Headline
CVE-2020-25664: heap-based buffer overflow in PopShortPixel in MagickCore/quantum-private.h
In WriteOnePNGImage() of the PNG coder at coders/png.c, an improper call to AcquireVirtualMemory() and memset() allows for an out-of-bounds write later when PopShortPixel() from MagickCore/quantum-private.h is called. The patch fixes the calls by adding 256 to rowbytes. An attacker who is able to supply a specially crafted image could affect availability with a low impact to data integrity. This flaw affects ImageMagick versions prior to 6.9.10-68 and 7.0.8-68.
Comment 1 Todd Cullum 2020-10-28 20:40:05 UTC
Flaw summary:
In WriteOnePNGImage() of the PNG coder at coders/png.c, an improper call to AcquireVirtualMemory() and memset() allows for an out-of-bounds write later when PopShortPixel() from MagickCore/quantum-private.h is called. The patch fixes the calls by adding 256 to rowbytes. An attacker who is able to supply a specially crafted image could affect availability with a low impact to data integrity.
Comment 2 Todd Cullum 2020-10-28 21:13:09 UTC
Acknowledgments:
Name: Suhwan Song (Seoul National University)
Comment 3 Todd Cullum 2020-10-29 19:10:26 UTC
Statement:
This flaw is out of support scope for Red Hat Enterprise Linux 5, 6, and 7. Inkscape is not affected because it no longer uses a bundled ImageMagick in Red Hat Enterprise Linux 8. For more information regarding support scopes, please see https://access.redhat.com/support/policy/updates/errata .
Comment 4 Guilherme de Almeida Suckevicz 2020-11-24 18:57:40 UTC
Created ImageMagick tracking bugs for this issue:
Affects: epel-8 [bug 1901225] Affects: fedora-all [bug 1901226]