diff mbox series

[meta-oe,kirkstone,07/12] ImageMagick: Fix CVE-2025-57803

Message ID 20251120084959.51761-7-Divyanshu.Rathore@bmwtechworks.in
State New
Headers show
Series [meta-oe,kirkstone,01/12] ImageMagick: Fix CVE-2025-53014 | expand

Commit Message

Divyanshu Rathore Nov. 20, 2025, 8:49 a.m. UTC 
Backport the fix for CVE-2025-57803

Add below patch to fix
0007-ImageMagick-Fix-CVE-2025-57803.patch

Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
---
 .../0007-ImageMagick-Fix-CVE-2025-57803.patch | 87 +++++++++++++++++++
 .../imagemagick/imagemagick_7.0.10.bb         |  1 +
 2 files changed, 88 insertions(+)
 create mode 100644 meta-oe/recipes-support/imagemagick/files/0007-ImageMagick-Fix-CVE-2025-57803.patch
diff mbox series

Patch

diff --git a/meta-oe/recipes-support/imagemagick/files/0007-ImageMagick-Fix-CVE-2025-57803.patch b/meta-oe/recipes-support/imagemagick/files/0007-ImageMagick-Fix-CVE-2025-57803.patch
new file mode 100644
index 0000000000..77660e998c
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/0007-ImageMagick-Fix-CVE-2025-57803.patch
@@ -0,0 +1,87 @@ 
+From 13bce1a21fff8cd8eb1dcde5f3571945b0b6d447 Mon Sep 17 00:00:00 2001
+From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+Date: Thu, 23 Oct 2025 23:41:32 +0530
+Subject: [PATCH 1/8] ImageMagick: Fix CVE-2025-57803
+
+CVE: CVE-2025-57803
+
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/2c55221f4d38193adcb51056c14cf238fbcc35d7.patch]
+
+Comment: Refreshed hunk to match latest kirkstone
+
+Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+---
+ coders/bmp.c | 31 +++++++++++++++++++------------
+ 1 file changed, 19 insertions(+), 12 deletions(-)
+
+diff --git a/coders/bmp.c b/coders/bmp.c
+index a46448a95..beff10bb5 100644
+--- a/coders/bmp.c
++++ b/coders/bmp.c
+@@ -507,6 +507,11 @@ static MagickBooleanType IsBMP(const unsigned char *magick,const size_t length)
+ %
+ */
+ 
++static inline MagickBooleanType BMPOverflowCheck(size_t x,size_t y)
++{
++  return((y != 0) && (x > 4294967295UL/y) ? MagickTrue : MagickFalse);
++}
++
+ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ {
+   BMPInfo
+@@ -546,6 +551,7 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
+   size_t
+     bit,
+     bytes_per_line,
++    extent,
+     length;
+ 
+   ssize_t
+@@ -968,18 +974,24 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
+       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+     if (bmp_info.compression == BI_RLE4)
+       bmp_info.bits_per_pixel<<=1;
+-    bytes_per_line=4*((image->columns*bmp_info.bits_per_pixel+31)/32);
+-    length=(size_t) bytes_per_line*image->rows;
++    extent=image->columns*bmp_info.bits_per_pixel;
++    bytes_per_line=4*((extent+31)/32);
++    if (BMPOverflowCheck(bytes_per_line,image->rows) != MagickFalse)
++      ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
++    length=bytes_per_line*image->rows;
+     if ((MagickSizeType) (length/256) > blob_size)
+       ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
++    extent=MagickMax(bytes_per_line,image->columns+1UL);
++    if ((BMPOverflowCheck(image->rows,extent) != MagickFalse) ||
++        (BMPOverflowCheck(extent,sizeof(*pixels)) != MagickFalse))
++      ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++    pixel_info=AcquireVirtualMemory(image->rows,extent*sizeof(*pixels));
++    if (pixel_info == (MemoryInfo *) NULL)
++          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++        pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
+     if ((bmp_info.compression == BI_RGB) ||
+         (bmp_info.compression == BI_BITFIELDS))
+       {
+-        pixel_info=AcquireVirtualMemory(image->rows,
+-          MagickMax(bytes_per_line,image->columns+256UL)*sizeof(*pixels));
+-        if (pixel_info == (MemoryInfo *) NULL)
+-          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+-        pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
+         if (image->debug != MagickFalse)
+           (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+             "  Reading pixels (%.20g bytes)",(double) length);
+@@ -996,11 +1008,6 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
+         /*
+           Convert run-length encoded raster pixels.
+         */
+-        pixel_info=AcquireVirtualMemory(image->rows,
+-          MagickMax(bytes_per_line,image->columns+256UL)*sizeof(*pixels));
+-        if (pixel_info == (MemoryInfo *) NULL)
+-          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+-        pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
+         status=DecodeImage(image,bmp_info.compression,pixels,
+           image->columns*image->rows);
+         if (status == MagickFalse)
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
index e9b125e71f..e1519b13fa 100644
--- a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
+++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
@@ -29,6 +29,7 @@  SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
     file://0004-ImageMagick-Fix-CVE-2025-55005.patch \
     file://0005-ImageMagick-Fix-CVE-2025-53019.patch \
     file://0006-ImageMagick-Fix-CVE-2025-55004.patch \
+    file://0007-ImageMagick-Fix-CVE-2025-57803.patch \
 "
 
 SRCREV = "35b4991eb0939a327f3489988c366e21068b0178"