File ImageMagick-CVE-2025-66628.patch of Package ImageMagick.41991
From bdae0681ad1e572defe62df85834218f01e6d670 Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Tue, 2 Dec 2025 22:49:12 +0100
Subject: [PATCH] Added extra check to avoid an overflow on 32-bit machines
(GHSA-6hjr-v6g4-3fm8)
---
coders/tim.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Index: ImageMagick-6.8.8-1/coders/tim.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/tim.c
+++ ImageMagick-6.8.8-1/coders/tim.c
@@ -59,6 +59,26 @@
#include "magick/string_.h"
#include "magick/module.h"
+
+static inline MagickBooleanType HeapOverflowSanityCheckGetSize(
+ const size_t count,const size_t quantum,size_t *const extent)
+{
+ size_t
+ length;
+
+ if ((count == 0) || (quantum == 0))
+ return(MagickTrue);
+ length=count*quantum;
+ if (quantum != (length/count))
+ {
+ errno=ENOMEM;
+ return(MagickTrue);
+ }
+ assert(extent != NULL);
+ *extent=length;
+ return(MagickFalse);
+}
+
/*
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
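Review bot: The backported helper `HeapOverflowSanityCheckGetSize` has no comment explaining its inverted return convention, which is easy to misread at call sites: it returns `MagickTrue` when the size is unusable (a zero operand or a wrapped product) and `MagickFalse` only after `*extent` has been written. A short header comment should state that, and that on the failure paths `*extent` is left untouched and `errno` is set only in the overflow case. The function also uses `errno`, `ENOMEM` and `assert`, yet this hunk adds no `#include <errno.h>` or `#include <assert.h>`; the file's include list starts outside the hunk, so confirm both are already reachable in this 6.8.8-1 tree.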
@@ -231,7 +251,8 @@ static Image *ReadTIMImage(const ImageIn
(void) ReadBlobLSBShort(image);
width=ReadBlobLSBShort(image);
height=ReadBlobLSBShort(image);
- image_size=2*width*height;
+ if (HeapOverflowSanityCheckGetSize(2*width,height,&image_size) != MagickFalse)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
bytes_per_line=width*2;
width=(width*16)/bits_per_pixel;
tim_data=(unsigned char *) AcquireQuantumMemory(image_size,
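Review bot: The first argument `2*width` is evaluated before `HeapOverflowSanityCheckGetSize` runs, so the helper guards only the multiplication by `height`, not the doubling itself. That looks safe because `width` comes from `ReadBlobLSBShort`, presumably a 16-bit value, but the declaration of `width` is outside the hunk; a comment such as `/* width is read as a 16-bit short, so 2*width cannot wrap */` above the call would record the assumption. A zero `width` or `height` now also takes the `ImproperImageHeader` path, since the helper returns `MagickTrue` for zero operands. ReadTIMImage's body starts and ends outside the hunk.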