File ImageMagick-CVE-2026-24485.patch of Package ImageMagick.42998

From 0d0752cf4b2bd7d2aaf9b309353365a02650b4e4 Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Tue, 20 Jan 2026 22:38:36 +0100
Subject: [PATCH] Added overflow checks.

---
 coders/pcd.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

Index: ImageMagick-7.1.0-9/coders/pcd.c
===================================================================
--- ImageMagick-7.1.0-9.orig/coders/pcd.c
+++ ImageMagick-7.1.0-9/coders/pcd.c
@@ -116,19 +116,34 @@ static MagickBooleanType DecodeImage(Ima
 #define IsSync(sum)  ((sum & 0xffffff00UL) == 0xfffffe00UL)
 #define PCDGetBits(n) \
 {  \
+  ssize_t \
+    byte_count = 0x800; \
+  \
   sum=(sum << n) & 0xffffffff; \
   bits-=n; \
   while (bits <= 24) \
   { \
     if (p >= (buffer+0x800)) \
       { \
-        count=ReadBlob(image,0x800,buffer); \
+        byte_count=ReadBlob(image,0x800,buffer); \
+        if (byte_count != 0x800) \
+          { \
+            (void) ThrowMagickException(exception,GetMagickModule(), \
+              CorruptImageWarning,"CorruptImage","`%s'",image->filename); \
+            break; \
+          } \
         p=buffer; \
       } \
     sum|=(((unsigned int) (*p)) << (24-bits)); \
     bits+=8; \
     p++; \
   } \
+  if (byte_count != 0x800) \
+    { \
+      (void) ThrowMagickException(exception,GetMagickModule(), \
+        CorruptImageWarning,"CorruptImage","`%s'",image->filename); \
+      break; \
+    } \
 }
 
   typedef struct PCDTable
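Review bot: A short read is reported twice in `PCDGetBits`: the branch after `ReadBlob` throws `CorruptImageWarning` and breaks out of the `while`, then the check added after the loop throws the same warning again because `byte_count` is still not 0x800. Reducing the inner branch to `if (byte_count != 0x800) break; \` would record one warning per truncated read and still stop the decoder from consuming stale buffer bytes. The trailing `break` leaves whatever loop or `switch` surrounds each expansion site, which is outside this hunk, so it is worth confirming that no use sits directly inside a `switch`. A comment above the macro such as `/* On a short read: raises CorruptImageWarning and breaks out of the caller's enclosing loop. */` would make that hidden control flow visible.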
@@ -501,19 +516,11 @@ static Image *ReadPCDImage(const ImageIn
   MemoryInfo
     *pixel_info;
 
-  ssize_t
-    i,
-    y;
-
   Quantum
     *q;
 
-  unsigned char
-    *c1,
-    *c2,
-    *yy;
-
   size_t
+    extent,
     height,
     number_images,
     number_pixels,
@@ -523,13 +530,18 @@ static Image *ReadPCDImage(const ImageIn
 
   ssize_t
     count,
-    x;
+    i,
+    x,
+    y;
 
   unsigned char
+    *c1,
+    *c2,
     *chroma1,
     *chroma2,
     *header,
-    *luma;
+    *luma,
+    *yy;
 
   unsigned int
     overview;
@@ -618,11 +630,15 @@ static Image *ReadPCDImage(const ImageIn
   /*
     Allocate luma and chroma memory.
   */
-  pixel_info=AcquireVirtualMemory(image->columns+1UL,30*image->rows*
-    sizeof(*luma));
+  if (HeapOverflowSanityCheckGetSize(image->columns+1UL,image->rows,&extent) != MagickFalse)
+    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+  if (HeapOverflowSanityCheckGetSize(extent,10,&number_pixels) != MagickFalse)
+    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+  if (HeapOverflowSanityCheckGetSize(extent,30,&extent) != MagickFalse)
+    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+  pixel_info=AcquireVirtualMemory(extent,sizeof(*luma));
   if (pixel_info == (MemoryInfo *) NULL)
     ThrowPCDException(ResourceLimitError,"MemoryAllocationFailed");
-  number_pixels=(image->columns+1UL)*10*image->rows*sizeof(*luma);
   luma=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
   chroma1=(unsigned char *) GetVirtualMemoryBlob(pixel_info)+number_pixels;
   chroma2=(unsigned char *) GetVirtualMemoryBlob(pixel_info)+2*number_pixels;
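Review bot: The three new overflow exits use `ThrowReaderException`, while the allocation failure just below them uses `ThrowPCDException`. If that macro (defined outside this hunk) releases reader-local resources, the new paths skip that cleanup, so `ThrowPCDException(CorruptImageError,"ImproperImageHeader");` on all three would keep the error handling uniform. The third call passes `extent` as both operand and result, which relies on `HeapOverflowSanityCheckGetSize` reading its inputs before storing the output; a separate local would remove that dependency. A comment such as `/* extent=(columns+1)*rows; number_pixels is one plane of 10*extent; the allocation holds luma, chroma1 and chroma2 */` would explain the constants 10 and 30. `ReadPCDImage` starts and ends outside the hunk.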