ghsa-6hgw-6x87-578x
Vulnerability from github
Summary
- Target: ImageMagick (commit
ecc9a5eb456747374bae8e07038ba10b3d8821b3) - Type: Undefined Behavior (function-type-mismatch) in splay tree cloning callback
- Impact: Deterministic abort under UBSan (DoS in sanitizer builds). No crash in a non-sanitized build; likely low security impact.
- Trigger: Minimal 2-byte input parsed via MagickWand, then coalescing.
Environment
OS: macOS (Apple Silicon/arm64)
Homebrew clang version 20.1.8
Target: arm64-apple-darwin24.5.0
Thread model: posix
InstalledDir: /opt/homebrew/Cellar/llvm/20.1.8/bin
Configuration file: /opt/homebrew/etc/clang/arm64-apple-darwin24.cfg
Homebrew ImageMagick: magick -version → ImageMagick 7.1.2-0 Q16-HDRI aarch64
pkg-config: MagickWand-7.Q16HDRI version 7.1.2
Library configure flags (capsule build):
./configure --disable-shared --enable-static --without-modules --without-magick-plus-plus --disable-openmp --without-perl --without-x --with-png=yes --without-jpeg --without-tiff --without-xml --without-lqr --without-gslib
Harness compile flags:
-fsanitize=fuzzer,address,undefined -fno-omit-frame-pointer
pkg-config cflags/libs supplied:
-I<...>/include/ImageMagick-7
-DMAGICKCORE_HDRI_ENABLE=1 -DMAGICKCORE_QUANTUM_DEPTH=16 -DMAGICKCORE_CHANNEL_MASK_DEPTH=32
and linked against MagickWand-7.Q16HDRI and MagickCore-7.Q16HDRI
Sanitizer runtime:
ASan+UBSan defaults. Repro also with UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1
PoC
- Bytes (hex):
1c 02 - Base64:
HAI= - sha256 (optional):
Reproduction
Create PoC:
printf '\x1c\x02' > poc.bin
Option A: libFuzzer harness
- Run once: ./harness_ImageMagick_... -runs=1 ./poc.bin
- Expected: UBSan aborts with function-type-mismatch at MagickCore/splay-tree.c:372:43.
Option B: standalone reproducer (C)
- Compile (ensure PKG_CONFIG_PATH points to your ImageMagick if needed):
/opt/homebrew/opt/llvm/bin/clang -g -O1 -fsanitize=address,undefined $(/opt/homebrew/bin/pkg-config --cflags MagickWand-7.Q16HDRI) repro.c -o repro $(/opt/homebrew/bin/pkg-config --libs MagickWand-7.Q16HDRI)
- Run:
UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1 ./repro ./poc.bin Observed output (excerpt) MagickCore/splay-tree.c:372:43: runtime error: call to function ConstantString through pointer to incorrect function type 'void ()(void *)' string.c:680: note: ConstantString defined here
0 CloneSplayTree splay-tree.c:372
1 CloneImageProfiles profile.c:159
2 CloneImage image.c:832
3 CoalesceImages layer.c:269
4 MagickCoalesceImages magick-image.c:1665
5 main repro.c:XX
Root cause
The splay tree clone callback expects a function pointer of type void *(*)(void *). ConstantString has a different signature (char *ConstantString(const char *)). Calling through the mismatched function type is undefined behavior in C and triggers UBSan’s function-type-mismatch.
The path is exercised during coalescing: CloneImage → CloneImageProfiles → CloneSplayTree.
Scope
Reproduces with a minimal, sanitizer-instrumented, PNG-enabled build and delegates disabled (policy.xml), suggesting the issue is in MagickCore rather than external delegates.
Suggested fix (sketch)
Use a wrapper that matches the expected callback prototype, or adjust the splay-tree callback typedef for const-correctness. For example:
static void CloneStringShim(const void p) {
return (void ) ConstantString((const char ) p);
}
/ When setting splay-tree clone_value, use CloneStringShim instead of ConstantString. /
Alternatively, update the clone callback typedefs to use const void consistently (and return void) and ensure callers pass a correctly typed wrapper.
Artifacts
Minimised PoC: attached (poc.bin, 2 bytes; base64 HAI=)
Harness source and exact build command (attached)
Full UBSan trace (attached)
Commit SHA and configure flags (above)
Credits
Discovered by: Lumina Mescuwa
Method: libFuzzer + UBSan
Verification
- UBSan build: Reproduces with halt_on_error=1; aborts at MagickCore/splay-tree.c:372.
