Version in base suite: 6.9.11.60+dfsg-1.6+deb12u5 Version in overlay suite: 6.9.11.60+dfsg-1.6+deb12u6 Base version: imagemagick_6.9.11.60+dfsg-1.6+deb12u6 Target version: imagemagick_6.9.11.60+dfsg-1.6+deb12u7 Base file: /srv/ftp-master.debian.org/ftp/pool/main/i/imagemagick/imagemagick_6.9.11.60+dfsg-1.6+deb12u6.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/i/imagemagick/imagemagick_6.9.11.60+dfsg-1.6+deb12u7.dsc changelog | 129 + patches/CVE-2026-24481.patch | 26 patches/CVE-2026-24484_1.patch | 29 patches/CVE-2026-24484_2.patch | 30 patches/CVE-2026-24485.patch | 151 ++ patches/CVE-2026-25576_1.patch | 683 +++++++++ patches/CVE-2026-25576_2.patch | 588 ++++++++ patches/CVE-2026-25638.patch | 35 patches/CVE-2026-25795.patch | 28 patches/CVE-2026-25796.patch | 39 patches/CVE-2026-25797_1_post.patch | 52 patches/CVE-2026-25797_2.patch | 153 ++ patches/CVE-2026-25797_CVE-2026-25965.patch | 732 ++++++++++ patches/CVE-2026-25797_CVE-2026-25965_CVE-2026-25968_CVE-2026-25982.patch | 732 ++++++++++ patches/CVE-2026-25798.patch | 80 + patches/CVE-2026-25799.patch | 37 patches/CVE-2026-25897.patch | 37 patches/CVE-2026-25898_1.patch | 32 patches/CVE-2026-25898_2.patch | 32 patches/CVE-2026-25970.patch | 155 ++ patches/CVE-2026-25983.patch | 78 + patches/CVE-2026-25986.patch | 37 patches/CVE-2026-25987.patch | 28 patches/CVE-2026-25988.patch | 45 patches/CVE-2026-25989.patch | 52 patches/CVE-2026-25989_pre1.patch | 109 + patches/CVE-2026-25989_pre2.patch | 85 + patches/CVE-2026-26066.patch | 47 patches/CVE-2026-26283.patch | 36 patches/CVE-2026-27798.patch | 29 patches/CVE-2026-27799.patch | 28 patches/series | 29 32 files changed, 4383 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpgvfszw94/imagemagick_6.9.11.60+dfsg-1.6+deb12u6.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpgvfszw94/imagemagick_6.9.11.60+dfsg-1.6+deb12u7.dsc: no acceptable signature found diff -Nru imagemagick-6.9.11.60+dfsg/debian/changelog imagemagick-6.9.11.60+dfsg/debian/changelog --- imagemagick-6.9.11.60+dfsg/debian/changelog 2026-01-21 21:54:51.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/changelog 2026-03-06 16:54:58.000000000 +0000 @@ -1,3 +1,132 @@ +imagemagick (8:6.9.11.60+dfsg-1.6+deb12u7) bookworm-security; urgency=high + + * Fix CVE-2026-24481: + A heap information disclosure vulnerability exists + in ImageMagick's PSD (Adobe Photoshop) format handler. + When processing a maliciously crafted PSD file containing + ZIP-compressed layer data that decompresses to less than + the expected size, uninitialized heap memory is leaked + into the output image. + * Fix CVE-2026-24484: + Magick fails to check for multi-layer nested mvg + conversions to svg, leading to DoS. + * Fix CVE-2026-24485: + When a PCD file does not contain a valid Sync marker, the + DecodeImage() function becomes trapped in an infinite loop while + searching for the Sync marker, causing the program to become + unresponsive and continuously consume CPU resources, ultimately + leading to system resource exhaustion and Denial of Service + (DoS) + * Fix CVE-2026-25576: + A heap buffer over-read vulnerability exists in multiple + raw image format handles. The vulnerability occurs when + processing images with -extract dimensions larger than + -size dimensions, causing out-of-bounds memory reads + from a heap-allocated buffer. + * Fix CVE-2026-25638: + A memory leak exists in `coders/msl.c`. In the `WriteMSLImage` + function of the `msl.c` file, resources are allocated. But the + function returns early without releasing these allocated resources. + * Fix CVE-2026-25795: + `ReadSFWImage()` (`coders/sfw.c`), when temporary file + creation fails, `read_info` is destroyed before its `filename` + member is accessed, causing a NULL pointer dereference and crash. + * Fix CVE-2026-25796: + In `ReadSTEGANOImage()` (`coders/stegano.c`), the `watermark` Image + object is not freed on three early-return paths, resulting in a + definite memory leak (~13.5KB+ per invocation) that can be exploited + for denial of service. + * Fix CVE-2026-25797: + The ps coders, responsible for writing PostScript files, fails to + sanitize the input before writing it into the PostScript header. An + attacker can provide a malicious file and inject arbitrary PostScript + code. When the resulting file is processed by a printer or a viewer + (like Ghostscript), the injected code is interpreted and executed. The + html encoder does not properly escape strings that are written to in + the html document. An attacker can provide a malicious file and + injection arbitrary html code. + * Fix CVE-2026-25798: + A NULL pointer dereference in ClonePixelCacheRepository allows a + remote attacker to crash any application linked against ImageMagick by + supplying a crafted image file, resulting in denial of service. + * Fix CVE-2026-25799: + A logic error in YUV sampling factor validation allows an invalid + sampling factor to bypass checks and trigger a division-by-zero during + image loading, resulting in a reliable denial-of-service. + * Fix CVE-2026-25897: + An Integer Overflow vulnerability exists in the sun decoder. On 32-bit + systems/builds, a carefully crafted image can lead to an out of bounds + heap write. + * Fix CVE-2026-25898: + The UIL and XPM image encoder do not validate the + pixel index value returned by `GetPixelIndex()` before using it as an + array subscript. In HDRI builds, `Quantum` is a floating-point type, + so pixel index values can be negative. An attacker can craft an image + with negative pixel index values to trigger a global buffer overflow + read during conversion, leading to information disclosure or a process + crash. + * Fix CVE-2026-25965: + ImageMagick’s path security policy is enforced on the raw filename + string before the filesystem resolves it. As a result, a policy rule + such as /etc/* can be bypassed by a path traversal. The OS resolves + the traversal and opens the sensitive file, but the policy matcher + only sees the unnormalized path and therefore allows the read. This + enables local file disclosure (LFI) even when policy-secure.xml is + applied. + * Fix CVE-2026-25968: + A stack buffer overflow occurs when processing the an attribute + in msl.c. A long value overflows a fixed-size stack buffer, + leading to memory corruption + * Fix CVE-2026-25970: + A signed integer overflow vulnerability in ImageMagick's SIXEL decoder + allows an attacker to trigger memory corruption and denial of service + when processing a maliciously crafted SIXEL image file. The + vulnerability occurs during buffer reallocation operations where + pointer arithmetic using signed 32-bit integers overflows. + * Fix CVE-2026-25982: + A heap out-of-bounds read vulnerability exists in the `coders/dcm.c` + module. When processing DICOM files with a specific configuration, the + decoder loop incorrectly reads bytes per iteration. This