Intel

AIKIDO-2026-87591

rmagick is vulnerable to Heap-based Buffer Overflow

Heap-based Buffer Overflow Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

65

Medium Risk

This Affects:

RUBYrmagick
1.7.1 - 7.0.4
Fixed in 7.0.5
Are you affected? Scan for Free

TL;DR

rmagick is a Ruby binding for ImageMagick whose C extension sizes and dereferences native buffers without validating caller input. Image#dispatch, Image#export_pixels, and Image#export_pixels_to_str compute a pixel buffer size as columns times rows times channels in unsigned arithmetic with no overflow check, so large dimensions wrap the product and allocate an undersized buffer that ImageMagick then overruns, corrupting the heap. Related methods crash the process when a Draw object is used before initialization, when Draw#primitive receives a non-string argument, or when Image, Pixel, or Draw marshal loading receives a non-collection payload from untrusted marshaled data. The fix adds an overflow check on the buffer size computation plus type and initialization guards so these cases raise Ruby exceptions instead of performing unsafe native memory access.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application passes untrusted dimensions, argument types, or marshaled data into the affected rmagick methods.

Background info

rmagick is vulnerable to Heap-based Buffer Overflow in versions 1.7.1 - 7.0.4.

How to fix this

Upgrade the rmagick library to the patch version.