File ImageMagick-CVE-2026-25798.patch of Package ImageMagick.42998
From 16dd3158ce197c6f65e7798a7a5cc4538bb0303e Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sun, 1 Feb 2026 14:56:14 -0500
Subject: [PATCH]
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p863-5fgm-rgq4
---
MagickCore/cache.c | 37 +++++++++++++++++++++++++++++++++----
coders/sixel.c | 4 ++--
2 files changed, 35 insertions(+), 6 deletions(-)
Index: ImageMagick-7.1.0-9/MagickCore/cache.c
===================================================================
--- ImageMagick-7.1.0-9.orig/MagickCore/cache.c
+++ ImageMagick-7.1.0-9/MagickCore/cache.c
@@ -3491,6 +3491,25 @@ static MagickBooleanType MaskPixelCacheN
%
*/
+static inline MagickBooleanType CacheOverflowSanityCheckGetSize(
+ const MagickSizeType count,const size_t quantum,MagickSizeType *const extent)
+{
+ MagickSizeType
+ length;
+
+ if ((count == 0) || (quantum == 0))
+ return(MagickTrue);
+ length=count*quantum;
+ if (quantum != (length/count))
+ {
+ errno=ENOMEM;
+ return(MagickTrue);
+ }
+ if (extent != NULL)
+ *extent=length;
+ return(MagickFalse);
+}
+
static MagickBooleanType OpenPixelCacheOnDisk(CacheInfo *cache_info,
const MapMode mode)
{
@@ -3642,7 +3661,7 @@ static MagickBooleanType OpenPixelCache(
status;
MagickSizeType
- length,
+ length = 0,
number_pixels;
size_t
@@ -3713,12 +3732,22 @@ static MagickBooleanType OpenPixelCache(
packet_size=MagickMax(cache_info->number_channels,1)*sizeof(Quantum);
if (image->metacontent_extent != 0)
packet_size+=cache_info->metacontent_extent;
- length=number_pixels*packet_size;
+ if (CacheOverflowSanityCheckGetSize(number_pixels,packet_size,&length) != MagickFalse)
+ {
+ cache_info->storage_class=UndefinedClass;
+ cache_info->length=0;
+ ThrowBinaryException(ResourceLimitError,"PixelCacheAllocationFailed",
+ image->filename);
+ }
columns=(size_t) (length/cache_info->rows/packet_size);
if ((cache_info->columns != columns) || ((ssize_t) cache_info->columns < 0) ||
((ssize_t) cache_info->rows < 0))
- ThrowBinaryException(ResourceLimitError,"PixelCacheAllocationFailed",
- image->filename);
+ {
+ cache_info->storage_class=UndefinedClass;
+ cache_info->length=0;
+ ThrowBinaryException(ResourceLimitError,"PixelCacheAllocationFailed",
+ image->filename);
+ }
cache_info->length=length;
if (image->ping != MagickFalse)
{
Index: ImageMagick-7.1.0-9/coders/sixel.c
===================================================================
--- ImageMagick-7.1.0-9.orig/coders/sixel.c
+++ ImageMagick-7.1.0-9/coders/sixel.c
@@ -541,7 +541,7 @@ static MagickBooleanType sixel_decode(Im
if (max_x < posision_x)
max_x = posision_x;
if (max_y < (posision_y + i))
- max_y = posision_y + i;
+ max_y = (int)(posision_y + i);
}
sixel_vertical_mask <<= 1;
}
@@ -574,7 +574,7 @@ static MagickBooleanType sixel_decode(Im
if (max_x < (posision_x+repeat_count-1))
max_x = posision_x+repeat_count-1;
if (max_y < (posision_y+i+n-1))
- max_y = posision_y+i+n-1;
+ max_y = (int)(posision_y+i+n-1);
i+=(n-1);
sixel_vertical_mask <<= (n-1);
}