causes the + function to read past the end of the allocated buffer, potentially + leading to a Denial of Service (crash) or Information Disclosure + (leaking heap memory into the image). + * Fix CVE-2026-25983: + A crafted MSL script triggers a heap-use-after-free. The operation + element handler replaces and frees the image while the parser + continues reading from it, leading to a UAF in ReadBlobString during + further parsing. + * Fix CVE-2026-25986: + A heap buffer overflow write vulnerability exists in ReadYUVImage() + (coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace) images. + * Fix CVE-2026-25987: + A heap buffer over-read vulnerability exists in the MAP image decoder when + processing crafted MAP files, potentially leading to crashes or + unintended memory disclosure during image decoding. + * Fix CVE-2026-25988: + Sometimes msl.c fails to update the stack index, so an image is + stored in the wrong slot and never freed on error, causing leaks + * Fix CVE-2026-25989: + A crafted SVG file can cause a denial of service. An off-by-one boundary + check (`>` instead of `>=`) that allows bypass the guard and reach an + undefined `(size_t)` cast. + * Fix CVE-2026-26066: + A crafted profile contain invalid IPTC data may cause an infinite + loop when writing it with `IPTCTEXT` + * Fix CVE-2026-26283: + A `continue` statement in the JPEG extent binary search loop + in the jpeg encoder causes an infinite loop when writing persistently fails + * Fix CVE-2026-27798: + A heap buffer over-read vulnerability occurs when processing an image + with small dimension using the `-wavelet-denoise` operator + * Fix CVE-2026-27799: + A heap buffer over-read vulnerability exists in the DJVU image format + handler. The vulnerability occurs due to integer truncation when + calculating the stride (row size) for pixel buffer allocation. The + stride calculation overflows a 32-bit signed integer, resulting in an + out-of-bounds memory reads. + + -- Bastien Roucariès Fri, 06 Mar 2026 17:54:58 +0100 + imagemagick (8:6.9.11.60+dfsg-1.6+deb12u6) bookworm-security; urgency=high * Fix CVE-2026-23874 (Closes: #1126075) diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-24481.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-24481.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-24481.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-24481.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,26 @@ +From: Dirk Lemstra +Date: Sun, 25 Jan 2026 19:35:35 +0100 +Subject: Initialize the pixels with empty values to prevent possible heap + information disclosure + (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-96pc-27rx-pr36) + +(cherry picked from commit 38872ec2a70084813883ea152f18497911823c18) + +origin: https://github.com/ImageMagick/ImageMagick6/commit/38872ec2a70084813883ea152f18497911823c18 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-96pc-27rx-pr36 +--- + coders/psd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/coders/psd.c b/coders/psd.c +index 5c70c11..e6ed6d7 100644 +--- a/coders/psd.c ++++ b/coders/psd.c +@@ -1252,6 +1252,7 @@ static MagickBooleanType ReadPSDChannelZip(Image *image,const size_t channels, + ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed", + image->filename); + } ++ memset(pixels,0,count*sizeof(*pixels)); + if (ReadBlob(image,compact_size,compact_pixels) != (ssize_t) compact_size) + { + pixels=(unsigned char *) RelinquishMagickMemory(pixels); diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-24484_1.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-24484_1.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-24484_1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-24484_1.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,29 @@ +From: Cristy +Date: Fri, 23 Jan 2026 20:27:22 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wg3g-gvx5-2pmv + +Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS + +(cherry picked from commit c47b28f700fc454e4f7c16e197a55149120697ea) + +origin: https://github.com/ImageMagick/ImageMagick6/commit/c47b28f700fc454e4f7c16e197a55149120697ea +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wg3g-gvx5-2pmv +--- + coders/svg.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/coders/svg.c b/coders/svg.c +index 93438bb..011417d 100644 +--- a/coders/svg.c ++++ b/coders/svg.c +@@ -4679,6 +4679,9 @@ static MagickBooleanType WriteSVGImage(const ImageInfo *image_info,Image *image) + if (LocaleCompare("graphic-context",token) == 0) + { + n++; ++ if (n == MagickMaxRecursionDepth) ++ ThrowWriterException(DrawError, ++ "VectorGraphicsNestedTooDeeply"); + if (active) + { + AffineToTransform(image,&affine); diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-24484_2.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-24484_2.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-24484_2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-24484_2.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,30 @@ +From: Cristy +Date: Sat, 24 Jan 2026 09:07:02 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wg3g-gvx5-2pmv + +Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS + +(cherry picked from commit 151dcb4f0246d1285cbd756a1f32797894ad5da5) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wg3g-gvx5-2pmv +origin: https://github.com/ImageMagick/ImageMagick6/commit/151dcb4f0246d1285cbd756a1f32797894ad5da5 +--- + magick/draw.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/magick/draw.c b/magick/draw.c +index 950ed8a..72ad60c 100644 +--- a/magick/draw.c ++++ b/magick/draw.c +@@ -3427,6 +3427,10 @@ static MagickBooleanType RenderMVGContent(Image *image, + (void) GetNextToken(q,&q,extent,token); + (void) CloneString(&graphic_context[n]->id,token); + } ++ if (n > MagickMaxRecursionDepth) ++ (void) ThrowMagickException(&image->exception, ++ GetMagickModule(),DrawError,"VectorGraphicsNestedTooDeeply", ++ "`%s'",image->filename); + break; + } + if (LocaleCompare("mask",token) == 0) diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-24485.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-24485.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-24485.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-24485.