CVE-2019-13454
Description
ImageMagick 7.0.1-0 through 7.0.8-54 Q16 is vulnerable to a division-by-zero crash in RemoveDuplicateLayers when processing crafted image files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
ImageMagick versions 7.0.1-0 to 7.0.8-54 Q16 contain a division-by-zero bug in the RemoveDuplicateLayers function in MagickCore/layer.c [2]. The flaw occurs at line 1616 where curr->delay*1000/curr->ticks_per_second is computed without checking that curr->ticks_per_second is non-zero [2]. This code path is triggered when the -layers remove-dups option is used on a multi-frame image [2].
Exploitation
An attacker can trigger the vulnerability by crafting a malicious image file that, when processed by ImageMagick with the -layers remove-dups option, causes a division by zero [2]. The attacker does not need authentication; the victim must open the file using a vulnerable version of ImageMagick [1]. The provided proof-of-concept command uses magick with specific arguments to reproduce the crash [2].
Impact
Successful exploitation results in a denial of service (DoS) due to the program crash [1][2]. The Ubuntu security notice also notes that it could possibly lead to arbitrary code execution with the privileges of the user invoking the program [1], though the issue report only demonstrates a crash [2].
Mitigation
The fix was committed in ImageMagick commit 1ddcf2e4f28029a888cadef2e757509ef5047ad8 for version 7 [3] and in ImageMagick6 commit 4f31d78716ac94c85c244efcea368fea202e2ed4 [4]. Ubuntu released updated packages in USN-4192-1 [1]. Users should update to ImageMagick 7.0.8-55 or later, or apply the corresponding patch.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (13)
- ImageMagick/ImageMagick (description)
- Range: >=7.0.1-0 <=7.0.8-54
- osv-coords (11 versions):
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.0
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP4
  < 7.0.7.34-lp151.7.9.1 (+ 10 more)
- (no CPE) range: < 7.0.7.34-lp151.7.9.1
- (no CPE) range: < 7.0.7.34-lp151.7.9.1
- (no CPE) range: < 6.8.8.1-71.126.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 7.0.7.34-3.67.1
- (no CPE) range: < 6.8.8.1-71.126.1
- (no CPE) range: < 6.8.8.1-71.126.1
- (no CPE) range: < 6.8.8.1-71.126.1
- (no CPE) range: < 6.8.8.1-71.126.1
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing zero-divisor check in RemoveDuplicateLayers allows division by ticks_per_second when that field is zero."
Attack vector
An attacker supplies a crafted image sequence where one frame has a `ticks_per_second` value of zero. When the `-layers remove-dups` operation is invoked, `RemoveDuplicateLayers` iterates over the image list and, upon finding two identical images, attempts to merge their time delays by dividing by `curr->ticks_per_second` [ref_id=1]. Because the divisor is zero, this triggers undefined behavior (division by zero), which the AddressSanitizer log confirms as a runtime error leading to a crash [ref_id=1]. The attack is triggered via a command-line invocation such as `magick "-seed" "0" "-delay" "34
Affected code
The vulnerable function is `RemoveDuplicateLayers` in `MagickCore/layer.c` (ImageMagick 7) and the equivalent in ImageMagick6. The division-by-zero occurs at line 1616 (ImageMagick 7) where `curr->delay*1000/curr->ticks_per_second` is computed without checking whether `curr->ticks_per_second` is zero [ref_id=1].
What the fix does
The patch replaces the direct division `curr->delay*1000/curr->ticks_per_second` with a call to `PerceptibleReciprocal(image->ticks_per_second)` [ref_id=2][ref_id=3]. `PerceptibleReciprocal` returns a safe reciprocal value even when the argument is zero, preventing the division-by-zero. The same change is applied to both the ImageMagick 7 and ImageMagick 6 codebases [ref_id=2][ref_id=3].
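The unchecked division and a guarded-reciprocal form side by side, as an added example that is not ImageMagick's code. The `Frame` struct, `guarded_reciprocal`, both `delay_ms_*` functions and the `RECIP_EPSILON` value are assumptions made for illustration, and the sample frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical frame model: only the two timing fields the advisory names. */
typedef struct {
    size_t delay;            /* frame delay, in ticks */
    long   ticks_per_second; /* time base; 0 in the crafted input */
} Frame;

#define RECIP_EPSILON 1.0e-12 /* assumed threshold, chosen for this example */

/* Guarded reciprocal: values closer to zero than the threshold are treated
   as the threshold itself, so the result is always finite. */
static double guarded_reciprocal(double x)
{
    double sign = x < 0.0 ? -1.0 : 1.0;
    return (sign * x >= RECIP_EPSILON) ? 1.0 / x : sign / RECIP_EPSILON;
}

/* "Before" pattern: integer division with no check. Undefined behaviour
   when ticks_per_second is 0 (typically SIGFPE on x86). */
static size_t delay_ms_unchecked(const Frame *f)
{
    return f->delay * 1000 / (size_t) f->ticks_per_second;
}

/* "After" pattern: multiply by the guarded reciprocal, round and saturate,
   so a zero time base gives a huge but defined delay instead of a trap. */
static size_t delay_ms_guarded(const Frame *f)
{
    double ms = (double) f->delay * 1000.0 *
                guarded_reciprocal((double) f->ticks_per_second) + 0.5;
    if (ms <= 0.0) return 0;
    if (ms >= (double) SIZE_MAX) return SIZE_MAX;
    return (size_t) ms;
}

int main(void)
{
    Frame normal  = { 34, 100 }; /* constructed sample values */
    Frame crafted = { 34, 0 };   /* constructed: zero time base */
    printf("normal:  unchecked=%zu guarded=%zu\n",
           delay_ms_unchecked(&normal), delay_ms_guarded(&normal));
    printf("crafted: guarded=%zu (unchecked would trap)\n",
           delay_ms_guarded(&crafted));
    return 0;
}
```

The guarded form removes the trap but still yields an implausibly large delay for a zero time base, so code that depends on frame timing should also validate the field when the image is read.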
Preconditions
- input: The attacker must provide an image sequence where at least one frame has ticks_per_second set to zero.
- config: The victim must run ImageMagick with the `-layers remove-dups` (or equivalent) operation on the crafted input.
Reproduction
Run the following command against a vulnerable ImageMagick build (7.0.1-0 to 7.0.8-54 Q16): `magick "-seed" "0" "-delay" "34
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (9)
- lists.opensuse.org/opensuse-security-announce/2019-08/msg00069.html (mitre, vendor-advisory)
- usn.ubuntu.com/4192-1/ (mitre, vendor-advisory)
- www.debian.org/security/2020/dsa-4712 (mitre, vendor-advisory)
- www.securityfocus.com/bid/109099 (mitre, vdb-entry)
- lists.debian.org/debian-lts-announce/2020/08/msg00030.html (mitre, mailing-list)
- github.com/ImageMagick/ImageMagick/blob/7.0.1-0/MagickCore/layer.c (mitre)
- github.com/ImageMagick/ImageMagick/commit/1ddcf2e4f28029a888cadef2e757509ef5047ad8 (mitre)
- github.com/ImageMagick/ImageMagick/issues/1629 (mitre)
- github.com/ImageMagick/ImageMagick6/commit/4f31d78716ac94c85c244efcea368fea202e2ed4 (mitre)