CVE-2019-13309
Description
ImageMagick 7.0.8-50 Q16 has memory leaks in AcquireMagickMemory due to missing image destruction when handling NoSuchImage errors in CLIListOperatorImages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In ImageMagick 7.0.8-50 Q16, the function CLIListOperatorImages in MagickWand/operation.c does not properly release image objects when a NoSuchImage error is encountered. Under specific command-line sequences, such as `magick -seed 0 -quality 3 "(" magick:logo +repage ")" "(" magick:wizard +repage ")" -quiet -caption "%h%U" -compare -insert 2 tmp`, the code path fails to call DestroyImage on allocated image structures before returning, leading to memory leaks via AcquireMagickMemory in MagickCore/memory.c [1][2]. The leaks are present in both the version 7 branch (ImageMagick 7.0.8-50) and in ImageMagick 6 as confirmed by a similar commit [3].
Exploitation
An attacker who can supply a crafted command line to the magick CLI tool (e.g., via a web application that passes user-controlled options or filenames) can trigger the memory leak. No authentication is required if the tool is accessible. The attacker does not need special privileges beyond the ability to run the magick command with the specific arguments that trigger the NoSuchImage error path. The steps are as described: the -insert option causes CLIListOperatorImages to call GetImageFromList with an invalid index, producing a NoSuchImage error without releasing the previous insert_image, reconstruct_image, or p objects [1][2].
Impact
Repeatedly triggering the vulnerable command can cause a denial-of-service (DoS) condition by exhausting system memory. The leak is confirmed by AddressSanitizer output showing a direct leak of 13,504 bytes and an indirect leak of 6,553,600 bytes per invocation [1]. There is no evidence of code execution or information disclosure; the impact is strictly memory exhaustion leading to degraded performance or application crash.
Mitigation
The fix was committed to the ImageMagick repository on 2019-06-29 in commit 5f21230 [2] for version 7, and commit 5982632 [3] for ImageMagick 6. The patch adds DestroyImage calls for reconstruct_image, image, insert_image, and p in the error-handling branches of MogrifyImageList and CLIListOperatorImages. Users should upgrade to ImageMagick 7.0.8-51 or later, or apply the commits to their source builds. No workaround other than avoiding the specific command patterns is available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
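The error-path pattern described above (an index lookup fails and the function returns while still holding an image) can be modelled in a few lines. This is an added example, not ImageMagick source and not the project's patch; `Img`, `img_new`, `img_free`, `img_at`, `insert_leaky`, `insert_fixed` and the `live` counter are hypothetical names chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
/* Toy model (hypothetical names, not ImageMagick API): an image node with a
   pixel buffer, plus a count of live allocations so a leak is observable. */
typedef struct Img { struct Img *next; unsigned char *pixels; } Img;
static int live = 0;

static Img *img_new(size_t npix) {
    Img *im = calloc(1, sizeof *im);
    if (im == NULL) return NULL;
    im->pixels = malloc(npix);
    if (im->pixels == NULL) { free(im); return NULL; }
    live += 2;                               /* struct + pixel buffer */
    return im;
}
static void img_free(Img *im) {
    if (im == NULL) return;
    free(im->pixels); free(im); live -= 2;
}
static Img *img_at(Img *head, int idx) {     /* NULL models "no such image" */
    while (head != NULL && idx-- > 0) head = head->next;
    return head;
}
/* Insert a detached image at position idx. Returns 0, or -1 if idx is invalid. */
static int insert_at(Img **head, int idx, int cleanup_on_error) {
    Img *ins = img_new(64 * 64);             /* image held only by this function */
    if (ins == NULL) return -1;
    if (idx == 0) { ins->next = *head; *head = ins; return 0; }
    Img *prev = img_at(*head, idx - 1);
    if (prev == NULL) {                      /* error path: index not in list */
        if (cleanup_on_error) img_free(ins); /* fixed form releases it first */
        return -1;                           /* leaky form orphans ins here */
    }
    ins->next = prev->next; prev->next = ins;
    return 0;
}
static int insert_leaky(Img **h, int i) { return insert_at(h, i, 0); }
static int insert_fixed(Img **h, int i) { return insert_at(h, i, 1); }

/* Run n failing inserts on an empty list; return allocations left behind. */
static int leaked_after(int n, int (*insert)(Img **, int)) {
    Img *head = NULL;
    int before = live;
    for (int k = 0; k < n; k++) insert(&head, 2);
    return live - before;
}
int main(void) {
    printf("leaky: %d\n", leaked_after(100, insert_leaky));
    printf("fixed: %d\n", leaked_after(100, insert_fixed));
    return 0;
}
```

Building the model with a leak checker such as AddressSanitizer reports the orphaned allocations from `insert_leaky` at exit, the same class of finding the advisory shows for the real code path.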
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (8)
- ImageMagick/ImageMagick (description)
  - Range: = 7.0.8-50 Q16
- osv-coords (6 versions)
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.0
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1
- (no CPE) range: < 7.0.7.34-lp151.7.9.1
- (no CPE) range: < 7.0.7.34-lp151.7.9.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing resource deallocation in CLIListOperatorImages when a NoSuchImage error occurs during CompareImages."
Attack vector
An attacker triggers the bug by supplying a crafted command-line invocation to ImageMagick's `magick` utility. The reproducer uses `magick -seed 0 -quality 3 "(" magick:logo +repage ")" "(" magick:wizard +repage ")" -quiet -caption "%h%U" -compare -insert 2 tmp` [ref_id=1]. When `CLIListOperatorImages` processes the `-compare` operator and encounters a `NoSuchImage` error, it fails to release memory allocated during image cloning and comparison operations, causing cumulative memory leaks [ref_id=1].
Affected code
The memory leak originates in `CLIListOperatorImages` in `MagickWand/operation.c` at line 3880, which calls `CompareImages` without properly freeing allocated resources when a `NoSuchImage` error occurs. The allocations traced in the ASAN log show leaks through `AcquireMagickMemory` in `MagickCore/memory.c:478`, `CloneImage` in `MagickCore/image.c`, and `ExtentImage` in `MagickCore/transform.c` [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] reports the issue as a memory leak in ImageMagick 7.0.8-50 Q16 but does not provide a fix commit or remediation guidance. Based on the ASAN trace, a proper fix would need to ensure that `CLIListOperatorImages` in `MagickWand/operation.c` releases all allocated image resources (via `DestroyImage` or similar) on the error path when `CompareImages` fails due to a `NoSuchImage` condition.
Preconditions
- Input: Attacker must be able to supply a command-line invocation to the ImageMagick magick utility
- Input: The command must include the -compare operator with image arguments that trigger a NoSuchImage error
Reproduction
Run the following command with ImageMagick 7.0.8-50 Q16 built with AddressSanitizer: `magick -seed 0 -quality 3 "(" magick:logo +repage ")" "(" magick:wizard +repage ")" -quiet -caption "%h%U" -compare -insert 2 tmp`. The ASAN output will report direct and indirect memory leaks at `AcquireMagickMemory` in `MagickCore/memory.c:478` and related call chains through `CLIListOperatorImages` in `MagickWand/operation.c:3880` [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
- lists.opensuse.org/opensuse-security-announce/2019-08/msg00069.html (mitre, vendor-advisory, x_refsource_SUSE)
- usn.ubuntu.com/4192-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2020/dsa-4712 (mitre, vendor-advisory, x_refsource_DEBIAN)
- github.com/ImageMagick/ImageMagick/commit/5f21230b657ccd65452dd3d94c5b5401ba691a2d (mitre, x_refsource_MISC)
- github.com/ImageMagick/ImageMagick/issues/1616 (mitre, x_refsource_MISC)
- github.com/ImageMagick/ImageMagick6/commit/5982632109cad48bc6dab867298fdea4dea57c51 (mitre, x_refsource_MISC)