Headline
GHSA-fh55-q5pj-pxgw: ImageMagick affected by divide-by-zero in ThumbnailImage via montage -geometry ":" leads to crash
Summary
Passing a geometry string containing only a colon (“:”) to montage -geometry leads GetGeometry() to set width/height to 0. Later, ThumbnailImage() divides by these zero dimensions, triggering a crash (SIGFPE/abort), resulting in a denial of service.
Details
Root Cause
- montage -geometry ":" ... reaches MagickCore/geometry.c:GetGeometry().
- StringToDouble/InterpretLocaleValue parses ":" as 0.0; then:
  https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/geometry.c#L355
  WidthValue (and/or HeightValue) is set with a zero dimension.
- In MagickCore/resize.c:ThumbnailImage(), the code computes:
  https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/resize.c#L4625-L4629
  causing a division by zero and immediate crash.

The issue is trivially triggerable without external input files (e.g., using xc:white).
Reproduction
Environment
Version: ImageMagick 7.1.2-1 (Beta) Q16-HDRI x86_64 0ba1b587b:20250812 https://imagemagick.org
Features: Cipher DPC HDRI
Delegates (built-in): bzlib fontconfig freetype jbig jng jpeg lcms lzma pangocairo png tiff x xml zlib
Compiler: clang (14.0.0)
OS/Arch: Linux x86_64
Steps
./bin/magick montage -geometry : xc:white null:
Observed result
IOT instruction (core dumped)
# (Environment-dependent: SIGFPE/abort may be observed.)
PoC
No external file required; the pseudo image xc:white suffices:
./bin/magick montage -geometry : xc:white null:
Impact
- Denial of Service: A divide-by-zero in ThumbnailImage() causes immediate abnormal termination (e.g., SIGFPE/abort), crashing the ImageMagick process.
Suggested fix
Defensively reject zero dimensions early in ThumbnailImage():

    if ((columns == 0) || (rows == 0)) {
      (void) ThrowMagickException(exception, GetMagickModule(), OptionError,
        "InvalidGeometry", "thumbnail requires non-zero dimensions: %.20gx%.20g",
        (double) columns, (double) rows);
      return (Image *) NULL;
    }

Additionally, consider tightening validation in GetGeometry() so that colon-only (and similar malformed) inputs do not yield WidthValue/HeightValue with zero, or are rejected outright. Variants like "x:" or ":x" may also need explicit handling (maintainer confirmation requested).
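For services that build the -geometry argument from untrusted input and cannot upgrade immediately, the same validation can be applied on the caller side. The following is an added example, not ImageMagick code: check_tile_geometry, parse_num and MAX_DIM are hypothetical names, and the accepted grammar ("WxH" or "WxH+X+Y" only) is an assumption that is deliberately narrower than what ImageMagick itself accepts.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>

#define MAX_DIM 16384UL   /* assumed ceiling, tune per deployment */

/* Parse a decimal number at *p into *out and advance *p.
   min is 1 for dimensions (zero is the crashing case) and 0 for offsets. */
static int parse_num(const char **p, unsigned long min, unsigned long *out)
{
  char *end;

  if (!isdigit((unsigned char) **p))
    return -1;              /* rejects ":", "", signs, whitespace */
  errno = 0;
  *out = strtoul(*p, &end, 10);
  if (errno != 0 || *out < min || *out > MAX_DIM)
    return -1;              /* overflow, zero dimension, or oversized */
  *p = end;
  return 0;
}

/* Accept only "WxH" or "WxH+X+Y" with W and H in 1..MAX_DIM.
   Returns 0 and fills *w, *h when acceptable, -1 otherwise. */
int check_tile_geometry(const char *s, unsigned long *w, unsigned long *h)
{
  unsigned long off;

  if (s == NULL || parse_num(&s, 1, w) != 0)
    return -1;
  if (*s++ != 'x' || parse_num(&s, 1, h) != 0)
    return -1;
  if (*s == '+') {          /* optional +X+Y offsets */
    s++;
    if (parse_num(&s, 0, &off) != 0 || *s++ != '+' ||
        parse_num(&s, 0, &off) != 0)
      return -1;
  }
  return (*s == '\0') ? 0 : -1;   /* trailing junk such as ":" is rejected */
}
```

Call it before handing the string to montage and refuse the request on -1, so the colon-only input and the "x:" and ":x" variants never reach GetGeometry().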
Credits
Team Daemon Fuzz Hunters
Bug Hunting Master Program, HSpace/Findthegap
Woojin Park @jin-156 1203kids@gmail.com
Hojun Lee @leehohojune leehojune@korea.ac.kr
Youngin Won @amethyst0225 youngin04@korea.ac.kr
Siyeon Han @hanbunny kokosyeon@gmail.com
CVE-2025-55212 (GitHub Advisory Database, GitHub Reviewed)
Low severity. Published Aug 26, 2025 in ImageMagick/ImageMagick. Updated Aug 26, 2025.
Package
nuget Magick.NET-Q16-AnyCPU (NuGet)
Affected versions
< 14.8.1
nuget Magick.NET-Q16-HDRI-AnyCPU (NuGet)
nuget Magick.NET-Q16-HDRI-OpenMP-arm64 (NuGet)
nuget Magick.NET-Q16-HDRI-OpenMP-x64 (NuGet)
nuget Magick.NET-Q16-HDRI-arm64 (NuGet)
nuget Magick.NET-Q16-HDRI-x64 (NuGet)
nuget Magick.NET-Q16-HDRI-x86 (NuGet)
nuget Magick.NET-Q16-OpenMP-arm64 (NuGet)
nuget Magick.NET-Q16-OpenMP-x64 (NuGet)
nuget Magick.NET-Q16-arm64 (NuGet)
nuget Magick.NET-Q16-x64 (NuGet)
nuget Magick.NET-Q16-x86 (NuGet)
nuget Magick.NET-Q8-AnyCPU (NuGet)
nuget Magick.NET-Q8-OpenMP-arm64 (NuGet)
nuget Magick.NET-Q8-OpenMP-x64 (NuGet)
nuget Magick.NET-Q8-arm64 (NuGet)
nuget Magick.NET-Q8-x64 (NuGet)
nuget Magick.NET-Q8-x86 (NuGet)
References
- GHSA-fh55-q5pj-pxgw
- ImageMagick/ImageMagick@5f0bcf9
- https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/geometry.c#L355
- https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/resize.c#L4625-L4629
- https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1
Published to the GitHub Advisory Database: Aug 26, 2025
Last updated: Aug 26, 2025