#764 CVE-2026-28690

v1.0_(example)
closed-fixed
None
5
2026-03-20
2026-03-13
Petr Gajdos
No

I think a similar code change as in the https://github.com/ImageMagick/ImageMagick/commit/e6e874875e48dd9838acca3bd22c14a4d2f1b3ca commit could be applied to the GraphicsMagick codebase. In other uses of ImageToBlob(), the return value is checked (bmp.c, logo.c, xtrn.c, pict.c).

Discussion

    Bob Friesenhahn - 2026-03-17
    • assigned_to: Bob Friesenhahn
    Bob Friesenhahn - 2026-03-17

    The JNG writer code does look pretty bad. It seems to be a prototype.

     
    Bob Friesenhahn - 2026-03-18

    I did a search and see that CVE-2026-28690 is about a MNG encoder stack buffer overflow rather than a use of a null pointer in the JNG encoder. The ImageMagick project may have made other fixes while claiming to address CVE-2026-28690. It would be useful to know the details about where this stack buffer overflow happens. Are you able to determine this?

    I do recall solving several MNG stack overflow issues in the past.

     
    Petr Gajdos - 2026-03-19

    Eh yes, the main part of the patch seems to be in MNG code, or at least this CVE probably refers just to the last hunk, indeed. I was misled by the first two hunks, sorry for that.

    I currently do not have any testcase, so this is just theoretical. Could it be that code may run out of space in chunk[] around Write MNG PLTE chunk?

          unsigned char
            chunk[800];
    [...]
          if (!need_local_plte && image->storage_class == PseudoClass
              && !all_images_are_gray)
            {
              unsigned long
                data_length;

              /*
                Write MNG PLTE chunk
              */
              data_length=3*image->colors;
              (void) WriteBlobMSBULong(image,data_length);
              PNGType(chunk,mng_PLTE);
              LogPNGChunk(logging,mng_PLTE,data_length);

              for (i=0; i < (ssize_t) image->colors; i++)
              {
                chunk[4+i*3]=(unsigned char) (ScaleQuantumToChar(
                  (Quantum) image->colormap[i].red) & 0xff);

    There's very little information around these CVEs, unfortunately, but I can try to get more, if needed.

     
    Bob Friesenhahn - 2026-03-19

    If CVEs provided adequate and complete descriptions of an issue, then the information could be used to immediately attack existing code. So they use vague obtuse descriptions which mean almost nothing.

    Based on the last part of the ImageMagick edits, there may have been an overflow of the image colormap.

     
    Bob Friesenhahn - 2026-03-19

    Change set 18010:967c71e2b740 provides the necessary error handling for ImageToBlob(), as well as assuring that no more than 256 colors will be supplied to the MNG PLTE chunk.
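    The following is an added illustration of the bound discussed in Petr's PLTE snippet above and in the fix described in this comment; it is not GraphicsMagick code and not the contents of change set 18010:967c71e2b740. It models the quoted layout (a 4-byte chunk type tag followed by 3 bytes per colormap entry, written into a fixed chunk[800]) with a hypothetical 8-bit RGB struct in place of the real PixelPacket/Quantum types, and shows why capping the palette at the PNG/MNG PLTE limit of 256 entries keeps the writer inside the buffer. The caller is assumed to write the chunk length and CRC itself, as the quoted code does with WriteBlobMSBULong().

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for one colormap entry; the real GraphicsMagick
   colormap stores Quantum values, assumed already scaled to 8 bits here. */
typedef struct {
    uint8_t red, green, blue;
} Rgb8;

#define MNG_CHUNK_BUFFER 800   /* size of chunk[] in the quoted snippet */
#define PLTE_MAX_ENTRIES 256   /* a PNG/MNG PLTE chunk holds at most 256 entries */

/* Bytes the unchecked loop touches for `colors` entries:
   4-byte type tag plus 3 bytes per color. */
size_t plte_bytes_needed(size_t colors) {
    return 4 + 3 * colors;
}

/* Build the PLTE chunk (type tag + RGB triples) into `chunk`.
   Returns the number of bytes written, or 0 if the palette is rejected:
   more entries than the format allows, or more bytes than the buffer holds. */
size_t write_mng_plte(const Rgb8 *colormap, size_t colors,
                      unsigned char *chunk, size_t chunk_size) {
    if (colormap == NULL || chunk == NULL)
        return 0;
    if (colors == 0 || colors > PLTE_MAX_ENTRIES)
        return 0;                       /* the check the fix adds */
    if (plte_bytes_needed(colors) > chunk_size)
        return 0;                       /* defensive: buffer must also fit */

    memcpy(chunk, "PLTE", 4);           /* stands in for PNGType(chunk, mng_PLTE) */
    for (size_t i = 0; i < colors; i++) {
        chunk[4 + i * 3]     = colormap[i].red;
        chunk[4 + i * 3 + 1] = colormap[i].green;
        chunk[4 + i * 3 + 2] = colormap[i].blue;
    }
    return plte_bytes_needed(colors);
}

/* Smallest color count for which an unchecked 3-bytes-per-entry loop
   would run past a buffer of `chunk_size` bytes. */
size_t first_overflowing_color_count(size_t chunk_size) {
    size_t colors = 0;
    while (plte_bytes_needed(colors) <= chunk_size)
        colors++;
    return colors;
}

int main(void) {
    /* Constructed palette with 300 entries, more than a PLTE can carry. */
    Rgb8 palette[300];
    for (size_t i = 0; i < 300; i++) {
        palette[i].red   = (uint8_t) i;
        palette[i].green = (uint8_t) (i * 2);
        palette[i].blue  = (uint8_t) (i * 3);
    }
    unsigned char chunk[MNG_CHUNK_BUFFER];

    size_t n = write_mng_plte(palette, 256, chunk, sizeof chunk);
    printf("256 colors -> %zu bytes written\n", n);
    n = write_mng_plte(palette, 300, chunk, sizeof chunk);
    printf("300 colors -> %zu (0 means rejected)\n", n);
    printf("an unchecked loop overruns chunk[%d] from %zu colors on\n",
           MNG_CHUNK_BUFFER, first_overflowing_color_count(MNG_CHUNK_BUFFER));
    return 0;
}
```

    With an 800-byte buffer the unchecked loop stays in bounds only up to 265 entries, and a PseudoClass image with more colors than that (which the format cannot represent in a PLTE anyway) is what the 256-entry cap rules out before any byte is written.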

     
    Bob Friesenhahn - 2026-03-19
    • status: open --> closed-fixed
     
    Petr Gajdos - 2026-03-20

    Thanks!

     
