Bug 1164248 (CVE-2014-8716) - CVE-2014-8716 ImageMagick: out-of-bounds memory error in JPEG decoder
Summary: CVE-2014-8716 ImageMagick: out-of-bounds memory error in JPEG decoder
Alias: CVE-2014-8716
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: impact=low,public=20141113,reported=2...
Keywords: Security
Depends On:
Blocks: 1158527
TreeView+ depends on / blocked
Reported: 2014-11-14 12:59 UTC by Martin Prpič
Modified: 2019-06-08 20:16 UTC (History)
15 users (show)

Clone Of:
Last Closed: 2015-08-03 06:40:37 UTC

Attachments (Terms of Use)

Description Martin Prpič 2014-11-14 12:59:20 UTC
An out-of-bounds memory access flaw was found in ImageMagick's JPEG decoder. A local attacker could potentially use this flaw to crash an application using ImageMagick to process a specially crafted JPEG image.

The fix for this issue is available at:


The reproducer (a specially crafted JPEG image) along with additional information on this flaw can be found at:


Comment 3 Siddharth Sharma 2015-05-29 02:10:49 UTC

In the following code of ImageMagick in magic/property.c


            The directory entry contains an offset.

1. offset is being initialized depending on a function parameter which can be reached externally.

2. Overflow is prevented 
          offset=(ssize_t) ((int) ReadPropertyLong(endian,q+8));
          if ((offset+number_bytes) < (size_t) offset)
            continue;  /* prevent overflow */

3. Condition for Underflow is missing, hence the value of the offset is not sanitized here for underflow. If value of offset is less than 0 then it can cause program to crash.

          if ((size_t) (offset+number_bytes) > length)
          p=(unsigned char *) (exif+offset);

Comment 4 Siddharth Sharma 2015-07-13 10:35:44 UTC

Red Hat Product Security has rated this issue as having low security impact, a future update may address this flaw in ImageMagick.

Note You need to log in before you can comment on or make changes to this bug.