Overview

File ImageMagick-CVE-2026-24485.patch of Package ImageMagick.42999

From 75904c39049ec0b8d81eb7131bb05c0b23ad3189 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Thu, 22 Jan 2026 19:32:16 -0500
Subject: [PATCH] 
 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pqgj-2p96-rx85

---
 coders/pcd.c | 61 +++++++++++++++++++++++++++++++---------------------
 1 file changed, 37 insertions(+), 24 deletions(-)

Index: ImageMagick-6.8.8-1/coders/pcd.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/pcd.c
+++ ImageMagick-6.8.8-1/coders/pcd.c
@@ -116,19 +116,34 @@ static MagickBooleanType DecodeImage(Ima
 #define IsSync(sum)  ((sum & 0xffffff00UL) == 0xfffffe00UL)
 #define PCDGetBits(n) \
 {  \
+  ssize_t \
+    byte_count = 0x800; \
+  \
   sum=(sum << n) & 0xffffffff; \
   bits-=n; \
   while (bits <= 24) \
   { \
     if (p >= (buffer+0x800)) \
       { \
-        count=ReadBlob(image,0x800,buffer); \
+        byte_count=ReadBlob(image,0x800,buffer); \
+        if (byte_count != 0x800) \
+          { \
+            (void) ThrowMagickException(&image->exception,GetMagickModule(), \
+              CorruptImageWarning,"CorruptImage","`%s'",image->filename); \
+            break; \
+          } \
         p=buffer; \
       } \
-    sum|=((unsigned int) (*p) << (24-bits)); \
+    sum|=(((unsigned int) (*p)) << (24-bits)); \
     bits+=8; \
     p++; \
   } \
+  if (byte_count != 0x800) \
+    { \
+      (void) ThrowMagickException(&image->exception,GetMagickModule(), \
+        CorruptImageWarning,"CorruptImage","`%s'",image->filename); \
+      break; \
+    } \
 }
 
   typedef struct PCDTable
@@ -478,6 +496,25 @@ static void Upsample(const size_t width,
   (void) CopyMagickMemory(q,p,(size_t) (2*width));
 }
 
+static inline MagickBooleanType HeapOverflowSanityCheckGetSize(
+  const size_t count,const size_t quantum,size_t *const extent)
+{
+  size_t
+    length;
+
+  if ((count == 0) || (quantum == 0))
+    return(MagickTrue);
+  length=count*quantum;
+  if (quantum != (length/count))
+    {
+      errno=ENOMEM;
+      return(MagickTrue);
+    }
+  assert(extent != NULL);
+  *extent=length;
+  return(MagickFalse);
+}
+
 static Image *ReadPCDImage(const ImageInfo *image_info,ExceptionInfo *exception)
 {
   Image
@@ -505,6 +542,7 @@ static Image *ReadPCDImage(const ImageIn
     *yy;
 
   size_t
+    extent,
     height,
     number_images,
     rotate,
@@ -600,7 +643,12 @@ static Image *ReadPCDImage(const ImageIn
   /*
     Allocate luma and chroma memory.
   */
-  number_pixels=(MagickSizeType) image->columns*image->rows;
+  if (HeapOverflowSanityCheckGetSize(image->columns+1UL,image->rows,&extent) != MagickFalse)
+    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+  if (HeapOverflowSanityCheckGetSize(extent,10,&number_pixels) != MagickFalse)
+    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+  if (HeapOverflowSanityCheckGetSize(extent,30,&extent) != MagickFalse)
+    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
   if (number_pixels != (size_t) number_pixels)
     ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
   chroma1=(unsigned char *) AcquireQuantumMemory(image->columns+1UL,image->rows*
openSUSE Build Service is sponsored by
Places