CVE-2022-0284
Description
A heap-buffer-over-read in ImageMagick's GetPixelAlpha() when converting a crafted TIFF to PICON can lead to denial of service and information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-based buffer over-read vulnerability exists in the GetPixelAlpha() function in pixel-accessor.h of ImageMagick. It is triggered when a specially crafted Tagged Image File Format (TIFF) image is converted to a PICON file format. The bug affects ImageMagick version 7.1.0-20 (commit f54aa4e) and earlier. The root cause is that WritePICONImage() in coders/xpm.c calls GetPixelAlpha(image,q) instead of GetPixelAlpha(picon,q), reading from the wrong image object and causing an out-of-bounds read [1][2].
Exploitation
An attacker can exploit this vulnerability by providing a malicious TIFF image and triggering a conversion to PICON format (e.g., via magick convert input.tiff output.picon). No authentication or special privileges are required; the attacker only needs to convince a user or automated system to process the crafted file. The over-read occurs during the write operation, as demonstrated by the AddressSanitizer stack trace [2].
Impact
Successful exploitation results in a heap-buffer-over-read, which can cause a denial of service (application crash) and potential disclosure of sensitive heap memory contents. Based on available information, the vulnerability does not allow remote code execution [1][4].
Mitigation
The issue was fixed in commit e50f19fd73c792ebe912df8ab83aa51a243a3da7 by correcting the image pointer in WritePICONImage() [3]. Users should update to a version of ImageMagick that includes this fix (e.g., 7.1.0-21 or later). If an immediate update is not possible, avoid converting untrusted TIFF files to PICON format as a workaround [1][4].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE)
- osv-coords, 12 versions:
  - pkg:apk/chainguard/imagemagick-6
  - pkg:apk/chainguard/imagemagick-6-dev
  - pkg:apk/chainguard/imagemagick-6-doc
  - pkg:apk/chainguard/imagemagick-6-static
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.3
  - pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP3
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP2
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS
  - pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 7.0.7.34-10.21.1
- (no CPE) range: < 7.1.1.17-1.1
- (no CPE) range: < 7.0.7.34-150000.3.123.1
- (no CPE) range: < 7.0.7.34-10.21.1
- (no CPE) range: < 7.0.7.34-10.21.1
- (no CPE) range: < 7.0.7.34-10.21.1
- (no CPE) range: < 7.0.7.34-150000.3.123.1
- (no CPE) range: < 7.0.7.34-150000.3.123.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Use of the wrong image pointer (`image` instead of `picon`) in `GetPixelAlpha()` calls within `WritePICONImage()` causes a heap-buffer-overflow read."
Attack vector
An attacker supplies a specially crafted Tagged Image File Format (TIFF) image. When ImageMagick's `convert` utility processes this TIFF into a PICON file, the `WritePICONImage()` function calls `GetPixelAlpha()` on the wrong image object (`image` instead of `picon`), causing a read beyond the allocated heap buffer for the `picon` image [ref_id=1][ref_id=2]. The attacker does not need authentication; the only precondition is that the victim invokes the conversion on the malicious file [ref_id=1].
Affected code
The heap-buffer-overflow read occurs in `GetPixelAlpha()` at `MagickCore/pixel-accessor.h:59` [ref_id=1]. The call chain shows the crash is triggered from `WritePICONImage()` in `coders/xpm.c` at lines 807 and 775 [ref_id=1]. The patch modifies two `GetPixelAlpha()` calls in `WritePICONImage()` that were incorrectly reading from the `image` pointer instead of the `picon` pointer [ref_id=2].
What the fix does
The patch [ref_id=2] changes two `GetPixelAlpha()` calls in `WritePICONImage()` from `GetPixelAlpha(image,q)` to `GetPixelAlpha(picon,q)`. The `picon` image is a quantized/colormapped version derived from the original `image`, and it may have a smaller pixel cache. Reading alpha from the larger `image` object using the `picon` pixel iterator `q` caused an out-of-bounds read. Using the correct `picon` pointer ensures the read stays within the allocated buffer for the colormapped image.
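The mismatch described above can be reproduced in a small model. This is an added example, not ImageMagick source or code from the patch: `ModelImage`, the function names and the channel layouts are constructed assumptions that only mirror the pattern of taking the alpha offset from one image while the pixel pointer `q` walks another image's smaller cache.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified, hypothetical model of an image and its pixel cache. */
typedef struct {
    size_t columns, rows;
    size_t channels;      /* values stored per pixel */
    size_t alpha_offset;  /* index of alpha inside one pixel */
    float *cache;         /* columns * rows * channels values */
} ModelImage;

static size_t cache_len(const ModelImage *im) {
    return im->columns * im->rows * im->channels;
}
/* Accessor shaped like the one described: the offset comes from `layout`,
   the base address comes from q. Nothing ties the two together. */
static float model_get_alpha(const ModelImage *layout, const float *q) {
    return q[layout->alpha_offset];
}
/* 1 if reading alpha of pixel i in owner's cache with layout's offset
   stays inside owner's allocation, 0 if it would run past the end. */
static int alpha_read_in_bounds(const ModelImage *layout,
                                const ModelImage *owner, size_t i) {
    return i * owner->channels + layout->alpha_offset < cache_len(owner);
}
/* Walk owner's pixels as a writer loop would; perform the reads that are
   safe and count the ones that would leave the cache. */
static size_t count_oob_alpha_reads(const ModelImage *layout,
                                    const ModelImage *owner) {
    size_t oob = 0, n = owner->columns * owner->rows;
    for (size_t i = 0; i < n; i++) {
        const float *q = owner->cache + i * owner->channels;
        if (alpha_read_in_bounds(layout, owner, i))
            (void) model_get_alpha(layout, q);
        else
            oob++;
    }
    return oob;
}
static ModelImage make_image(size_t c, size_t r, size_t ch, size_t a) {
    ModelImage im = { c, r, ch, a, NULL };
    im.cache = calloc(c * r * ch, sizeof *im.cache);
    return im;
}
int main(void) {
    ModelImage image = make_image(4, 1, 5, 4); /* constructed: alpha is 5th value */
    ModelImage picon = make_image(4, 1, 2, 1); /* constructed: index + alpha */
    printf("offset from image: %zu reads out of bounds\n",
           count_oob_alpha_reads(&image, &picon));
    printf("offset from picon: %zu reads out of bounds\n",
           count_oob_alpha_reads(&picon, &picon));
    free(image.cache); free(picon.cache);
    return 0;
}
```

In this model the first two pixels stay inside the cache but return a value belonging to a different pixel, so the wrong pointer corrupts output before it ever trips a bounds check.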
Preconditions
- input: Victim must use ImageMagick to convert a crafted TIFF file to PICON format.
- auth: No authentication required; the attacker only needs to supply the malicious file.
Reproduction
Build ImageMagick with AddressSanitizer (`./configure CC=gcc CFLAGS="-g -fsanitize=address" && make`), then run `./magick convert /path/to/poc.tiff output.picon` using a crafted TIFF file [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/security/cve/CVE-2022-0284 (mitre, x_refsource_MISC)
- bugzilla.redhat.com/show_bug.cgi (mitre, x_refsource_MISC)
- github.com/ImageMagick/ImageMagick/commit/e50f19fd73c792ebe912df8ab83aa51a243a3da7 (mitre, x_refsource_MISC)
- github.com/ImageMagick/ImageMagick/issues/4729 (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.