ImageMagick: Fix CVE-2025-57803

Backport the fix for CVE-2025-57803 Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/61f444e5457e4e506c73f18460133c80c235ebb6] Add below patch to fix 0007-ImageMagick-Fix-CVE-2025-57803.patch Add below support patch to fix 0007-ImageMagick-Add-support-patch-to-fix-CVE-2025-57803.patch Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-06-13 17:39:57 +00:00 · 2025-12-12 20:29:43 +05:30
parent 222e1b635e
commit f978eae8fc
3 changed files with 125 additions and 0 deletions
@@ -0,0 +1,58 @@
+From 558a3a71c2b107483d8e88cd2d20242358b6633d Mon Sep 17 00:00:00 2001
+From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+Date: Fri, 5 Dec 2025 13:43:17 +0530
+Subject: [PATCH 1/1] ImageMagick: Add support patch to fix CVE-2025-57803
+
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/61f444e5457e4e506c73f18460133c80c235ebb6]
+
+Comment: Refreshed hunk to match latest kirkstone
+
+Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+---
+ coders/bmp.c | 17 ++++++-----------
+ 1 file changed, 6 insertions(+), 11 deletions(-)
+
+diff --git a/coders/bmp.c b/coders/bmp.c
+index a46448a95..703ad0483 100644
+--- a/coders/bmp.c
+++ b/coders/bmp.c
+@@ -968,18 +968,18 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
+       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+     if (bmp_info.compression == BI_RLE4)
+       bmp_info.bits_per_pixel<<=1;
+-    bytes_per_line=4*((image->columns*bmp_info.bits_per_pixel+31)/32);
+    bytes_per_line=image->columns*(4*(bmp_info.bits_per_pixel+31)/32);
+     length=(size_t) bytes_per_line*image->rows;
+     if ((MagickSizeType) (length/256) > blob_size)
+       ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
+    pixel_info=AcquireVirtualMemory(image->rows,
+      MagickMax(bytes_per_line,image->columns+256UL)*sizeof(*pixels));
+    if (pixel_info == (MemoryInfo *) NULL)
+      ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+    pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
+     if ((bmp_info.compression == BI_RGB) ||
+         (bmp_info.compression == BI_BITFIELDS))
+       {
+-        pixel_info=AcquireVirtualMemory(image->rows,
+-          MagickMax(bytes_per_line,image->columns+256UL)*sizeof(*pixels));
+-        if (pixel_info == (MemoryInfo *) NULL)
+-          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+-        pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
+         if (image->debug != MagickFalse)
+           (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+             "  Reading pixels (%.20g bytes)",(double) length);
+@@ -996,11 +996,6 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
+         /*
+           Convert run-length encoded raster pixels.
+         */
+-        pixel_info=AcquireVirtualMemory(image->rows,
+-          MagickMax(bytes_per_line,image->columns+256UL)*sizeof(*pixels));
+-        if (pixel_info == (MemoryInfo *) NULL)
+-          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+-        pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
+         status=DecodeImage(image,bmp_info.compression,pixels,
+           image->columns*image->rows);
+         if (status == MagickFalse)
+-- 
+2.34.1
+
@@ -0,0 +1,65 @@
+From 9624a36f5c77d81cfdce20d0978850fa0db1543c Mon Sep 17 00:00:00 2001
+From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+Date: Thu, 23 Oct 2025 23:41:32 +0530
+Subject: [PATCH 07/18] ImageMagick: Fix CVE-2025-57803
+
+CVE: CVE-2025-57803
+
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/2c55221f4d38193adcb51056c14cf238fbcc35d7.patch]
+
+Comment: Refreshed hunk to match latest kirkstone
+
+Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+---
+ coders/bmp.c | 31 +++++++++++++++++++------------
+ 1 file changed, 19 insertions(+), 12 deletions(-)
+
+diff --git a/coders/bmp.c b/coders/bmp.c
+index a46448a95..beff10bb5 100644
+--- a/coders/bmp.c
+++ b/coders/bmp.c
+@@ -506,6 +506,10 @@ static MagickBooleanType IsBMP(const unsigned char *magick,const size_t length)
+ %    o exception: return any errors or warnings in this structure.
+ %
+ */
+static inline MagickBooleanType BMPOverflowCheck(size_t x,size_t y)
+{
+  return((y != 0) && (x > 4294967295UL/y) ? MagickTrue : MagickFalse);
+}
+
+ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ {
+@@ -546,6 +550,7 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
+   size_t
+     bit,
+     bytes_per_line,
+    extent,
+     length;
+
+   ssize_t
+@@ -968,12 +973,18 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
+       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+     if (bmp_info.compression == BI_RLE4)
+       bmp_info.bits_per_pixel<<=1;
+-    bytes_per_line=image->columns*(4*(bmp_info.bits_per_pixel+31)/32);
+-    length=(size_t) bytes_per_line*image->rows;
+    extent=image->columns*bmp_info.bits_per_pixel;
+    bytes_per_line=4*((extent+31)/32);
+    if (BMPOverflowCheck(bytes_per_line,image->rows) != MagickFalse)
+      ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
+    length=bytes_per_line*image->rows;
+     if ((MagickSizeType) (length/256) > blob_size)
+       ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
+-    pixel_info=AcquireVirtualMemory(image->rows,
+-      MagickMax(bytes_per_line,image->columns+256UL)*sizeof(*pixels));
+    extent=MagickMax(bytes_per_line,image->columns+1UL);
+    if ((BMPOverflowCheck(image->rows,extent) != MagickFalse) ||
+        (BMPOverflowCheck(extent,sizeof(*pixels)) != MagickFalse))
+      ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+    pixel_info=AcquireVirtualMemory(image->rows,extent*sizeof(*pixels));
+     if (pixel_info == (MemoryInfo *) NULL)
+       ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+     pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
+-- 
+2.34.1
+
@@ -32,6 +32,8 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
    file://0004-ImageMagick-Fix-CVE-2025-55005.patch \
    file://0005-ImageMagick-Fix-CVE-2025-53019.patch \
    file://0006-ImageMagick-Fix-CVE-2025-55004.patch \
+    file://0007-ImageMagick-Add-support-patch-to-fix-CVE-2025-57803.patch \
+    file://0007-ImageMagick-Fix-CVE-2025-57803.patch \
 "

 SRCREV = "35b4991eb0939a327f3489988c366e21068b0178"