GraphicsMagick's PCD decoder allocated the per-channel Huffman decode buffers at an exact fit (columns*rows + 1 byte) and advanced the write pointer in the decode loop with an unbounded "q++" and no per-write bound check. A crafted PCD file can drive the pointer past the end of the allocation, producing an attacker-controlled out-of-bounds write (and a preceding out-of-bounds read at the same site).

This is the un-ported write-side half of ImageMagick's hardening for CVE-2026-26284: GraphicsMagick had ported ImageMagick's out-of-bounds READ fix (changeset 44292e321682) but not the per-write bound and buffer over-allocation, leaving the write path unguarded. The upstream fix over-provisions the decode buffers and adds an overflow-detection check before each write.

Reachability: The sink is reached when decoding a PCD page/subimage index >= 4 (e.g. "PCD:file[4]") or with a "-size >= 1536x1024" read hint; a bare default decode does not reach it. PCD is content-detected by its magic, so the extension is not a barrier.

Impact: The write is value- and offset-controlled. We demonstrated corruption of an adjacent heap allocation's allocator metadata leading to free() of an attacker-influenced pointer (ASLR-independent in our lab). Remote code execution was not demonstrated and is not claimed.

Relationship to existing CVEs: Not a duplicate of CVE-2026-26284 (that is the out-of-bounds READ, which GraphicsMagick already ported). No existing GraphicsMagick CVE or advisory covers this PCD write path.
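The per-write bound that the fix description above refers to, shown as an added illustration that is not GraphicsMagick's or ImageMagick's code: a toy run-length decoder (a constructed format, not PCD Huffman) that checks the write pointer against the end of the exact-fit buffer before every store. The names alloc_channel, decode_channel and run_case are hypothetical, and the sketch covers only the bound check, not the buffer over-provisioning.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

enum { DECODE_OK = 0, DECODE_OVERFLOW = -1, DECODE_TRUNCATED = -2 };

/* Exact-fit channel buffer (columns*rows + 1); the size arithmetic is checked. */
static uint8_t *alloc_channel(size_t columns, size_t rows, size_t *cap)
{
    if (columns == 0 || rows == 0 || columns > (SIZE_MAX - 1) / rows)
        return NULL;
    *cap = columns * rows + 1;
    return calloc(*cap, 1);
}

/* Toy decoder: input is (count, value) pairs. The stream, not the image
   geometry, decides how many bytes are emitted, so every write is bounded. */
static int decode_channel(const uint8_t *in, size_t in_len,
                          uint8_t *out, size_t cap, size_t *written)
{
    uint8_t *q = out;
    const uint8_t *end = out + cap;
    int status = DECODE_OK;
    for (size_t i = 0; i < in_len && status == DECODE_OK; i += 2) {
        if (in_len - i < 2) { status = DECODE_TRUNCATED; break; }
        for (uint8_t n = in[i]; n > 0; n--) {
            if (q >= end) { status = DECODE_OVERFLOW; break; } /* per-write bound */
            *q++ = in[i + 1];
        }
    }
    *written = (size_t)(q - out);
    return status;
}

/* Decode one constructed stream for a columns x rows channel.
   An allocation refused by the size check is reported as an overflow. */
static int run_case(size_t columns, size_t rows, const uint8_t *in, size_t in_len)
{
    size_t cap = 0, written = 0;
    uint8_t *buf = alloc_channel(columns, rows, &cap);
    if (buf == NULL) return DECODE_OVERFLOW;
    int status = decode_channel(in, in_len, buf, cap, &written);
    free(buf);
    return status;
}

int main(void)
{
    const uint8_t oversized[] = { 16, 0x41, 2, 0x42 }; /* constructed: 18 bytes into 17 */
    return run_case(4, 4, oversized, sizeof oversized) == DECODE_OVERFLOW ? 0 : 1;
}
```

A decoder that returns an error at the first rejected write, instead of clamping silently, also gives fuzzing and regression tests a signal to assert on.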