CVE-2019-13302
Description
ImageMagick 7.0.8-50 Q16 has a heap-buffer-overread in ComplexImages leading to potential information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ImageMagick 7.0.8-50 Q16 has a heap-buffer-overread in ComplexImages leading to potential information disclosure.
Vulnerability
In ImageMagick version 7.0.8-50 Q16, the ComplexImages function in MagickCore/fourier.c has a heap-based buffer over-read at line 305. The issue occurs when processing images using the -complex operator. Affected versions include 7.0.8-50 and possibly earlier. [1]
Exploitation
An attacker can trigger the vulnerability by providing a crafted command line, such as magick -seed 0 -treedepth 71 "(" magick:logo +repage ")" "(" magick:granite -white-threshold 0% -cycle 256 -lat 815 ")" -bordercolor rgb"("101,151,20")" -blue-primary 638,241 -print "0O." -complex multiply tmp. No authentication or special privileges are required, but the attacker needs to invoke ImageMagick with malformed inputs. [1]
Impact
A heap-buffer-overread can lead to reading out-of-bounds memory, potentially exposing sensitive information (CIA: confidentiality). The CVSS score is not provided, but the impact is limited to information disclosure. [1]
Mitigation
The issue was fixed in commit d5089971bd792311aaab5cb73460326d7ef7f32d, which introduces a number_channels variable to limit the loop bounds. Users should upgrade to a patched version. [2]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
8- ImageMagick/ImageMagickdescription
- Range: = 7.0.8-50 Q16
- osv-coords6 versionspkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.1pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1
< 7.0.7.34-lp151.7.9.1+ 5 more
- (no CPE)range: < 7.0.7.34-lp151.7.9.1
- (no CPE)range: < 7.0.7.34-lp151.7.9.1
- (no CPE)range: < 7.0.7.34-3.67.1
- (no CPE)range: < 7.0.7.34-3.67.1
- (no CPE)range: < 7.0.7.34-3.67.1
- (no CPE)range: < 7.0.7.34-3.67.1
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds check on channel count in ComplexImages loop causes heap-buffer-overflow."
Attack vector
An attacker supplies crafted image arguments to the `magick` command with the `-complex multiply` operator, as shown in the two reproducer commands [ref_id=1]. The bug is triggered when images with differing channel counts are passed to `ComplexImages`, causing the loop at line 305 to read or write beyond the allocated pixel buffer of one of the images [ref_id=2]. No authentication or special privileges are required; the attacker only needs to invoke ImageMagick with the malicious command line.
Affected code
The heap-buffer-overflow occurs in `MagickCore/fourier.c` at line 305 in the `ComplexImages` function [ref_id=1]. The vulnerable loop iterates over `GetPixelChannels(Cr_image)` without ensuring that all source images have the same number of channels, leading to an out-of-bounds read or write [ref_id=2].
What the fix does
The patch introduces a `number_channels` variable computed as the minimum of the channel counts across all six images (`Ar_image`, `Ai_image`, `Br_image`, `Bi_image`, `Cr_image`, `Ci_image`) using `MagickMin` [ref_id=2]. The loop bound is then changed from `GetPixelChannels(Cr_image)` to `number_channels`, ensuring the iteration never exceeds the smallest channel count among the images, thus preventing the heap-buffer-overflow [ref_id=2].
Preconditions
- inputAttacker must provide a command line that invokes the `-complex multiply` operator with crafted image arguments (e.g., using `magick:logo` and `magick:granite` with specific options).
- inputThe images passed to `ComplexImages` must have differing numbers of channels.
Reproduction
Run either of the following commands against ImageMagick 7.0.8-50 Q16 built with AddressSanitizer:
1. `magick -seed 0 -treedepth 71 "(" magick:logo +repage ")" "(" magick:granite -white-threshold 0% -cycle 256 -lat 815 ")" -bordercolor rgb"(101,151,20)" -blue-primary 638,241 -print "0O." -complex multiply tmp`
2. `magick -seed 0 "(" magick:logo +repage ")" "(" magick:logo +repage ")" -render -size 2872 -complex multiply -quiet tmp`
Both trigger a heap-buffer-overflow at `MagickCore/fourier.c:305` in `ComplexImages` [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- lists.opensuse.org/opensuse-security-announce/2019-08/msg00069.htmlmitrevendor-advisoryx_refsource_SUSE
- github.com/ImageMagick/ImageMagick/commit/d5089971bd792311aaab5cb73460326d7ef7f32dmitrex_refsource_MISC
- github.com/ImageMagick/ImageMagick/issues/1597mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.