VYPR
Unrated severity · NVD Advisory · Published Dec 8, 2020 · Updated Aug 4, 2024

CVE-2020-25674

Description

A heap-buffer-overflow in ImageMagick's PNG encoder can cause denial of service via crafted input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-buffer-overflow vulnerability exists in the WriteOnePNGImage() function in coders/png.c of ImageMagick. The issue lies in a for loop that unconditionally iterates 256 times to process colormap data, even when the colormap contains fewer than 256 valid entries. This leads to an out-of-bounds read when accessing invalid colormap indices. The flaw affects ImageMagick versions prior to 7.0.8-68 [1].

Exploitation

An attacker can trigger the vulnerability by providing a specially crafted PNG file to ImageMagick for processing. No special privileges are required; the file can be processed via any interface that uses ImageMagick to handle PNG images. The out-of-bounds read occurs when the loop attempts to pass invalid colormap data to the event logger [1].

Impact

Successful exploitation results in a heap-buffer-overflow read, which can cause the application to crash, leading to a denial of service. There is no evidence of arbitrary code execution or information disclosure from this vulnerability [1].

Mitigation

The vulnerability is fixed in ImageMagick version 7.0.8-68. Users should upgrade to this version or later. Red Hat has stated that this flaw is out of support scope for RHEL 5, 6, and 7. No other workarounds are documented [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

40

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"A for loop in WriteOnePNGImage() uses a hardcoded bound of 256 iterations instead of the actual colormap size, causing an out-of-bounds heap-buffer-overflow read."

Attack vector

An attacker supplies a specially crafted PNG file whose colormap contains fewer than 256 valid entries. When ImageMagick processes this file, the loop in `WriteOnePNGImage()` iterates 256 times regardless of the actual colormap size, reading beyond the allocated buffer. This heap-buffer-overflow read can crash the application, impacting availability [1].

Affected code

The flaw resides in `WriteOnePNGImage()` in `coders/png.c`. A `for` loop uses a hardcoded upper bound of 256 iterations, but the colormap may contain fewer than 256 valid entries, causing an out-of-bounds heap-buffer-overflow read when invalid colormap data is passed to the event logger.

What the fix does

The patch replaces the hardcoded literal `256` with a call to `MagickMin()` that compares the colormap's actual number of colors against 256, ensuring the loop never iterates beyond the valid colormap entries. This prevents the out-of-bounds read by using the smaller of the two values as the loop bound [1].
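The loop bound before and after the fix, as an added example that is not ImageMagick's own code. `Image`, `PaletteEntry`, `make_image`, `log_entry` and the two `log_colormap_*` functions are simplified, hypothetical stand-ins, and `MagickMin` is defined locally here.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for this example; not ImageMagick's real types. */
typedef struct { unsigned char red, green, blue; } PaletteEntry;
typedef struct { size_t colors; PaletteEntry *colormap; } Image;

/* Local min macro, named after the one the fix calls. */
#define MagickMin(x, y) (((x) < (y)) ? (x) : (y))

/* Allocate an image whose colormap holds exactly `colors` entries. */
Image make_image(size_t colors)
{
  Image image = { colors, calloc(colors, sizeof(PaletteEntry)) };
  return image;
}

static void log_entry(FILE *log, size_t i, const PaletteEntry *c)
{
  if (log != NULL)
    fprintf(log, "%zu (%d,%d,%d)\n", i, c->red, c->green, c->blue);
}

/* Before: the bound is the literal 256. When colors < 256, every index
   i >= colors is read past the end of the heap allocation.
   Kept for comparison only; nothing in this example calls it. */
size_t log_colormap_before(const Image *image, FILE *log)
{
  size_t i;
  for (i = 0; i < 256; i++)
    log_entry(log, i, &image->colormap[i]);
  return i;
}

/* After: the bound is the smaller of the real colormap size and 256. */
size_t log_colormap_after(const Image *image, FILE *log)
{
  size_t i, n = MagickMin(image->colors, (size_t) 256);
  for (i = 0; i < n; i++)
    log_entry(log, i, &image->colormap[i]);
  return i;  /* number of entries actually logged */
}

int main(void)
{
  Image image = make_image(4);  /* constructed 4-entry palette */
  if (image.colormap == NULL) return 1;
  printf("logged %zu entries\n", log_colormap_after(&image, stdout));
  free(image.colormap);
  return 0;
}
```

Building the "before" function into a harness with `-fsanitize=address` and calling it on a 4-entry colormap is how the out-of-bounds read shows up as a `heap-buffer-overflow` report.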

Preconditions

  • input: The attacker must supply a PNG file with a colormap containing fewer than 256 valid entries.
  • config: The victim must process the crafted file using an affected version of ImageMagick (prior to 7.0.8-68).

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