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,151 @@ +From: Cristy +Date: Thu, 22 Jan 2026 19:32:16 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pqgj-2p96-rx85 + +When a PCD file does not contain a valid Sync marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the Sync marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service + +(cherry picked from commit 75904c39049ec0b8d81eb7131bb05c0b23ad3189) + +origin: https://github.com/ImageMagick/ImageMagick6/commit/75904c39049ec0b8d81eb7131bb05c0b23ad3189 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pqgj-2p96-rx85 +--- + coders/pcd.c | 61 ++++++++++++++++++++++++++++++++++++------------------------ + 1 file changed, 37 insertions(+), 24 deletions(-) + +diff --git a/coders/pcd.c b/coders/pcd.c +index f060e9b..730aa69 100644 +--- a/coders/pcd.c ++++ b/coders/pcd.c +@@ -117,19 +117,34 @@ static MagickBooleanType DecodeImage(Image *image,unsigned char *luma, + #define IsSync(sum) ((sum & 0xffffff00UL) == 0xfffffe00UL) + #define PCDGetBits(n) \ + { \ ++ ssize_t \ ++ byte_count = 0x800; \ ++ \ + sum=(sum << n) & 0xffffffff; \ + bits-=n; \ + while (bits <= 24) \ + { \ + if (p >= (buffer+0x800)) \ + { \ +- count=ReadBlob(image,0x800,buffer); \ ++ byte_count=ReadBlob(image,0x800,buffer); \ ++ if (byte_count != 0x800) \ ++ { \ ++ (void) ThrowMagickException(&image->exception,GetMagickModule(), \ ++ CorruptImageWarning,"CorruptImage","`%s'",image->filename); \ ++ break; \ ++ } \ + p=buffer; \ + } \ + sum|=(((unsigned int) (*p)) << (24-bits)); \ + bits+=8; \ + p++; \ + } \ ++ if (byte_count != 0x800) \ ++ { \ ++ (void) ThrowMagickException(&image->exception,GetMagickModule(), \ ++ CorruptImageWarning,"CorruptImage","`%s'",image->filename); \ ++ break; \ ++ } \ + } + + typedef struct PCDTable +@@ -148,17 +163,9 @@ static MagickBooleanType DecodeImage(Image *image,unsigned char *luma, + PCDTable + *pcd_table[3]; + +- ssize_t +- i, +- j; +- + PCDTable + *r; + +- unsigned char +- *p, +- *q; +- + size_t + bits, + length, +@@ -169,10 +176,15 @@ static MagickBooleanType DecodeImage(Image *image,unsigned char *luma, + + ssize_t + count, ++ i, ++ j, + quantum; + + unsigned char +- *buffer; ++ *buffer, ++ *p, ++ *q; ++ + + /* + Initialize Huffman tables. +@@ -502,19 +514,11 @@ static Image *ReadPCDImage(const ImageInfo *image_info,ExceptionInfo *exception) + MemoryInfo + *pixel_info; + +- ssize_t +- i, +- y; +- + PixelPacket + *q; + +- unsigned char +- *c1, +- *c2, +- *yy; +- + size_t ++ extent, + height, + number_images, + number_pixels, +@@ -524,13 +528,18 @@ static Image *ReadPCDImage(const ImageInfo *image_info,ExceptionInfo *exception) + + ssize_t + count, +- x; ++ i, ++ x, ++ y; + + unsigned char ++ *c1, ++ *c2, + *chroma1, + *chroma2, + *header, +- *luma; ++ *luma, ++ *yy; + + unsigned int + overview; +@@ -628,11 +637,15 @@ static Image *ReadPCDImage(const ImageInfo *image_info,ExceptionInfo *exception) + /* + Allocate luma and chroma memory. + */ +- pixel_info=AcquireVirtualMemory(image->columns+1UL,30*image->rows* +- sizeof(*luma)); ++ if (HeapOverflowSanityCheckGetSize(image->columns+1UL,image->rows,&extent) != MagickFalse) ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); ++ if (HeapOverflowSanityCheckGetSize(extent,10,&number_pixels) != MagickFalse) ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); ++ if (HeapOverflowSanityCheckGetSize(extent,30,&extent) != MagickFalse) ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); ++ pixel_info=AcquireVirtualMemory(extent,sizeof(*luma)); + if (pixel_info == (MemoryInfo *) NULL) + ThrowPCDException(ResourceLimitError,"MemoryAllocationFailed"); +- number_pixels=(image->columns+1UL)*10*image->rows*sizeof(*luma); + luma=(unsigned char *) GetVirtualMemoryBlob(pixel_info); + chroma1=(unsigned char *) GetVirtualMemoryBlob(pixel_info)+number_pixels; + chroma2=(unsigned char *) GetVirtualMemoryBlob(pixel_info)+2*number_pixels; diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25576_1.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25576_1.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25576_1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25576_1.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,683 @@ +From: Dirk Lemstra +Date: Sun, 25 Jan 2026 19:26:02 +0100 +Subject: No longer allow mutations on the first image of the list + (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-jv4p-gjwq-9r2j + +(cherry picked from commit 95db8ba0f445a798e823a86acdebe97de73de449) + +origin: https://github.com/ImageMagick/ImageMagick6/commit/95db8ba0f445a798e823a86acdebe97de73de449 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-jv4p-gjwq-9r2j +--- + coders/msl.c | 148 +++++++++++++++++++++++++++++------------------------------ + 1 file changed, 74 insertions(+), 74 deletions(-) + +diff --git a/coders/msl.c b/coders/msl.c +index 2610fe2..6a2f2a2 100644 +--- a/coders/msl.c ++++ b/coders/msl.c +@@ -697,7 +697,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Add noise image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -771,7 +771,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Annotate image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -1107,7 +1107,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + MagickBooleanType + stack; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -1171,7 +1171,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Blur image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -1266,7 +1266,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Border image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -1387,7 +1387,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Add noise image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -1451,7 +1451,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + double radius = 0.0, + sigma = 1.0; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -1526,7 +1526,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Chop image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -1633,7 +1633,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Color floodfill image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -1764,7 +1764,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Composite image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2106,7 +2106,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Contrast image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2159,7 +2159,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Crop image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2261,7 +2261,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Cycle-colormap image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2314,7 +2314,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Despeckle image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2340,7 +2340,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + } + if (LocaleCompare((const char *) tag,"display") == 0) + { +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2375,7 +2375,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Annotate image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2737,7 +2737,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Edge image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2804,7 +2804,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Emboss image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2883,7 +2883,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Enhance image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2912,7 +2912,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Equalize image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2946,7 +2946,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + { + if (LocaleCompare((const char *) tag, "flatten") == 0) + { +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2977,7 +2977,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Flip image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3009,7 +3009,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Flop image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3044,7 +3044,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Frame image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3195,7 +3195,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Gamma image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3313,7 +3313,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + } + else if (LocaleCompare((const char *) tag,"get") == 0) + { +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3442,7 +3442,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Implode image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3513,7 +3513,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + double + levelBlack = 0, levelGamma = 1, levelWhite = QuantumRange; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3590,7 +3590,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Magnify image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3628,7 +3628,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Map image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3714,7 +3714,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + Matte floodfill image. + */ + opacity=0.0; +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3840,7 +3840,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Median-filter image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3908,7 +3908,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Minify image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3942,7 +3942,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Modulate image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -4070,7 +4070,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Negate image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -4136,7 +4136,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Normalize image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -4192,7 +4192,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Oil-paint image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -4260,7 +4260,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Opaque image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -4364,7 +4364,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + } + if (LocaleCompare((const char *) tag, "profile") == 0) + { +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -4477,7 +4477,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Quantize image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -4954,7 +4954,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Raise image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -5091,7 +5091,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Reduce-noise image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -5159,7 +5159,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + x=msl_info->image[n]->page.x; + y=msl_info->image[n]->page.y; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -5286,7 +5286,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + x_resolution, + y_resolution; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -5406,7 +5406,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Resize image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -5514,7 +5514,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Roll image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -5593,7 +5593,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + height=msl_info->image[n]->rows; + x = y = 0; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -5675,7 +5675,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Rotate image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -5739,7 +5739,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* init the values */ + double degrees = 0; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -5804,7 +5804,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Sample image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -5881,7 +5881,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Scale image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -5961,7 +5961,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Segment image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6045,7 +6045,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + } + else if (LocaleCompare((const char *) tag, "set") == 0) + { +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined",(const char *) tag); + break; +@@ -6212,7 +6212,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Shade image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6303,7 +6303,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Shear image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6402,7 +6402,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + double radius = 0.0, + sigma = 1.0; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6474,7 +6474,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + width = height = 0; + x = y = 0; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6565,7 +6565,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Shear image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6654,7 +6654,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Signature image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6686,7 +6686,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Solarize image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6747,7 +6747,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Spread image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6811,7 +6811,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + Image * + watermark = (Image*) NULL; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6878,7 +6878,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + Image * + stereoImage = (Image*) NULL; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined",(const char *) tag); + break; +@@ -6944,7 +6944,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Strip image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6974,7 +6974,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + index, + swap_index; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -7039,7 +7039,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Swirl image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -7103,7 +7103,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Sync