From 4aea1a32d60f171c6c037468962354ec49df63af Mon Sep 17 00:00:00 2001
From: Shaik Moin <careers.myinfo@gmail.com>
Date: Thu, 16 Apr 2026 16:39:39 +0530
Subject: [PATCH] imagemagick: Fix CVE-2025-62594

Backport the fix for CVE-2025-62594

Changes are made with 7.0.10 version code and only required and
compatible code is taken into patch.
image-private.h:-
Integrated only the essential and compatible updates from the 7.0.10
upstream patch. Specifically, the changes related to the Macro's and
CastDoubleToPtrdiffT were adopted, as these updates are directly tied to
the vulnerability fix. The remaining modifications in this file were
excluded because they do not affect the execution paths relevant to our
codebase.
composite.c:-
This file was intentionally left unchanged. The upstream patch contains
only a formatting update (a trailing space adjustment) with no
functional relevance or security impact, so the change was not included
in our patch.
enhance.c:-
All functional hunks from the upstream vulnerability fix were applied.
These modifications directly contribute to addressing the CVE by
strengthening bounds handling and improving input validation in the
enhancement routines.

Signed-off-by: Shaik Moin <careers.myinfo@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../imagemagick/files/CVE-2025-62594.patch    | 197 ++++++++++++++++++
 .../imagemagick/imagemagick_7.0.10.bb         |   1 +
 2 files changed, 198 insertions(+)
 create mode 100644 meta-oe/recipes-support/imagemagick/files/CVE-2025-62594.patch

