
[meta-oe,whinlatter,07/11] imagemagick: patch CVE-2026-25794

Message ID 20260306150602.616834-7-skandigraun@gmail.com
State Superseded, archived
Series [meta-oe,whinlatter,01/11] imagemagick: patch CVE-2026-24481 | expand

Commit Message

Gyorgy Sarvari March 6, 2026, 3:05 p.m. UTC
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25794

Backport the patch whose commit message explicitly references the
relevant GitHub advisory[1].

[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhqj-f5cj-9x8h

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../imagemagick/CVE-2026-25794.patch          | 54 +++++++++++++++++++
 .../imagemagick/imagemagick_7.1.2-13.bb       |  1 +
 2 files changed, 55 insertions(+)
 create mode 100644 meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25794.patch

Patch

diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25794.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25794.patch
new file mode 100644
index 0000000000..8eb9f14d57
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25794.patch
@@ -0,0 +1,54 @@ 
+From c4f271dbcbe543b3395f83a1b5416927500c2aa4 Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Fri, 6 Feb 2026 21:03:53 +0100
+Subject: [PATCH] Prevent out of bounds heap write in uhdr encoder
+ (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhqj-f5cj-9x8h)
+
+CVE: CVE-2026-25794
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/ffe589df5ff8ce1433daa4ccb0d2a9fadfbe30ed]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ coders/uhdr.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/coders/uhdr.c b/coders/uhdr.c
+index fc436595e..101d6a90f 100644
+--- a/coders/uhdr.c
++++ b/coders/uhdr.c
+@@ -618,20 +618,28 @@ static MagickBooleanType WriteUHDRImage(const ImageInfo *image_info,
+   {
+     /* Classify image as hdr/sdr intent basing on depth */
+     int
+-      bpp = image->depth >= hdrIntentMinDepth ? 2 : 1;
+-
+-    int
+-      aligned_width = image->columns + (image->columns & 1);
+-
+-    int
+-      aligned_height = image->rows + (image->rows & 1);
++      bpp;
+ 
+     ssize_t
+-      picSize = aligned_width * aligned_height * bpp * 1.5 /* 2x2 sub-sampling */;
++      aligned_height,
++      aligned_width;
++
++    size_t
++      picSize;
+ 
+     void
+       *crBuffer = NULL, *cbBuffer = NULL, *yBuffer = NULL;
+ 
++    if (((double) image->columns > sqrt(MAGICK_SSIZE_MAX/3.0)) ||
++        ((double) image->rows > sqrt(MAGICK_SSIZE_MAX/3.0)))
++      {
++        (void) ThrowMagickException(exception,GetMagickModule(),ImageError,
++          "WidthOrHeightExceedsLimit","%s",image->filename);
++        goto next_image;
++    }
++    bpp = image->depth >= hdrIntentMinDepth ? 2 : 1;
++    aligned_width = image->columns + (image->columns & 1);
++    picSize = aligned_width * aligned_height * bpp * 1.5 /* 2x2 sub-sampling */;
+     if (IssRGBCompatibleColorspace(image->colorspace) && !IsGrayColorspace(image->colorspace))
+     {
+       if (image->depth >= hdrIntentMinDepth && hdr_ct == UHDR_CT_LINEAR)
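Review bot: `aligned_height` is read uninitialized in the `picSize` computation: the new declaration block gives it no initializer, the old `aligned_height = image->rows + (image->rows & 1);` line is removed, and only the `aligned_width` assignment is re-added before the read. The size used for the Y/Cb/Cr buffers is therefore derived from an indeterminate value, so the new width/height bound no longer guarantees that `picSize` matches the image dimensions. Add `aligned_height = image->rows + (image->rows & 1);` directly after the `aligned_width` assignment, then regenerate the embedded hunk header and diffstat so the patch still applies. It is worth comparing against the upstream commit named in Upstream-Status to see whether the line was dropped during the backport or is absent upstream as well. WriteUHDRImage's body continues outside the hunk.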
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.2-13.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.2-13.bb
index 4b5a7fbb14..ab73da952c 100644
--- a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.2-13.bb
+++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.2-13.bb
@@ -21,6 +21,7 @@  SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
            file://CVE-2026-25576.patch \
            file://CVE-2026-25637.patch \
            file://CVE-2026-25638.patch \
+           file://CVE-2026-25794.patch \
            "
 
 SRCREV = "dd991e286b96918917a3392d6dc3ffc0e6907a4e"