diff --git a/ImageMagick-CVE-2025-57803.patch b/ImageMagick-CVE-2025-57803.patch
new file mode 100644
index 0000000000000000000000000000000000000000..acf3a21ae599f76dfdef99c0a00281da555eaa18
--- /dev/null
+++ b/ImageMagick-CVE-2025-57803.patch
@@ -0,0 +1,62 @@
+From f8435f879d03765724ef2ecfa102fb1abbfe7224 Mon Sep 17 00:00:00 2001
+From: zhuhongbo
+Date: Fri, 5 Dec 2025 10:48:50 +0800
+Subject: [PATCH] fix cve CVE-2025-57803
+
+---
+ coders/bmp.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/coders/bmp.c b/coders/bmp.c
+index 13ccefc..c25e25b 100644
+--- a/coders/bmp.c
++++ b/coders/bmp.c
+@@ -508,6 +508,11 @@ static MagickBooleanType IsBMP(const unsigned char *magick,const size_t length)
+ %
+ */
+
++static inline MagickBooleanType BMPOverflowCheck(size_t x,size_t y)
++{
++ return((y != 0) && (x > 4294967295UL/y) ? MagickTrue : MagickFalse);
++}
++
+ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ {
+ BMPInfo
+@@ -547,6 +552,7 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ size_t
+ bit,
+ bytes_per_line,
++ extent,
+ length;
+
+ ssize_t
+@@ -970,15 +976,21 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ if (bmp_info.compression == BI_RLE4)
+ bmp_info.bits_per_pixel<<=1;
+- bytes_per_line=4*((image->columns*bmp_info.bits_per_pixel+31)/32);
+- length=(size_t) bytes_per_line*image->rows;
++ extent=image->columns*bmp_info.bits_per_pixel;
++ bytes_per_line=4*((extent+31)/32);
++ if (BMPOverflowCheck(bytes_per_line,image->rows) != MagickFalse)
++ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
++ length=bytes_per_line*image->rows;
+ if ((MagickSizeType) (length/256) > GetBlobSize(image))
+ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
+ if ((bmp_info.compression == BI_RGB) ||
+ (bmp_info.compression == BI_BITFIELDS))
+ {
+- pixel_info=AcquireVirtualMemory(image->rows,MagickMax(bytes_per_line,
+- image->columns+256UL)*sizeof(*pixels));
++ extent=MagickMax(bytes_per_line,image->columns+1UL);
++ if ((BMPOverflowCheck(image->rows,extent) != MagickFalse) ||
++ (BMPOverflowCheck(extent,sizeof(*pixels)) != MagickFalse))
++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++ pixel_info=AcquireVirtualMemory(image->rows,extent*sizeof(*pixels));
+ if (pixel_info == (MemoryInfo *) NULL)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
+--
+2.39.3
+
diff --git a/ImageMagick.spec b/ImageMagick.spec index 5fed214f0d0a2911ae43156aeda8718095f4ec73..97540ac99c4e04ab52f578754a5de0799a1f37bf 100644 --- a/ImageMagick.spec +++ b/ImageMagick.spec @@ -3,7 +3,7 @@ Name: ImageMagick Version: %{VER}.%{Patchlevel} -Release: 7%{?dist} +Release: 9%{?dist} Summary: An X application for displaying and manipulating images Group: Applications/Multimedia License: ImageMagick @@ -15,6 +15,7 @@ Patch5: ImageMagick-freeze-svg-empty-class.patch Patch6: ImageMagick-cve-2020-29599.patch Patch7: ImageMagick-bz2005800-sun-raster.patch Patch8: ImageMagick-cve-2021-40211.patch +Patch9: ImageMagick-CVE-2025-57803.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: bzip2-devel, freetype-devel, libjpeg-devel, libpng-devel @@ -136,6 +137,7 @@ cp -p Magick++/demo/*.cpp Magick++/demo/*.miff Magick++/examples %patch6 -p1 -b .cve-2020-29599 %patch7 -p1 -b .bz2005800-sun-raster %patch8 -p1 -b .cve-2021-40211 +%patch9 -p1 -b .CVE-2025-57803 %build %configure --enable-shared \ @@ -305,6 +307,9 @@ rm -rf %{buildroot} %doc PerlMagick/demo/ PerlMagick/Changelog PerlMagick/README.txt %changelog +* Wed Dec 03 2025 zhuhongbo - 6.9.10.68-9 +- cve: fix cve CVE-2025-57803 + * Mon Sep 18 2023 Jan Horak - 6.9.10.68-7 - Added fix for CVE-2021-40211
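Review bot: In ImageMagick-CVE-2025-57803.patch, the third coders/bmp.c hunk (around new line 976) adds `extent=image->columns*bmp_info.bits_per_pixel;`, which is itself an unchecked multiplication; where size_t is 32 bits a wrapped `extent` gives a small `bytes_per_line` that then passes `BMPOverflowCheck(bytes_per_line,image->rows)`. Unless `image->columns` is already bounded earlier in ReadBMPImage (the function body extends outside the hunks), guard the product first with `if (BMPOverflowCheck(image->columns,bmp_info.bits_per_pixel) != MagickFalse) ThrowReaderException(CorruptImageError,"ImproperImageHeader");`. Separately, all three hunk headers and the 16/4 diffstat show that only the read path is touched, so it is worth confirming against the upstream advisory and fix whether the write path (WriteBMPImage) computes the same stride and needs the matching check before the changelog records this CVE as fixed. The allocation slack also drops from `image->columns+256UL` to `image->columns+1UL`; a line in the patch description stating that no later code in the function relies on the larger padding would make that change reviewable.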