logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2025-55212 magick.net-q16-hdri-openmp-x64

Package

Manager: nuget
Name: magick.net-q16-hdri-openmp-x64
Vulnerable Version: >=0 <14.8.1

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.0006 pctl0.18963

Details

ImageMagick affected by divide-by-zero in ThumbnailImage via montage -geometry ":" leads to crash ## Summary Passing a geometry string containing only a colon (":") to montage -geometry leads GetGeometry() to set width/height to 0. Later, ThumbnailImage() divides by these zero dimensions, triggering a crash (SIGFPE/abort), resulting in a denial of service. ## Details **Root Cause** 1. `montage -geometry ":" ...` reaches `MagickCore/geometry.c:GetGeometry().` 2. `StringToDouble/InterpretLocaleValue` parses `":"` as `0.0;` then: https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/geometry.c#L355 `WidthValue` (and/or `HeightValue)` is set with a zero dimension. 3. In MagickCore/resize.c:ThumbnailImage(), the code computes: https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/resize.c#L4625-L4629 causing a division by zero and immediate crash. The issue is trivially triggerable without external input files (e.g., using `xc:white`). ### Reproduction Environment ``` Version: ImageMagick 7.1.2-1 (Beta) Q16-HDRI x86_64 0ba1b587b:20250812 https://imagemagick.org Features: Cipher DPC HDRI Delegates (built-in): bzlib fontconfig freetype jbig jng jpeg lcms lzma pangocairo png tiff x xml zlib Compiler: clang (14.0.0) OS/Arch: Linux x86_64 ``` Steps ``` ./bin/magick montage -geometry : xc:white null: ``` Observed result ``` IOT instruction (core dumped) # (Environment-dependent: SIGFPE/abort may be observed.) ``` ## PoC No external file required; the pseudo image xc:white suffices: ``` ./bin/magick montage -geometry : xc:white null: ``` ## Impact - **Denial of Service:** A divide-by-zero in `ThumbnailImage()` causes immediate abnormal termination (e.g., SIGFPE/abort), crashing the ImageMagick process. ## Suggested fix Defensively reject zero dimensions early in `ThumbnailImage()`: ```c if ((columns == 0) || (rows == 0)) { (void) ThrowMagickException(exception, GetMagickModule(), OptionError, "InvalidGeometry", "thumbnail requires non-zero dimensions: %.20gx%.20g", (double) columns, (double) rows); return (Image *) NULL; } ``` Additionally, consider tightening validation in `GetGeometry()` so that colon-only (and similar malformed) inputs do not yield `WidthValue/HeightValue` with zero, or are rejected outright. Variants like `"x:"` or `":x"` may also need explicit handling (maintainer confirmation requested). ## Credits ### Team Daemon Fuzz Hunters **Bug Hunting Master Program, HSpace/Findthegap** <br> **Woojin Park** @jin-156 [1203kids@gmail.com](mailto:1203kids@gmail.com) **Hojun Lee** @leehohojune [leehojune@korea.ac.kr](mailto:leehojune@korea.ac.kr) **Youngin Won** @amethyst0225 [youngin04@korea.ac.kr](mailto:youngin04@korea.ac.kr) **Siyeon Han** @hanbunny [kokosyeon@gmail.com](mailto:kokosyeon@gmail.com)

Metadata

Created: 2025-08-26T15:27:25Z
Modified: 2025-08-26T20:44:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-fh55-q5pj-pxgw/GHSA-fh55-q5pj-pxgw.json
CWE IDs: ["CWE-369"]
Alternative ID: GHSA-fh55-q5pj-pxgw
Finding: F020
Auto approve: 1