image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -7143,7 +7143,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Texture image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -7197,7 +7197,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* init the values */ + double threshold = 0; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined",(const char *) tag); + break; +@@ -7244,7 +7244,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + } + else if (LocaleCompare((const char *) tag, "transparent") == 0) + { +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined",(const char *) tag); + break; +@@ -7287,7 +7287,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + } + else if (LocaleCompare((const char *) tag, "trim") == 0) + { +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined",(const char *) tag); + break; +@@ -7321,7 +7321,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + { + if (LocaleCompare((const char *) tag,"write") == 0) + { +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -7410,7 +7410,7 @@ static void MSLEndElement(void *context,const xmlChar *tag) + { + if (LocaleCompare((const char *) tag,"comment") == 0 ) + { +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -7460,7 +7460,7 @@ static void MSLEndElement(void *context,const xmlChar *tag) + { + if (LocaleCompare((const char *) tag,"label") == 0 ) + { +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25576_2.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25576_2.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25576_2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25576_2.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,588 @@ +From: Dirk Lemstra +Date: Sun, 25 Jan 2026 19:32:52 +0100 +Subject: Fixed out of bounds read in multiple coders that read raw pixel data + (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-jv4p-gjwq-9r2j) + +(cherry picked from commit 44b3140f3414ebc02c5fa8b80551f7d33950a87a) + +origin: backport, https://github.com/ImageMagick/ImageMagick6/commit/44b3140f3414ebc02c5fa8b80551f7d33950a87a +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-jv4p-gjwq-9r2j +--- + coders/bgr.c | 22 ++++++++++++---------- + coders/cmyk.c | 26 ++++++++++++++------------ + coders/gray.c | 16 +++++++++------- + coders/raw.c | 4 +++- + coders/rgb.c | 22 ++++++++++++---------- + coders/ycbcr.c | 22 ++++++++++++---------- + 6 files changed, 62 insertions(+), 50 deletions(-) + +diff --git a/coders/bgr.c b/coders/bgr.c +index bc0c71f..4e4eb45 100644 +--- a/coders/bgr.c ++++ b/coders/bgr.c +@@ -127,6 +127,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info, + length; + + ssize_t ++ columns, + count, + y; + +@@ -204,6 +205,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info, + scene=0; + status=MagickTrue; + stream=NULL; ++ columns=(ssize_t) MagickMin(image->columns,canvas_image->columns); + do + { + /* +@@ -264,7 +266,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(q,GetPixelRed(p)); + SetPixelGreen(q,GetPixelGreen(p)); +@@ -347,7 +349,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + switch (quantum_type) + { +@@ -443,7 +445,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(q,GetPixelRed(p)); + p++; +@@ -496,7 +498,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelGreen(q,GetPixelGreen(p)); + p++; +@@ -549,7 +551,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelBlue(q,GetPixelBlue(p)); + p++; +@@ -610,7 +612,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelOpacity(q,GetPixelOpacity(p)); + p++; +@@ -702,7 +704,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(q,GetPixelRed(p)); + p++; +@@ -774,7 +776,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelGreen(q,GetPixelGreen(p)); + p++; +@@ -846,7 +848,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelBlue(q,GetPixelBlue(p)); + p++; +@@ -924,7 +926,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelOpacity(q,GetPixelOpacity(p)); + p++; +diff --git a/coders/cmyk.c b/coders/cmyk.c +index f35bff9..8ef7da6 100644 +--- a/coders/cmyk.c ++++ b/coders/cmyk.c +@@ -126,6 +126,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + length; + + ssize_t ++ columns, + count, + y; + +@@ -205,6 +206,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + scene=0; + status=MagickTrue; + stream=NULL; ++ columns=(ssize_t) MagickMin(image->columns,canvas_image->columns); + do + { + /* +@@ -275,7 +277,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + break; + canvas_indexes=GetVirtualIndexQueue(canvas_image); + indexes=GetAuthenticIndexQueue(image); +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(q,GetPixelRed(p)); + SetPixelGreen(q,GetPixelGreen(p)); +@@ -369,7 +371,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + break; + canvas_indexes=GetVirtualIndexQueue(canvas_image); + indexes=GetAuthenticIndexQueue(image); +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + switch (quantum_type) + { +@@ -466,7 +468,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(q,GetPixelRed(p)); + p++; +@@ -519,7 +521,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelGreen(q,GetPixelGreen(p)); + p++; +@@ -571,7 +573,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelBlue(q,GetPixelBlue(p)); + p++; +@@ -632,7 +634,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + break; + canvas_indexes=GetVirtualIndexQueue(canvas_image); + indexes=GetAuthenticIndexQueue(image); +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelIndex(indexes+x,GetPixelIndex( + canvas_indexes+image->extract_info.x+x)); +@@ -689,7 +691,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelOpacity(q,GetPixelOpacity(p)); + p++; +@@ -781,7 +783,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(q,GetPixelRed(p)); + p++; +@@ -853,7 +855,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelGreen(q,GetPixelGreen(p)); + p++; +@@ -925,7 +927,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelBlue(q,GetPixelBlue(p)); + p++; +@@ -1005,7 +1007,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + break; + canvas_indexes=GetVirtualIndexQueue(canvas_image); + indexes=GetAuthenticIndexQueue(image); +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelIndex(indexes+x,GetPixelIndex( + canvas_indexes+image->extract_info.x+x)); +@@ -1080,7 +1082,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelOpacity(q,GetPixelOpacity(p)); + p++; +diff --git a/coders/gray.c b/coders/gray.c +index a24cd80..7c28916 100644 +--- a/coders/gray.c ++++ b/coders/gray.c +@@ -126,6 +126,7 @@ static Image *ReadGRAYImage(const ImageInfo *image_info, + length; + + ssize_t ++ columns, + count, + y; + +@@ -199,6 +200,7 @@ static Image *ReadGRAYImage(const ImageInfo *image_info, + scene=0; + status=MagickTrue; + stream=NULL; ++ columns=(ssize_t) MagickMin(image->columns,canvas_image->columns); + do + { + /* +@@ -259,7 +261,7 @@ static Image *ReadGRAYImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(q,GetPixelRed(p)); + SetPixelGreen(q,GetPixelGreen(p)); +@@ -340,7 +342,7 @@ static Image *ReadGRAYImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + switch (quantum_type) + { +@@ -421,7 +423,7 @@ static Image *ReadGRAYImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelGray(q,GetPixelGray(p)); + p++; +@@ -474,7 +476,7 @@ static Image *ReadGRAYImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelGreen(q,GetPixelGreen(p)); + p++; +@@ -530,7 +532,7 @@ static Image *ReadGRAYImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelOpacity(q,GetPixelOpacity(p)); + p++; +@@ -622,7 +624,7 @@ static Image *ReadGRAYImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelGray(q,GetPixelGray(p)); + p++; +@@ -697,7 +699,7 @@ static Image *ReadGRAYImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelAlpha(q,GetPixelAlpha(p)); + p++; +diff --git a/coders/raw.c b/coders/raw.c +index d51b918..5125076 100644 +--- a/coders/raw.c ++++ b/coders/raw.c +@@ -118,6 +118,7 @@ static Image *ReadRAWImage(const ImageInfo *image_info,ExceptionInfo *exception) + length; + + ssize_t ++ columns, + count, + y; + +@@ -188,6 +189,7 @@ static Image *ReadRAWImage(const ImageInfo *image_info,ExceptionInfo *exception) + length=0; + status=MagickTrue; + stream=NULL; ++ columns=(ssize_t) MagickMin(image->columns,canvas_image->columns); + do + { + /* +@@ -240,7 +242,7 @@ static Image *ReadRAWImage(const ImageInfo *image_info,ExceptionInfo *exception) + 1,exception); + if ((p == (const PixelPacket *) NULL) || (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(q,GetPixelRed(p)); + SetPixelGreen(q,GetPixelGreen(p)); +diff --git a/coders/rgb.c b/coders/rgb.c +index 8151ec5..650b875 100644 +--- a/coders/rgb.c ++++ b/coders/rgb.c +@@ -126,6 +126,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + length; + + ssize_t ++ columns, + count, + y; + +@@ -203,6 +204,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + scene=0; + status=MagickTrue; + stream=NULL; ++ columns=(ssize_t) MagickMin(image->columns,canvas_image->columns); + do + { + /* +@@ -263,7 +265,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(q,GetPixelRed(p)); + SetPixelGreen(q,GetPixelGreen(p)); +@@ -348,7 +350,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + switch (quantum_type) + { +@@ -448,7 +450,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(q,GetPixelRed(p)); + p++; +@@ -501,7 +503,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelGreen(q,GetPixelGreen(p)); + p++; +@@ -554,7 +556,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelBlue(q,GetPixelBlue(p)); + p++; +@@ -616,7 +618,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelOpacity(q,GetPixelOpacity(p)); + p++; +@@ -708,7 +710,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(q,GetPixelRed(p)); + p++; +@@ -780,7 +782,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelGreen(q,GetPixelGreen(p)); + p++; +@@ -852,7 +854,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelBlue(q,GetPixelBlue(p)); + p++; +@@ -926,7 +928,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelOpacity(q,GetPixelOpacity(p)); + p++; +diff --git a/coders/ycbcr.c b/coders/ycbcr.c +index 0bf3743..8bd59aa 100644 +--- a/coders/ycbcr.c ++++ b/coders/ycbcr.c +@@ -126,6 +126,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + length; + + ssize_t ++ columns, + count, + y; + +@@ -205,6 +206,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + scene=0; + status=MagickTrue; + stream=NULL; ++ columns=(ssize_t) MagickMin(image->columns,canvas_image->columns); + do + { + /* +@@ -269,7 +271,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(q,GetPixelRed(p)); + SetPixelGreen(q,GetPixelGreen(p)); +@@ -351,7 +353,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + switch (quantum_type) + { +@@ -442,7 +444,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(q,GetPixelRed(p)); + p++; +@@ -495,7 +497,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelGreen(q,GetPixelGreen(p)); + p++; +@@ -548,7 +550,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelBlue(q,GetPixelBlue(p)); + p++; +@@ -604,7 +606,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelOpacity(q,GetPixelOpacity(p)); + p++; +@@ -696,7 +698,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(q,GetPixelRed(p)); + p++; +@@ -768,7 +770,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelGreen(q,GetPixelGreen(p)); + p++; +@@ -840,7 +842,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelBlue(q,GetPixelBlue(p)); + p++; +@@ -914,7 +916,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + if ((p == (const PixelPacket *) NULL) || + (q == (PixelPacket *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelOpacity(q,GetPixelOpacity(p)); + p++; diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25638.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25638.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25638.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25638.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,35 @@ +From: Cristy +Date: Tue, 10 Feb 2026 06:55:53 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xxw5-m53x-j38c#advisory-comment-159495 + +(cherry picked from commit c5b4a1c6ff347f66346cbec499f3e881da21faf3) + +origin: https://github.com/ImageMagick/ImageMagick6/commit/c5b4a1c6ff347f66346cbec499f3e881da21faf3 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gxcx-qjqp-8vjw +--- + coders/msl.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/coders/msl.c b/coders/msl.c +index 6a2f2a2..f28e97e 100644 +--- a/coders/msl.c ++++ b/coders/msl.c +@@ -7840,7 +7840,8 @@ static MagickBooleanType ProcessMSLScript(const ImageInfo *image_info, + /* the first slot is used to point to the MSL file image */ + *msl_info.image=msl_image; + if (*image != (Image *) NULL) +- MSLPushImage(&msl_info,*image); ++ MSLPushImage(&msl_info,CloneImage(*image,0,0,MagickTrue,exception)); ++ *image=(Image *) NULL; + xmlInitParser(); + (void) xmlSubstituteEntitiesDefault(1); + (void) memset(&sax_modules,0,sizeof(sax_modules)); +@@ -8338,6 +8339,7 @@ static MagickBooleanType WriteMSLImage(const ImageInfo *image_info,Image *image) + (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename); + msl_image=CloneImage(image,0,0,MagickTrue,&image->exception); + status=ProcessMSLScript(image_info,&msl_image,&image->exception); ++ msl_image=DestroyImage(msl_image); + return(status); + } + #endif diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25795.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25795.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25795.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25795.