Overview

File ImageMagick-CVE-2025-69204.patch of Package ImageMagick.42115

From 2c08c2311693759153c9aa99a6b2dcb5f985681e Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sat, 27 Dec 2025 14:37:23 -0500
Subject: [PATCH] 
 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hrh7-j8q2-4qcw

---
 coders/svg.c | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

Index: ImageMagick-7.1.1-21/coders/svg.c
===================================================================
--- ImageMagick-7.1.1-21.orig/coders/svg.c
+++ ImageMagick-7.1.1-21/coders/svg.c
@@ -1574,13 +1574,14 @@ static void SVGStartElement(void *contex
   (void) LogMagickEvent(CoderEvent,GetMagickModule(),"  SAX.startElement(%s",
     name);
   svg_info=(SVGInfo *) context;
-  if (svg_info->n++ > MagickMaxRecursionDepth)
+  if (svg_info->n >= MagickMaxRecursionDepth)
     {
       (void) ThrowMagickException(svg_info->exception,GetMagickModule(),
         DrawError,"VectorGraphicsNestedTooDeeply","`%s'",name);
       xmlStopParser((xmlParserCtxtPtr) context);
       return;
     }
+  svg_info->n++;
   svg_info->scale=(double *) ResizeQuantumMemory(svg_info->scale,(size_t)
     svg_info->n+1,sizeof(*svg_info->scale));
   if (svg_info->scale == (double *) NULL)
@@ -5182,17 +5183,33 @@ static MagickBooleanType WriteSVGImage(c
       }
       case PathPrimitive:
       {
-        int
-          number_attributes;
+        size_t
+          number_attributes,
+          quantum;
 
         (void) GetNextToken(q,&q,extent,token);
         number_attributes=1;
         for (p=token; *p != '\0'; p++)
           if (isalpha((int) ((unsigned char) *p)) != 0)
             number_attributes++;
-        if (i > ((ssize_t) number_points-6*BezierQuantum*number_attributes-1))
+        if ((6*BezierQuantum) >= (MAGICK_SSIZE_MAX/number_attributes))
           {
-            number_points+=(size_t) (6*BezierQuantum*number_attributes);
+            (void) ThrowMagickException(exception,GetMagickModule(),
+              ResourceLimitError,"MemoryAllocationFailed","`%s'",
+              image->filename);
+            break;
+          }
+        quantum=(size_t) 6*BezierQuantum*number_attributes;
+        if (number_points >= (MAGICK_SSIZE_MAX-quantum))
+          {
+            (void) ThrowMagickException(exception,GetMagickModule(),
+              ResourceLimitError,"MemoryAllocationFailed","`%s'",
+              image->filename);
+            break;
+          }
+        if (i > (ssize_t) (number_points-quantum-1))
+          {
+            number_points+=(size_t) quantum;
             primitive_info=(PrimitiveInfo *) ResizeQuantumMemory(primitive_info,
               number_points,sizeof(*primitive_info));
             if (primitive_info == (PrimitiveInfo *) NULL)
openSUSE Build Service is sponsored by
Places