Overview

File ImageMagick-CVE-2025-57803.patch of Package ImageMagick.40311

From e49c68c88eed6e68145480a471650daa9ed87217 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sat, 23 Aug 2025 09:16:48 -0400
Subject: [PATCH] 
 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mxvv-97wh-cfmm

---
 coders/bmp.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

Index: ImageMagick-6.8.8-1/coders/bmp.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/bmp.c
+++ ImageMagick-6.8.8-1/coders/bmp.c
@@ -498,6 +498,11 @@ static MagickBooleanType IsBMP(const uns
 %
 */
 
+static inline MagickBooleanType BMPOverflowCheck(size_t x,size_t y)
+{
+  return((y != 0) && (x > 4294967295UL/y) ? MagickTrue : MagickFalse);
+}
+
 static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
 {
   BMPInfo
@@ -536,6 +541,7 @@ static Image *ReadBMPImage(const ImageIn
     bit,
     blue,
     bytes_per_line,
+    extent,
     green,
     length,
     opacity,
@@ -947,12 +953,18 @@ static Image *ReadBMPImage(const ImageIn
       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
     if (bmp_info.compression == BI_RLE4)
       bmp_info.bits_per_pixel<<=1;
-    bytes_per_line=4*((image->columns*bmp_info.bits_per_pixel+31)/32);
-    length=(size_t) bytes_per_line*image->rows;
+    extent=image->columns*bmp_info.bits_per_pixel;
+    bytes_per_line=4*((extent+31)/32);
+    if (BMPOverflowCheck(bytes_per_line,image->rows) != MagickFalse)
+      ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
+    length=bytes_per_line*image->rows;
     if (length > GetBlobSize(image))
       ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
-    pixel_info=AcquireVirtualMemory((size_t) image->rows,
-      MagickMax(bytes_per_line,image->columns+256UL)*sizeof(*pixels));
+    extent=MagickMax(bytes_per_line,image->columns+256UL);
+    if ((BMPOverflowCheck(image->rows,extent) != MagickFalse) ||
+        (BMPOverflowCheck(extent,sizeof(*pixels)) != MagickFalse))
+      ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+    pixel_info=AcquireVirtualMemory(image->rows,extent*sizeof(*pixels));
     if (pixel_info == (MemoryInfo *) NULL)
       ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
     pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
openSUSE Build Service is sponsored by
Places