VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2019 · Updated Aug 5, 2024

CVE-2019-19949

Description

In ImageMagick 7.0.8-43 Q16, a heap-based buffer over-read in WritePNGImage's call to LocaleNCompare can cause denial of service via a crafted PNG file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-based buffer over-read exists in ImageMagick version 7.0.8-43 Q16, in the function WritePNGImage within coders/png.c. The bug is triggered via Magick_png_write_raw_profile and LocaleNCompare at coders/png.c:8183. When processing a specially crafted PNG image, a null-terminated string comparison reads beyond the allocated heap buffer by one byte [1].

Exploitation

An attacker need only supply a malicious PNG file. If a user or automated system using ImageMagick opens this crafted image (e.g., via `convert $poc ./test.png`), the vulnerable code path is reached. No special privileges or network position is required beyond delivering the file to the victim [1][2].

Impact

Successful exploitation of this heap-buffer-over-read can cause a crash (denial of service). The Ubuntu security advisory notes that the impact is unspecified but may include other consequences; however, the advisory prioritizes denial of service as the primary outcome [2]. The read is limited to one byte beyond the allocated region [1].

Mitigation

The vulnerability is fixed in ImageMagick versions released after 7.0.8-43. Ubuntu published a security update (USN-4549-1) on 28 September 2020 addressing this CVE (alongside CVE-2019-19948) for its supported releases. Users should update their ImageMagick packages to the latest version. No workaround is documented if an immediate update is not possible [2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

17

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Heap-based buffer over-read in Magick_png_write_raw_profile when LocaleNCompare reads past the end of a 1-byte allocated region."

Attack vector

An attacker provides a crafted PNG image with a malformed profile chunk. When ImageMagick's `convert` command processes this image via `WritePNGImage` [ref_id=1], the function `Magick_png_write_raw_profile` at `coders/png.c:8183` calls `LocaleNCompare` on a profile string that was allocated as only 1 byte [ref_id=1]. The comparison reads beyond that allocation, an out-of-bounds read that AddressSanitizer reports as a heap-buffer-overflow [ref_id=1]. No authentication or special privileges are required; the attacker only needs to supply the malicious image file to the victim's ImageMagick processing pipeline.

Affected code

The vulnerable code is in `coders/png.c`, function `WritePNGImage` (line 12744), which calls `WriteOnePNGImage` (line 11083), which in turn calls `Magick_png_write_raw_profile` (line 8183). The over-read occurs when `Magick_png_write_raw_profile` invokes `LocaleNCompare` at `MagickCore/locale.c:1581` on a 1-byte heap allocation [ref_id=1].

What the fix does

No patch is included in the bundle. The advisory [ref_id=1] identifies the bug as a heap-buffer-overflow in `WritePNGImage` of `coders/png.c`, specifically in `Magick_png_write_raw_profile` at line 8183 and `LocaleNCompare` at `MagickCore/locale.c:1581`. A proper fix would need to ensure that the profile string passed to `LocaleNCompare` is null-terminated or that its length is validated before comparison, preventing reads beyond the allocated buffer.
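
An added example (not ImageMagick's code and not the upstream fix) of the length validation described above: a case-insensitive prefix test that takes the buffer's allocated length and never reads past it. The function names and the sample profile name `exif` are hypothetical, constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not an ImageMagick API): case-insensitive test of
 * whether buf starts with the NUL-terminated prefix. buf need not be
 * NUL-terminated; at most buf_len bytes of it are ever read. */
static int bounded_prefix_match(const unsigned char *buf, size_t buf_len,
                                const char *prefix)
{
    size_t n, i;

    if (buf == NULL || prefix == NULL)
        return 0;
    n = strlen(prefix);
    if (n > buf_len)            /* validate length before comparing */
        return 0;
    for (i = 0; i < n; i++) {
        if (buf[i] == '\0')     /* string ends before the prefix does */
            return 0;
        if (tolower(buf[i]) != tolower((unsigned char) prefix[i]))
            return 0;
    }
    return 1;
}

/* Constructed harness: run the check on an exact-size heap copy so that
 * AddressSanitizer would flag any read past the allocation. */
static int check_on_heap_copy(const void *data, size_t len, const char *prefix)
{
    unsigned char *copy = malloc(len ? len : 1);
    int result;

    if (copy == NULL)
        return -1;
    if (len)
        memcpy(copy, data, len);
    result = bounded_prefix_match(copy, len, prefix);
    free(copy);
    return result;
}

int main(void)
{
    /* 1-byte, unterminated buffer: the allocation size named in the report */
    return check_on_heap_copy("e", 1, "exif") == 0 ? 0 : 1;
}
```

Building this with `-fsanitize=address` confirms that the 1-byte case is rejected without touching memory outside the allocation.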

Preconditions

  • input: Victim must process a crafted PNG image using ImageMagick's convert command or any API that triggers WritePNGImage.
  • auth: No authentication or special privileges required; the attacker supplies the malicious file.

Reproduction

The issue reporter provides a PoC file (referenced as "poc" in the issue) and the command `magick convert $poc ./test.png` [ref_id=1]. Running this command with AddressSanitizer enabled reproduces the heap-buffer-overflow at the call stack shown in the report [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6
