CVE-2019-13303
Description
ImageMagick 7.0.8-50 Q16 has a heap-buffer-over-read in CompositeImage due to using the wrong image's channel count in a loop, causing an out-of-bounds read.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In ImageMagick 7.0.8-50 Q16, a heap-based buffer over-read exists in the CompositeImage function in MagickCore/composite.c at line 666. The bug occurs because the loop that copies pixel channels iterates based on GetPixelChannels(image) (the destination image) instead of GetPixelChannels(source_image) (the source image). If the source image has fewer channels than the destination, the loop reads beyond the source pixel's allocated memory, causing a heap-buffer-overread [1]. The issue was introduced prior to the fix commit [2]. The vulnerable code path is reachable via magick command-line operations that involve compositing or layer comparisons, such as -layers compare-overlay or -layers compare-any [1].
Exploitation
An attacker can trigger the heap-buffer-overread by crafting a sequence of ImageMagick operations that cause CompositeImage to be called with a source image that has fewer channels than the destination image. The provided reproducer uses magick with -layers compare-overlay and -layers compare-any commands, combined with options like -region, -evaluate-sequence, and -extract, to create images with mismatched channel counts [1]. No authentication or special privileges are required if the attacker can supply the command line or a crafted image file to a victim processing untrusted input. The over-read occurs during normal processing; no race window is needed.
Impact
A successful heap-buffer-overread can lead to information disclosure (reading beyond the allocated buffer) or potentially a crash (denial of service). The ASAN report indicates a read of size 4 at a heap address, which could expose adjacent memory contents [1]. In more severe scenarios, depending on the memory layout, an attacker might exploit the over-read to craft a more serious vulnerability, though the primary impact is information disclosure or crash.
Mitigation
The fix was committed in ImageMagick commit d29148fae06c01ef215940e084cf41853c117bab, which changes the loop in CompositeImage to iterate using GetPixelChannels(source_image) instead of GetPixelChannels(image) [2]. Users should upgrade to ImageMagick version 7.0.8-51 or later, which includes this patch. As a workaround, avoid processing untrusted image files or command lines that use the affected layer comparison operations. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ImageMagick/ImageMagick (description)
- Range: = 7.0.8-50 Q16
- osv-coords, 6 versions:
- pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.0
- pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1
- (no CPE) range: < 7.0.7.34-lp151.7.9.1
- (no CPE) range: < 7.0.7.34-lp151.7.9.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Loop bound mismatch in CompositeImage: iterating over destination image channels while reading from source image pixel pointer causes heap-buffer-over-read."
Attack vector
An attacker provides a crafted command line that triggers `CompositeImage` via the `-layers compare-overlay` or `-layers compare-any` option, causing ImageMagick to composite images with mismatched channel counts [1]. The bug is reached through `CompareImagesLayers` in `MagickCore/layer.c:792`, which calls `CompositeImage` with a `source_image` that has fewer channels than the destination `image` [1]. The attacker does not need authentication or special privileges; they only need to supply a malicious image or command-line arguments that cause the channel mismatch [1].
Affected code
The heap-buffer-over-read occurs in `MagickCore/composite.c` at line 666 in the `CompositeImage` function [1]. The loop iterates over channels using `GetPixelChannels(image)` but then accesses `p[i]`, where `p` is advanced by `GetPixelChannels(source_image)`, causing an out-of-bounds read when the two images have different channel counts [1][2].
What the fix does
The patch [2] changes the loop bound from `GetPixelChannels(image)` to `GetPixelChannels(source_image)`, ensuring the iteration matches the number of channels in the source pixel pointer `p`. It also swaps the order of the `traits` and `source_traits` checks so that `source_traits == UndefinedPixelTrait` is skipped first, and only then checks `traits != UndefinedPixelTrait` before writing. This prevents reading beyond the allocated buffer of the source image pixels and avoids writing uninitialized channel data.
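A simplified model of the loop described under "Affected code" and "What the fix does", added here as an illustration and not taken from ImageMagick's source. `Row`, `ReadAudit`, `copy_row` and `audit_sample` are hypothetical names, the pixel data is constructed, and reads that would leave the source buffer are counted rather than performed.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of one row of packed pixels; not ImageMagick's types. */
typedef struct {
  size_t columns;   /* pixels in the row */
  size_t channels;  /* values per pixel */
  float *pixels;    /* columns * channels values */
} Row;

typedef struct {
  size_t cross_pixel;    /* reads that landed in a neighbouring pixel */
  size_t out_of_buffer;  /* reads that would pass the end of the row */
} ReadAudit;

/* use_source_bound == 0 models the pre-fix loop (bounded by destination
   channels); 1 models the fix. Out-of-range reads are counted and skipped. */
ReadAudit copy_row(const Row *src, Row *dst, int use_source_bound)
{
  ReadAudit audit = {0, 0};
  size_t total = src->columns * src->channels;
  size_t bound = use_source_bound ? src->channels : dst->channels;
  for (size_t x = 0; x < src->columns && x < dst->columns; x++) {
    size_t p = x * src->channels;  /* source advances by its own stride */
    size_t q = x * dst->channels;
    for (size_t i = 0; i < bound; i++) {
      if (p + i >= total) { audit.out_of_buffer++; continue; }
      if (i >= src->channels) audit.cross_pixel++;
      if (i < dst->channels) dst->pixels[q + i] = src->pixels[p + i];
    }
  }
  return audit;
}

/* Constructed sample: 3-pixel source row against a 4-channel destination. */
ReadAudit audit_sample(size_t src_channels, int use_source_bound)
{
  float s[12] = {0}, d[12] = {0};
  Row src = {3, src_channels, s}, dst = {3, 4, d};
  return copy_row(&src, &dst, use_source_bound);
}

int main(void)
{
  ReadAudit bad = audit_sample(3, 0), good = audit_sample(3, 1);
  printf("dest bound:   cross=%zu oob=%zu\n", bad.cross_pixel, bad.out_of_buffer);
  printf("source bound: cross=%zu oob=%zu\n", good.cross_pixel, good.out_of_buffer);
  return 0;
}
```

With the destination bound, every pixel but the last silently picks up a neighbour's value, and only the final pixel's read leaves the buffer, which is why the defect tends to surface under a sanitizer rather than as visibly wrong output.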
Preconditions
- input: The attacker must supply a command line that causes ImageMagick to composite images with mismatched channel counts (e.g., via -layers compare-overlay or -layers compare-any).
- auth: No authentication or special privileges are required; the bug is triggered by processing a crafted image or command-line arguments.
Reproduction
Run the following commands as provided in the issue [1]:
```
magick -seed 0 -sampling-factor 3.307x3.198 "(" magick:granite +repage ")" "(" magick:rose +repage ")" "(" magick:rose +repage ")" -encoding AdobeStandard -extract 285x52^-70-70 -region 75x310-64-51 -evaluate-sequence Min -layers compare-overlay tmp
```
```
magick -seed 0 "(" magick:logo -region 306%-74-69 -lat 886 ")" "(" magick:netscape -level 64 ")" "(" magick:granite -opaque rgb"("12,57,57")" -modulate 94,59,3 -frame 4%-82+23 ")" -comment "B>%C%o" -style Any -layers compare-any tmp
```
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2019-08/msg00069.html (mitre, vendor-advisory, x_refsource_SUSE)
- github.com/ImageMagick/ImageMagick/commit/d29148fae06c01ef215940e084cf41853c117bab (mitre, x_refsource_MISC)
- github.com/ImageMagick/ImageMagick/issues/1603 (mitre, x_refsource_MISC)