In ImageMagick, there is a heap-buffer-overflow at MagickCore/quantum-private.h:227 in PopShortPixel.
Name: Suhwan Song (Seoul National University)
This looks like the fix for CVE-2020-25664 was an incomplete fix hence the second reproducer which triggers the same thing via the same code path after the patch was applied.
This flaw is out of support scope for Red Hat Enterprise Linux 5, 6, and 7. Inkscape is not affected because it no longer uses a bundled ImageMagick in Red Hat Enterprise Linux 8. For more information regarding support scopes, please see https://access.redhat.com/support/policy/updates/errata .
Created ImageMagick tracking bugs for this issue:
Affects: epel-8 [bug 1901247]
Affects: fedora-all [bug 1901248]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):