Security Advisories (4)
CVE-2024-53901 (2024-11-17)

"invalid next size" backtrace on use of trim on certain images

CVE-2026-8669 (2026-05-15)

Imager versions through 1.030 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files. Imager::File::GIF's i_readgif_multi_low allocates a single per-row buffer GifRow sized for the GIF's global screen width 'SWidth' and reuses it across every image in the file. The page-match branch validates Image.Width + Image.Left > SWidth before each DGifGetLine write, but the parallel skip-image branch at imgif.c:790-805 calls DGifGetLine(GifFile, GifRow, Width) with no such check.

CVE-2026-13705 (2026-07-06)

Imager versions before 1.032 for Perl have a heap out-of-bounds read in the bundled Imager::File::SGI reader via a 16-bit RLE literal run in read_rgb_16_rle. read_rgb_16_rle guards each literal run with if (count > data_left), but count is a pixel count while every 16-bit sample consumes two bytes. The copy loop reads inp[0] * 256 + inp[1] and advances two bytes per pixel, so a run with data_left / 2 < count <= data_left passes the guard yet consumes 2 * count bytes and reads past the end of the buffer. The 8-bit path is unaffected because there one pixel is one byte. Reading a crafted SGI image through Imager->read triggers the over-read before the parser rejects the malformed image, which can crash the process.

CVE-2026-14454 (2026-07-08)

Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed. Imager mishandled large EXIF IFD entry count values, treating them as negative numbers. This could lead to an attempt to allocate a block nearly the size of the address space, which fails and kills the process. An attacker could craft an image with EXIF data that terminates a worker process.

NAME

Imager::Expr::Assem - an assembler for producing code for the Imager
register machine

SYNOPSIS

use Imager::Expr::Assem;
my $expr = Imager::Expr->new(assem=>'...', ...)

DESCRIPTION

This module is a simple Imager::Expr compiler that compiles a low-level language that has a nearly 1-to-1 relationship to the internal representation used for compiled register machine code.

Syntax

Each line can contain multiple statements separated by semi-colons.

Anything after '#' in a line is ignored.

Types of statements:

variable definition

var name:type

defines variable name to have type, which can be any of n or num for a numeric type or pixel, p or c for a pixel or color type.

Variable names cannot include white-space.

operators

Operators can be split into 3 basic types, those that have a result value, those that don't and the null operator, eg. jump has no value.

The format for operators that return a value is typically:

result = operator operand ...

and for those that don't return a value:

operator operand

where operator is any valid register machine operator, result is any variable defined with var, and operands are variables, constants or literals, or for jump operators, labels.

The set operator can be simplified to:

result = operator

All operators maybe preceded by a label, which is any non-white-space text immediately followed by a colon (':').

BUGS

Note that the current optimizer may produce incorrect optimization for your code, fortunately the optimizer will disable itself if you include any jump operator in your code. A single jump to anywhere after your final ret operator can be used to disable the optimizer without slowing down your code.

There's currently no high-level code generation that can generate code with loops or real conditions.

SEE ALSO

Imager(3), transform.perl, regmach.c

AUTHOR

Tony Cook <tony@develop-help.com>