File ImageMagick-CVE-2026-23876.patch of Package ImageMagick.42534

From 536512a2c60cd6e8c21c1256c2ee4da48d903e0c Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Sun, 18 Jan 2026 18:26:36 +0100
Subject: [PATCH] Added overflow checks to prevent an out of bounds write

---
 coders/xbm.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

Index: ImageMagick-6.8.8-1/coders/xbm.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/xbm.c
+++ ImageMagick-6.8.8-1/coders/xbm.c
@@ -167,6 +167,25 @@ static int XBMInteger(Image *image,short
   return((int) value);
 }
 
+static inline MagickBooleanType HeapOverflowSanityCheckGetSize(
+  const size_t count,const size_t quantum,size_t *const extent)
+{
+  size_t
+    length;
+
+  if ((count == 0) || (quantum == 0))
+    return(MagickTrue);
+  length=count*quantum;
+  if (quantum != (length/count))
+    {
+      errno=ENOMEM;
+      return(MagickTrue);
+    }
+  assert(extent != NULL);
+  *extent=length;
+  return(MagickFalse);
+}
+
 static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
 {
   char
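Review bot: HeapOverflowSanityCheckGetSize returns MagickTrue to mean "reject" (for a zero operand as well as for a wrapped product) and leaves `*extent` unwritten on those paths, yet nothing at the definition says so. That reads as the reverse of a success-style MagickBooleanType return, so a later caller that treats MagickTrue as success would skip the check or use an uninitialised length. I would add a header comment such as `/* Returns MagickTrue when count*quantum is zero or overflows size_t (caller must reject; *extent is not written); MagickFalse with *extent set otherwise. */`. The helper also uses `errno`, `ENOMEM` and `assert` while the patch adds no include; presumably the file's existing headers provide them, which is worth confirming for this 6.8.8-1 backport.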
@@ -341,14 +360,14 @@ static Image *ReadXBMImage(const ImageIn
       (version == 10))
     padding=1;
   bytes_per_line=(image->columns+7)/8+padding;
-  length=(size_t) image->rows;
-  data=(unsigned char *) AcquireQuantumMemory(length,bytes_per_line*
-    sizeof(*data));
+  if (HeapOverflowSanityCheckGetSize(bytes_per_line,image->rows,&length) != MagickFalse)
+    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+  data=(unsigned char *) AcquireQuantumMemory(length,sizeof(*data));
   if (data == (unsigned char *) NULL)
     ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
   p=data;
   if (version == 10)
-    for (i=0; i < (ssize_t) (bytes_per_line*image->rows); (i+=2))
+    for (i=0; i < (ssize_t) length; (i+=2))
     {
       c=XBMInteger(image,hex_digits);
       if (c < 0)
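Review bot: The new check covers only the product of bytes_per_line and image->rows; the context line just above it, `bytes_per_line=(image->columns+7)/8+padding;`, is still unchecked. The declarations sit outside this hunk, but if bytes_per_line is narrower than size_t, or image->columns can approach the size_t maximum, the value passed to the helper is already truncated or wrapped and the buffer would be smaller than the row width implies. Either confirm that the header parsing earlier in ReadXBMImage bounds columns, or reject oversized widths before the computation, e.g. `if (image->columns > (size_t) (INT_MAX-8)) ThrowReaderException(CorruptImageError,"ImproperImageHeader");` with whatever limit fits the declared type. The `(ssize_t) length` cast in this loop and in the one in the following hunk turns negative for very large values, which is harmless only if such an allocation fails first; a short comment stating that assumption would help.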
@@ -361,7 +380,7 @@ static Image *ReadXBMImage(const ImageIn
         *p++=(unsigned char) (c >> 8);
     }
   else
-    for (i=0; i < (ssize_t) (bytes_per_line*image->rows); i++)
+    for (i=0; i < (ssize_t) length; i++)
     {
       c=XBMInteger(image,hex_digits);
       if (c < 0)