VYPR
Unrated severity · NVD Advisory · Published Aug 18, 2019 · Updated Aug 5, 2024

CVE-2019-15141

Description

A heap-buffer-overread in ImageMagick 7.0.8-43 Q16's WriteTIFFImage causes denial-of-service via crafted TIFF files, due to an incomplete fix for CVE-2019-11597.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-based buffer over-read vulnerability exists in WriteTIFFImage in coders/tiff.c of ImageMagick 7.0.8-43 Q16 and possibly earlier versions. The bug occurs when processing a crafted TIFF image file, particularly during calls to TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in LibTIFF's tif_dirwrite.c. This issue arises because the patch for CVE-2019-11597 was incomplete; the earlier fix did not address the root cause, leading to a continued buffer over-read when the TIFF library writes directory tags. The vulnerability can be triggered using the convert utility on a malicious input file [1].

Exploitation

An attacker can trigger the vulnerability by supplying a specially crafted TIFF file to ImageMagick's convert command (e.g., convert $FILE /dev/null). No special privileges are required beyond the ability to provide the malicious file to the victim's ImageMagick process. The exploitation does not require authentication; the file may be delivered via email, web upload, or any other means that results in ImageMagick processing it. The crash occurs during the TIFF writing phase, specifically in the WriteTIFFImage function at coders/tiff.c:4324, where a large memcpy (size 131072) over-reads heap memory [1].

Impact

Successful exploitation results in a denial-of-service (DoS) condition: the application crashes due to a heap-based buffer over-read. This is a read operation, so no code execution or data corruption is expected, but the crash terminates the ImageMagick process, impacting availability. The crash may also produce an unrecoverable error in surrounding workflows that use ImageMagick for batch processing [1].

Mitigation

ImageMagick 7 users should upgrade to a version that includes the complete fix. The ImageMagick6 repository addressed the issue in commit 3c53413eb544cc567309b4c86485eae43e956112, which modifies WriteTIFFImage to check the return value of TIFFWriteDirectory and handle failure properly, and corrects the error return logic [2]. Users unable to immediately upgrade may consider disabling TIFF support or processing untrusted TIFF files only in sandboxed environments. No public KEV listing is known at this time.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

17

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

Incomplete fix for CVE-2019-11597: `WriteTIFFImage` does not check the return value of `TIFFWriteDirectory`, allowing a heap-buffer-overflow read in LibTIFF's `TIFFWriteDirectoryTagColormap` when processing a crafted TIFF file.

Attack vector

An attacker supplies a crafted TIFF image file that, when processed by ImageMagick's `convert` command (e.g., `convert $FILE /dev/null`), triggers a heap-buffer-overflow read of size 131072 bytes [1]. The overflow occurs during the TIFF directory writing path: `TIFFRewriteDirectory` → `TIFFWriteDirectory` → `TIFFWriteDirectorySec` → `TIFFWriteDirectoryTagColormap`, where `_TIFFmemcpy` reads past the end of an undersized heap buffer [1]. The buffer was allocated via `_TIFFmalloc` → `setByteArray` → `_TIFFsetShortArray` when `TIFFSetField` was called from `WriteTIFFImage` at line 4262 [1]. No authentication or special privileges are required; the attacker only needs to deliver the malformed TIFF file to the victim.

Affected code

The crash occurs in `WriteTIFFImage` in `coders/tiff.c` at line 4324 [1]. The underlying heap-buffer-overflow is triggered inside LibTIFF functions `TIFFRewriteDirectory`, `TIFFWriteDirectory`, `TIFFWriteDirectorySec`, and `TIFFWriteDirectoryTagColormap` in `tif_dirwrite.c` [1]. The patch modifies the same `coders/tiff.c` file, specifically the loop that calls `TIFFWriteDirectory` and the final return statement [2].

What the fix does

The patch [2] addresses the incomplete fix for CVE-2019-11597 by checking the return value of `TIFFWriteDirectory(tiff)`. Previously the code called `(void) TIFFWriteDirectory(tiff)` unconditionally and only broke out of the loop if `image->exception.severity > ErrorException`. The patch replaces this with `if (TIFFWriteDirectory(tiff) == 0) { status=MagickFalse; break; }`, so a failure in `TIFFWriteDirectory` immediately sets the status to false and exits the loop. Additionally, the final return statement was changed from `return(image->exception.severity > ErrorException ? MagickFalse : MagickTrue)` to `return(status)`, ensuring the function returns the actual operation status rather than relying solely on the exception severity.
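
The before-and-after control flow described above, reduced to a self-contained C model. This is an added example, not ImageMagick or LibTIFF source: `mock_write_directory`, `Result`, the `write_frames_*` functions and the enum values are constructed stand-ins, with the directory writer returning 0 on failure as the patch's `== 0` check implies.

```c
#include <stdio.h>

/* Constructed stand-ins; names mirror the advisory, values are illustrative. */
typedef enum { MagickFalse = 0, MagickTrue = 1 } MagickBooleanType;
enum { UndefinedException = 0, ErrorException = 400 };
typedef struct { MagickBooleanType status; int calls; } Result;

/* Hypothetical directory writer: returns 0 for the failing frame, 1 otherwise. */
static int mock_write_directory(int frame, int fail_at)
{
  return frame == fail_at ? 0 : 1;
}

/* Pre-patch shape: return value discarded; only exception severity is consulted. */
static Result write_frames_before(int frames, int fail_at, int severity)
{
  Result r = { MagickTrue, 0 };
  for (int i = 0; i < frames; i++) {
    (void) mock_write_directory(i, fail_at);
    r.calls++;
    if (severity > ErrorException)
      break;
  }
  r.status = severity > ErrorException ? MagickFalse : MagickTrue;
  return r;
}

/* Post-patch shape: a failed write sets status and leaves the loop at once. */
static Result write_frames_after(int frames, int fail_at)
{
  Result r = { MagickTrue, 0 };
  for (int i = 0; i < frames; i++) {
    r.calls++;
    if (mock_write_directory(i, fail_at) == 0) {
      r.status = MagickFalse;
      break;
    }
  }
  return r;
}

int main(void)
{
  /* Constructed input: 4 frames, the write for frame 1 fails without raising severity. */
  Result b = write_frames_before(4, 1, UndefinedException);
  Result a = write_frames_after(4, 1);
  printf("before: status=%d writes=%d\n", b.status, b.calls);
  printf("after:  status=%d writes=%d\n", a.status, a.calls);
  return 0;
}
```

With the failure at frame 1, the pre-patch shape keeps writing all four frames and reports success, while the patched shape stops after two calls and reports failure.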

Preconditions

  • input: Victim must process a crafted TIFF image file using ImageMagick (e.g., via `convert`).
  • auth: No authentication or special privileges required; the attacker only needs to deliver the file.

Reproduction

Run `convert $FILE /dev/null` with a crafted TIFF file that triggers the heap-buffer-overflow. The issue reporter notes that the PoC file is available at the linked GitHub issue [1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
