CVE-2019-13305
Description
Stack-based buffer overflow in ImageMagick 7.0.8-50 Q16 WritePNMImage due to misplaced strncpy and off-by-one error.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In ImageMagick 7.0.8-50 Q16, the WritePNMImage function in coders/pnm.c contains a stack-based buffer overflow. The bug arises from a misplaced strncpy call and an off-by-one error in the bounds check. Specifically, the code copies formatted pixel data into a stack buffer pixels without first verifying that the buffer has enough space, leading to a write beyond the allocated stack memory. The affected version is ImageMagick 7.0.8-50 Q16; the issue also exists in ImageMagick 6 as per the related commit [3].
Exploitation
An attacker can trigger the overflow by providing a crafted image file that, when processed by ImageMagick's magick command with specific options (e.g., -undercolor, -compress None, and certain image compositions), causes the WritePNMImage function to write pixel data beyond the bounds of the pixels stack buffer. The proof-of-concept command from the issue [1] demonstrates the crash. No authentication is required; the attacker only needs to convince a user or service to process the malicious image.
Impact
Successful exploitation results in a stack-based buffer overflow, which can lead to memory corruption. While the immediate effect is a denial of service (crash) as shown by AddressSanitizer, under certain conditions it may be possible to achieve arbitrary code execution, depending on the stack layout and mitigations. The overflow occurs in the 2048-byte stack buffer pixels, and the out-of-bounds write is 1 byte in size.
Mitigation
The fix was committed in ImageMagick commit [2] and ImageMagick6 commit [3]. The patch moves the strncpy and pointer increment after the bounds check, and changes the +2 in the check's condition to +1 (the >= sizeof(pixels) comparison itself is unchanged). Users should update to a version containing this fix (e.g., ImageMagick 7.0.8-51 or later). If patching is not possible, avoid processing untrusted PNM images with the affected versions. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ImageMagick/ImageMagick (description)
  - Range: = 7.0.8-50 Q16
- osv-coords (6 versions)
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.0
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1
  - (no CPE) range: < 7.0.7.34-lp151.7.9.1
  - (no CPE) range: < 7.0.7.34-lp151.7.9.1
  - (no CPE) range: < 7.0.7.34-3.67.1
  - (no CPE) range: < 7.0.7.34-3.67.1
  - (no CPE) range: < 7.0.7.34-3.67.1
  - (no CPE) range: < 7.0.7.34-3.67.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Misplaced `strncpy` and off-by-one error in bounds check allow stack-buffer overflow in `WritePNMImage`."
Attack vector
An attacker provides a crafted image file that, when processed by ImageMagick's `WritePNMImage`, causes the loop to write formatted pixel data into the stack buffer `pixels381` without checking remaining space beforehand. Because `strncpy` and `q+=extent` execute before the bounds check `(q-pixels+extent+2) >= sizeof(pixels)`, a single iteration can write past the buffer boundary, leading to a stack-based buffer overflow [ref_id=1][ref_id=2]. The reproducer uses `magick` with specific options (`-undercolor`, `-compress None`, `-solarize`, etc.) to trigger the overflow [ref_id=1].
Affected code
The vulnerability is in the `WritePNMImage` function in `coders/pnm.c` (line 1906 in ImageMagick 7.0.8-50). The stack-allocated buffer `pixels381` (line 1857) is overflowed because `strncpy` and the pointer advance (`q+=extent`) occur *before* the bounds check, allowing a write past the buffer's end [ref_id=1].
What the fix does
The patch [ref_id=2][ref_id=3] moves the `strncpy` and `q+=extent` operations *after* the bounds check. The check itself is tightened from `(q-pixels+extent+2) >= sizeof(pixels)` to `(q-pixels+extent+1) >= sizeof(pixels)`, fixing an off-by-one error. This ensures that before any data is written to the stack buffer, the code verifies there is enough remaining space; if not, the buffer is flushed to disk via `WriteBlob` and reset, preventing the overflow.
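A reduced model of the two orderings described above, added here as an illustration; it is not ImageMagick's code. The 32-byte capacity, the guard slack, the `stage_tokens` and `mark` names and the sample tokens are assumptions, and `memcpy` stands in for the `strncpy` of each formatted pixel.

```c
#include <stdio.h>
#include <string.h>

#define CAP   32   /* logical buffer size in this model (the page's buffer is 2048) */
#define SLACK 64   /* guard bytes so an overrun is measured instead of corrupting memory */

/* Constructed sample: three short pixel triplets, then a long one. */
static const char *const SAMPLE[] = { "0 0 0 ", "0 0 0 ", "0 0 0 ", "65535 65535 65535 " };
#define SAMPLE_N (sizeof(SAMPLE) / sizeof(SAMPLE[0]))

static size_t high;                       /* highest offset written so far */
static void mark(size_t end) { if (end > high) high = end; }

/* Stage tokens (each assumed shorter than CAP) and return the high-water mark.
   check_first == 0: copy, advance, then test with +2 (order described as vulnerable).
   check_first == 1: test with +1, flush if needed, then copy (order described as fixed). */
static size_t stage_tokens(const char *const *tok, size_t n, int check_first)
{
  char backing[CAP + SLACK], *pixels = backing, *q = pixels;
  high = 0;
  for (size_t i = 0; i < n; i++) {
    size_t extent = strlen(tok[i]);
    if (check_first && (size_t)(q - pixels) + extent + 1 >= CAP) {
      *q++ = '\n';                        /* the real coder hands the buffer to WriteBlob here */
      mark((size_t)(q - pixels));
      q = pixels;
    }
    memcpy(q, tok[i], extent);            /* the copy happens whether or not space was verified */
    q += extent;
    mark((size_t)(q - pixels));
    if (!check_first && (size_t)(q - pixels) + extent + 2 >= CAP) {
      *q++ = '\n';                        /* too late: the token above is already written */
      mark((size_t)(q - pixels));
      q = pixels;
    }
  }
  return high;
}

int main(void)
{
  printf("capacity %d\n", CAP);
  printf("copy-then-check high-water mark: %zu\n", stage_tokens(SAMPLE, SAMPLE_N, 0));
  printf("check-then-copy high-water mark: %zu\n", stage_tokens(SAMPLE, SAMPLE_N, 1));
  return 0;
}
```

In this model the late check sizes the remaining space using the token just written, so a longer following token lands past `CAP`; with the check first, the high-water mark stays inside the buffer.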
Preconditions
- input: Attacker must supply a crafted image that, when written to PNM format, produces pixel data that fills the stack buffer beyond its capacity.
- config: The victim must run ImageMagick's `magick` command (or any tool that calls `WritePNMImage`) with the crafted image as input.
Reproduction
Run the following command with a vulnerable ImageMagick build (7.0.8-50 Q16) compiled with AddressSanitizer: `magick -seed 0 -undercolor rgb"("67,255,32")" -compress None "(" magick:rose -solarize 1% ")" "(" magick:logo +repage ")" -size 2338x1505+3581 -print "" tmp` [ref_id=1]. ASAN will report a stack-buffer-overflow at `coders/pnm.c:1906` in `WritePNMImage` [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2019-08/msg00069.html (mitre, vendor-advisory, x_refsource_SUSE)
- usn.ubuntu.com/4192-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2020/dsa-4712 (mitre, vendor-advisory, x_refsource_DEBIAN)
- www.debian.org/security/2020/dsa-4715 (mitre, vendor-advisory, x_refsource_DEBIAN)
- github.com/ImageMagick/ImageMagick/commit/29efd648f38b73a64d73f14cd2019d869a585888 (mitre, x_refsource_MISC)
- github.com/ImageMagick/ImageMagick/issues/1613 (mitre, x_refsource_MISC)
- github.com/ImageMagick/ImageMagick6/commit/5c7fbf9a14fb83c9685ad69d48899f490a37609d (mitre, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2019/08/msg00021.html (mitre, mailing-list, x_refsource_MLIST)