CVE-2019-13306
Description
ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow in WritePNMImage due to off-by-one errors, potentially leading to code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stack-based buffer overflow exists in ImageMagick 7.0.8-50 Q16 and possibly earlier versions, located in the `WritePNMImage` function in `coders/pnm.c`. The overflow is due to off-by-one errors in bounds checking: in two locations the condition `if ((q-pixels+extent+1) >= sizeof(pixels))` is too permissive by one, allowing a write of one extra byte beyond the buffer [1][2][3].
Exploitation
An attacker can trigger the vulnerability by providing a crafted image file or command-line arguments that cause ImageMagick to write a PNM image with a specific sequence of operations. The provided proof-of-concept uses `magick -seed 0 -dispose Previous -compress None "(" magick:rose +repage ")" "(" magick:logo -level 64,0%,0.874 ")" -loop 5 tmp` [1]. This results in a stack-buffer-overflow as detected by AddressSanitizer. No authentication or special privileges are required beyond the ability to execute ImageMagick commands.
Impact
Successful exploitation of this stack-based buffer overflow could lead to arbitrary code execution or a denial of service. The vulnerability allows an attacker to overwrite stack memory, potentially gaining control of the execution flow. The CVSS v3.1 score is not provided in the references, but the impact is considered high.
Mitigation
The vulnerability was addressed in ImageMagick version 7.0.8-51 by fixing the off-by-one errors, changing the condition to `if ((q-pixels+extent+2) >= sizeof(pixels))` [3]. A similar fix was applied to ImageMagick6 [2]. Users should upgrade to the patched version. As a workaround, avoid processing untrusted PNM files until an update is applied.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
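The upgrade check from the Mitigation section, as an added example (not code from ImageMagick or from the cited references): it parses the `magick -version` banner and compares it numerically against the 7.0.8-50 and 7.0.8-51 releases named on this page. The function names and the sample banner are constructed for illustration.

```python
import re
import subprocess

# Versions taken from this page: 7.0.8-50 is the release named as vulnerable,
# 7.0.8-51 the release named as fixed. Everything else here is illustrative.
CONFIRMED_VULNERABLE = (7, 0, 8, 50)
FIRST_FIXED = (7, 0, 8, 51)

# Constructed sample banner in the format `magick -version` prints.
SAMPLE_BANNER = "Version: ImageMagick 7.0.8-50 Q16 x86_64 2019-06-23"

_BANNER_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(banner):
    """Extract (major, minor, micro, patch) from `magick -version` output."""
    match = _BANNER_RE.search(banner)
    return tuple(int(part) for part in match.groups()) if match else None


def assess(banner):
    """Classify an upstream ImageMagick 7 build against CVE-2019-13306."""
    version = parse_version(banner)
    if version is None or version[0] != 7:
        # The page gives no fixed release number for ImageMagick6.
        return "unknown"
    if version >= FIRST_FIXED:      # numeric tuple compare, so -9 < -51
        return "fixed"
    if version == CONFIRMED_VULNERABLE:
        return "affected"
    # "Possibly earlier versions"; distro builds with a backported fix also
    # land here, so compare the package version against the vendor ranges.
    return "possibly-affected"


def local_banner():
    """Return the installed binary's version banner, or '' if none is found."""
    for binary in ("magick", "convert"):
        try:
            result = subprocess.run([binary, "-version"], capture_output=True,
                                    text=True, timeout=10, check=False)
        except (FileNotFoundError, subprocess.TimeoutExpired):
            continue
        if result.stdout:
            return result.stdout
    return ""


if __name__ == "__main__":
    print("sample:", assess(SAMPLE_BANNER))
    print("local: ", assess(local_banner()))
```

A plain string comparison would rank `7.0.8-9` above `7.0.8-51`; the tuple comparison avoids that.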
Affected products
- ImageMagick/ImageMagick (description)
- Range: = 7.0.8-50 Q16
- osv-coords, 7 versions:
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.0
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1
- (no CPE) range: < 7.0.7.34-lp151.7.9.1
- (no CPE) range: < 7.0.7.34-lp151.7.9.1
- (no CPE) range: < 7.1.0.9-1.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Off-by-one error in bounds check within WritePNMImage allows stack buffer overflow via strncpy."
Attack vector
An attacker can trigger the stack-buffer-overflow by providing a crafted image file to ImageMagick's `WritePNMImage` function. The reproducer uses `magick -seed 0 -dispose Previous -compress None "(" magick:rose +repage ")" "(" magick:logo -level 64,0%,0.874 ")" -loop 5 tmp` [ref_id=1]. The overflow occurs during PNM encoding when the bounds check `(q-pixels+extent+1) >= sizeof(pixels)` is off by one, allowing a write past the end of the stack buffer [ref_id=2][ref_id=3].
Affected code
The vulnerability is in the `WritePNMImage` function in `coders/pnm.c`. The stack buffer overflow occurs at line 1902 (and a similar location at line 1832) where `strncpy` writes into a stack-allocated buffer without sufficient bounds checking [ref_id=1]. The ASAN report shows the overflow happens on the stack variable `pixels381` (line 1857) [ref_id=1].
What the fix does
The fix changes the bounds check from `(q-pixels+extent+1) >= sizeof(pixels)` to `(q-pixels+extent+2) >= sizeof(pixels)` in two locations within `WritePNMImage` [ref_id=2][ref_id=3]. The original off-by-one error allowed the pointer `q` to advance one byte past the end of the stack buffer before triggering the flush. By adding 2 instead of 1, the check correctly prevents writing beyond the allocated stack space.
Preconditions
- input: Attacker must supply a crafted image that, when written as PNM, causes the internal buffer to overflow
- config: The victim must invoke ImageMagick's `WritePNMImage` (e.g., via `magick` command or library call)
Reproduction
Run: `magick -seed 0 -dispose Previous -compress None "(" magick:rose +repage ")" "(" magick:logo -level 64,0%,0.874 ")" -loop 5 tmp` [ref_id=1]. This triggers a stack-buffer-overflow in `WritePNMImage` at `coders/pnm.c:1902` as confirmed by AddressSanitizer output [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2019-08/msg00069.html (mitre, vendor-advisory, x_refsource_SUSE)
- usn.ubuntu.com/4192-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2020/dsa-4715 (mitre, vendor-advisory, x_refsource_DEBIAN)
- github.com/ImageMagick/ImageMagick/commit/e92040ea6ee2a844ebfd2344174076795a4787bd (mitre, x_refsource_MISC)
- github.com/ImageMagick/ImageMagick/issues/1612 (mitre, x_refsource_MISC)
- github.com/ImageMagick/ImageMagick6/commit/cb5ec7d98195aa74d5ed299b38eff2a68122f3fa (mitre, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2019/08/msg00021.html (mitre, mailing-list, x_refsource_MLIST)
News mentions
No linked articles in our index yet.