File ImageMagick-CVE-2025-66628.patch of Package ImageMagick.41990
From bdae0681ad1e572defe62df85834218f01e6d670 Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Tue, 2 Dec 2025 22:49:12 +0100
Subject: [PATCH] Added extra check to avoid an overflow on 32-bit machines
(GHSA-6hjr-v6g4-3fm8)
---
coders/tim.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Index: ImageMagick-7.0.7-34/coders/tim.c
===================================================================
--- ImageMagick-7.0.7-34.orig/coders/tim.c
+++ ImageMagick-7.0.7-34/coders/tim.c
@@ -59,6 +59,26 @@
#include "MagickCore/string_.h"
#include "MagickCore/module.h"
+
+static inline MagickBooleanType HeapOverflowSanityCheckGetSize(
+ const size_t count,const size_t quantum,size_t *const extent)
+{
+ size_t
+ length;
+
+ if ((count == 0) || (quantum == 0))
+ return(MagickTrue);
+ length=count*quantum;
+ if (quantum != (length/count))
+ {
+ errno=ENOMEM;
+ return(MagickTrue);
+ }
+ assert(extent != NULL);
+ *extent=length;
+ return(MagickFalse);
+}
+
/*
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
@@ -231,7 +251,8 @@ static Image *ReadTIMImage(const ImageIn
(void) ReadBlobLSBShort(image);
width=ReadBlobLSBShort(image);
height=ReadBlobLSBShort(image);
- image_size=2*width*height;
+ if (HeapOverflowSanityCheckGetSize(2*width,height,&image_size) != MagickFalse)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
if (image_size > GetBlobSize(image))
ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
bytes_per_line=width*2;
Index: ImageMagick-7.0.7-34/MagickCore/memory.c
===================================================================
--- ImageMagick-7.0.7-34.orig/MagickCore/memory.c
+++ ImageMagick-7.0.7-34/MagickCore/memory.c
@@ -989,6 +989,7 @@ MagickExport MagickBooleanType HeapOverf
}
return(MagickFalse);
}
+
/*
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
