Unrated severity · NVD Advisory · Published Mar 24, 2020 · Updated Aug 4, 2024

CVE-2020-10938

Description

GraphicsMagick before 1.3.35 has an integer overflow leading to a heap-based buffer overflow in HuffmanDecodeImage in magick/compress.c.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

GraphicsMagick versions before 1.3.35 contain an integer overflow that results in a heap-based buffer overflow in the HuffmanDecodeImage function in magick/compress.c. The vulnerability occurs when processing specially crafted image files that trigger incorrect buffer size calculations during Huffman decoding, allowing a write beyond the allocated heap buffer. This is reachable when GraphicsMagick processes untrusted image files via any supported input format that uses Huffman decoding.

Exploitation

An attacker can exploit this vulnerability by providing a malicious image file to a user or service using GraphicsMagick to process images. No authentication or special network position is required; the attack vector is local or remote file processing. The attacker crafts a file that, when decoded by HuffmanDecodeImage, triggers the integer overflow and subsequent heap-based out-of-bounds write.

Impact

Successful exploitation can lead to arbitrary code execution in the context of the GraphicsMagick process, or denial of service via application crash. The heap-based buffer overflow can be leveraged by an attacker to corrupt memory and potentially achieve remote code execution if the application processes images from untrusted sources.

Mitigation

The vulnerability is fixed in GraphicsMagick version 1.3.35, released on or around February 23, 2020 [1]. Users should upgrade to version 1.3.35 or later. There is no known workaround for this issue; users running earlier versions should apply the patch immediately.
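To act on the upgrade guidance, the following added example (not part of the advisory or of GraphicsMagick) classifies the first line of `gm version` output against the fixed release 1.3.35. The function names and the sample line are constructed for illustration, and the first-line format `GraphicsMagick <version> ...` is an assumption about the installed build.

```shell
#!/bin/sh
# Fixed release named in the advisory for CVE-2020-10938.
FIXED_VERSION="1.3.35"

# Constructed sample of the first line printed by `gm version` (not real output).
SAMPLE_OLD="GraphicsMagick 1.3.9 2000-01-01 Q8 http://www.GraphicsMagick.org/"

# Print the dotted version found on the first line, or nothing if it is not gm output.
gm_parse_version() {
    printf '%s\n' "$1" | sed -n '1s/^GraphicsMagick \([0-9][0-9.]*\).*/\1/p'
}

# Succeed if version $1 is strictly lower than $2. Components are compared
# numerically, so 1.3.9 sorts below 1.3.35 (a plain string compare gets this wrong).
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
    done
    return 1
}

# Print "vulnerable", "fixed" or "unknown" for a block of `gm version` output.
gm_cve_2020_10938_status() {
    v=$(gm_parse_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Check the local install when gm is on PATH; otherwise show the constructed sample.
if command -v gm >/dev/null 2>&1; then
    echo "installed gm: $(gm_cve_2020_10938_status "$(gm version 2>/dev/null)")"
else
    echo "constructed sample: $(gm_cve_2020_10938_status "$SAMPLE_OLD")"
fi
```

A distribution package can carry a backported fix under an older upstream version string, so a "vulnerable" result from the version alone should be confirmed against the package changelog.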

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

Vulnerability mechanics

Root cause

"Integer overflow in HuffmanDecodeImage in magick/compress.c leads to undersized heap buffer allocation and subsequent heap-based buffer overflow."

Attack vector

An attacker crafts a malicious image file that triggers an integer overflow during Huffman decoding in `HuffmanDecodeImage`. The overflow leads to an undersized heap buffer allocation, and subsequent decoding writes beyond the allocated buffer, causing a heap-based buffer overflow. No authentication is required; the attack vector is network-based if the victim processes the crafted image via GraphicsMagick.

Affected code

The vulnerability resides in `HuffmanDecodeImage` in `magick/compress.c`. The patch is part of the GraphicsMagick 1.3.35 release merge commit `5b4dd7c6674140a115ec9424c8d19c6a458fac3e`.

What the fix does

The patch merges changes for version 1.3.35, which includes fixes for the integer overflow in `HuffmanDecodeImage`. While the exact diff lines are not shown in the provided reference, the advisory states that the fix addresses the integer overflow that previously allowed an undersized heap allocation, thereby preventing the subsequent heap-based buffer overflow.

Preconditions

  • input: The victim must process a crafted image file using GraphicsMagick.
  • auth: No authentication or special privileges required.
  • network: Attack can be delivered over the network (e.g., via a web service that processes user-uploaded images).

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
