VYPR
Unrated severity · NVD Advisory · Published Jul 5, 2019 · Updated Aug 4, 2024

CVE-2019-13304

Description

A stack-based buffer overflow in ImageMagick's WritePNMImage function can be triggered by processing a crafted image file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stack-based buffer overflow exists in ImageMagick 7.0.8-50 Q16 in the `WritePNMImage` function within `coders/pnm.c`. The bug is caused by a misplaced assignment where the space character (`*q++=' '`) is written before the buffer size check, instead of after [1][3]. The code path is reachable when processing a malformed image using the PNM format. Affected versions include ImageMagick 7.0.8-50 and likely earlier versions; ImageMagick 6 is also affected and was patched in commit bfa3b9610c83227894c92b0d312ad327fceb6241 [2].

Exploitation

An attacker can trigger the overflow by providing a crafted image file to ImageMagick (e.g., via the `magick` command). No authentication or special privileges are required; the user or service processing the image simply needs to run the vulnerable `WritePNMImage` code path. The reproducer uses `magick -seed 0 -render "(" magick:rose -sample 846x913^+16+22 -white-threshold 112 ")" -compress None -adjoin tmp` to cause the overflow [1].

Impact

Successful exploitation leads to a stack-based buffer overflow, which can cause a crash (denial of service) or potentially allow arbitrary code execution in the context of the ImageMagick process. The AddressSanitizer log confirms a write of size 1 outside the pixels buffer [1].

Mitigation

The vulnerability is fixed in ImageMagick 7.0.8-51 [3] and in ImageMagick 6 via commit bfa3b9610c83227894c92b0d312ad327fceb6241 [2]. Users should upgrade to the latest patched version. No workarounds are provided. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"A misplaced assignment in WritePNMImage causes a stack-buffer-overflow by writing beyond the bounds of the stack-allocated 'pixels' array."

Attack vector

An attacker can trigger the stack-buffer-overflow by providing a crafted image that, when processed by ImageMagick's `WritePNMImage`, causes a write past the end of the stack-allocated `pixels` array. The reproducer uses `magick -seed 0 -render "(" magick:rose -sample 846x913^+16+22 -white-threshold 112 ")" -compress None -adjoin tmp`, which creates an image of specific dimensions that forces the overflow [ref_id=1]. The attack requires no authentication and can be delivered via any image-processing pipeline that invokes the PNM writer on attacker-controlled input.

Affected code

The vulnerability is in `coders/pnm.c` in the `WritePNMImage` function. The stack-buffer-overflow occurs at line 1762, where a write of size 1 overflows the stack-allocated `pixels` array (declared at line 1736). The root cause is described as "a misplaced assignment" that leads to writing beyond the bounds of the `pixels` buffer [ref_id=1].

What the fix does

No patch is included in the bundle. The advisory identifies the bug as a "misplaced assignment" in `WritePNMImage` at `coders/pnm.c:1762` that causes the `pixels` stack buffer to be overflowed [ref_id=1]. The fix would need to correct the assignment logic so that writes to the `pixels` array stay within its allocated bounds, or alternatively replace the stack buffer with a dynamically allocated one sized to the actual image dimensions.
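A simplified model of the ordering problem described above, added here as an illustration and not taken from ImageMagick's source. The names `emit_row_unchecked`, `emit_row_checked`, `put` and the capacity `CAP` (2048) are assumptions; the hardened variant goes slightly beyond moving the separator write and reserves room for every byte before storing any of them.

```c
#include <stddef.h>
#include <stdio.h>

#define CAP 2048 /* assumed capacity of the fixed row buffer (not from the page) */

/* Oversized backing store: an offset >= CAP models an out-of-bounds write. */
static unsigned char backing[CAP + 8];

/* Store one byte, record the highest offset touched, return the next offset. */
static size_t put(size_t off, unsigned char c, size_t *max_off) {
  backing[off] = c;
  if (off > *max_off) *max_off = off;
  return off + 1;
}

/* Ordering described in the advisory: digit and separator are both stored
   before the room check, so the newline can land one byte past the end. */
size_t emit_row_unchecked(size_t columns) {
  size_t q = 0, max_off = 0;
  for (size_t x = 0; x < columns; x++) {
    q = put(q, '0', &max_off);
    q = put(q, ' ', &max_off);
    if (q + 1 >= CAP) {            /* room check runs after two writes */
      q = put(q, '\n', &max_off);
      q = 0;                       /* buffer flushed, start over */
    }
  }
  return max_off;
}

/* Hardened: reserve room for digit + separator + newline before writing. */
size_t emit_row_checked(size_t columns) {
  size_t q = 0, max_off = 0;
  for (size_t x = 0; x < columns; x++) {
    if (q + 3 > CAP) {
      q = put(q, '\n', &max_off);
      q = 0;
    }
    q = put(q, '0', &max_off);
    q = put(q, ' ', &max_off);
  }
  return max_off;
}

int main(void) {
  printf("max offset: unchecked %zu, checked %zu (capacity %d)\n",
         emit_row_unchecked(1024), emit_row_checked(1024), CAP);
  return 0;
}
```

In this model a row of 1023 samples stays in bounds under either ordering; the 1024th sample is the first to push the unchecked variant's newline to offset `CAP`, a one-byte write past the buffer.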

Preconditions

  • input: The attacker must supply an image that, when processed, causes `WritePNMImage` to write beyond the bounds of the stack-allocated `pixels` array.
  • config: The victim must invoke ImageMagick's PNM writer (e.g., via the `magick` command or a library call) on the crafted image.

Reproduction

Run the following command with a vulnerable ImageMagick 7.0.8-50 build (compiled with ASAN for detection): `magick -seed 0 -render "(" magick:rose -sample 846x913^+16+22 -white-threshold 112 ")" -compress None -adjoin tmp` [ref_id=1]. This will trigger a stack-buffer-overflow at `coders/pnm.c:1762` in `WritePNMImage`.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8