diff --git a/meta-oe/recipes-support/imagemagick/files/CVE-2025-62594.patch b/meta-oe/recipes-support/imagemagick/files/CVE-2025-62594.patch
new file mode 100644
index 0000000000..66670a61df
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/CVE-2025-62594.patch
@@ -0,0 +1,197 @@
+From 766d3f6eb8a536dd33ce9b43df361e13e34bcf45 Mon Sep 17 00:00:00 2001
+From: Shaik Moin <careers.myinfo@gmail.com>
+Date: Tue, 7 Apr 2026 15:31:24 +0530
+Subject: [PATCH] imagemagick: Fix CVE-2025-62594
+
+ImageMagick CLAHE : Unsigned underflow and division-by-zero lead to OOB pointer arithmetic and process crash (DoS)
+Reference - https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wpp4-vqfq-v4hp
+
+CVE: CVE-2025-62594
+
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/7b47fe369eda90483402fcd3d78fa4167d3bb129]
+
+Changes are made with 7.0.10 version code and only required and
+compatible code is taken into patch.
+In image-private.h file, only couple of "MACRO's" and
+"CastDoubleToPtrdiffT" is taken as other functions are not effecting our
+current code.
+Composite.c file - is not taken in consideration as the change is for a
+space " ".
+Enhance.c file - All hunks are taken in our current code.
+
+Signed-off-by: Cristy <urban-warrior@imagemagick.org>
+Signed-off-by: Shaik Moin <careers.myinfo@gmail.com>
+---
+ MagickCore/enhance.c       | 45 ++++++++++++++++++++------------------
+ MagickCore/image-private.h | 26 ++++++++++++++++++++++
+ 2 files changed, 50 insertions(+), 21 deletions(-)
+
+diff --git a/MagickCore/enhance.c b/MagickCore/enhance.c
+index 23134d5..54b2695 100644
+--- a/MagickCore/enhance.c
++++ b/MagickCore/enhance.c
+@@ -69,6 +69,7 @@
+ #include "MagickCore/option.h"
+ #include "MagickCore/pixel.h"
+ #include "MagickCore/pixel-accessor.h"
++#include "MagickCore/pixel-private.h"
+ #include "MagickCore/quantum.h"
+ #include "MagickCore/quantum-private.h"
+ #include "MagickCore/resample.h"
+@@ -320,11 +321,8 @@ static void ClipCLAHEHistogram(const double clip_limit,const size_t number_bins,
+   */
+   cumulative_excess=0;
+   for (i=0; i < (ssize_t) number_bins; i++)
+-  {
+-    excess=(ssize_t) histogram[i]-(ssize_t) clip_limit;
+-    if (excess > 0)
+-      cumulative_excess+=excess;
+-  }
++    if (histogram[i] > clip_limit)
++      cumulative_excess+=(ssize_t) (histogram[i]-clip_limit);
+   /*
+     Clip histogram and redistribute excess pixels across all bins.
+   */
+@@ -483,9 +481,6 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+   MemoryInfo
+     *tile_cache;
+ 
+-  unsigned short
+-    *p;
+-
+   size_t
+     limit,
+     *tiles;
+@@ -494,14 +489,15 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+     y;
+ 
+   unsigned short
+-    *lut;
++    *lut,
++    *p;
+ 
+   /*
+     Constrast limited adapted histogram equalization.
+   */
+   if (clip_limit == 1.0)
+     return(MagickTrue);
+-  tile_cache=AcquireVirtualMemory((size_t) clahe_info->x*number_bins,
++  tile_cache=AcquireVirtualMemory((size_t) clahe_info->x*number_bins,(size_t)
+     clahe_info->y*sizeof(*tiles));
+   if (tile_cache == (MemoryInfo *) NULL)
+     return(MagickFalse);
+@@ -512,7 +508,8 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+       return(MagickFalse);
+     }
+   tiles=(size_t *) GetVirtualMemoryBlob(tile_cache);
+-  limit=(size_t) (clip_limit*(tile_info->width*tile_info->height)/number_bins);
++  limit=(size_t) (clip_limit*((double) tile_info->width*tile_info->height)/
++    number_bins);
+   if (limit < 1UL)
+     limit=1UL;
+   /*
+@@ -537,7 +534,7 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+         tile_info->height,histogram);
+       p+=tile_info->width;
+     }
+-    p+=clahe_info->width*(tile_info->height-1);
++    p+=CastDoubleToPtrdiffT((double) clahe_info->width*(tile_info->height-1));
+   }
+   /*
+     Interpolate greylevel mappings to get CLAHE image.
+@@ -578,6 +575,11 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+         }
+     for (x=0; x <= (ssize_t) clahe_info->x; x++)
+     {
++      double
++        Q11,
++        Q12,
++        Q21,
++        Q22;
+       tile.width=tile_info->width;
+       tile.x=x-1;
+       offset.x=tile.x+1;
+@@ -600,15 +602,16 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+             tile.x=clahe_info->x-1;
+             offset.x=tile.x;
+           }
+-      InterpolateCLAHE(clahe_info,
+-        tiles+(number_bins*(tile.y*clahe_info->x+tile.x)),     /* Q12 */
+-        tiles+(number_bins*(tile.y*clahe_info->x+offset.x)),   /* Q22 */
+-        tiles+(number_bins*(offset.y*clahe_info->x+tile.x)),   /* Q11 */
+-        tiles+(number_bins*(offset.y*clahe_info->x+offset.x)), /* Q21 */
+-        &tile,lut,p);
++      Q12=(double) number_bins*(tile.y*clahe_info->x+tile.x);
++      Q22=(double) number_bins*(tile.y*clahe_info->x+offset.x);
++      Q11=(double) number_bins*(offset.y*clahe_info->x+tile.x);
++      Q21=(double) number_bins*(offset.y*clahe_info->x+offset.x);
++      InterpolateCLAHE(clahe_info,tiles+CastDoubleToPtrdiffT(Q12),
++        tiles+CastDoubleToPtrdiffT(Q22),tiles+CastDoubleToPtrdiffT(Q11),
++        tiles+CastDoubleToPtrdiffT(Q21),&tile,lut,p);
+       p+=tile.width;
+     }
+-    p+=clahe_info->width*(tile.height-1);
++    p+=CastDoubleToPtrdiffT((double) clahe_info->width*(tile.height-1));
+   }
+   lut=(unsigned short *) RelinquishMagickMemory(lut);
+   tile_cache=RelinquishVirtualMemory(tile_cache);
+@@ -661,10 +664,10 @@ MagickExport MagickBooleanType CLAHEImage(Image *image,const size_t width,
+     (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename);
+   range_info.min=0;
+   range_info.max=NumberCLAHEGrays-1;
+-  tile_info.width=width;
++  tile_info.width=MagickMax(width,2);
+   if (tile_info.width == 0)
+     tile_info.width=image->columns >> 3;
+-  tile_info.height=height;
++  tile_info.height=MagickMax(height,2);
+   if (tile_info.height == 0)
+     tile_info.height=image->rows >> 3;
+   tile_info.x=0;
+diff --git a/MagickCore/image-private.h b/MagickCore/image-private.h
+index 8ce0208..eaed34f 100644
+--- a/MagickCore/image-private.h
++++ b/MagickCore/image-private.h
+@@ -38,6 +38,8 @@ extern "C" {
+ #define MagickPHI    1.61803398874989484820458683436563811772030917980576
+ #define MagickPI2    1.57079632679489661923132169163975144209858469968755
+ #define MagickPI  3.14159265358979323846264338327950288419716939937510
++#define MAGICK_PTRDIFF_MAX  (PTRDIFF_MAX)
++#define MAGICK_PTRDIFF_MIN  (-PTRDIFF_MAX-1)
+ #define MagickSQ1_2  0.70710678118654752440084436210484903928483593768847
+ #define MagickSQ2    1.41421356237309504880168872420969807856967187537695
+ #define MagickSQ2PI  2.50662827463100024161235523934010416269302368164062
+@@ -53,6 +55,30 @@ extern "C" {
+ #define UndefinedCompressionQuality  0UL
+ #define UndefinedTicksPerSecond  100L
+ 
++static inline ptrdiff_t CastDoubleToPtrdiffT(const double x)
++{
++  double
++    value;
++
++  if (IsNaN(x) != 0)
++    {
++      errno=ERANGE;
++      return(0);
++    }
++  value=(x < 0.0) ? ceil(x) : floor(x);
++  if (value < ((double) MAGICK_PTRDIFF_MIN))
++    {
++      errno=ERANGE;
++      return(MAGICK_PTRDIFF_MIN);
++    }
++  if (value > ((double) MAGICK_PTRDIFF_MAX))
++    {
++      errno=ERANGE;
++      return(MAGICK_PTRDIFF_MAX);
++    }
++  return((ptrdiff_t) value);
++}
++
+ static inline ssize_t CastDoubleToLong(const double x)
+ {
+   if (IsNaN(x) != 0)
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
index 9bc857b715..d6e1c647c7 100644
--- a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
+++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
@@ -54,6 +54,7 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
     file://CVE-2026-22770.patch \
     file://CVE-2026-23874.patch \
     file://CVE-2026-23876.patch \
+    file://CVE-2025-62594.patch \
 "
 
 SRCREV = "35b4991eb0939a327f3489988c366e21068b0178"