Out-of-bounds Read
CVE-2025-66628
Summary
ImageMagick is a software suite to create, edit, compose, or convert bitmap images. In ImageMagick versions prior to 6.9.13-35 and 7.x prior to 7.1.2-9, the TIM (PSX TIM) image parser contains a critical integer overflow vulnerability in its "ReadTIMImage" function ("coders/tim.c"). The code reads width and height (16-bit values) from the file header and calculates "image_size = 2 * width * height" without checking for overflow. On 32-bit systems (or where "size_t" is 32-bit), this calculation can overflow if width and height are large (e.g., 65535), wrapping around to a small value. This results in a small heap allocation via "AcquireQuantumMemory", and later operations that rely on the dimensions can trigger an out-of-bounds read. This issue is fixed in versions 6.9.13-35 and 7.1.2-10. This issue also affects 32-bit builds of Magick.NET prior to 14.10.0.
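The size calculation described above, as an added example that is not ImageMagick's code or its patch: a 32-bit "size_t" is modelled with "uint32_t" so the wrap reproduces on any host, next to a division-based check that rejects the header before any allocation. The names "size32_t", "tim_size_unchecked" and "tim_size_checked" are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: models a 32-bit size_t so the behaviour is host-independent. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Unchecked form from the advisory text: image_size = 2 * width * height.
 * Unsigned arithmetic wraps modulo 2^32 instead of failing. */
static size32_t tim_size_unchecked(uint16_t width, uint16_t height)
{
    return (size32_t)2 * width * height;
}

/* Checked form (hypothetical helper): refuse dimensions whose byte count
 * does not fit, using division so no wider integer type is required. */
static bool tim_size_checked(uint16_t width, uint16_t height, size32_t *out)
{
    if (height != 0 && width > (SIZE32_MAX / 2) / height)
        return false;               /* 2 * width * height would wrap */
    *out = (size32_t)2 * width * height;
    return true;
}

int main(void)
{
    /* Constructed header values; 65535 is the example given in the advisory. */
    uint16_t w = 65535, h = 65535;
    size32_t n = 0;

    /* True requirement is 8589672450 bytes; the wrapped result is smaller. */
    printf("unchecked: %lu bytes\n", (unsigned long)tim_size_unchecked(w, h));

    if (!tim_size_checked(w, h, &n))
        printf("checked: %ux%u rejected before allocation\n",
               (unsigned)w, (unsigned)h);

    if (tim_size_checked(320, 240, &n))
        printf("checked: 320x240 -> %lu bytes\n", (unsigned long)n);
    return 0;
}
```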
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- HIGH
- NONE
CWE-125 - Out-of-Bounds Read
Out-of-bounds read is a vulnerability that allows access to memory beyond the authorized accessible location. Such a vulnerability compromises the confidentiality of the trusted environment in the application and enables an attacker to launch further attacks by leveraging the exposed information.