Inappropriate coding practices in magick.net-q8-anycpu
Description
ImageMagick has XMP profile write that triggers hang due to unbounded loop
Summary
An infinite loop occurs during the write step of a specific XMP file conversion command.
Details
#0 GetXmpNumeratorAndDenominator (denominator=<optimized out>, numerator=<optimized out>, value=<optimized out>) at MagickCore/profile.c:2578
#1 GetXmpNumeratorAndDenominator (denominator=<synthetic pointer>, numerator=<synthetic pointer>, value=720000000000000) at MagickCore/profile.c:2564
#2 SyncXmpProfile (image=image@entry=0x555555bb9ea0, profile=0x555555b9d020) at MagickCore/profile.c:2605
#3 0x00005555555db5cf in SyncImageProfiles (image=image@entry=0x555555bb9ea0) at MagickCore/profile.c:2651
#4 0x0000555555798d4f in WriteImage (image_info=image_info@entry=0x555555bc2050, image=image@entry=0x555555bb9ea0, exception=exception@entry=0x555555b7bea0) at MagickCore/constitute.c:1288
#5 0x0000555555799862 in WriteImages (image_info=image_info@entry=0x555555bb69c0, images=<optimized out>, images@entry=0x555555bb9ea0, filename=<optimized out>, exception=0x555555b7bea0) at MagickCore/constitute.c:1575
#6 0x00005555559650c4 in CLINoImageOperator (cli_wand=cli_wand@entry=0x555555b85790, option=option@entry=0x5555559beebe "-write", arg1n=arg1n@entry=0x7fffffffe2c7 "a.mng", arg2n=arg2n@entry=0x0) at MagickWand/operation.c:4993
#7 0x0000555555974579 in CLIOption (cli_wand=cli_wand@entry=0x555555b85790, option=option@entry=0x5555559beebe "-write") at MagickWand/operation.c:5473...

static void GetXmpNumeratorAndDenominator(double value,
  unsigned long *numerator,unsigned long *denominator)
{
  double
    df;

  *numerator=0;
  *denominator=1;
  ...
In this code, the loop while(fabs(df - value) > MagickEpsilon) keeps repeating endlessly.
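A bounded form of this kind of convergence loop, as an added example that is not ImageMagick's code and not the fix from the commits listed under Commits. Only the loop condition and the value 720000000000000 come from this page; the step logic, `EPSILON`, `MAX_STEPS` and `bounded_ratio` are assumptions made for illustration.

```c
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

#define EPSILON 1.0e-12     /* assumed tolerance, stands in for MagickEpsilon */
#define MAX_STEPS 100000UL  /* assumed iteration budget */

/* Approximate value as numerator/denominator. The step logic is a constructed
   stand-in; returns false on non-finite input or when the budget is spent. */
static bool bounded_ratio(double value, unsigned long *numerator,
  unsigned long *denominator)
{
  double df = 1.0;
  unsigned long steps;

  *numerator = 0;
  *denominator = 1;
  if (!isfinite(value))
    return false;
  if (value <= EPSILON)
    return true;            /* reported as 0/1 */
  *numerator = 1;
  for (steps = 0; fabs(df - value) > EPSILON; steps++)
  {
    if (steps == MAX_STEPS) /* give up instead of spinning */
    {
      *numerator = 0;
      *denominator = 1;
      return false;
    }
    if (df < value)
      (*numerator)++;
    else
    {
      (*denominator)++;
      *numerator = (unsigned long) (value * (double) *denominator);
    }
    df = (double) *numerator / (double) *denominator;
  }
  return true;
}

int main(void)
{
  unsigned long n, d;
  bool ok = bounded_ratio(720000000000000.0, &n, &d); /* value from frame #1 */
  printf("converged=%d ratio=%lu/%lu\n", (int) ok, n, d);
  return 0;
}
```

A caller that gets `false` can skip writing the rational field or fall back to a default, so a crafted XMP value costs at most `MAX_STEPS` iterations.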
PoC
magick hang a.mng
https://drive.google.com/file/d/1iegkwlTjqnJTtM4XkiheYsjKsC6pxtId/view?usp=sharing
Impact
XMP profile write triggers hang due to unbounded loop
Credits
Team Pay1oad DVE
Reporter : Shinyoung Won (with contributions from WooJin Park, DongHa Lee, JungWoo Park, Woojin Jeon, Juwon Chae, Kyusang Han, JaeHun Gou)
yosimich(@yosiimich) Shinyoung Won of SSA Lab
Woojin Jeon
GitHub : brainoverflow
WooJin Park
GitHub : jin-156
Who4mI(@GAP-dev) Lee DongHa of SSA Lab
GitHub : GAP-dev
JungWoo Park
GitHub : JungWooJJING
Juwon Chae
GitHub : I_mho
Kyusang Han
GitHub : T1deSEC
JaeHun Gou
GitHub : P2GONE
Commits
Fixed in: https://github.com/ImageMagick/ImageMagick/commit/229fa96a988a21d78318bbca61245a6ed1ee33a0 and https://github.com/ImageMagick/ImageMagick/commit/38631605e6ab744548a561797472cf8648bcfe26
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
nuget | 14.7.0 | ||
nuget | 14.7.0 | ||
nuget | 14.7.0 | ||
nuget | 14.7.0 | ||
debian 13 | 8:7.1.1.43+dfsg1-1+deb13u1 | ||
debian 14 | 8:7.1.1.47+dfsg1-2 | ||
nuget | 14.7.0 | ||
nuget | 14.7.0 | ||
nuget | 14.7.0 | ||
nuget | 14.7.0 |