ImageMagick CLAHE : Unsigned underflow and division-by-zero lead to OOB pointer arithmetic and process crash (DoS)

Vulnerability

Description

ImageMagick versions prior to 7.1.2-8 contain a denial-of-service vulnerability in the CLAHEImage function located in MagickCore/enhance.c. The root cause is improper handling of tile dimensions: when the tile width or height is zero, an unsigned integer underflow occurs in pointer arithmetic (e.g., tile.height - 1 wrapping to UINT_MAX), leading to out-of-bounds memory access. Additionally, division-by-zero is triggered when code performs modulo or division operations with a zero tile dimension without prior validation [1][2].

Exploitation

An attacker can exploit this vulnerability by supplying a crafted image file that specifies a zero tile size, such as via the -clahe 0x0! command-line option, or by providing a very small image that results in derived tile dimensions of zero. No authentication is required; any application or service that uses ImageMagick to process user-supplied images may be affected. The vulnerability can be triggered remotely if the application processes attacker-controlled images [2].

Impact

Successful exploitation causes a denial-of-service condition: the application may crash due to a segmentation fault (SIGSEGV) from out-of-bounds access or an immediate abort from division-by-zero. Under memory sanitizers, memory corruption may also be detected. The vulnerability does not lead to remote code execution but can be used to disrupt services relying on ImageMagick [1][2][3].

Mitigation

The issue has been patched in ImageMagick version 7.1.2-8. Users should update to this or a later version. The commit 7b47fe369eda90483402fcd3d78fa4167d3bb129 in the official repository contains the fix, which adds validation for tile dimensions and prevents the underflow and division-by-zero conditions [4].