VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 3, 2020· Updated Aug 4, 2024

CVE-2020-27761

CVE-2020-27761

Description

A size_t overflow in ImageMagick's WritePALMImage() can cause undefined behavior when processing crafted PALM files, potentially leading to denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A size_t overflow in ImageMagick's WritePALMImage() can cause undefined behavior when processing crafted PALM files, potentially leading to denial of service.

Vulnerability

A vulnerability exists in WritePALMImage() in coders/palm.c in ImageMagick versions prior to 7.0.9-0. The function uses size_t casts in several calculations, which can result in values outside the range of the representable type unsigned long, leading to undefined behavior when a crafted input file is processed [1]. The patch changes these casts to ssize_t to avoid the issue.

Exploitation

An attacker would need to provide a specially crafted PALM image file that triggers the integer overflow during the image writing process. The attacker does not require authentication or special privileges beyond the ability to have ImageMagick process the malformed file (e.g., via user interaction or automated processing). [1]

Impact

While Red Hat Product Security rates the severity as Low, the undefined behavior could potentially affect application availability, leading to a denial of service condition. No specific impact (such as arbitrary code execution or information disclosure) was demonstrated in this case. [1]

Mitigation

The fix was introduced in ImageMagick version 7.0.9-0. Users should upgrade to this version or later. Red Hat Enterprise Linux 5, 6, and 7 are considered out of support scope for this flaw and will not receive a fix. [1]

References
  1. outside the range of representable values of type 'unsigned long' at coders/palm.c

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

42

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Use of size_t casts in calculations within WritePALMImage() can produce values outside the representable range of unsigned long, leading to undefined behavior."

Attack vector

An attacker crafts a malicious input file that, when processed by ImageMagick's `WritePALMImage()` function, triggers integer calculations that exceed the representable range of `unsigned long`. This undefined behavior could potentially lead to an impact on application availability, though no specific impact was demonstrated [ref_id=1]. The attack vector is local or remote file processing, requiring the victim to open the crafted file with ImageMagick.

Affected code

The vulnerability resides in `WritePALMImage()` in `/coders/palm.c`. The function used `size_t` casts in several areas of a calculation, which could lead to values outside the range of representable type `unsigned long`, causing undefined behavior when a crafted input file is processed by ImageMagick [ref_id=1].

What the fix does

The patch changes `size_t` casts to `ssize_t` casts in the affected calculations within `WritePALMImage()`. By using the signed `ssize_t` type, the calculations avoid overflowing into undefined behavior territory when values exceed the range of `unsigned long`. This ensures that integer arithmetic remains well-defined even for crafted inputs that produce extreme values [ref_id=1].

Preconditions

  • inputThe victim must process a crafted input file with ImageMagick's WritePALMImage() function.
  • inputThe attacker must craft a file that triggers integer calculations exceeding the range of unsigned long.

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.