VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 4, 2020· Updated Aug 4, 2024

CVE-2020-27771

CVE-2020-27771

Description

Use of values outside the unsigned char range in GetPixelIndex() calls in ImageMagick's PDF coder leads to undefined behavior, potentially causing application crashes when processing crafted PDF files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use of values outside the unsigned char range in GetPixelIndex() calls in ImageMagick's PDF coder leads to undefined behavior, potentially causing application crashes when processing crafted PDF files.

Vulnerability

In RestoreMSCWarning() of /coders/pdf.c, several calls to GetPixelIndex() could produce values outside the representable range of the unsigned char type. This undefined behavior is triggered when ImageMagick processes a crafted PDF file. The flaw affects ImageMagick versions prior to 7.0.9-0 [1]. The patch changes the return type of GetPixelIndex() to ssize_t to avoid the bug.

Exploitation

An attacker would need to supply a specially crafted PDF file to ImageMagick. The application must process the file using the PDF coder, which calls RestoreMSCWarning(). No special authentication or network position is required beyond delivering the malicious file to the processing pipeline [1].

Impact

This undefined behavior could lead to an impact on application availability (denial of service). Red Hat Product Security marked this as Low severity because although it could potentially affect availability, no specific impact was demonstrated in this case [1].

Mitigation

The fix is included in ImageMagick version 7.0.9-0 and later [1]. Users should update to a patched version. For Red Hat Enterprise Linux 5, 6, and 7, this flaw is out of support scope. Inkscape is not affected because it no longer uses a bundled ImageMagick in Red Hat Enterprise Linux 8 [1].

References
  1. outside the range of representable values of type 'unsigned char' at coders/pdf.c

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

42

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing type-range check in `RestoreMSCWarning()` allows pixel index values to overflow `unsigned char`, causing undefined behavior."

Attack vector

An attacker crafts a malicious PDF file that, when processed by ImageMagick, triggers calls to `GetPixelIndex()` in `RestoreMSCWarning()` that yield values outside the range of `unsigned char`. This undefined behavior could potentially impact application availability, though no specific exploit was demonstrated [ref_id=1]. The attack vector is local or remote file ingestion, requiring no special privileges beyond the ability to supply a crafted PDF.

Affected code

The flaw resides in the `RestoreMSCWarning()` function within `coders/pdf.c`. Multiple calls to `GetPixelIndex()` in that function can produce values that exceed the representable range of `unsigned char`, leading to undefined behavior.

What the fix does

The patch casts the return value of `GetPixelIndex()` to `ssize_t` instead of allowing it to be implicitly truncated to `unsigned char`. This prevents undefined behavior when the pixel index exceeds the representable range of `unsigned char`. The advisory does not show the exact diff, but the cast to `ssize_t` ensures the value is stored in a signed type large enough to hold the result safely [ref_id=1].

Preconditions

  • inputThe attacker must supply a crafted PDF file to ImageMagick for processing.
  • configImageMagick version must be prior to 7.0.9-0.

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.