- Non-sanitized Homebrew build (macOS arm64, clang 20.1.8): No crash; repro completes silently.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-55160"
],
"database_specific": {
"cwe_ids": [
"CWE-758"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-25T16:23:51Z",
"nvd_published_at": "2025-08-13T14:15:33Z",
"severity": "MODERATE"
},
"details": "## Summary\n- **Target:** ImageMagick (commit `ecc9a5eb456747374bae8e07038ba10b3d8821b3`)\n- **Type:** Undefined Behavior (function-type-mismatch) in splay tree cloning callback\n- **Impact:** Deterministic abort under UBSan (DoS in sanitizer builds). No crash in a non-sanitized build; likely low security impact.\n- **Trigger:** Minimal **2-byte** input parsed via MagickWand, then coalescing.\n## Environment\nOS: macOS (Apple Silicon/arm64)\nHomebrew clang version 20.1.8\nTarget: arm64-apple-darwin24.5.0\nThread model: posix\nInstalledDir: /opt/homebrew/Cellar/llvm/20.1.8/bin\nConfiguration file: /opt/homebrew/etc/clang/arm64-apple-darwin24.cfg\nHomebrew ImageMagick: `magick -version` \u2192 `ImageMagick 7.1.2-0 Q16-HDRI aarch64`\npkg-config: `MagickWand-7.Q16HDRI` version `7.1.2`\nLibrary configure flags (capsule build):\n./configure --disable-shared --enable-static --without-modules --without-magick-plus-plus --disable-openmp --without-perl --without-x --with-png=yes --without-jpeg --without-tiff --without-xml --without-lqr --without-gslib\nHarness compile flags:\n-fsanitize=fuzzer,address,undefined -fno-omit-frame-pointer\npkg-config cflags/libs supplied:\n-I\u003c...\u003e/include/ImageMagick-7\n-DMAGICKCORE_HDRI_ENABLE=1 -DMAGICKCORE_QUANTUM_DEPTH=16 -DMAGICKCORE_CHANNEL_MASK_DEPTH=32\nand linked against MagickWand-7.Q16HDRI and MagickCore-7.Q16HDRI\nSanitizer runtime:\nASan+UBSan defaults. Repro also with `UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1`\n## PoC\n- **Bytes (hex):** `1c 02`\n- **Base64:** `HAI=`\n - **sha256 (optional):** \u003cfill in\u003e\n## Reproduction\nCreate PoC:\n\n`printf \u0027\\x1c\\x02\u0027 \u003e poc.bin`\n\nOption A: libFuzzer harness\n- Run once: `./harness_ImageMagick_... -runs=1 ./poc.bin`\n- Expected: UBSan aborts with function-type-mismatch at `MagickCore/splay-tree.c:372:43`.\n\nOption B: standalone reproducer (C)\n- Compile (ensure `PKG_CONFIG_PATH` points to your ImageMagick if needed):\n\n/opt/homebrew/opt/llvm/bin/clang -g -O1 -fsanitize=address,undefined $(/opt/homebrew/bin/pkg-config --cflags MagickWand-7.Q16HDRI) repro.c -o repro $(/opt/homebrew/bin/pkg-config --libs MagickWand-7.Q16HDRI)\n\n- Run:\n\nUBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1 ./repro ./poc.bin\nObserved output (excerpt)\nMagickCore/splay-tree.c:372:43: runtime error: call to function ConstantString through pointer to incorrect function type \u0027void *(*)(void *)\u0027\nstring.c:680: note: ConstantString defined here\n#0 CloneSplayTree splay-tree.c:372\n#1 CloneImageProfiles profile.c:159\n#2 CloneImage image.c:832\n#3 CoalesceImages layer.c:269\n#4 MagickCoalesceImages magick-image.c:1665\n#5 main repro.c:XX\nRoot cause\nThe splay tree clone callback expects a function pointer of type `void *(*)(void *)`. ConstantString has a different signature (`char *ConstantString(const char *)`). Calling through the mismatched function type is undefined behavior in C and triggers UBSan\u2019s function-type-mismatch.\nThe path is exercised during coalescing: CloneImage \u2192 CloneImageProfiles \u2192 CloneSplayTree.\nScope\nReproduces with a minimal, sanitizer-instrumented, PNG-enabled build and delegates disabled (policy.xml), suggesting the issue is in MagickCore rather than external delegates.\nSuggested fix (sketch)\nUse a wrapper that matches the expected callback prototype, or adjust the splay-tree callback typedef for const-correctness. For example:\nstatic void *CloneStringShim(const void *p) {\nreturn (void *) ConstantString((const char *) p);\n}\n\n/* When setting splay-tree clone_value, use CloneStringShim instead of ConstantString. */\n\nAlternatively, update the clone callback typedefs to use const void* consistently (and return void*) and ensure callers pass a correctly typed wrapper.\n\nArtifacts\nMinimised PoC: attached (poc.bin, 2 bytes; base64 HAI=)\nHarness source and exact build command (attached)\nFull UBSan trace (attached)\nCommit SHA and configure flags (above)\nCredits\nDiscovered by: Lumina Mescuwa\nMethod: libFuzzer + UBSan\nVerification\n- UBSan build: Reproduces with `halt_on_error=1`; aborts at `MagickCore/splay-tree.c:372`.\n- Non-sanitized Homebrew build (macOS arm64, clang 20.1.8): No crash; repro completes silently.",
"id": "GHSA-6hgw-6x87-578x",
"modified": "2025-08-25T16:23:52Z",
"published": "2025-08-25T16:23:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6hgw-6x87-578x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55160"
},
{
"type": "PACKAGE",
"url": "https://github.com/ImageMagick/ImageMagick"
},
{
"type": "WEB",
"url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.8.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "ImageMagick has Undefined Behavior (function-type-mismatch) in CloneSplayTree"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.