#765 CVE-2026-30883

[Petr Gajdos]

This bug is meant for discussion whether GraphicsMagick is affected by this CVE. Looking at png.c, there is:

 description_length=(png_uint_32) strlen((const char *) profile_description);
  allocated_length=(png_uint_32) (length*2 + (length >> 5) + 20

                                  + description_length);
#if PNG_LIBPNG_VER >= 14000
   text[0].text=(png_charp) png_malloc(ping,
      (png_alloc_size_t) allocated_length);

If the length is not checked beforehand (failed to find such check), I guess it could be checked here so allocated_length calculation cannot overflow.

[Bob Friesenhahn]

This seems to be in png_write_raw_profile(). I wish my attention was not drawn to this function since it appears that at least 50% of the lines of code in its implementation introduce their own bug.

The description of the CVE says that it is provoked by an "extremely large profile", which suggests that operations based on 'length' may over/underflow. It seems difficult for an attacker to provide an "extremely large profile" unless it is from a file format where the profile may be stored compressed, or due to some other bug.

[Bob Friesenhahn]

Mercurial changeset 18009:a0855348fb11 "coders/png.c (png_write_raw_profile): Detect and report an excessively large profile, and other unexpected conditions.", should address this issue, and a few others.

[Petr Gajdos]

Thanks for both fixes (including the grammar one ;)).

[Bob Friesenhahn]

Petr, much thanks for bringing ImageMagick CVE issues which also apply to GraphicsMagick to my attention.