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,28 @@ +From: Dirk Lemstra +Date: Fri, 6 Feb 2026 21:16:06 +0100 +Subject: Fixed NULL pointer dereference in ReadSFWImage + (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p33r-fqw2-rqmm) + +(cherry picked from commit b2b4f0107ba3a4427f1b5ded803c1d2cc77f2a89) + +origin: https://github.com/ImageMagick/ImageMagick6/commit/b2b4f0107ba3a4427f1b5ded803c1d2cc77f2a89 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p33r-fqw2-rqmm +--- + coders/sfw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/coders/sfw.c b/coders/sfw.c +index 2e1222e..8070df3 100644 +--- a/coders/sfw.c ++++ b/coders/sfw.c +@@ -318,9 +318,9 @@ static Image *ReadSFWImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((unique_file == -1) || (file == (FILE *) NULL)) + { + buffer=(unsigned char *) RelinquishMagickMemory(buffer); +- read_info=DestroyImageInfo(read_info); + (void) CopyMagickString(image->filename,read_info->filename, + MaxTextExtent); ++ read_info=DestroyImageInfo(read_info); + ThrowFileException(exception,FileOpenError,"UnableToCreateTemporaryFile", + image->filename); + image=DestroyImageList(image); diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25796.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25796.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25796.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25796.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,39 @@ +From: Dirk Lemstra +Date: Fri, 6 Feb 2026 21:10:51 +0100 +Subject: Prevent memory leak in early exits + (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-g2pr-qxjg-7r2w) + +(cherry picked from commit 29aeed740553ed4e5c544e101ac468be55a919ff) + +origin: https://github.com/ImageMagick/ImageMagick6/commit/29aeed740553ed4e5c544e101ac468be55a919ff +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-g2pr-qxjg-7r2w +--- + coders/stegano.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/coders/stegano.c b/coders/stegano.c +index ab116e8..f92fb5a 100644 +--- a/coders/stegano.c ++++ b/coders/stegano.c +@@ -153,15 +153,20 @@ static Image *ReadSTEGANOImage(const ImageInfo *image_info, + return(DestroyImageList(image)); + watermark->depth=MAGICKCORE_QUANTUM_DEPTH; + if (AcquireImageColormap(image,MaxColormapSize) == MagickFalse) +- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); ++ { ++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); ++ watermark=DestroyImage(watermark); ++ } + if (image_info->ping != MagickFalse) + { ++ watermark=DestroyImage(watermark); + (void) CloseBlob(image); + return(GetFirstImageInList(image)); + } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { ++ watermark=DestroyImage(watermark); + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25797_1_post.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25797_1_post.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25797_1_post.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25797_1_post.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,52 @@ +From: Cristy +Date: Thu, 29 Jan 2026 22:04:53 -0500 +Subject: fix compiler exception + +(cherry picked from commit 963cd0771923f4aabfe9047eab0752d88829bcdd) + +origin: https://github.com/ImageMagick/ImageMagick6/commit/b4c37614b6da7695cb4f5b3c6e326a37bdf2b1a9 +--- + coders/ps.c | 2 +- + coders/ps2.c | 2 +- + coders/ps3.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/coders/ps.c b/coders/ps.c +index c42198d..57e637e 100644 +--- a/coders/ps.c ++++ b/coders/ps.c +@@ -1116,7 +1116,7 @@ static void inline FilenameToTitle(const char *filename,char *title, + */ + if (offset == 0) + { +- (void) strncpy(title,"Untitled",extent-1); ++ (void) CopyMagickString(title,"Untitled",extent-1); + title[extent-1]='\0'; + } + } +diff --git a/coders/ps2.c b/coders/ps2.c +index 3fac7e1..c2ec519 100644 +--- a/coders/ps2.c ++++ b/coders/ps2.c +@@ -258,7 +258,7 @@ static void inline FilenameToTitle(const char *filename,char *title, + */ + if (offset == 0) + { +- (void) strncpy(title,"Untitled",extent-1); ++ (void) CopyMagickString(title,"Untitled",extent-1); + title[extent-1]='\0'; + } + } +diff --git a/coders/ps3.c b/coders/ps3.c +index 1283e71..49dd102 100644 +--- a/coders/ps3.c ++++ b/coders/ps3.c +@@ -273,7 +273,7 @@ static void inline FilenameToTitle(const char *filename,char *title, + */ + if (offset == 0) + { +- (void) strncpy(title,"Untitled",extent-1); ++ (void) CopyMagickString(title,"Untitled",extent-1); + title[extent-1]='\0'; + } + } diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25797_2.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25797_2.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25797_2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25797_2.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,153 @@ +From: Dirk Lemstra +Date: Fri, 20 Feb 2026 14:08:23 +0100 +Subject: Properly escape the strings that are written as raw html + (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-rw6c-xp26-225v) + +(cherry picked from commit 7284564901441ddb04dadaad306e9f0fb527d71f) + +origin: backport, https://github.com/ImageMagick/ImageMagick6/commit/7284564901441ddb04dadaad306e9f0fb527d71f +--- + coders/html.c | 81 +++++++++++++++++++++++++++++++++++++++++------------------ + 1 file changed, 56 insertions(+), 25 deletions(-) + +diff --git a/coders/html.c b/coders/html.c +index f435fdd..eeb43b7 100644 +--- a/coders/html.c ++++ b/coders/html.c +@@ -208,6 +208,38 @@ ModuleExport void UnregisterHTMLImage(void) + % + % + */ ++ ++static void WriteHtmlEncodedString(Image *image,const char* value) ++{ ++ char ++ *encoded_value; ++ ++ encoded_value=AcquireString(value); ++ (void) SubstituteString(&encoded_value,"<","<"); ++ (void) SubstituteString(&encoded_value,">",">"); ++ (void) SubstituteString(&encoded_value,"&","&"); ++ (void) SubstituteString(&encoded_value,"\"","""); ++ (void) SubstituteString(&encoded_value,"'","'"); ++ WriteBlobString(image,encoded_value); ++ encoded_value=DestroyString(encoded_value); ++} ++ ++static ssize_t WriteURLComponent(Image *image,const int c) ++{ ++ char ++ encoding[MagickPathExtent], ++ html5; ++ ++ html5=isalnum(c) != 0 || (c == '-') || (c == '_') || (c == '.') || ++ (c == '!') || (c == '~') || (c == '*') || (c == '\'') || (c == '(') || ++ (c == ')') ? c : 0; ++ if (html5 != 0) ++ (void) FormatLocaleString(encoding,MagickPathExtent,"%c",html5); ++ else ++ (void) FormatLocaleString(encoding,MagickPathExtent,"%%%02X",c); ++ return(WriteBlobString(image,encoding)); ++} ++ + static MagickBooleanType WriteHTMLImage(const ImageInfo *image_info, + Image *image) + { +@@ -301,29 +333,29 @@ static MagickBooleanType WriteHTMLImage(const ImageInfo *image_info, + "\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n"); + (void) WriteBlobString(image,"\n"); + (void) WriteBlobString(image,"\n"); ++ (void) WriteBlobString(image,""); + value=GetImageProperty(image,"label"); + if (value != (const char *) NULL) +- (void) FormatLocaleString(buffer,MaxTextExtent,"<title>%s\n", +- value); ++ WriteHtmlEncodedString(image,value); + else + { + GetPathComponent(filename,BasePath,basename); +- (void) FormatLocaleString(buffer,MaxTextExtent, +- "%s\n",basename); ++ WriteHtmlEncodedString(image,basename); + } +- (void) WriteBlobString(image,buffer); ++ (void) WriteBlobString(image,"\n"); + (void) WriteBlobString(image,"\n"); + (void) WriteBlobString(image,"\n"); +- (void) FormatLocaleString(buffer,MaxTextExtent,"

