Activity for GraphicsMagick
-
Christian Schmitz created ticket #768
CMYK JPEG written out as RGB
-
osdj modified a comment on ticket #767
Thank you for your quick response, Bob. You are correct about the version discrepancy — my analysis was based on the GitHub mirror (github.com/GraphicsMagick/GraphicsMagick), which shows libtiff 4.0.3. I should have verified against the official Mercurial source. I've now checked the timeline: CVE-2024-7006 was published 2024-08-12 libtiff 4.7.0 (released 2024-09-11) includes the fix libtiff 4.5.1 (released 2023-06-10) does NOT include the fix So the default/head branch (libtiff 4.7.1) should be...
-
Thank you for your quick response, Bob. You are correct about the version discrepancy — my analysis was based on the GitHub mirror (github.com/GraphicsMagick/GraphicsMagick), which shows libtiff 4.0.3. I should have verified against the official Mercurial source. I've now checked the timeline: CVE-2024-7006 was published 2024-08-12 libtiff 4.7.0 (released 2024-09-11) includes the fix libtiff 4.5.1 (released 2023-06-10) does NOT include the fix So the default/head branch (libtiff 4.7.1) should be...
-
Bob Friesenhahn modified ticket #767
CVE-2024-7006: NULL pointer dereference in bundled libtiff (tif_dirread.c)
-
GraphicsMagick default/head provides source code for libtiff 4.7.1. The GraphicsMagick 1.3 branch (and release) is providing source code for libtiff 4.5.1 from 2023. How/where are you finding libtiff code from 2012? Regardless, even libtiff 4.7.1 (and the latest libtiff release) will be insufficient to correct all known security issues given the many security reports and fixes.
-
Owner is bfriesen(Bob Friesenhahn)
-
CVE-2024-7006: NULL pointer dereference in bundled libtiff (tif_dirread.c)
-
Bob Friesenhahn committed [e56bff] on Code
coders/heif.c (ReadHEIFImageFrame): Use planar mode for RGB(A) until interleaved mode is implemented.
-
GraphicsMagick released /graphicsmagick-snapshots/GraphicsMagick-1.4.020260407.tar.xz.asc
-
-
-
-
Bob Friesenhahn committed [ed66f0] on Code
coders/mat.c: Wrap conditional code to make it easier to follow.
-
Bob Friesenhahn committed [655534] on Code
coders/mat.c (ReadMATImage): Make sure that 'image2' gets freed.
-
Bob Friesenhahn committed [c93710] on Code
coders/heif.c (ReadHEIFImageFrame): Separate getting the sample from scaling the sample.
-
Bob Friesenhahn committed [b55c42] on Code
coders/heif.c (ReadHEIFImageFrame): Scale each channel based on the value reported by heif_image_get_bits_per_pixel_range() for the channel. Support channel_bits_per_pixel_range() values up to 32 in case libheif produces such values.
-
-
-
-
-
Bob Friesenhahn committed [7ecf79] on Code
magick/render.c (DrawImage): All function returns past "begin draw-image" pass through "end draw-image" for assured resource clean-up.
-
-
-
-
-
Bob Friesenhahn committed [93e002] on Code
coders/ps3.c (WritePS3Image): Check that Postscript dimensions are within resource limits. Only enable for oss-fuzz at the moment.
-
Bob Friesenhahn committed [1a67e4] on Code
coders/ps2.c (WritePS2Image): Check that Postscript dimensions are within resource limits. Only enable for oss-fuzz at the moment.
-
Bob Friesenhahn committed [04ed8b] on Code
coders/ps.c (ReadPSImage, WritePSImage): Check that Postscript dimensions are within resource limits. Only enable for oss-fuzz at the moment.
-
Bob Friesenhahn committed [c7beec] on Code
fuzzing/utils.cc (LLVMFuzzerInitialize): Allow overriding the logging event mask using the MAGICK_DEBUG environment variable.
-
Bob Friesenhahn committed [7eaa95] on Code
magick/magick.c (InitializeMagickEx): Add more details in comments.
-
Bob Friesenhahn committed [5991c3] on Code
magick/render.c (DrawImage): Code formatting fix.
-
CVE-2026-33535
-
Record that this issue is fixed.
-
-
-
-
-
A fix for the buffer overflow issue is submitted by Mercurial changeset 18020:df03dfbf4d4b. Only up to 10 digits are collected at a time, and any failure to convert the digits to an integer resets back to the default state.
-
Bob Friesenhahn committed [df03df] on Code
magick/display.c (MagickXImageWindowCommand): Assure that the 'delta' buffer will not overflow if the user keeps a numeric key depressed.
-
Bob Friesenhahn committed [42ceda] on Code
fuzzing/oss-fuzz-build.sh (BUILD): Explicitly pass CXXFLAGS from build script to GraphicsMagick configure.
-
Bob Friesenhahn committed [6c21fd] on Code
fuzzing/README.txt: Add some notes about debugging issues.
-
It seems that the ImageMagick6 patch referred to is incomplete. The problem is not that 'delta' is too short, rather, the problem seems to be that a nul byte may be written beyond the boundary of 'delta', which is statically allocated. The current code has much more implementation such as to ignore requests which would overflow the boundary of 'delta'. This existing line of GraphicsMagick code is humorous: delta[strlen(delta)+1]='\0'; Ultimately, the goal is that the 'delta' string is turned into...
-
Petr Gajdos created ticket #766
CVE-2026-33535
-
Bob Friesenhahn committed [116455] on Code
fuzzing/utils.cc (LLVMFuzzerInitialize): Remove the MagickFuzzerConfirmAccess code which was added yesterday.
