Description
ImageMagick before 7.1.2-26 and 6.9.13-51 is missing a check for the allowed memory allocation limit in matrix-backed operations such as -canny. An attacker can supply a crafted image that causes ImageMagick to allocate more memory than permitted by the configured policy, resulting in a denial of service.
Problem types
Allocation of Resources Without Limits or Throttling
Product status
Any version before 7.1.2-26
7.1.2-26 (semver)
Any version before 6.9.13-51
6.9.13-51 (semver)
Credits
rexpository
References
github.com/...Magick/security/advisories/GHSA-rvhp-75f6-9jqh (GitHub Security Advisory (GHSA-rvhp-75f6-9jqh))
www.vulncheck.com/...fore-26-memory-allocation-policy-bypass (VulnCheck Advisory: ImageMagick before 7.1.2-26 Memory Allocation Policy Bypass)