ImageMagick affected by divide-by-zero in ThumbnailImage via montage -geometry ":" leads to crash

Low severity GitHub Reviewed Published Aug 26, 2025 in ImageMagick/ImageMagick • Updated Aug 26, 2025

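Packages

  • Magick.NET-Q16-AnyCPU (NuGet): affected versions < 14.8.1, patched version 14.8.1
  • Magick.NET-Q16-HDRI-AnyCPU (NuGet): affected versions < 14.8.1, patched version 14.8.1
  • Magick.NET-Q16-HDRI-OpenMP-arm64 (NuGet): affected versions < 14.8.1, patched version 14.8.1
  • Magick.NET-Q16-HDRI-OpenMP-x64 (NuGet): affected versions < 14.8.1, patched version 14.8.1
  • Magick.NET-Q16-HDRI-arm64 (NuGet): affected versions < 14.8.1, patched version 14.8.1
  • Magick.NET-Q16-HDRI-x64 (NuGet): affected versions < 14.8.1, patched version 14.8.1
  • Magick.NET-Q16-HDRI-x86 (NuGet): affected versions < 14.8.1, patched version 14.8.1
  • Magick.NET-Q16-OpenMP-arm64 (NuGet): affected versions < 14.8.1, patched version 14.8.1
  • Magick.NET-Q16-OpenMP-x64 (NuGet): affected versions < 14.8.1, patched version 14.8.1
  • Magick.NET-Q16-arm64 (NuGet): affected versions < 14.8.1, patched version 14.8.1
  • Magick.NET-Q16-x64 (NuGet): affected versions < 14.8.1, patched version 14.8.1
  • Magick.NET-Q16-x86 (NuGet): affected versions < 14.8.1, patched version 14.8.1
  • Magick.NET-Q8-AnyCPU (NuGet): affected versions < 14.8.1, patched version 14.8.1
  • Magick.NET-Q8-OpenMP-arm64 (NuGet): affected versions < 14.8.1, patched version 14.8.1
  • Magick.NET-Q8-OpenMP-x64 (NuGet): affected versions < 14.8.1, patched version 14.8.1
  • Magick.NET-Q8-arm64 (NuGet): affected versions < 14.8.1, patched version 14.8.1
  • Magick.NET-Q8-x64 (NuGet): affected versions < 14.8.1, patched version 14.8.1
  • Magick.NET-Q8-x86 (NuGet): affected versions < 14.8.1, patched version 14.8.1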

Description

Summary

Passing a geometry string containing only a colon (":") to montage -geometry leads GetGeometry() to set width/height to 0. Later, ThumbnailImage() divides by these zero dimensions, triggering a crash (SIGFPE/abort), resulting in a denial of service.

Details

Root Cause

  1. montage -geometry ":" ... reaches MagickCore/geometry.c:GetGeometry().
  2. StringToDouble/InterpretLocaleValue parses ":" as 0.0; then:
    https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/geometry.c#L355
    WidthValue (and/or HeightValue) is set with a zero dimension.
  3. In MagickCore/resize.c:ThumbnailImage(), the code computes:
    https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/resize.c#L4625-L4629
    causing a division by zero and immediate crash.

The issue is trivially triggerable without external input files (e.g., using xc:white).

Reproduction

Environment

Version: ImageMagick 7.1.2-1 (Beta) Q16-HDRI x86_64 0ba1b587b:20250812 https://imagemagick.org
Features: Cipher DPC HDRI
Delegates (built-in): bzlib fontconfig freetype jbig jng jpeg lcms lzma pangocairo png tiff x xml zlib
Compiler: clang (14.0.0)
OS/Arch: Linux x86_64

Steps

./bin/magick montage -geometry : xc:white null:

Observed result

IOT instruction (core dumped)
# (Environment-dependent: SIGFPE/abort may be observed.)

PoC

No external file required; the pseudo image xc:white suffices:

./bin/magick montage -geometry : xc:white null:

Impact

  • Denial of Service: A divide-by-zero in ThumbnailImage() causes immediate abnormal termination (e.g., SIGFPE/abort), crashing the ImageMagick process.

Suggested fix

Defensively reject zero dimensions early in ThumbnailImage():

if ((columns == 0) || (rows == 0)) {
  (void) ThrowMagickException(exception, GetMagickModule(), OptionError,
    "InvalidGeometry", "thumbnail requires non-zero dimensions: %.20gx%.20g",
    (double) columns, (double) rows);
  return (Image *) NULL;
}

Additionally, consider tightening validation in GetGeometry() so that colon-only (and similar malformed) inputs do not yield WidthValue/HeightValue with zero, or are rejected outright. Variants like "x:" or ":x" may also need explicit handling (maintainer confirmation requested).
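
For services that pass a user-supplied geometry string to ImageMagick or Magick.NET, a caller-side allowlist check in the spirit of the validation suggested above can reject the malformed forms before they reach GetGeometry(). This is an added example, not ImageMagick code: geometry_is_safe() and MAX_DIM are hypothetical names, and the accepted form (WIDTHxHEIGHT with an optional pair of offsets) is deliberately narrower than ImageMagick's geometry syntax.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#define MAX_DIM 16384UL /* assumed service limit, not an ImageMagick constant */

/* Read one decimal dimension; fail on a missing number, zero, or > MAX_DIM. */
static bool parse_dim(const char **p, unsigned long *out)
{
  char *end;
  if (!isdigit((unsigned char) **p))
    return false; /* ":", "x:" and ":x" have no digit where one is required */
  errno = 0;
  *out = strtoul(*p, &end, 10);
  if (errno != 0 || *out == 0 || *out > MAX_DIM)
    return false;
  *p = end;
  return true;
}

/* Consume one signed offset such as "+4" or "-10". */
static bool skip_offset(const char **p)
{
  if ((**p != '+' && **p != '-') || !isdigit((unsigned char) (*p)[1]))
    return false;
  for ((*p)++; isdigit((unsigned char) **p); (*p)++)
    ;
  return true;
}

/* Hypothetical allowlist: WIDTHxHEIGHT, optionally followed by both offsets. */
bool geometry_is_safe(const char *s, unsigned long *w, unsigned long *h)
{
  if (s == NULL || !parse_dim(&s, w) || tolower((unsigned char) *s++) != 'x' ||
      !parse_dim(&s, h))
    return false;
  return *s == '\0' || (skip_offset(&s) && skip_offset(&s) && *s == '\0');
}

int main(void)
{
  /* Constructed samples, including the malformed forms the advisory names. */
  const char *samples[] = { ":", "x:", ":x", "120x0", "0x10", "120x90", "120x90+4+4" };
  unsigned long w, h;
  for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
    printf("%-12s %s\n", samples[i], geometry_is_safe(samples[i], &w, &h) ? "accept" : "reject");
  return 0;
}
```

A check like this complements upgrading to the patched version; it does not replace it.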

Credits

Team Daemon Fuzz Hunters

Bug Hunting Master Program, HSpace/Findthegap

Woojin Park
@jin-156

Hojun Lee
@leehohojune

Youngin Won
@amethyst0225

Siyeon Han
@hanbunny

References

@dlemstra dlemstra published to ImageMagick/ImageMagick Aug 26, 2025
Published to the GitHub Advisory Database Aug 26, 2025
Reviewed Aug 26, 2025
Published by the National Vulnerability Database Aug 26, 2025
Last updated Aug 26, 2025

Severity

Low


CVSS v3 base metrics

  • Attack vector: Network
  • Attack complexity: High
  • Privileges required: None
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: Low

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(19th percentile)

Weaknesses

Divide By Zero

The product divides a value by zero.

CVE ID

CVE-2025-55212

GHSA ID

GHSA-fh55-q5pj-pxgw
