File ImageMagick-CVE-2026-25898.patch of Package ImageMagick.42998
From 21525d8f27b86e8063fe359616086fd6b71eb05b Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Sun, 8 Feb 2026 14:15:46 +0100
Subject: [PATCH] Fixed out of bound read with negative pixel index
(GHSA-vpxv-r9pg-7gpr)
---
coders/xpm.c | 4 ++++
1 file changed, 4 insertions(+)
Index: ImageMagick-7.1.0-9/coders/xpm.c
===================================================================
--- ImageMagick-7.1.0-9.orig/coders/xpm.c
+++ ImageMagick-7.1.0-9/coders/xpm.c
@@ -1121,10 +1121,14 @@ static MagickBooleanType WriteXPMImage(c
for (x=0; x < (ssize_t) image->columns; x++)
{
k=((ssize_t) GetPixelIndex(image,p) % MaxCixels);
+ if (k < 0)
+ k=0;
symbol[0]=Cixel[k];
for (j=1; j < (ssize_t) characters_per_pixel; j++)
{
k=(((int) GetPixelIndex(image,p)-k)/MaxCixels) % MaxCixels;
+ if (k < 0)
+ k=0;
symbol[j]=Cixel[k];
}
symbol[j]='\0';
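Review bot: The clamp is applied to each derived digit `k` rather than to the pixel index itself, and the inner loop re-reads `GetPixelIndex(image,p)` with an `(int)` cast while the first read uses `(ssize_t)`, so the two reads may disagree for values outside the `int` range. Reading the index once into an `ssize_t` local and clamping that value keeps every later `k` in `[0, MaxCixels)` without a second check, and for a negative index it produces the same symbols as this patch. The same pattern is repeated in the `coders/uil.c` hunk (WriteUILImage), where the same change applies. Both loops sit in functions that start and end outside the hunk, so the size of `Cixel` and how `characters_per_pixel` bounds `symbol` cannot be confirmed from here.

```c
for (x=0; x < (ssize_t) image->columns; x++)
{
  /* Read the index once; a negative value is invalid, so fall back to
     colormap entry 0 before it is used as a table offset. */
  ssize_t index=(ssize_t) GetPixelIndex(image,p);
  if (index < 0)
    index=0;
  k=index % MaxCixels;
  symbol[0]=Cixel[k];
  for (j=1; j < (ssize_t) characters_per_pixel; j++)
  {
    /* index >= 0 and 0 <= k <= index, so the result stays non-negative */
    k=((index-k)/MaxCixels) % MaxCixels;
    symbol[j]=Cixel[k];
  }
  /* … unchanged: symbol termination … */
```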
Index: ImageMagick-7.1.0-9/coders/uil.c
===================================================================
--- ImageMagick-7.1.0-9.orig/coders/uil.c
+++ ImageMagick-7.1.0-9/coders/uil.c
@@ -352,11 +352,14 @@ static MagickBooleanType WriteUILImage(c
for (x=0; x < (ssize_t) image->columns; x++)
{
k=((ssize_t) GetPixelIndex(image,p) % MaxCixels);
+ if (k < 0)
+ k=0;
symbol[0]=Cixel[k];
for (j=1; j < (int) characters_per_pixel; j++)
{
- k=(((int) GetPixelIndex(image,p)-k)/MaxCixels) %
- MaxCixels;
+ k=(((int) GetPixelIndex(image,p)-k)/MaxCixels) % MaxCixels;
+ if (k < 0)
+ k=0;
symbol[j]=Cixel[k];
}
symbol[j]='\0';
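Review bot: The patch header lists only `coders/xpm.c` with 4 insertions (`1 file changed`), yet this `coders/uil.c` section adds five lines and removes two, so the commit record above does not cover it. Someone auditing this backport against upstream commit 21525d8f cannot tell from the file where the uil.c change originated. A header line such as `# coders/uil.c hunk: backported from <upstream commit id>` would record that. The re-wrapping of the `% MaxCixels` expression onto one line is unrelated to the fix and makes the comparison with upstream harder than it needs to be.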