VYPR
Unrated severity · NVD Advisory · Published Jul 7, 2019 · Updated Aug 4, 2024

CVE-2019-13391

Description

ImageMagick 7.0.8-50 Q16 has a heap buffer over-read in ComplexImages due to incorrect pixel view width calculation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In ImageMagick 7.0.8-50 Q16, the ComplexImages function in MagickCore/fourier.c suffers from a heap-based buffer over-read. The bug occurs when GetCacheViewVirtualPixels is called with the width of only the current image (Ar_image->columns, Ai_image->columns, etc.) instead of the maximum width among the images involved, leading to reading beyond the allocated buffer when the input images have different dimensions [1][2].

Exploitation

An attacker can trigger this vulnerability by crafting a command that invokes the -complex operator with images of unequal column counts. The provided reproducer uses multiple magick: built-in images and parameters such as -complex subtract to force the vulnerable code path. The command must be run several times to reliably produce the heap-buffer-overflow, as the exact timing of the race condition may vary [1]. No special privileges are required; the attacker only needs to supply a malicious command line.

Impact

Successful exploitation results in a heap-based buffer over-read, which can cause a denial of service (crash) and potentially leak sensitive data from adjacent memory. The over-read is detected by AddressSanitizer as a READ of size 4 at an address immediately after an 896-byte region [1]. Because the attacker controls the command-line arguments, repeated exploitation could yield information disclosure beyond the intended pixel data.

Mitigation

ImageMagick upstream fixed this issue in commit 7c2c5ba (and the corresponding ImageMagick6 commit f6ffc70) by wrapping the width arguments in MagickMax(..., Cr_image->columns) and MagickMax(..., Ci_image->columns) to ensure the pixel view covers the full extent of the output images [2][3]. Users should upgrade to a version containing these commits. If upgrading is not possible, avoid using the -complex operator with images of mismatched sizes.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

13

Vulnerability mechanics

Root cause

"Incorrect column count passed to GetCacheViewVirtualPixels in ComplexImages causes heap-buffer-over-read when source and destination image widths differ."

Attack vector

An attacker provides a crafted image or command-line invocation that causes `ComplexImages` to process images with mismatched dimensions. The reproducer uses `magick` with `-complex subtract` and `-layers compare-overlay` on built-in images (`magick:logo`, `magick:rose`, `magick:granite`) [1]. When the destination image (`Cr_image`/`Ci_image`) has more columns than a source image (`Ar_image`, etc.), `GetCacheViewVirtualPixels` reads beyond the source pixel buffer, triggering a heap-buffer-overflow [2][3]. No authentication or special privileges are required; the attacker only needs to supply a malformed multi-image command.

Affected code

The vulnerability resides in the `ComplexImages` function in `MagickCore/fourier.c`. The bug is at lines 248-251 where `GetCacheViewVirtualPixels` is called with the source image's own column count (`Ar_image->columns`, etc.) rather than the maximum column count among the source and destination images [2][3]. The ASAN trace confirms the heap-buffer-overflow read at `fourier.c:314:19` within the OpenMP parallel region [1].

What the fix does

The patch (commits `7c2c5ba` for ImageMagick 7 and `f6ffc70` for ImageMagick 6) replaces each source-image column argument with `MagickMax(source_columns, destination_columns)` [2][3]. For example, `Ar_image->columns` becomes `MagickMax(Ar_image->columns, Cr_image->columns)`. This ensures that `GetCacheViewVirtualPixels` requests enough pixels to cover the larger destination image, preventing the out-of-bounds read that occurred when the source image was narrower than the destination.
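
The width fix described above, modelled in plain C as an added example (not ImageMagick's code). `ToyImage`, `fetch_row` and the other names are hypothetical, the zero fill stands in for a virtual pixel, and the per-row loop bound of the destination's column count is assumed from the description above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXSZ(a, b) ((a) > (b) ? (a) : (b))

/* Toy one-channel image row; a stand-in for an ImageMagick Image (hypothetical). */
typedef struct { size_t columns; const float *row; } ToyImage;
typedef size_t (*WidthFn)(const ToyImage *src, const ToyImage *dst);

/* Width requested before the fix: the source image's own column count. */
size_t width_before_fix(const ToyImage *src, const ToyImage *dst) { (void)dst; return src->columns; }
/* Width requested after the fix: max(source columns, destination columns). */
size_t width_after_fix(const ToyImage *src, const ToyImage *dst) { return MAXSZ(src->columns, dst->columns); }

/* Elements a loop over dst->columns would read past a view `width` wide. */
size_t overread_count(size_t width, const ToyImage *dst) { return dst->columns > width ? dst->columns - width : 0; }

/* Model of a virtual-pixel fetch: exactly `width` floats, columns past the image edge are 0. */
float *fetch_row(const ToyImage *img, size_t width)
{
  float *buf = calloc(width ? width : 1, sizeof *buf);
  size_t n = width < img->columns ? width : img->columns;
  if (buf != NULL) memcpy(buf, img->row, n * sizeof *buf);
  return buf;
}

/* out[x] = a[x] - b[x] per destination column; -1 if a view is too narrow or allocation fails. */
int subtract_row(const ToyImage *a, const ToyImage *b, const ToyImage *dst, float *out, WidthFn width)
{
  size_t wa = width(a, dst), wb = width(b, dst);
  if (overread_count(wa, dst) != 0 || overread_count(wb, dst) != 0) return -1; /* over-read case */
  float *pa = fetch_row(a, wa), *pb = fetch_row(b, wb);
  int rc = (pa != NULL && pb != NULL) ? 0 : -1;
  for (size_t x = 0; rc == 0 && x < dst->columns; x++) out[x] = pa[x] - pb[x];
  free(pa); free(pb);
  return rc;
}

int main(void)
{
  const float wide[4] = {9, 8, 7, 6}, narrow[2] = {1, 2}; /* constructed sample rows */
  ToyImage a = {4, wide}, b = {2, narrow}, dst = {4, NULL};
  float out[4] = {0};
  int before = subtract_row(&a, &b, &dst, out, width_before_fix);
  int after = subtract_row(&a, &b, &dst, out, width_after_fix);
  printf("before fix rc=%d, after fix rc=%d, out[3]=%.0f\n", before, after, out[3]);
  return 0;
}
```

With the pre-fix width the narrow source yields a 2-float view while the loop needs 4, which is the shape of the ASAN finding (a read just past the end of the heap region).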

Preconditions

  • Input: The attacker must supply a command or image set where the destination image (Cr/Ci) has more columns than at least one source image (Ar/Ai/Br/Bi).
  • Input: The `-complex` operator (e.g., `subtract`) must be used to trigger the `ComplexImages` code path.

Reproduction

Run the following command multiple times until the heap-buffer-overflow manifests (the bug is intermittent) [1]:

```
magick "-seed" "0" "-black-point-compensation" "-fuzz" "238" "(" "magick:logo" "-normalize" "-cycle" "615" ")" "(" "magick:rose" "-gaussian-blur" "4" ")" "(" "magick:granite" "-convolve" "207,117,126,202,52,59,196,21,46,216,32,49,172,14,116,115,203,20,219,21,194,58,155,117,148,208,229,218,151,151,171,239,212,207,77,212,81,32,23,137,63,164,67,85,47,13,85,96,85,86,244,168,218,41,98,108,208,221,77,5,45,117,102,5,89,150,47,36,214,0,20,255,14,83,77,191,109,40,32,245,112" ")" "-strokewidth" "58" "-complex" "subtract" "-layers" "compare-overlay" ""
```

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6
