CVE-2019-19948
Description
A heap-based buffer overflow in ImageMagick 7.0.8-43 Q16 WriteSGIImage function allows denial of service or code execution via crafted SGI files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap-based buffer overflow in ImageMagick 7.0.8-43 Q16 WriteSGIImage function allows denial of service or code execution via crafted SGI files.
Vulnerability
In ImageMagick 7.0.8-43 Q16, the function WriteSGIImage in coders/sgi.c contains a heap-based buffer overflow. The issue occurs when processing a specially crafted SGI image file; the write operation at line 1051 accesses memory 8 bytes before an allocated 524288-byte region, leading to a heap-buffer-overflow. The affected version is ImageMagick 7.0.8-43 Q16 [1].
Exploitation
An attacker must supply a malicious SGI file that triggers the overflow when ImageMagick attempts to convert or write the image using the convert command or similar operation. The exploit vector is through file processing, requiring no special privileges—any user who can open the crafted file (e.g., via magick convert or web uploads) can trigger the vulnerability. The attack does not need authentication beyond local file access [1].
Impact
A successful exploit can cause a heap-buffer-overflow, potentially leading to application crash (denial of service) or arbitrary code execution in the context of the affected process. The overflow is classified as a high-severity issue due to the possibility of remote code execution via crafted image files [1].
Mitigation
As of the publication date (2019-12-24), no patched version has been released. The vendor was notified via the issue tracker [1]. Users should refrain from processing untrusted SGI files. Monitor vendor updates for a fix; the issue is not listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog. If no patch is forthcoming, consider removing support for the SGI format or using alternative image libraries.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
16- ImageMagick/ImageMagickdescription
- Range: = 7.0.8-43 Q16
- osv-coords14 versionspkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.1pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP4pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP5
< 7.0.7.34-lp151.7.15.1+ 13 more
- (no CPE)range: < 7.0.7.34-lp151.7.15.1
- (no CPE)range: < 6.8.8.1-71.141.1
- (no CPE)range: < 7.0.7.34-3.79.1
- (no CPE)range: < 7.0.7.34-3.79.1
- (no CPE)range: < 7.0.7.34-3.79.1
- (no CPE)range: < 7.0.7.34-3.79.1
- (no CPE)range: < 6.8.8.1-71.141.1
- (no CPE)range: < 6.8.8.1-71.141.1
- (no CPE)range: < 6.8.8.1-71.141.1
- (no CPE)range: < 6.8.8.1-71.141.1
- (no CPE)range: < 6.8.8.1-71.141.1
- (no CPE)range: < 6.8.8.1-71.141.1
- (no CPE)range: < 6.8.8.1-71.141.1
- (no CPE)range: < 6.8.8.1-71.141.1
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds check when writing pixel data in WriteSGIImage allows a heap-buffer-overflow write 8 bytes before the allocated buffer."
Attack vector
An attacker provides a crafted SGI image file that, when processed by ImageMagick's convert command, triggers a heap-buffer-overflow in the WriteSGIImage function at coders/sgi.c:1051 [ref_id=1]. The overflow is a write of size 1 occurring 8 bytes to the left of a 524288-byte heap region allocated at line 1030 of the same function [ref_id=1]. The attack requires no special privileges — any user or service that invokes ImageMagick to convert a malicious SGI file can trigger the vulnerability.
Affected code
The vulnerable function is WriteSGIImage in coders/sgi.c, specifically at line 1051 where a heap-buffer-overflow write occurs [ref_id=1]. The buffer is allocated at line 1030 via AcquireVirtualMemory [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] identifies the heap-buffer-overflow at coders/sgi.c:1051 in WriteSGIImage, with the buffer allocated at line 1030. A proper fix would add validation of the SGI image dimensions or pixel data size before writing, ensuring the write offset does not underflow the allocated buffer.
Preconditions
- inputAttacker must supply a crafted SGI image file that triggers the overflow
- executionThe victim must run ImageMagick's convert command (or any code path calling WriteSGIImage) on the malicious file
Reproduction
Run `magick convert $poc ./test.sgi` where `$poc` is a crafted SGI file. The AddressSanitizer output confirms a heap-buffer-overflow WRITE of size 1 at coders/sgi.c:1051 [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- lists.opensuse.org/opensuse-security-announce/2020-02/msg00006.htmlmitrevendor-advisoryx_refsource_SUSE
- usn.ubuntu.com/4549-1/mitrevendor-advisoryx_refsource_UBUNTU
- www.debian.org/security/2020/dsa-4712mitrevendor-advisoryx_refsource_DEBIAN
- www.debian.org/security/2020/dsa-4715mitrevendor-advisoryx_refsource_DEBIAN
- github.com/ImageMagick/ImageMagick/issues/1562mitrex_refsource_MISC
- lists.debian.org/debian-lts-announce/2019/12/msg00033.htmlmitremailing-listx_refsource_MLIST
News mentions
0No linked articles in our index yet.