VYPR
Unrated severity · NVD Advisory · Published Dec 8, 2020 · Updated Aug 4, 2024

CVE-2020-25664

Description

A heap-based buffer overflow in ImageMagick's WriteOnePNGImage() via improper memory allocation leads to potential out-of-bounds write, affecting availability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In WriteOnePNGImage() of the PNG coder in coders/png.c, an improper call to AcquireVirtualMemory() and memset() results in an out-of-bounds write later when PopShortPixel() from MagickCore/quantum-private.h is called. The patch adds 256 to rowbytes to correct the allocation. This flaw affects ImageMagick versions prior to 6.9.10-68 and 7.0.8-68 [1].

Exploitation

An attacker must supply a specially crafted PNG image to trigger the vulnerability. No special network position or authentication is required beyond the ability to have the image processed by an affected version of ImageMagick. The exploitation sequence involves the improper memory allocation during PNG encoding leading to a heap-based buffer overflow when PopShortPixel() is later invoked [1].

Impact

Successful exploitation could affect availability with a low impact to data integrity. The out-of-bounds write may lead to a crash or potentially other undefined behavior, depending on the memory layout. The impact is considered low severity [1].

Mitigation

The vulnerability is fixed in ImageMagick versions 6.9.10-68 and 7.0.8-68, released around 2020-12-08 [1]. For users who cannot update, the Red Hat Bugzilla entry notes that Red Hat Enterprise Linux 5, 6, and 7 are out of support scope, and Inkscape (as of RHEL 8) is not affected because it no longer bundles ImageMagick [1]. No other workarounds are provided in the available references.
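
One way to check a host against the fixed releases named above, as an added example that is not part of the advisory or of ImageMagick. It assumes the `ImageMagick X.Y.Z-P` token printed by `magick -version` or `convert -version`; the sample banners are constructed.

```python
import re

# Fixed releases named in the advisory, keyed by major version.
FIXED = {6: (6, 9, 10, 68), 7: (7, 0, 8, 68)}

# Assumption: the version banner contains "ImageMagick X.Y.Z-P".
_VERSION_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(banner):
    """Return (major, minor, micro, patch) from a banner, or None."""
    m = _VERSION_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(banner):
    """True if older than the fixed release for its branch, False if not,
    None when the version cannot be determined from the banner."""
    version = parse_version(banner)
    if version is None:
        return None
    fixed = FIXED.get(version[0])
    if fixed is None:
        return None  # major branch not named in the advisory
    return version < fixed


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    samples = [
        "Version: ImageMagick 7.0.8-67 Q16 x86_64 https://imagemagick.org",
        "Version: ImageMagick 7.0.10-34 Q16 x86_64 https://imagemagick.org",
        "Version: ImageMagick 6.9.10-68 Q16 x86_64 https://imagemagick.org",
        "Version: ImageMagick 6.9.7-4 Q16 x86_64 https://imagemagick.org",
        "GraphicsMagick 1.3.35 Q16",
    ]
    for banner in samples:
        print(f"{is_affected(banner)!s:5}  {banner}")
```

Distribution packages may carry a backported fix under an older upstream version number, so a `True` result is a prompt to check the vendor's own advisory for that package.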

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

41

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Insufficient memory allocation in WriteOnePNGImage() causes a heap-based buffer overflow when PopShortPixel() writes pixel data."

Attack vector

An attacker supplies a specially crafted PNG image to ImageMagick. The insufficient memory allocation in `WriteOnePNGImage()` causes a heap-based buffer overflow when `PopShortPixel()` writes pixel data beyond the allocated buffer [1]. This can affect availability with a low impact to data integrity.

Affected code

The flaw resides in `WriteOnePNGImage()` in `coders/png.c` and the `PopShortPixel()` macro in `MagickCore/quantum-private.h`. An improper call to `AcquireVirtualMemory()` and `memset()` leads to an out-of-bounds write when `PopShortPixel()` is later invoked [1].

What the fix does

The patch adds 256 to `rowbytes` before the `AcquireVirtualMemory()` and `memset()` calls, ensuring the allocated buffer is large enough to accommodate the pixel data written by `PopShortPixel()` [1]. This prevents the out-of-bounds write by guaranteeing sufficient memory is reserved.

Preconditions

  • input: The attacker must supply a specially crafted PNG image file to ImageMagick.
  • config: The vulnerable code path in `WriteOnePNGImage()` must be exercised.

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
