CVE-2019-13307
Description
Heap-buffer-overflow in ImageMagick 7.0.8-50 Q16's EvaluateImages due to incorrect allocation size using thread count instead of image rows.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is a heap-buffer-overflow in AcquirePixelThreadSet within MagickCore/statistic.c. The function allocates memory based on number_threads (from the thread resource limit) but then iterates over rows (the number of images in the list). When the number of images exceeds the thread limit, a write beyond the allocated buffer occurs in EvaluateImages at line 559. Affected versions include ImageMagick 7.0.8-50 Q16 and likely earlier versions with similar code. The issue was reported in GitHub issue #1615 [1].
Exploitation
An attacker can trigger the overflow by providing a crafted command line that processes multiple images, for example using -evaluate-sequence Median with multiple input images. The reproducer from [1] is: magick -seed 0 -monitor -bias 63 "(" magick:rose -colorize 172,35,77 ")" "(" magick:logo +repage ")" -crop 507x10'!'+20-54 -evaluate-sequence Median tmp. No authentication or special privileges are required; the attacker only needs to invoke ImageMagick with a maliciously crafted sequence of images.
Impact
Successful exploitation results in a heap-buffer-overflow, which can cause a crash (denial of service) or potentially allow arbitrary code execution depending on memory layout. The ASAN log in [1] shows a write of size 8 at a location 0 bytes to the right of a 256-byte region. The overflow occurs within the ImageMagick process, which may have access to user data.
Mitigation
The fix was committed in ImageMagick 7 commit 025e77f [3] and ImageMagick6 commit 91e58d9 [2]. The fix changes the allocation to use rows (the maximum of the image list length and the thread resource limit) instead of number_threads. Users should update to a version containing these commits (e.g., ImageMagick 7.0.8-51 or later). No workaround is available; the vulnerability is fixed in the patched versions.
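The sizing mismatch described under Vulnerability and the corrected sizing described under Mitigation, as an added example that is not ImageMagick's code. It is a simplified model: all type and function names are hypothetical, and the loop refuses to run where the original would write past the allocation.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified model of the sizing bug; names are hypothetical, not ImageMagick source. */
typedef struct {
  double **rows;     /* one pixel buffer per slot */
  size_t allocated;  /* number of slots actually allocated */
} PixelSet;

/* Pre-fix sizing as the advisory describes it: thread limit only. */
size_t slots_before_fix(size_t image_count, size_t thread_limit) {
  (void) image_count;
  return thread_limit;
}

/* Post-fix sizing: the larger of image-list length and thread limit. */
size_t slots_after_fix(size_t image_count, size_t thread_limit) {
  return image_count > thread_limit ? image_count : thread_limit;
}

void destroy_pixel_set(PixelSet *set) {
  if (set == NULL) return;
  if (set->rows != NULL)
    for (size_t i = 0; i < set->allocated; i++) free(set->rows[i]);
  free(set->rows);
  free(set);
}

/* calloc rejects count*size overflow and zero-fills, so a partial set is safe to free. */
PixelSet *acquire_pixel_set(size_t slots, size_t columns) {
  PixelSet *set = calloc(1, sizeof(*set));
  if (set == NULL || slots == 0 || columns == 0) { free(set); return NULL; }
  set->rows = calloc(slots, sizeof(*set->rows));
  if (set->rows == NULL) { free(set); return NULL; }
  set->allocated = slots;
  for (size_t i = 0; i < slots; i++)
    if ((set->rows[i] = calloc(columns, sizeof(**set->rows))) == NULL) {
      destroy_pixel_set(set);
      return NULL;
    }
  return set;
}

/* Writes one value per image slot; returns -1 instead of indexing past the allocation. */
long write_per_image(PixelSet *set, size_t image_count) {
  if (set == NULL || image_count > set->allocated) return -1;
  for (size_t i = 0; i < image_count; i++) set->rows[i][0] = (double) i;
  return (long) image_count;
}
```

With a constructed thread limit of 4 and 9 images, the pre-fix sizing yields 4 slots and the per-image loop is rejected, while the post-fix sizing yields 9 slots and the loop completes.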
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (13)
- ImageMagick/ImageMagick (description)
- Range: 7.0.8-50 Q16
- osv-coords (11 versions):
  pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.0
  pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.1
  pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4
  pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015
  pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1
  pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015
  pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1
  pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4
  pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4
  pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4
  pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP4
- (no CPE) range: < 7.0.7.34-lp151.7.9.1
- (no CPE) range: < 7.0.7.34-lp151.7.9.1
- (no CPE) range: < 6.8.8.1-71.126.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 6.8.8.1-71.126.1
- (no CPE) range: < 6.8.8.1-71.126.1
- (no CPE) range: < 6.8.8.1-71.126.1
- (no CPE) range: < 6.8.8.1-71.126.1
References (7)
- lists.opensuse.org/opensuse-security-announce/2019-08/msg00069.html (mitre, vendor-advisory, x_refsource_SUSE)
- usn.ubuntu.com/4192-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2020/dsa-4712 (mitre, vendor-advisory, x_refsource_DEBIAN)
- www.debian.org/security/2020/dsa-4715 (mitre, vendor-advisory, x_refsource_DEBIAN)
- github.com/ImageMagick/ImageMagick/commit/025e77fcb2f45b21689931ba3bf74eac153afa48 (mitre, x_refsource_MISC)
- github.com/ImageMagick/ImageMagick/issues/1615 (mitre, x_refsource_MISC)
- github.com/ImageMagick/ImageMagick6/commit/91e58d967a92250439ede038ccfb0913a81e59fe (mitre, x_refsource_MISC)