CVE-2014-8355: ImageMagick - Out-of-bounds read / heap overflow in PCX parser

ImageMagick is vulnerable to an out of bounds read / heap Overflow in the function ReadPCXImage in the file pcx.c. GraphicsMagick, which is a fork of ImageMagick, is also affected.
The issue has been found with the help of Address Sanitizer and the fuzzing tool zzuf.


ImageMagick has released the fixed version 6.8.9-9 (also including fixes for other out of bounds issues).
GraphicsMagick has fixed the issue in its repository, no release yet.


2014-10-21: Discovery, informed both ImageMagick and GraphicsMagick developers
2014-10-23: Patch in ImageMagick SVN
2014-10-25: ImageMagick released 6.8.9-9 with fix
2014-10-26: Patch in GraphicsMagick Mercurial


Patch / upstream commit ImageMagick
ImageMagick Changelog
Patch / upstream commit Graphicsmagick
Fuzzing sample (try with convert or identify)

Hanno Böck, 2014-11-01