File ImageMagick-CVE-2026-25970.patch of Package ImageMagick.42997
From 266e59ed8d886a76355c863bd38ff5ac34537673 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Wed, 28 Jan 2026 19:50:14 -0500
Subject: [PATCH]
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xg29-8ghv-v4x
---
coders/sixel.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
Index: ImageMagick-7.1.1-43/coders/sixel.c
===================================================================
--- ImageMagick-7.1.1-43.orig/coders/sixel.c
+++ ImageMagick-7.1.1-43/coders/sixel.c
@@ -249,12 +249,7 @@ static MagickBooleanType sixel_decode(Im
background_color_index,
c,
color_index,
- dmsx,
- dmsy,
g,
- i,
- imsx,
- imsy,
n,
max_color_index,
max_x,
@@ -265,17 +260,24 @@ static MagickBooleanType sixel_decode(Im
r,
repeat_count,
sixel_palet[SIXEL_PALETTE_MAX],
- sixel_vertical_mask,
- x,
- y;
+ sixel_vertical_mask;
sixel_pixel_t
*dmbuf,
*imbuf;
size_t
- extent,
- offset;
+ extent;
+
+ ssize_t
+ dmsx,
+ dmsy,
+ i,
+ imsx,
+ imsy,
+ offset,
+ x,
+ y;
extent=strlen((char *) p);
position_x=position_y=0;
@@ -292,7 +294,8 @@ static MagickBooleanType sixel_decode(Im
imsy=2048;
if (SetImageExtent(image,(size_t) imsx,(size_t) imsy,exception) == MagickFalse)
return(MagickFalse);
- imbuf=(sixel_pixel_t *) AcquireQuantumMemory((size_t) imsx,(size_t) imsy*sizeof(sixel_pixel_t));
+ imbuf=(sixel_pixel_t *) AcquireQuantumMemory((size_t) imsx,
+ (size_t) imsy*sizeof(sixel_pixel_t));
if (imbuf == (sixel_pixel_t *) NULL)
return(MagickFalse);
for (n = 0; n < 16; n++)
@@ -313,7 +316,7 @@ static MagickBooleanType sixel_decode(Im
sixel_palet[n++]=SIXEL_RGB(i*11,i*11,i*11);
for (; n < SIXEL_PALETTE_MAX; n++)
sixel_palet[n]=SIXEL_RGB(255,255,255);
- for (i = 0; i < imsx * imsy; i++)
+ for (i = 0; i < (imsx*imsy); i++)
imbuf[i]=background_color_index;
while (*p != '\0')
{
@@ -407,7 +410,7 @@ static MagickBooleanType sixel_decode(Im
}
(void) memset(dmbuf,background_color_index,(size_t) dmsx*(size_t)
dmsy*sizeof(sixel_pixel_t));
- for (y = 0; y < imsy; ++y)
+ for (y=0; y < imsy; ++y)
(void) memcpy(dmbuf+dmsx*y,imbuf+imsx*y,(size_t) imsx*
sizeof(sixel_pixel_t));
imbuf=(sixel_pixel_t *) RelinquishMagickMemory(imbuf);
@@ -484,16 +487,17 @@ static MagickBooleanType sixel_decode(Im
}
else if ((*p >= '?') && (*p <= '\177'))
{
- if ((imsx < (position_x + repeat_count)) || (imsy < (position_y + 6)))
+ if ((imsx < ((ssize_t) position_x+repeat_count)) ||
+ (imsy < ((ssize_t) position_y+6)))
{
- int
+ ssize_t
nx,
ny;
nx=imsx*2;
ny=imsy*2;
- while ((nx < (position_x + repeat_count)) || (ny < (position_y + 6)))
+ while ((nx < ((ssize_t) position_x+repeat_count)) || (ny < ((ssize_t) position_y+6)))
{
nx *= 2;
ny *= 2;
@@ -533,9 +537,9 @@ static MagickBooleanType sixel_decode(Im
{
if ((b & sixel_vertical_mask) != 0)
{
- offset=(size_t) (imsx*((ssize_t) position_y+i)+
+ offset=(ssize_t) (imsx*((ssize_t) position_y+i)+
(ssize_t) position_x);
- if (offset >= (size_t) (imsx*imsy))
+ if (offset >= (imsx*imsy))
{
imbuf=(sixel_pixel_t *) RelinquishMagickMemory(imbuf);
return(MagickFalse);
@@ -565,10 +569,11 @@ static MagickBooleanType sixel_decode(Im
}
for (y = position_y + i; y < position_y + i + n; ++y)
{
- offset=(size_t) ((ssize_t) imsx*y+(ssize_t) position_x);
- if ((offset+(size_t) repeat_count) >= (size_t) (imsx*imsy))
+ offset=(imsx*y+position_x);
+ if ((offset+repeat_count) >= (imsx*imsy))
{
- imbuf=(sixel_pixel_t *) RelinquishMagickMemory(imbuf);
+ imbuf=(sixel_pixel_t *)
+ RelinquishMagickMemory(imbuf);
return(MagickFalse);
}
for (x = 0; x < repeat_count; x++)
