File ImageMagick-CVE-2026-25970.patch of Package ImageMagick.42998
From 266e59ed8d886a76355c863bd38ff5ac34537673 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Wed, 28 Jan 2026 19:50:14 -0500
Subject: [PATCH]
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xg29-8ghv-v4x
---
coders/sixel.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
Index: ImageMagick-7.1.0-9/coders/sixel.c
===================================================================
--- ImageMagick-7.1.0-9.orig/coders/sixel.c
+++ ImageMagick-7.1.0-9/coders/sixel.c
@@ -247,36 +247,38 @@ static MagickBooleanType sixel_decode(Im
background_color_index,
c,
color_index,
- dmsx,
- dmsy,
g,
- i,
- imsx,
- imsy,
n,
max_color_index,
max_x,
max_y,
param[10],
- posision_x,
- posision_y,
+ position_x,
+ position_y,
r,
repeat_count,
sixel_palet[SIXEL_PALETTE_MAX],
- sixel_vertical_mask,
- x,
- y;
+ sixel_vertical_mask;
sixel_pixel_t
*dmbuf,
*imbuf;
size_t
- extent,
- offset;
+ extent;
+
+ ssize_t
+ dmsx,
+ dmsy,
+ i,
+ imsx,
+ imsy,
+ offset,
+ x,
+ y;
extent=strlen((char *) p);
- posision_x=posision_y=0;
+ position_x=position_y=0;
max_x=max_y=0;
attributed_pan=2;
attributed_pad=1;
@@ -290,7 +292,7 @@ static MagickBooleanType sixel_decode(Im
imsy=2048;
if (SetImageExtent(image,imsx,imsy,exception) == MagickFalse)
return(MagickFalse);
- imbuf=(sixel_pixel_t *) AcquireQuantumMemory(imsx,imsy*sizeof(sixel_pixel_t));
+ imbuf=(sixel_pixel_t *) AcquireQuantumMemory((size_t)imsx,(size_t)imsy*sizeof(sixel_pixel_t));
if (imbuf == (sixel_pixel_t *) NULL)
return(MagickFalse);
for (n = 0; n < 16; n++)
@@ -311,7 +313,7 @@ static MagickBooleanType sixel_decode(Im
sixel_palet[n++]=SIXEL_RGB(i*11,i*11,i*11);
for (; n < SIXEL_PALETTE_MAX; n++)
sixel_palet[n]=SIXEL_RGB(255,255,255);
- for (i = 0; i < imsx * imsy; i++)
+ for (i = 0; i < (imsx*imsy); i++)
imbuf[i]=background_color_index;
while (*p != '\0')
{
@@ -469,29 +471,30 @@ static MagickBooleanType sixel_decode(Im
{
/* DECGCR Graphics Carriage Return */
p++;
- posision_x=0;
+ position_x=0;
repeat_count=1;
}
else if (*p == '-')
{
/* DECGNL Graphics Next Line */
p++;
- posision_x=0;
- posision_y+=6;
+ position_x=0;
+ position_y+=6;
repeat_count=1;
}
else if ((*p >= '?') && (*p <= '\177'))
{
- if ((imsx < (posision_x + repeat_count)) || (imsy < (posision_y + 6)))
+ if ((imsx < ((ssize_t) position_x+repeat_count)) ||
+ (imsy < ((ssize_t) position_y+6)))
{
- int
+ ssize_t
nx,
ny;
nx=imsx*2;
ny=imsy*2;
- while ((nx < (posision_x + repeat_count)) || (ny < (posision_y + 6)))
+ while ((nx < ((ssize_t) position_x+repeat_count)) || (ny < ((ssize_t) position_y+6)))
{
nx *= 2;
ny *= 2;
@@ -521,7 +524,7 @@ static MagickBooleanType sixel_decode(Im
if (color_index > max_color_index)
max_color_index = color_index;
if ((b = *(p++) - '?') == 0)
- posision_x += repeat_count;
+ position_x += repeat_count;
else
{
sixel_vertical_mask=0x01;
@@ -531,21 +534,22 @@ static MagickBooleanType sixel_decode(Im
{
if ((b & sixel_vertical_mask) != 0)
{
- offset=(size_t) imsx*(posision_y+i)+posision_x;
- if (offset >= (size_t) imsx * imsy)
+ offset=(ssize_t) (imsx*((ssize_t) position_y+i)+
+ (ssize_t) position_x);
+ if (offset >= (imsx * imsy))
{
imbuf=(sixel_pixel_t *) RelinquishMagickMemory(imbuf);
return(MagickFalse);
}
imbuf[offset]=color_index;
- if (max_x < posision_x)
- max_x = posision_x;
- if (max_y < (posision_y + i))
- max_y = (int)(posision_y + i);
+ if (max_x < position_x)
+ max_x = position_x;
+ if (max_y < (position_y + i))
+ max_y = (int)(position_y + i);
}
sixel_vertical_mask <<= 1;
}
- posision_x += 1;
+ position_x += 1;
}
else /* repeat_count > 1 */
{
@@ -560,27 +564,28 @@ static MagickBooleanType sixel_decode(Im
break;
c <<= 1;
}
- for (y = posision_y + i; y < posision_y + i + n; ++y)
+ for (y = position_y + i; y < position_y + i + n; ++y)
{
- offset=(size_t) imsx*y+posision_x;
- if (offset+repeat_count >= (size_t) imsx*imsy)
+ offset=(imsx*y+position_x);
+ if ((offset+repeat_count) >= (imsx*imsy))
{
- imbuf=(sixel_pixel_t *) RelinquishMagickMemory(imbuf);
+ imbuf=(sixel_pixel_t *)
+ RelinquishMagickMemory(imbuf);
return(MagickFalse);
}
for (x = 0; x < repeat_count; x++)
imbuf[offset+x] = color_index;
}
- if (max_x < (posision_x+repeat_count-1))
- max_x = posision_x+repeat_count-1;
- if (max_y < (posision_y+i+n-1))
- max_y = (int)(posision_y+i+n-1);
+ if (max_x < (position_x+repeat_count-1))
+ max_x = position_x+repeat_count-1;
+ if (max_y < (position_y+i+n-1))
+ max_y = (int)(position_y+i+n-1);
i+=(n-1);
sixel_vertical_mask <<= (n-1);
}
sixel_vertical_mask <<= 1;
}
- posision_x += repeat_count;
+ position_x += repeat_count;
}
}
repeat_count = 1;
