CVE-2019-19953
Description
A heap-buffer-overread in GraphicsMagick's EncodeImage function (coders/pict.c) can cause a crash or information disclosure when processing a crafted file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-based buffer over-read exists in the EncodeImage function of coders/pict.c in GraphicsMagick 1.4 snapshot-20191208 Q8. The bug is triggered when a crafted .webp file is converted to the PICT format using the gm convert command. The out-of-bounds read occurs at line 1067, accessing memory one byte before a 65536-byte heap buffer allocated in WritePICTImage [1].
Exploitation
An attacker can exploit this vulnerability by supplying a specially crafted image file (e.g., a .webp file) and convincing a user or automated process to convert it to PICT format using GraphicsMagick's convert command. No authentication is required, but the victim must perform the conversion action. The issue is reachable via the standard command-line interface as shown in the reproduction steps provided in the bug report [1].
Impact
Successful exploitation leads to a heap-buffer-overread, which may result in a segmentation fault (crash) or the disclosure of adjacent heap memory content. In the worst case, this could leak sensitive information from the process's memory, though the primary impact is denial of service due to the crash. The vulnerability does not provide direct code execution capability according to the available references [1].
Mitigation
The bug was reported and acknowledged in the GraphicsMagick bug tracker, but no patched version has been explicitly released in the references provided. Users should monitor the GraphicsMagick project for an updated snapshot or release that fixes this issue. As a workaround, avoid processing untrusted image files with the gm convert command until a fix is applied [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GraphicsMagick/GraphicsMagick (description)
  - Range: = 1.4 snapshot-20191208 Q8
- osv-coords, 2 versions:
  - pkg:rpm/opensuse/GraphicsMagick&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/suse/GraphicsMagick&distro=SUSE%20Package%20Hub%2015%20SP1
  - (no CPE) range: < 1.3.29-lp151.4.14.1
  - (no CPE) range: < 1.3.29-bp151.5.9.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"A heap-based buffer over-read occurs in the EncodeImage function due to improper handling of image data."
Attack vector
An attacker can trigger this vulnerability by providing a specially crafted WebP image file to the GraphicsMagick utility. Converting the file with the `gm convert` command causes the vulnerable `EncodeImage` function to be called. This results in an out-of-bounds read when processing the image data, potentially leading to a crash or disclosure of adjacent heap memory [1].
Affected code
The vulnerability resides in the `EncodeImage` function located in the `coders/pict.c` file. The stack trace points to line 1067 within `EncodeImage` as the location of the heap-based buffer over-read [1]. This function is called during the image conversion process, specifically when writing PICT images.
What the fix does
The patch does not show the specific code changes made to address the vulnerability. However, the advisory indicates that the issue is resolved in later versions of GraphicsMagick. The fix likely involves ensuring that the size of the data being read does not exceed the allocated buffer boundaries within the `EncodeImage` function.
Preconditions
- input: The attacker must provide a specially crafted WebP image file.
- config: The system must have GraphicsMagick version 1.4 snapshot-20191208 Q8 or a similar vulnerable version installed.
Reproduction
The following command can be used to reproduce the vulnerability: `/home/graphicsmagick/utilities/gm convert ./heap-buffer-overflow-READ-0x08417e7a.webp ./test.pct` [1]
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2020-01/msg00026.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-01/msg00064.html (mitre, vendor-advisory, x_refsource_SUSE)
- www.debian.org/security/2020/dsa-4640 (mitre, vendor-advisory, x_refsource_DEBIAN)
- hg.graphicsmagick.org/hg/GraphicsMagick/rev/28f8bacd4bbf (mitre, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2020/01/msg00029.html (mitre, mailing-list, x_refsource_MLIST)
- sourceforge.net/p/graphicsmagick/bugs/617/ (mitre, x_refsource_MISC)