CVE-2022-1270
Description
A heap buffer overflow in GraphicsMagick's MIFF parser allows attackers to trigger memory corruption via a crafted image.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap buffer overflow exists in GraphicsMagick's MIFF image parser, specifically in the ReadMIFFImage function within coders/miff.c [1]. The issue occurs when processing a specially crafted MIFF file; the fread operation writes beyond the allocated heap buffer region (686 bytes allocated, write of size 6146) [1]. The bug affects GraphicsMagick version 1.4 snapshot-20220322 and potentially earlier versions; the Gentoo security advisory lists all users of GraphicsMagick prior to version 1.3.38 as impacted [2].
Exploitation
An attacker must provide a malicious MIFF file to a victim or service using GraphicsMagick (e.g., via gm identify or image processing workflows) [1]. No authentication or special privileges are required; the file is processed automatically. The overflow is triggered during blob reading (ReadBlob), causing a heap-buffer-overflow with no user interaction beyond file opening [1].
Impact
Successful exploitation results in heap memory corruption, potentially leading to arbitrary code execution with the privileges of the user running GraphicsMagick [2]. The overflow corrupts adjacent heap data, and the Gentoo advisory rates the worst-case impact as arbitrary code execution [2].
Mitigation
A fix is included in GraphicsMagick version 1.3.38 (released prior to the GLSA), and all users are advised to upgrade to that version or later [2]. For systems unable to upgrade, no workaround is available; users should avoid processing untrusted MIFF files [2].
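One way to act on the upgrade and untrusted-MIFF advice above, as an added example that is not from the advisory or the GraphicsMagick project. The version values come from this page; the function names and the `id=ImageMagick` signature check at offset 0 are assumptions of the example.

```python
import re

FIXED = (1, 3, 38)                  # first fixed release named in the text above
KNOWN_BAD_SNAPSHOTS = {"20220322"}  # snapshot this page lists as affected
MIFF_MAGIC = b"id=imagemagick"      # assumption: MIFF signature at offset 0

def classify_version(banner: str) -> str:
    """Return 'vulnerable', 'fixed' or 'review' for a GraphicsMagick version string."""
    snap = re.search(r"snapshot-(\d{8})", banner)
    if snap:
        # Snapshots carry a 1.4 label but are not ordered against 1.3.x
        # releases, so a plain numeric compare would wrongly call them fixed.
        return "vulnerable" if snap.group(1) in KNOWN_BAD_SNAPSHOTS else "review"
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        return "review"
    version = tuple(int(part or 0) for part in m.groups())
    return "fixed" if version >= FIXED else "vulnerable"

def looks_like_miff(head: bytes) -> bool:
    """Content sniff: the file name is attacker-chosen, so ignore the extension."""
    return head[:len(MIFF_MAGIC)].lower() == MIFF_MAGIC

def may_process(head: bytes, banner: str) -> bool:
    """Allow any input on a fixed build; otherwise refuse MIFF content."""
    if classify_version(banner) == "fixed":
        return True
    return not looks_like_miff(head)

if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    miff_head = b"id=ImageMagick  version=1.0\n"
    png_head = b"\x89PNG\r\n\x1a\n"
    for banner in ("GraphicsMagick 1.3.35", "GraphicsMagick 1.3.38",
                   "GraphicsMagick 1.4 snapshot-20220322"):
        print(banner, classify_version(banner),
              may_process(miff_head, banner), may_process(png_head, banner))
```

Distribution packages backport fixes (this page lists openSUSE Leap 15.3 as fixed from 1.3.35-150300.3.3.1), so for distro builds rely on the package manager's advisory status rather than an upstream version compare.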
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
OSV coordinates (17 package entries, with affected range):
- pkg:rpm/opensuse/GraphicsMagick&distro=openSUSE%20Leap%2015.3 (range: < 1.3.35-150300.3.3.1)
- pkg:rpm/opensuse/GraphicsMagick&distro=openSUSE%20Tumbleweed (range: < 1.3.38-1.1)
- pkg:rpm/suse/ImageMagick&distro=HPE%20Helion%20OpenStack%208 (range: < 6.8.8.1-71.172.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL (range: < 6.8.8.1-71.172.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL (range: < 6.8.8.1-71.172.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS (range: < 6.8.8.1-71.172.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS (range: < 6.8.8.1-71.172.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (range: < 6.8.8.1-71.172.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 (range: < 6.8.8.1-71.172.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 (range: < 6.8.8.1-71.172.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (range: < 6.8.8.1-71.172.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (range: < 6.8.8.1-71.172.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP5 (range: < 6.8.8.1-71.172.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20OpenStack%20Cloud%208 (range: < 6.8.8.1-71.172.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20OpenStack%20Cloud%209 (range: < 6.8.8.1-71.172.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 (range: < 6.8.8.1-71.172.1)
- pkg:rpm/suse/ImageMagick&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 (range: < 6.8.8.1-71.172.1)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Heap buffer overflow in ReadMIFFImage when fread writes beyond the allocated buffer during MIFF parsing."
Attack vector
An attacker provides a crafted MIFF file (example.miff) that causes a heap-buffer-overflow when GraphicsMagick attempts to parse it. The overflow occurs in ReadMIFFImage at coders/miff.c:1847 when fread writes 6146 bytes into a 686-byte allocated region [ref_id=1]. The bug is triggered by running `gm identify example.miff` on the malicious file [ref_id=1]. No authentication or special privileges are required beyond the ability to supply the crafted MIFF file to the GraphicsMagick identify command.
Affected code
The vulnerable function is ReadMIFFImage in coders/miff.c at line 1847, which calls fread via ReadBlob (magick/blob.c:3228) [ref_id=1]. The allocation occurs via _MagickReallocateResourceLimitedMemory in magick/memory.c:769 [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] reports the heap-buffer-overflow in ReadMIFFImage (coders/miff.c:1847) via AddressSanitizer but does not provide a fix or remediation guidance. The vendor bug tracker entry documents the crash but no resolution is shown.
Preconditions
- input: Attacker must supply a crafted MIFF file to GraphicsMagick's identify command
- config: GraphicsMagick version 1.4 snapshot-20220322 (or likely other versions with the vulnerable code)
Reproduction
Run `./gm identify example.miff` with the proof-of-concept MIFF file linked in the advisory [ref_id=1]. The AddressSanitizer output confirms a heap-buffer-overflow WRITE of size 6146 at the fread call in ReadMIFFImage.
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- security.gentoo.org/glsa/202209-19 (mitre, vendor-advisory)
- www.debian.org/security/2022/dsa-5288 (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2022/11/msg00028.html (mitre, mailing-list)
- sourceforge.net/p/graphicsmagick/bugs/664/ (mitre)