#766 CVE-2026-33535

v1.0_(example)
closed-fixed
None
5
5 days ago
5 days ago
Petr Gajdos
No

I would like to discuss whether GraphicsMagick is affected by this minor issue.
Original advisory:
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mw3m-pqr2-qv7c
ImageMagick6 patch:
https://github.com/ImageMagick/ImageMagick6/commit/143f95c6e3fe53d5dd83ac0b036136cdf2a54ae0

Guessed problematic part in GraphicsMagick is at line 6433 of display.c.

Discussion

  • Bob Friesenhahn

    Bob Friesenhahn - 5 days ago

    It seems that the ImageMagick6 patch referred to is incomplete. The problem is not that 'delta' is too short, rather, the problem seems to be that a nul byte may be written beyond the boundary of 'delta', which is statically allocated. The current code has much more implementation such as to ignore requests which would overflow the boundary of 'delta'.

    This existing line of GraphicsMagick code is humorous:

    delta[strlen(delta)+1]='\0';

    Ultimately, the goal is that the 'delta' string is turned into an integer value (no more than 10 digits) so there is no value to collecting MaxTextExtent characters.

    It is difficult to see how this issue is CVE-worthy given that the digits are entered into a GUI which is also capable of overwriting any file which is writable by the current user.

     
  • Bob Friesenhahn

    Bob Friesenhahn - 5 days ago

    A fix for the buffer overflow issue is submitted by Mercurial changeset 18020:df03dfbf4d4b. Only up to 10 digits are collected at a time, and any failure to convert the digits to an integer resets back to the default state.

     
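A constructed illustration of the approach described in the two comments above (added here; not GraphicsMagick's code, not the Mercurial changeset): a digit collector that accepts at most 10 digits, always writes its terminator inside the buffer, and falls back to a default when conversion fails, plus a helper that models the `delta[strlen(delta)+1]='\0'` index without performing the write. `DELTA_DIGITS`, `DEFAULT_DELTA` and all function names are assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#define DELTA_DIGITS 10     /* cap named in the fix comment above */
#define DEFAULT_DELTA 1     /* assumed default, not GraphicsMagick's value */
struct delta_state {
    char digits[DELTA_DIGITS + 1];   /* cap plus the terminating nul */
    size_t count;
};

/* Default state: no digits collected, buffer all nul. */
void delta_reset(struct delta_state *s) { memset(s, 0, sizeof *s); }

/* Append one keystroke. Non-digits and anything past the cap are ignored,
   so the terminator index never exceeds DELTA_DIGITS, the last valid slot. */
int delta_push(struct delta_state *s, char c) {
    if (c < '0' || c > '9' || s->count >= DELTA_DIGITS)
        return 0;
    s->digits[s->count++] = c;
    s->digits[s->count] = '\0';
    return 1;
}

/* Convert the collected digits; empty input, trailing junk or a value
   outside int range resets to the default state and yields the default. */
long delta_value(struct delta_state *s) {
    char *end;
    errno = 0;
    long v = strtol(s->digits, &end, 10);
    int bad = s->count == 0 || *end != '\0' || errno == ERANGE || v > INT_MAX;
    delta_reset(s);
    return bad ? DEFAULT_DELTA : v;
}
/* Feed a constructed keystroke sequence and return the resulting value. */
long delta_from_keys(const char *keys) {
    struct delta_state s;
    delta_reset(&s);
    for (; *keys; keys++)
        delta_push(&s, *keys);
    return delta_value(&s);
}

/* Models the ticket's delta[strlen(delta)+1]='\0' without doing the write:
   1 when that index is outside a `size`-byte buffer holding `len` chars. */
int terminator_overflows(size_t len, size_t size) {
    return len + 1 >= size;
}
```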
  • Bob Friesenhahn

    Bob Friesenhahn - 5 days ago
    • status: open --> closed-fixed
    • assigned_to: Bob Friesenhahn
     
  • Bob Friesenhahn

    Bob Friesenhahn - 5 days ago

    Record that this issue is fixed.

     