ImageMagick: integer overflows in MNG magnification

Vulnerability

Overview

ImageMagick is a widely used open-source software suite for image editing and manipulation. Prior to versions 6.9.13-27 and 7.1.2-1, the ReadOneMNGImage function in coders/png.c contains an unsafe integer overflow vulnerability. The magnified size calculations, specifically for magnified_height and magnified_width, are computed without proper overflow checks, potentially resulting in memory corruption [1][3]. The root cause lies in how magnification factors from the MNG MAGN chunk are applied during image scaling [1].

Exploitation

Details

The vulnerability is triggered during the processing of the MNG file format, specifically when handling the MAGN (magnification) command. The attacker can craft a malicious MNG file that provides specially crafted magnification values (magn_mb, magn_ml, magn_mr, magn_mt, magn_mx, magn_my). When these values are used in size calculations, an integer overflow can occur, leading to an undersized buffer allocation that is subsequently overwritten [1]. The attack requires no special privileges beyond supplying the malicious file to an application using ImageMagick (e.g., via web upload, email attachment, or automated processing pipeline) [2].

Impact

Successful exploitation results in memory corruption, which could allow an attacker to cause a denial of service (application crash) or potentially execute arbitrary code, depending on the specific exploit and environment. Since ImageMagick is commonly used in server-side image processing and content management systems, the impact is significant [2][3].

Mitigation

The issue has been patched in ImageMagick versions 6.9.13-27 and 7.1.2-1. Users are strongly advised to update to these or later versions. For environments that cannot immediately upgrade, implementing a security policy that disables MNG processing (e.g., via policy.xml) may serve as a temporary workaround [1][2]. A related fix is also included in Magick.NET 14.8.0 [4].