ImageMagick - Heap Out-of-Bounds Read in PSB RLE Decoding
Description
ImageMagick before 7.1.2-15 and 6.9.x before 6.9.13-40 contains an integer overflow in the PSB (PSD v2) RLE decoding path (ReadPSDChannelRLE in coders/psd.c) that causes a heap out-of-bounds read on 32-bit builds. Processing a crafted PSB file can lead to information disclosure or a crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <6.9.13-40
- Range: <6.9.13-40, <7.1.2-15
Patches
Vulnerability mechanics
Root cause
"Integer overflow in PSB RLE decoding size arithmetic in ReadPSDChannelRLE causes a heap out-of-bounds read on 32-bit builds."
Attack vector
An attacker crafts a malicious PSB (PSD v2) file with RLE-encoded channel data designed to trigger an integer overflow during size arithmetic in `ReadPSDChannelRLE`. The overflow causes the decoder to compute an incorrect buffer length, resulting in a heap out-of-bounds read. The attack requires network delivery of the crafted file and is constrained to 32-bit builds, though the advisory does not specify a particular delivery vector [ref_id=1].
Affected code
The integer overflow resides in `ReadPSDChannelRLE` in `coders/psd.c`. On 32-bit builds, arithmetic in the RLE decoding path for PSB (PSD v2) files can overflow, leading to a heap out-of-bounds read. The advisory notes that ImageMagick versions before 7.1.2-15 and 6.9.x before 6.9.13-40 are affected [ref_id=1].
What the fix does
The patch (not shown in the bundle) is expected to add overflow-safe arithmetic or bounds checking in the RLE decoding path of `ReadPSDChannelRLE`. The advisory states that versions 7.1.2-15 and 6.9.13-40 contain the fix, which prevents the integer overflow that leads to the heap out-of-bounds read on 32-bit builds [ref_id=1].
Preconditions
- configThe vulnerable build must be 32-bit; the advisory explicitly states the overflow manifests on 32-bit builds
- inputThe attacker must supply a crafted PSB (PSD v2) file with RLE-encoded channel data
- inputThe victim must open the malicious file with an affected version of ImageMagick
Generated on Jun 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-273h-m46v-96q4mitrevendor-advisory
- www.vulncheck.com/advisories/imagemagick-heap-out-of-bounds-read-in-psb-rle-decodingmitrethird-party-advisory
News mentions
0No linked articles in our index yet.