2421159 – (CVE-2025-66628) CVE-2025-66628 ImageMagick: ImageMagick Integer Overflow leading to out of bounds read (32-bit only)

Bug 2421159 (CVE-2025-66628) - CVE-2025-66628 ImageMagick: ImageMagick Integer Overflow leading to out of bounds read (32-bit only)

Summary: CVE-2025-66628 ImageMagick: ImageMagick Integer Overflow leading to out of bo...

Keywords:
Status:	NEW
Alias:	CVE-2025-66628
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2421162 2421164 2421166 2421167 2421168
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-10 23:01 UTC by OSIDB Bzimport
Modified:	2025-12-10 23:15 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-10 23:01:50 UTC

ImageMagick is a software suite to create, edit, compose, or convert bitmap images. In versions 7.1.2-9 and prior, the TIM (PSX TIM) image parser contains a critical integer overflow vulnerability in its ReadTIMImage function (coders/tim.c). The code reads width and height (16-bit values) from the file header and calculates image_size = 2 * width * height without checking for overflow. On 32-bit systems (or where size_t is 32-bit), this calculation can overflow if width and height are large (e.g., 65535), wrapping around to a small value. This results in a small heap allocation via AcquireQuantumMemory and later operations relying on the dimensions can trigger an out of bounds read. This issue is fixed in version 7.1.2-10.

Note You need to log in before you can comment on or make changes to this bug.