File ImageMagick-CVE-2025-55154.patch of Package ImageMagick.40311
Index: ImageMagick-6.8.8-1/coders/png.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/png.c
+++ ImageMagick-6.8.8-1/coders/png.c
@@ -6582,8 +6582,14 @@ static Image *ReadOneMNGImage(MngInfo* m
magnified_width += mng_info->magn_mr;
if (image->columns > 2)
- magnified_width += (png_uint_32)
- ((image->columns-2)*(mng_info->magn_mx));
+ {
+ if ((size_t)UINT32_MAX/(image->columns-2) > (size_t)(mng_info->magn_mx))
+ ThrowReaderException(ResourceLimitError, "MemoryAllocationFailed");
+ if ((size_t)UINT32_MAX - ((image->columns-2)*(size_t)(mng_info->magn_mx)) < (size_t)magnified_width)
+ ThrowReaderException(ResourceLimitError, "MemoryAllocationFailed");
+ magnified_width += (png_uint_32)
+ ((image->columns-2)*(mng_info->magn_mx));
+ }
}
else
@@ -6597,8 +6603,15 @@ static Image *ReadOneMNGImage(MngInfo* m
magnified_width += mng_info->magn_mr-1;
if (image->columns > 3)
- magnified_width += (png_uint_32)
- ((image->columns-3)*(mng_info->magn_mx-1));
+ {
+ if ((size_t)UINT32_MAX/(image->columns-3) > (size_t)(mng_info->magn_mx-1))
+ ThrowReaderException(ResourceLimitError, "MemoryAllocationFailed");
+ if ((size_t)UINT32_MAX - ((image->columns-3)*(size_t)(mng_info->magn_mx-1)) < (size_t)magnified_width)
+ ThrowReaderException(ResourceLimitError, "MemoryAllocationFailed");
+
+ magnified_width += (png_uint_32)
+ ((image->columns-3)*(mng_info->magn_mx-1));
+ }
}
if (mng_info->magn_methy == 1)