-
Bob Friesenhahn committed [d17a1a] on Code
fuzzing/oss-fuzz-build.sh: Add a tiny TTF corpus.
-
Bob Friesenhahn committed [957b1f] on Code
Magick++: Fix namespace issues related to MagickSetConfirmAccessHandler/MagickConfirmAccess.
-
Bob Friesenhahn committed [06f7e9] on Code
Magick++: Add Add access confirmation functions and enumerations to Magick++ namespace. Use them in zoom demo and oss-fuzz.
-
Bob Friesenhahn committed [4318c3] on Code
magick/annotate.c (RenderFreetype): Add more validations for draw_info->font. Use MagickConfirmAccess() to verify that font file name is allowed to be read.
-
-
-
-
-
Bob Friesenhahn committed [37277f] on Code
fuzzing/oss-fuzz-build.sh: Build Freetype after JXL. Use JXL build for Brotli dependency. Enable similar FreeType configure options as Freetype's own oss-fuzz build uses now.
-
-
-
-
-
Bob Friesenhahn committed [7cf4cb] on Code
magick/resource.c (resource_info): Minimum limit for 'files' limit must be 0.
-
Thanks!
-
CVE-2026-28690
-
Change set 18010:967c71e2b740 provides necessary error handling for ImageToBlob(), as well as to assure that no more than 256 colors will be supplied to the MNG PLTE chunk.
-
Bob Friesenhahn committed [967c71] on Code
coders/png.c Properly handle and report the case where ImageToBlob() returns NULL. MNG only supports a color palette up to 256 colors.
-
If CVEs provided adequate and complete descriptions of an issue, then the information could be used to immediately attack existing code. So they use vague obtuse descriptions which mean almost nothing. Based on the last part of the ImageMagick edits, there may have been an overflow of the image colormap.
-
Eh yes, the main part of the patch seems to be in MNG code, or at least this CVE probably refers just to the last hunk, indeed. I was misled by the first two hunks, sorry for that. I currently do not have any testcase, so this is just theoretical. Could it be that code may run out of space in chunk[] around Write MNG PLTE chunk? unsigned char chunk[800]; [...] if (!need_local_plte && image->storage_class == PseudoClass && !all_images_are_gray) { unsigned long data_length; /* Write MNG PLTE chunk...
-
I did a search and see that CVE-2026-28690 is about a MNG encoder stack buffer overflow rather than a use of a null pointer in the JNG encoder. The ImageMagick project may have made other fixes while claiming to address CVE-2026-28690. It would be useful to know the details about where this stack buffer overflow happens. Are you able to determine this? I do recall solving several MNG stack overflow issues in the past.
-
Petr, much thanks for bringing ImageMagick CVE issues which also apply to GraphicsMagick to my attention.
-
Thanks for both fixes (including the grammar one ;)).
-
Bob Friesenhahn committed [a08553] on Code
coders/png.c (png_write_raw_profile): Detect and report an excessively large profile, and other unexpected conditions.
-
CVE-2026-30883
-
Mercurial changeset 18009:a0855348fb11 "coders/png.c (png_write_raw_profile): Detect and report an excessively large profile, and other unexpected conditions.", should address this issue, and a few others.
-
CVE-2026-30883
-
This seems to be in png_write_raw_profile(). I wish my attention was not drawn to this function since it appears that at least 50% of the lines of code in its implementation introduce their own bug. The description of the CVE says that it is provoked by an "extremely large profile", which suggests that operations based on 'length' may over/underflow. It seems difficult for an attacker to provide an "extremely large profile" unless it is from a file format where the profile may be stored compressed,...
-
CVE-2026-28690
-
The JNG writer code does look pretty bad. It seems to be a prototype.
-
CVE-2026-30883
-
Bob Friesenhahn committed [53c86a] on Code
FormatString(): Fix the deprecation comment.
-
-
-
-
-
Bob Friesenhahn committed [85e447] on Code
Replace FormatString() with MagickFormatString() (or equivalent) everywhere.
-
CVE-2026-28690
-
-
-
-
-
CVE-2026-25799
-
This issue is addressed by Mercurial changeset 18005:85f3971e259d, which is included in the latest (1.4.020260306) source development snapshot. Much thanks to Petr, who tried extra hard to communicate about this issue with me.
-
Bob Friesenhahn committed [3fb69e] on Code
NEWS.txt: Update the news.
-
Bob Friesenhahn committed [85f397] on Code
coders/yuv.c (ReadYUVImage, WriteYUVImage): Address GraphicsMagick bug #763 "CVE-2026-25799".
-
CVE-2026-25799
-
Bob Friesenhahn committed [a4f11d] on Code
fuzzing/oss-fuzz-build.sh (BUILD): Change JBIG oss-fuzz timeout to 65, since that is apparently the maximum value that ClusterFuzz allows.
-
Bob Friesenhahn committed [51041b] on Code
coders/heif.c (HEIF_colorspace_to_string): Document that heif_colorspace_filter_array was added to development code.
-
-
-
-
-
Bob Friesenhahn committed [89b759] on Code
NEWS.txt: Update the news.
-
Bob Friesenhahn committed [3edecb] on Code
magick/paint.c (ColorFloodfillImage): Disable OpenMP since it was observed to create corrupt images, such as with the Magick++ shapes demo.
-
Bob Friesenhahn committed [f9628d] on Code
Magick++/lib/Image.cpp (Magick::Image::annotate): Follow DrawInfo normal allocation policies.
1 >
