File ImageMagick-CVE-2025-57803.patch of Package ImageMagick.40075
From 2c55221f4d38193adcb51056c14cf238fbcc35d7 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sat, 23 Aug 2025 09:18:40 -0400
Subject: [PATCH]
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mxvv-97wh-cfmm
---
coders/bmp.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
Index: ImageMagick-7.1.0-9/coders/bmp.c
===================================================================
--- ImageMagick-7.1.0-9.orig/coders/bmp.c
+++ ImageMagick-7.1.0-9/coders/bmp.c
@@ -507,6 +507,11 @@ static MagickBooleanType IsBMP(const uns
%
*/
+static inline MagickBooleanType BMPOverflowCheck(size_t x,size_t y)
+{
+ return((y != 0) && (x > 4294967295UL/y) ? MagickTrue : MagickFalse);
+}
+
static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
{
BMPInfo
@@ -546,6 +551,7 @@ static Image *ReadBMPImage(const ImageIn
size_t
bit,
bytes_per_line,
+ extent,
length;
ssize_t
@@ -971,15 +977,21 @@ static Image *ReadBMPImage(const ImageIn
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
if (bmp_info.compression == BI_RLE4)
bmp_info.bits_per_pixel<<=1;
- bytes_per_line=4*((image->columns*bmp_info.bits_per_pixel+31)/32);
- length=(size_t) bytes_per_line*image->rows;
+ extent=image->columns*bmp_info.bits_per_pixel;
+ bytes_per_line=4*((extent+31)/32);
+ if (BMPOverflowCheck(bytes_per_line,image->rows) != MagickFalse)
+ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
+ length=bytes_per_line*image->rows;
if ((MagickSizeType) (length/256) > blob_size)
ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
if ((bmp_info.compression == BI_RGB) ||
(bmp_info.compression == BI_BITFIELDS))
{
- pixel_info=AcquireVirtualMemory(image->rows,
- MagickMax(bytes_per_line,image->columns+256UL)*sizeof(*pixels));
+ extent=MagickMax(bytes_per_line,image->columns+256UL);
+ if ((BMPOverflowCheck(image->rows,extent) != MagickFalse) ||
+ (BMPOverflowCheck(extent,sizeof(*pixels)) != MagickFalse))
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ pixel_info=AcquireVirtualMemory(image->rows,extent*sizeof(*pixels));
if (pixel_info == (MemoryInfo *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
@@ -999,8 +1011,11 @@ static Image *ReadBMPImage(const ImageIn
/*
Convert run-length encoded raster pixels.
*/
- pixel_info=AcquireVirtualMemory(image->rows,
- MagickMax(bytes_per_line,image->columns+256UL)*sizeof(*pixels));
+ extent=MagickMax(bytes_per_line,image->columns+256UL);
+ if ((BMPOverflowCheck(image->rows,extent) != MagickFalse) ||
+ (BMPOverflowCheck(extent,sizeof(*pixels)) != MagickFalse))
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ pixel_info=AcquireVirtualMemory(image->rows,extent*sizeof(*pixels));
if (pixel_info == (MemoryInfo *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
