File ImageMagick-CVE-2026-23876.patch of Package ImageMagick.42529

From 2fae24192b78fdfdd27d766fd21d90aeac6ea8b8 Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Sun, 18 Jan 2026 17:54:12 +0100
Subject: [PATCH] Added overflow checks to prevent an out of bounds write
 (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r49w-jqq3-3gx8)

---
 coders/xbm.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

Index: ImageMagick-7.1.1-21/coders/xbm.c
===================================================================
--- ImageMagick-7.1.1-21.orig/coders/xbm.c
+++ ImageMagick-7.1.1-21/coders/xbm.c
@@ -196,6 +196,10 @@ static Image *ReadXBMImage(const ImageIn
   short int
     hex_digits[256];
 
+  size_t
+    bytes_per_line,
+    length;
+
   ssize_t
     i,
     x,
@@ -208,8 +212,6 @@ static Image *ReadXBMImage(const ImageIn
   unsigned int
     bit,
     byte,
-    bytes_per_line,
-    length,
     padding,
     version;
 
@@ -343,15 +345,15 @@ static Image *ReadXBMImage(const ImageIn
   if (((image->columns % 16) != 0) && ((image->columns % 16) < 9) &&
       (version == 10))
     padding=1;
-  bytes_per_line=(unsigned int) (image->columns+7)/8+padding;
-  length=(unsigned int) image->rows;
-  data=(unsigned char *) AcquireQuantumMemory(length,bytes_per_line*
-    sizeof(*data));
+  bytes_per_line=(image->columns+7)/8+padding;
+  if (HeapOverflowSanityCheckGetSize(bytes_per_line,image->rows,&length) != MagickFalse)
+    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+  data=(unsigned char *) AcquireQuantumMemory(length,sizeof(*data));
   if (data == (unsigned char *) NULL)
     ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
   p=data;
   if (version == 10)
-    for (i=0; i < (ssize_t) (bytes_per_line*image->rows); (i+=2))
+    for (i=0; i < (ssize_t) length; i+=2)
     {
       c=XBMInteger(image,hex_digits);
       if (c < 0)
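Review bot: The overflow guard on the new `HeapOverflowSanityCheckGetSize` line reads backwards at first glance, because a result other than `MagickFalse` is the failure case, and nothing in the hunk says so. A one-line comment above it would help, for example `/* length = bytes_per_line*rows; a non-false result means the product does not fit in size_t */`. The same comment could record that `length` is now both the allocation size and the bound of the two read loops (the second is in the next hunk), since that shared value is what keeps the stores through `p` inside `data`. The `(ssize_t) length` casts in both loops rely on the allocator refusing sizes above the ssize_t range, which is presumably the case but is not visible here. ReadXBMImage starts and ends outside the hunk.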
@@ -364,7 +366,7 @@ static Image *ReadXBMImage(const ImageIn
         *p++=(unsigned char) (c >> 8);
     }
   else
-    for (i=0; i < (ssize_t) (bytes_per_line*image->rows); i++)
+    for (i=0; i < (ssize_t) length; i++)
     {
       c=XBMInteger(image,hex_digits);
       if (c < 0)
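Review bot: The version-10 loop whose tail is at the top of this hunk depends on an invariant that no comment records: it advances `i` by two and can store two bytes per pass, so it stays within `length` only when `bytes_per_line` is even. From the padding rule in the previous hunk that appears to hold for every column count when `version == 10`, but a reader has to work it out by hand. A comment on that loop would make the bound checkable, for example `/* version 10 stores 16-bit words; bytes_per_line is even here, so i+=2 cannot step past length */`. The condition guarding the second store lies between the two hunks and is not visible, so this should be confirmed against the full function.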