CVE-2019-13308
Description
ImageMagick 7.0.8-50 Q16 has a heap-buffer overflow in ComplexImages() due to incorrect loop bounds, allowing potential denial of service or memory corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-buffer overflow vulnerability exists in ImageMagick 7.0.8-50 Q16 within the ComplexImages() function in MagickCore/fourier.c. The bug arises from incorrect loop bounds and pixel-view dimensions: the original code used images->rows, images->columns, and MagickMax() on various input image dimensions, while the fix uses the correct 'result' image (Cr_image) rows and columns. This mismatch allows a write beyond the allocated heap buffer when processing crafted complex image operations [1][2][3].
Exploitation
An attacker can trigger the overflow by invoking ImageMagick's -complex operator with specially crafted input images. The provided proof-of-concept commands use magick with options like -mattecolor, -debug Configure, -crop, and -complex magnitude-phase to construct image sequences that cause the out-of-bounds write. No authentication or special privileges are required; the attacker only needs to supply the malicious command or a crafted image file for processing [2].
Impact
Successful exploitation results in heap-based buffer overflow, which can cause a denial of service (application crash) as shown by the AddressSanitizer report. In more severe cases, it may lead to memory corruption that could be leveraged for arbitrary code execution, though the available references focus on the crash aspect. The impact is limited to the ImageMagick process context [2].
Mitigation
The vulnerability was patched in ImageMagick version 7.0.8-51 and also in ImageMagick 6 (commit 19651f3). Users should upgrade to a fixed version at or above 7.0.8-51. For systems where immediate upgrade is not possible, avoid processing untrusted images with the -complex operator or disable the complex image operator if feasible [1][3].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ImageMagick/ImageMagick
  - Range: =7.0.8-50
- osv-coords (11 versions)
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.0
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP4
- (no CPE) range: < 7.0.7.34-lp151.7.9.1
- (no CPE) range: < 7.0.7.34-lp151.7.9.1
- (no CPE) range: < 6.8.8.1-71.126.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 6.8.8.1-71.126.1
- (no CPE) range: < 6.8.8.1-71.126.1
- (no CPE) range: < 6.8.8.1-71.126.1
- (no CPE) range: < 6.8.8.1-71.126.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The ComplexImages function used images->rows and images->columns (the input image dimensions) to control loop bounds and pixel-buffer reads, but the output image (Cr_image) may have different dimensions, causing out-of-bounds reads/writes when the input image is larger than the output image."
Attack vector
An attacker supplies crafted image files (e.g., via the `-complex` command-line operator) where the input images have dimensions that differ from the output image dimensions allocated by ComplexImages. The bug is triggered by running ImageMagick's `-complex` operation with mismatched image sizes, as demonstrated by the reproducer commands using built-in images like `magick:netscape` and `magick:wizard` with various resize and filter options [ref_id=2]. The heap-buffer-overflow occurs at MagickCore/fourier.c:299:18 in the ComplexImages function [ref_id=2].
Affected code
The vulnerability resides in `MagickCore/fourier.c` in the `ComplexImages` function [ref_id=2]. The loop bounds for `y` and `x` iterations, as well as the width arguments to `GetCacheViewVirtualPixels`, used `images->rows` and `images->columns` (the input image dimensions) instead of `Cr_image->rows` and `Cr_image->columns` (the output image dimensions) [ref_id=1][ref_id=3].
What the fix does
The patch [ref_id=1][ref_id=3] replaces all references to `images->rows`, `images->columns`, and `GetPixelChannels(images)` with the corresponding properties of `Cr_image` (the output image). It also changes the width argument in `GetCacheViewVirtualPixels` calls from `MagickMax(Ar_image->columns,Cr_image->columns)` to simply `Cr_image->columns`, ensuring pixel reads stay within the bounds of the output buffer. Additionally, the patch adds explicit `(double)` casts to arithmetic operations to prevent potential integer overflow [ref_id=1][ref_id=3].
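A simplified model of the bounds mismatch described above, added here as an illustration; it is not ImageMagick code. `Plane`, `magnitude_sq` and `run_case` are hypothetical names and the 8x6 and 5x4 dimensions are constructed; writes that would leave the result buffer are counted rather than performed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-in for an image: one double per pixel, row-major. */
typedef struct { size_t columns, rows; double *px; } Plane;

static Plane plane_new(size_t columns, size_t rows, double fill) {
    Plane p = { columns, rows, malloc(columns * rows * sizeof(double)) };
    if (!p.px) abort();
    for (size_t i = 0; i < columns * rows; i++) p.px[i] = fill;
    return p;
}

/* Read a pixel; positions outside the plane yield 0.0 in this model. */
static double at(const Plane *p, size_t x, size_t y) {
    return (x < p->columns && y < p->rows) ? p->px[y * p->columns + x] : 0.0;
}

/* Store re^2 + im^2 into out for each (x, y) in loop_cols x loop_rows. A write
   outside out's dimensions is counted and skipped, never performed. */
static size_t magnitude_sq(const Plane *re, const Plane *im, Plane *out,
                           size_t loop_cols, size_t loop_rows) {
    size_t escaped = 0;
    for (size_t y = 0; y < loop_rows; y++)
        for (size_t x = 0; x < loop_cols; x++) {
            if (x >= out->columns || y >= out->rows) { escaped++; continue; }
            double r = at(re, x, y), i = at(im, x, y);
            out->px[y * out->columns + x] = r * r + i * i;
        }
    return escaped;
}

/* Constructed case: 8x6 inputs, 5x4 result. Returns the escaped-write count. */
static size_t run_case(int use_result_bounds, double *last_out) {
    Plane re = plane_new(8, 6, 3.0), im = plane_new(8, 6, 4.0);
    Plane out = plane_new(5, 4, 0.0);
    size_t escaped = use_result_bounds
        ? magnitude_sq(&re, &im, &out, out.columns, out.rows)  /* fixed shape */
        : magnitude_sq(&re, &im, &out, re.columns, re.rows);   /* pre-fix shape */
    *last_out = out.px[out.columns * out.rows - 1];
    free(re.px); free(im.px); free(out.px);
    return escaped;
}

int main(void) {
    double last;
    printf("input bounds:  %zu writes escape\n", run_case(0, &last));
    printf("result bounds: %zu writes escape\n", run_case(1, &last));
}
```

With loop bounds taken from the result plane the same pixels are produced and no write falls outside it.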
Preconditions
- input: Attacker must supply input images with dimensions that differ from the output image dimensions allocated by ComplexImages
- config: The -complex command-line operator must be invoked (e.g., -complex magnitude-phase)
Reproduction
Run the following commands as provided in the issue report [ref_id=2]:
```
magick -seed 0 -mattecolor rgb"(225,230,14)" -debug Configure "( magick:wizard +repage )" "( magick:netscape +repage )" -fuzz 82 -caption "j$Y%Be" -blue-primary 727,475 -crop 405%-43-16 -crop 832x886>+11-13 -complex magnitude-phase tmp
```
or
```
magick -seed 0 "( magick:netscape +repage )" "( magick:wizard -resample 24x44 -resample 47x83 )" "( magick:netscape -charcoal 4 -random-threshold 42x71 -shade 81x21 )" -complex magnitude-phase tmp112
```
These commands trigger a heap-buffer-overflow at `MagickCore/fourier.c:299:18` in `ComplexImages` [ref_id=2].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2019-08/msg00069.html (mitre, vendor-advisory, x_refsource_SUSE)
- usn.ubuntu.com/4192-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2020/dsa-4712 (mitre, vendor-advisory, x_refsource_DEBIAN)
- github.com/ImageMagick/ImageMagick/commit/61135001a625364e29bdce83832f043eebde7b5a (mitre, x_refsource_MISC)
- github.com/ImageMagick/ImageMagick/issues/1595 (mitre, x_refsource_MISC)
- github.com/ImageMagick/ImageMagick6/commit/19651f3db63fa1511ed83a348c4c82fa553f8d01 (mitre, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2020/09/msg00007.html (mitre, mailing-list, x_refsource_MLIST)