GHSA-6hjr-v6g4-3fm8
ImageMagick is vulnerable to an integer Overflow in TIM decoder leading to out of bounds read (32-bit only)
Details
### Summary The TIM (PSX TIM) image parser in ImageMagick contains a critical integer overflow vulnerability in the `ReadTIMImage` function (`coders/tim.c`). The code reads `width` and `height` (16-bit values) from the file header and calculates `image_size = 2 * width * height` without checking for overflow. On 32-bit systems (or where `size_t` is 32-bit), this calculation can overflow if `width` and `height` are large (e.g., 65535), wrapping around to a small value. This results in a small heap allocation via `AcquireQuantumMemory` and later operations relying on the dimensions can trigger an out of bounds read. ### Vulnerable Code File: `coders/tim.c` ```c width=ReadBlobLSBShort(image); height=ReadBlobLSBShort(image); image_size=2*width*height; // Line 234 - NO OVERFLOW CHECK! ```
### Impact This vulnerability can lead to Arbitrary Memory Disclosure due to an out of bounds read on 32-bit systems.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 14.10.0 dotnet add package Magick.NET-Q16-AnyCPU --version 14.10.0 0 Fixed in: 14.10.0 dotnet add package Magick.NET-Q16-HDRI-AnyCPU --version 14.10.0 0 Fixed in: 14.10.0 dotnet add package Magick.NET-Q16-HDRI-x86 --version 14.10.0 0 Fixed in: 14.10.0 dotnet add package Magick.NET-Q16-x86 --version 14.10.0 0 Fixed in: 14.10.0 dotnet add package Magick.NET-Q8-AnyCPU --version 14.10.0 0 Fixed in: 14.10.0 dotnet add package Magick.NET-Q8-x86 --version 14.10.0