Backport the fix for CVE-2025-57803 Add below patch to fix 0007-ImageMagick-Fix-CVE-2025-57803.patch
Signed-off-by: Divyanshu Rathore <[email protected]> --- .../0007-ImageMagick-Fix-CVE-2025-57803.patch | 87 +++++++++++++++++++ .../imagemagick/imagemagick_7.0.10.bb | 1 + 2 files changed, 88 insertions(+) create mode 100644 meta-oe/recipes-support/imagemagick/files/0007-ImageMagick-Fix-CVE-2025-57803.patch diff --git a/meta-oe/recipes-support/imagemagick/files/0007-ImageMagick-Fix-CVE-2025-57803.patch b/meta-oe/recipes-support/imagemagick/files/0007-ImageMagick-Fix-CVE-2025-57803.patch new file mode 100644 index 0000000000..77660e998c --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/files/0007-ImageMagick-Fix-CVE-2025-57803.patch @@ -0,0 +1,87 @@ +From 13bce1a21fff8cd8eb1dcde5f3571945b0b6d447 Mon Sep 17 00:00:00 2001 +From: Divyanshu Rathore <[email protected]> +Date: Thu, 23 Oct 2025 23:41:32 +0530 +Subject: [PATCH 1/8] ImageMagick: Fix CVE-2025-57803 + +CVE: CVE-2025-57803 + +Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/2c55221f4d38193adcb51056c14cf238fbcc35d7.patch] + +Comment: Refreshed hunk to match latest kirkstone + +Signed-off-by: Divyanshu Rathore <[email protected]> +--- + coders/bmp.c | 31 +++++++++++++++++++------------ + 1 file changed, 19 insertions(+), 12 deletions(-) + +diff --git a/coders/bmp.c b/coders/bmp.c +index a46448a95..beff10bb5 100644 +--- a/coders/bmp.c ++++ b/coders/bmp.c +@@ -507,6 +507,11 @@ static MagickBooleanType IsBMP(const unsigned char *magick,const size_t length) + % + */ + ++static inline MagickBooleanType BMPOverflowCheck(size_t x,size_t y) ++{ ++ return((y != 0) && (x > 4294967295UL/y) ? MagickTrue : MagickFalse); ++} ++ + static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception) + { + BMPInfo +@@ -546,6 +551,7 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception) + size_t + bit, + bytes_per_line, ++ extent, + length; + + ssize_t +@@ -968,18 +974,24 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + if (bmp_info.compression == BI_RLE4) + bmp_info.bits_per_pixel<<=1; +- bytes_per_line=4*((image->columns*bmp_info.bits_per_pixel+31)/32); +- length=(size_t) bytes_per_line*image->rows; ++ extent=image->columns*bmp_info.bits_per_pixel; ++ bytes_per_line=4*((extent+31)/32); ++ if (BMPOverflowCheck(bytes_per_line,image->rows) != MagickFalse) ++ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); ++ length=bytes_per_line*image->rows; + if ((MagickSizeType) (length/256) > blob_size) + ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); ++ extent=MagickMax(bytes_per_line,image->columns+1UL); ++ if ((BMPOverflowCheck(image->rows,extent) != MagickFalse) || ++ (BMPOverflowCheck(extent,sizeof(*pixels)) != MagickFalse)) ++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); ++ pixel_info=AcquireVirtualMemory(image->rows,extent*sizeof(*pixels)); ++ if (pixel_info == (MemoryInfo *) NULL) ++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); ++ pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info); + if ((bmp_info.compression == BI_RGB) || + (bmp_info.compression == BI_BITFIELDS)) + { +- pixel_info=AcquireVirtualMemory(image->rows, +- MagickMax(bytes_per_line,image->columns+256UL)*sizeof(*pixels)); +- if (pixel_info == (MemoryInfo *) NULL) +- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); +- pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info); + if (image->debug != MagickFalse) + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " Reading pixels (%.20g bytes)",(double) length); +@@ -996,11 +1008,6 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception) + /* + Convert run-length encoded raster pixels. + */ +- pixel_info=AcquireVirtualMemory(image->rows, +- MagickMax(bytes_per_line,image->columns+256UL)*sizeof(*pixels)); +- if (pixel_info == (MemoryInfo *) NULL) +- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); +- pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info); + status=DecodeImage(image,bmp_info.compression,pixels, + image->columns*image->rows); + if (status == MagickFalse) +-- +2.34.1 + diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb index e9b125e71f..e1519b13fa 100644 --- a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb +++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb @@ -29,6 +29,7 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt file://0004-ImageMagick-Fix-CVE-2025-55005.patch \ file://0005-ImageMagick-Fix-CVE-2025-53019.patch \ file://0006-ImageMagick-Fix-CVE-2025-55004.patch \ + file://0007-ImageMagick-Fix-CVE-2025-57803.patch \ " SRCREV = "35b4991eb0939a327f3489988c366e21068b0178" -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#121938): https://lists.openembedded.org/g/openembedded-devel/message/121938 Mute This Topic: https://lists.openembedded.org/mt/116392318/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
