WriteOnePNGImage() from coders/png.c (the PNG coder) has a for loop with an improper exit condition that can allow an out-of-bounds READ via heap-buffer-overflow. This occurs because it is possible for the colormap to have less than 256 valid values but the loop condition will loop 256 times, attempting to pass invalid colormap data to the event logger. The patch replaces the hardcoded 256 value with a call to MagickMin() to ensure the proper value is used. This could impact application availability when a specially crafted input file is processed by ImageMagick. This flaw affects ImageMagick versions prior to 7.0.8-68.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2020-12-08T00:00:00

Updated: 2024-08-04T15:40:36.789Z

Reserved: 2020-09-16T00:00:00

Link: CVE-2020-25674

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2020-12-08T22:15:17.320

Modified: 2024-11-21T05:18:25.833

Link: CVE-2020-25674

cve-icon Redhat

Severity : Moderate

Publid Date: 2019-10-04T00:00:00Z

Links: CVE-2020-25674 - Bugzilla