File ImageMagick-CVE-2025-57803.patch of Package ImageMagick.40619

From 2c55221f4d38193adcb51056c14cf238fbcc35d7 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sat, 23 Aug 2025 09:18:40 -0400
Subject: [PATCH] 
 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mxvv-97wh-cfmm

---
 coders/bmp.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

Index: ImageMagick-7.0.7-34/coders/bmp.c
===================================================================
--- ImageMagick-7.0.7-34.orig/coders/bmp.c
+++ ImageMagick-7.0.7-34/coders/bmp.c
@@ -507,6 +507,11 @@ static MagickBooleanType IsBMP(const uns
 %
 */
 
+static inline MagickBooleanType BMPOverflowCheck(size_t x,size_t y)
+{
+  return((y != 0) && (x > 4294967295UL/y) ? MagickTrue : MagickFalse);
+}
+
 static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
 {
   BMPInfo
@@ -541,6 +546,7 @@ static Image *ReadBMPImage(const ImageIn
   size_t
     bit,
     bytes_per_line,
+    extent,
     length;
 
   ssize_t
@@ -955,15 +961,21 @@ static Image *ReadBMPImage(const ImageIn
       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
     if (bmp_info.compression == BI_RLE4)
       bmp_info.bits_per_pixel<<=1;
-    bytes_per_line=4*((image->columns*bmp_info.bits_per_pixel+31)/32);
-    length=(size_t) bytes_per_line*image->rows;
+    extent=image->columns*bmp_info.bits_per_pixel;
+    bytes_per_line=4*((extent+31)/32);
+    if (BMPOverflowCheck(bytes_per_line,image->rows) != MagickFalse)
+      ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
+    length=bytes_per_line*image->rows;
     if (((MagickSizeType) length/8) > GetBlobSize(image))
       ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
     if ((bmp_info.compression == BI_RGB) ||
         (bmp_info.compression == BI_BITFIELDS))
       {
-        pixel_info=AcquireVirtualMemory(image->rows,MagickMax(bytes_per_line,
-          image->columns+256UL)*sizeof(*pixels));
+        extent=MagickMax(bytes_per_line,image->columns+256UL);
+        if ((BMPOverflowCheck(image->rows,extent) != MagickFalse) ||
+            (BMPOverflowCheck(extent,sizeof(*pixels)) != MagickFalse))
+          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+        pixel_info=AcquireVirtualMemory(image->rows,extent*sizeof(*pixels));
         if (pixel_info == (MemoryInfo *) NULL)
           ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
         pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
@@ -983,8 +995,11 @@ static Image *ReadBMPImage(const ImageIn
         /*
           Convert run-length encoded raster pixels.
         */
-        pixel_info=AcquireVirtualMemory(image->rows,MagickMax(bytes_per_line,
-          image->columns+256UL)*sizeof(*pixels));
+        extent=MagickMax(bytes_per_line,image->columns+256UL);
+        if ((BMPOverflowCheck(image->rows,extent) != MagickFalse) ||
+            (BMPOverflowCheck(extent,sizeof(*pixels)) != MagickFalse))
+          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+        pixel_info=AcquireVirtualMemory(image->rows,extent*sizeof(*pixels));
         if (pixel_info == (MemoryInfo *) NULL)
           ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
         pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
Places

File ImageMagick-CVE-2025-57803.patch of Package ImageMagick.40619

Places
