ImageMagick has a heap buffer overflow in YUV 4:2:2 decoder

A heap buffer overflow write vulnerability exists in the ReadYUVImage() function within coders/yuv.c of ImageMagick [1][2][4]. The issue arises when processing specially crafted YUV 4:2:2 images with the NoInterlace variant. During pixel-pair decode loops, the routine writes one pixel beyond the allocated row buffer, leading to an out-of-bounds memory write [4]. The flaw is classified as a heap buffer overflow, and sanitizer output confirms the write occurs on the heap [4].

The attack surface is exposed through any vector that causes ImageMagick to decode a malicious YUV file. This includes user-uploaded images processed by web applications, automated image pipelines, or direct command-line invocation (convert, identify, etc.) [1][2]. The vulnerability requires no special privileges; an attacker only needs to supply a crafted YUV image. Since ImageMagick auto-detects and decodes many formats, opening a manipulated file is sufficient to trigger the overflow [1][4].

Impact: successful exploitation of the heap overflow can result in application crashes or, as with many heap overflows, potentially arbitrary code execution in the context of the process [2][4]. The CVSS score is pending, but the advisory notes a heap-buffer-overflow of 8 bytes, which could corrupt adjacent heap metadata or data [4].

The vulnerability affects all ImageMagick distributions prior to versions 7.1.2-15 and 6.9.13-40 [2][4]. These versions contain the proper bounds check and fix the overflow. Users should update immediately. The fix is also included in downstream wrappers such as Magick.NET release 14.10.3 [3]. No workaround is documented for unpatched versions; a security policy can restrict YUV handling to reduce risk [1][4].