CVE-2025-66628
HIGH7.5EPSS 0.05%ImageMagick is vulnerable to an integer Overflow in TIM decoder leading to out of bounds read (32-bit only)
Description
### Summary The TIM (PSX TIM) image parser in ImageMagick contains a critical integer overflow vulnerability in the `ReadTIMImage` function (`coders/tim.c`). The code reads `width` and `height` (16-bit values) from the file header and calculates `image_size = 2 * width * height` without checking for overflow. On 32-bit systems (or where `size_t` is 32-bit), this calculation can overflow if `width` and `height` are large (e.g., 65535), wrapping around to a small value. This results in a small heap allocation via `AcquireQuantumMemory` and later operations relying on the dimensions can trigger an out of bounds read. ### Vulnerable Code File: `coders/tim.c` ```c width=ReadBlobLSBShort(image); height=ReadBlobLSBShort(image); image_size=2*width*height; // Line 234 - NO OVERFLOW CHECK! ``` ### Impact This vulnerability can lead to Arbitrary Memory Disclosure due to an out of bounds read on 32-bit systems.
Affected packages (7)
- Debian/imagemagickfrom 0, < 8:6.9.11.60+dfsg-1.3+deb11u8
- NuGet/Magick.NET-Q16-AnyCPUfrom 0, < 14.10.0
- NuGet/Magick.NET-Q16-HDRI-AnyCPUfrom 0, < 14.10.0
- NuGet/Magick.NET-Q16-HDRI-x86from 0, < 14.10.0
- NuGet/Magick.NET-Q16-x86from 0, < 14.10.0
- NuGet/Magick.NET-Q8-AnyCPUfrom 0, < 14.10.0
- NuGet/Magick.NET-Q8-x86from 0, < 14.10.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |