arguments.
Affected code
The vulnerability resides in `MagickCore/statistic.c` within the `AcquirePixelThreadSet` function. The function allocates a pixel thread set based solely on `image->columns` (the first image's width), but when processing a list of images (e.g., via `-evaluate-sequence`), subsequent images may have larger column counts. This mismatch causes a heap-buffer-overflow at `statistic.c:654:41` inside the `EvaluateImages` function when writing pixel data beyond the allocated buffer [ref_id=1].
What the fix does
The patch modifies `AcquirePixelThreadSet` to iterate over the entire image list and compute the maximum column count across all images using `MagickMax(next->columns, columns)` [ref_id=2][ref_id=3]. The allocation call is then changed from `AcquireQuantumMemory(image->columns, ...)` to `AcquireQuantumMemory(columns, ...)`, ensuring the buffer is sized for the widest image in the list. The same fix is applied to both the ImageMagick 6 and ImageMagick 7 codebases [ref_id=2][ref_id=3].
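A simplified model of the sizing bug and of the fix described above, as an added example (this is not ImageMagick source; the `Img` struct, the function names and the widths 70 and 128 are constructed stand-ins for the image list and the allocation in `AcquirePixelThreadSet`). It counts the writes that would land past the buffer instead of performing them:

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for an image list node; only the width matters. */
typedef struct Img {
    size_t columns;
    struct Img *next;
} Img;

/* Pre-fix sizing: the shared row buffer is sized from the first image only. */
static size_t row_capacity_first(const Img *list) {
    return list->columns;
}

/* Post-fix sizing: walk the whole list and keep the maximum width. */
static size_t row_capacity_max(const Img *list) {
    size_t columns = list->columns;
    for (const Img *next = list; next != NULL; next = next->next)
        if (next->columns > columns)
            columns = next->columns;
    return columns;
}

/* Models the per-row loop: every image touches `columns` entries of one
 * shared buffer. Only in-bounds writes are performed; the return value is
 * the number of writes that would have gone past `capacity`. */
static size_t evaluate_rows(const Img *list, size_t capacity) {
    double *row = calloc(capacity, sizeof(*row));
    size_t out_of_bounds = 0;
    if (row == NULL)
        return (size_t)-1;
    for (const Img *next = list; next != NULL; next = next->next)
        for (size_t x = 0; x < next->columns; x++) {
            if (x < capacity) row[x] += 1.0;
            else out_of_bounds++;
        }
    free(row);
    return out_of_bounds;
}

/* Constructed sample: a narrow first image followed by a wider one. */
static size_t demo(int fixed) {
    Img wide = {128, NULL};
    Img narrow = {70, &wide};
    size_t cap = fixed ? row_capacity_max(&narrow) : row_capacity_first(&narrow);
    return evaluate_rows(&narrow, cap);
}
```

Putting the wider image first hides the problem under first-image sizing, which is why test inputs for this class of bug need a list whose first element is not the widest.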
Preconditions
- input: The attacker must invoke the `magick` binary with multiple input images of differing widths and the `-evaluate-sequence` operator.
- auth: No authentication or special privileges are required.
Reproduction
Run the following command with a build compiled with AddressSanitizer: `magick "-black-point-compensation" "-interlace" "none" "(" "magick:rose" "-density" "302x531" ")" "(" "magick:granite" "+repage" ")" "-antialias" "-evaluate-sequence" "Log" ""` [ref_id=1]. This triggers a heap-buffer-overflow at `MagickCore/statistic.c:654:41` as confirmed by the ASAN report [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2019-08/msg00069.html (mitre, vendor-advisory, x_refsource_SUSE)
- usn.ubuntu.com/4192-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2020/dsa-4712 (mitre, vendor-advisory, x_refsource_DEBIAN)
- www.debian.org/security/2020/dsa-4715 (mitre, vendor-advisory, x_refsource_DEBIAN)
- github.com/ImageMagick/ImageMagick/commit/a906fe9298bf89e01d5272023db687935068849a (mitre, x_refsource_MISC)
- github.com/ImageMagick/ImageMagick/issues/1586 (mitre, x_refsource_MISC)
- github.com/ImageMagick/ImageMagick6/commit/5e409ae7a389cdf2ed17469303be3f3f21cec450 (mitre, x_refsource_MISC)