Bug 2494108

Summary: CVE-2026-13606 GraphicsMagick: GraphicsMagick: Memory corruption via crafted Photo CD (PCD) file [fedora-all]
Product: [Fedora] Fedora Reporter: Michal Findra <mfindra>
Component: GraphicsMagickAssignee: Andreas Thienemann <andreas>
Status: NEW --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: high    
Version: rawhideCC: andreas, davide, michel, ngompa13
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: {"flaws": ["bef27955-50fa-4d96-8dff-bab25a0be2f7"]}
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2494107    

Description Michal Findra 2026-06-29 08:39:18 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

GraphicsMagick's PCD decoder allocated the per-channel Huffman decode buffers at an exact fit (columns*rows + 1 byte) and advanced the write pointer in the decode loop with an unbounded "q++" and no per-write bound check. A crafted PCD file can drive the pointer past the end of the allocation, producing an attacker-controlled out-of-bounds write (and a preceding out-of-bounds read at the same site). This is the un-ported write-side half of ImageMagick's hardening for CVE-2026-26284: GraphicsMagick had ported ImageMagick's out-of-bounds READ fix (changeset 44292e321682) but not the per-write bound and buffer over-allocation, leaving the write path unguarded. The upstream fix over-provisions the decode buffers and adds an overflow-detection check before each write.

Reachability:
The sink is reached when decoding a PCD page/subimage index >= 4 (e.g. "PCD:file[4]") or with a "-size >= 1536x1024" read hint; a bare default decode does not reach it. PCD is content-detected by its magic, so the extension is not a barrier.

Impact:
The write is value- and offset-controlled. We demonstrated corruption of an adjacent heap allocation's allocator metadata leading to free() of an attacker-influenced pointer (ASLR-independent in our lab). Remote code execution was not demonstrated and is not claimed.

Relationship to existing CVEs:
Not a duplicate of CVE-2026-26284 (that is the out-of-bounds READ, which GraphicsMagick already ported). No existing GraphicsMagick CVE or advisory covers this PCD write path.