ImageMagick: Fix CVE-2025-57803

Backport the fix for CVE-2025-57803

Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/61f444e5457e4e506c73f18460133c80c235ebb6]

Add below patch to fix
0007-ImageMagick-Fix-CVE-2025-57803.patch

Add below support patch to fix
0007-ImageMagick-Add-support-patch-to-fix-CVE-2025-57803.patch

Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>

meta-oe/recipes-support/imagemagick/files/0007-ImageMagick-Add-support-patch-to-fix-CVE-2025-57803.patch

@@ -0,0 +1,58 @@
+From 558a3a71c2b107483d8e88cd2d20242358b6633d Mon Sep 17 00:00:00 2001
+From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+Date: Fri, 5 Dec 2025 13:43:17 +0530
+Subject: [PATCH 1/1] ImageMagick: Add support patch to fix CVE-2025-57803
+
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/61f444e5457e4e506c73f18460133c80c235ebb6]
+
+Comment: Refreshed hunk to match latest kirkstone
+
+Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+---
+ coders/bmp.c | 17 ++++++-----------
+ 1 file changed, 6 insertions(+), 11 deletions(-)
+
+diff --git a/coders/bmp.c b/coders/bmp.c
+index a46448a95..703ad0483 100644
+--- a/coders/bmp.c
++++ b/coders/bmp.c
+@@ -968,18 +968,18 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
+       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+     if (bmp_info.compression == BI_RLE4)
+       bmp_info.bits_per_pixel<<=1;
+-    bytes_per_line=4*((image->columns*bmp_info.bits_per_pixel+31)/32);
++    bytes_per_line=image->columns*(4*(bmp_info.bits_per_pixel+31)/32);
+     length=(size_t) bytes_per_line*image->rows;
+     if ((MagickSizeType) (length/256) > blob_size)
+       ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
++    pixel_info=AcquireVirtualMemory(image->rows,
++      MagickMax(bytes_per_line,image->columns+256UL)*sizeof(*pixels));
++    if (pixel_info == (MemoryInfo *) NULL)
++      ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++    pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
+     if ((bmp_info.compression == BI_RGB) ||
+         (bmp_info.compression == BI_BITFIELDS))
+       {
+-        pixel_info=AcquireVirtualMemory(image->rows,
+-          MagickMax(bytes_per_line,image->columns+256UL)*sizeof(*pixels));
+-        if (pixel_info == (MemoryInfo *) NULL)
+-          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+-        pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
+         if (image->debug != MagickFalse)
+           (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+             "  Reading pixels (%.20g bytes)",(double) length);
+@@ -996,11 +996,6 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
+         /*
+           Convert run-length encoded raster pixels.
+         */
+-        pixel_info=AcquireVirtualMemory(image->rows,
+-          MagickMax(bytes_per_line,image->columns+256UL)*sizeof(*pixels));
+-        if (pixel_info == (MemoryInfo *) NULL)
+-          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+-        pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
+         status=DecodeImage(image,bmp_info.compression,pixels,
+           image->columns*image->rows);
+         if (status == MagickFalse)
+-- 
+2.34.1
+

meta-oe/recipes-support/imagemagick/files/0007-ImageMagick-Fix-CVE-2025-57803.patch

@@ -0,0 +1,65 @@
+From 9624a36f5c77d81cfdce20d0978850fa0db1543c Mon Sep 17 00:00:00 2001
+From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+Date: Thu, 23 Oct 2025 23:41:32 +0530
+Subject: [PATCH 07/18] ImageMagick: Fix CVE-2025-57803
+
+CVE: CVE-2025-57803
+
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/2c55221f4d38193adcb51056c14cf238fbcc35d7.patch]
+
+Comment: Refreshed hunk to match latest kirkstone
+
+Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+---
+ coders/bmp.c | 31 +++++++++++++++++++------------
+ 1 file changed, 19 insertions(+), 12 deletions(-)
+
+diff --git a/coders/bmp.c b/coders/bmp.c
+index a46448a95..beff10bb5 100644
+--- a/coders/bmp.c
++++ b/coders/bmp.c
+@@ -506,6 +506,10 @@ static MagickBooleanType IsBMP(const unsigned char *magick,const size_t length)
+ %    o exception: return any errors or warnings in this structure.
+ %
+ */
++static inline MagickBooleanType BMPOverflowCheck(size_t x,size_t y)
++{
++  return((y != 0) && (x > 4294967295UL/y) ? MagickTrue : MagickFalse);
++}
+
+ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ {
+@@ -546,6 +550,7 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
+   size_t
+     bit,
+     bytes_per_line,
++    extent,
+     length;
+
+   ssize_t
+@@ -968,12 +973,18 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
+       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+     if (bmp_info.compression == BI_RLE4)
+       bmp_info.bits_per_pixel<<=1;
+-    bytes_per_line=image->columns*(4*(bmp_info.bits_per_pixel+31)/32);
+-    length=(size_t) bytes_per_line*image->rows;
++    extent=image->columns*bmp_info.bits_per_pixel;
++    bytes_per_line=4*((extent+31)/32);
++    if (BMPOverflowCheck(bytes_per_line,image->rows) != MagickFalse)
++      ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
++    length=bytes_per_line*image->rows;
+     if ((MagickSizeType) (length/256) > blob_size)
+       ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
+-    pixel_info=AcquireVirtualMemory(image->rows,
+-      MagickMax(bytes_per_line,image->columns+256UL)*sizeof(*pixels));
++    extent=MagickMax(bytes_per_line,image->columns+1UL);
++    if ((BMPOverflowCheck(image->rows,extent) != MagickFalse) ||
++        (BMPOverflowCheck(extent,sizeof(*pixels)) != MagickFalse))
++      ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++    pixel_info=AcquireVirtualMemory(image->rows,extent*sizeof(*pixels));
+     if (pixel_info == (MemoryInfo *) NULL)
+       ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+     pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
+-- 
+2.34.1
+

meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb

@@ -32,6 +32,8 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
     file://0004-ImageMagick-Fix-CVE-2025-55005.patch \
     file://0005-ImageMagick-Fix-CVE-2025-53019.patch \
     file://0006-ImageMagick-Fix-CVE-2025-55004.patch \
+    file://0007-ImageMagick-Add-support-patch-to-fix-CVE-2025-57803.patch \
+    file://0007-ImageMagick-Fix-CVE-2025-57803.patch \
 "
 
 SRCREV = "35b4991eb0939a327f3489988c366e21068b0178"