%s

\n", +- image->filename); +- (void) WriteBlobString(image,buffer); ++ (void) WriteBlobString(image,"

"); ++ WriteHtmlEncodedString(image,image->filename); ++ (void) WriteBlobString(image,"

"); + (void) WriteBlobString(image,"
\n"); + (void) CopyMagickString(filename,image->filename,MaxTextExtent); + AppendImageFormat("png",filename); +- (void) FormatLocaleString(buffer,MaxTextExtent,"\"Image\n",mapname, +- filename); +- (void) WriteBlobString(image,buffer); ++ (void) WriteBlobString(image,"\"Image\n"); + /* + Determine the size and location of each image tile. + */ +@@ -333,17 +365,18 @@ static MagickBooleanType WriteHTMLImage(const ImageInfo *image_info, + /* + Write an image map. + */ +- (void) FormatLocaleString(buffer,MaxTextExtent, +- "\n",mapname,mapname); +- (void) WriteBlobString(image,buffer); +- (void) FormatLocaleString(buffer,MaxTextExtent," \ndirectory == (char *) NULL) + { ++ WriteHtmlEncodedString(image,image->filename); + (void) FormatLocaleString(buffer,MaxTextExtent, +- "%s\" shape=\"rect\" coords=\"0,0,%.20g,%.20g\" alt=\"\" />\n", +- image->filename,(double) geometry.width-1,(double) geometry.height- +- 1); ++ "\" shape=\"rect\" coords=\"0,0,%.20g,%.20g\" alt=\"\" />\n", ++ (double) geometry.width-1,(double) geometry.height-1); + (void) WriteBlobString(image,buffer); + } + else +@@ -359,9 +392,9 @@ static MagickBooleanType WriteHTMLImage(const ImageInfo *image_info, + (void) WriteBlobString(image,buffer); + if (*(p+1) != '\0') + { +- (void) FormatLocaleString(buffer,MaxTextExtent, +- " = (ssize_t) image->columns) +@@ -371,7 +404,6 @@ static MagickBooleanType WriteHTMLImage(const ImageInfo *image_info, + } + } + (void) WriteBlobString(image,"\n"); +- (void) CopyMagickString(filename,image->filename,MaxTextExtent); + (void) WriteBlobString(image,"
\n"); + (void) WriteBlobString(image,"\n"); + (void) WriteBlobString(image,"\n"); +@@ -379,7 +411,6 @@ static MagickBooleanType WriteHTMLImage(const ImageInfo *image_info, + /* + Write the image as PNG. + */ +- (void) CopyMagickString(image->filename,filename,MaxTextExtent); + AppendImageFormat("png",image->filename); + next=GetNextImageInList(image); + image->next=NewImageList(); diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25797_CVE-2026-25965.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25797_CVE-2026-25965.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25797_CVE-2026-25965.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25797_CVE-2026-25965.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,732 @@ +From: Cristy +Date: Thu, 29 Jan 2026 20:42:21 -0500 +Subject: jumbo security patch: addresses memory leak, stack overflow, + out-of-bounds, integer overflow, OOB read + +Fix CVE-2026-25965 and CVE-2026-25797 + +(cherry picked from commit b4c37614b6da7695cb4f5b3c6e326a37bdf2b1a9) + +origin: https://github.com/ImageMagick/ImageMagick6/commit/b4c37614b6da7695cb4f5b3c6e326a37bdf2b1a9 +--- + coders/dcm.c | 16 ++++++- + coders/msl.c | 24 +++++++--- + coders/ps.c | 82 +++++++++++++++++++++++++++++++- + coders/ps2.c | 82 +++++++++++++++++++++++++++++++- + coders/ps3.c | 83 ++++++++++++++++++++++++++++++++- + magick/module.c | 11 +++-- + magick/policy.c | 40 ++++++++++------ + magick/utility-private.h | 119 +++++++++++++++++++++++++++++++++++++++++++++++ + magick/utility.c | 28 +++++++---- + 9 files changed, 445 insertions(+), 40 deletions(-) + +diff --git a/coders/dcm.c b/coders/dcm.c +index 439aa1a..6c6da95 100644 +--- a/coders/dcm.c ++++ b/coders/dcm.c +@@ -2704,6 +2704,7 @@ typedef struct _DCMInfo + + size_t + bits_allocated, ++ bits_per_entry, + bytes_per_pixel, + depth, + mask, +@@ -3136,6 +3137,7 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception) + */ + (void) CopyMagickString(photometric,"MONOCHROME1 ",MaxTextExtent); + info.bits_allocated=8; ++ info.bits_per_entry=1; + info.bytes_per_pixel=1; + info.depth=8; + info.mask=0xffff; +@@ -3667,7 +3669,7 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception) + else + index=(unsigned short) (*p | (*(p+1) << 8)); + redmap[i]=(int) index; +- p+=2; ++ p+=(ptrdiff_t) info.bits_per_entry; + } + break; + } +@@ -3699,7 +3701,7 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception) + else + index=(unsigned short) (*p | (*(p+1) << 8)); + greenmap[i]=(int) index; +- p+=2; ++ p+=(ptrdiff_t) info.bits_per_entry; + } + break; + } +@@ -3735,6 +3737,16 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception) + } + break; + } ++ case 0x3002: ++ { ++ /* ++ Bytes per entry. ++ */ ++ info.bits_per_entry=(size_t) datum; ++ if ((info.bits_per_entry == 0) || (info.bits_per_entry > 2)) ++ ThrowDCMException(CorruptImageError,"ImproperImageHeader") ++ break; ++ } + default: + break; + } +diff --git a/coders/msl.c b/coders/msl.c +index f28e97e..ed89da4 100644 +--- a/coders/msl.c ++++ b/coders/msl.c +@@ -5058,17 +5058,25 @@ static void MSLStartElement(void *context,const xmlChar *tag, + if (LocaleCompare(keyword,"filename") == 0) + { + Image +- *image; ++ *next = (Image *) NULL; + + if (value == (char *) NULL) + break; ++ *msl_info->image_info[n]->magick='\0'; + (void) CopyMagickString(msl_info->image_info[n]->filename, +- value,MaxTextExtent); +- image=ReadImage(msl_info->image_info[n],exception); ++ value,MagickPathExtent); ++ (void) SetImageInfo(msl_info->image_info[n],1,exception); ++ if (LocaleCompare(msl_info->image_info[n]->magick,"msl") != 0) ++ next=ReadImage(msl_info->image_info[n],exception); ++ else ++ (void) ThrowMagickException(msl_info->exception, ++ GetMagickModule(),DrawError, ++ "VectorGraphicsNestedTooDeeply","`%s'", ++ msl_info->image_info[n]->filename); + CatchException(exception); +- if (image == (Image *) NULL) ++ if (next == (Image *) NULL) + continue; +- AppendImageToList(&msl_info->image[n],image); ++ AppendImageToList(&msl_info->image[n],next); + break; + } + (void) SetMSLAttributes(msl_info,keyword,value); +@@ -6140,10 +6148,11 @@ static void MSLStartElement(void *context,const xmlChar *tag, + Quantum opac = OpaqueOpacity; + ssize_t len = (ssize_t) strlen( value ); + +- if (value[len-1] == '%') { +- char tmp[100]; ++ if ((len > 0) && (value[len-1] == '%')) { ++ char *tmp = AcquireString(value); + (void) CopyMagickString(tmp,value,len); + opac = StringToLong( tmp ); ++ tmp=DestroyString(tmp); + opac = (int)(QuantumRange * ((float)opac/100)); + } else + opac = StringToLong( value ); +@@ -7359,6 +7368,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + + /* process */ + { ++ *msl_info->image_info[n]->magick='\0'; + (void) CopyMagickString(msl_info->image_info[n]->filename, + msl_info->image[n]->filename,MagickPathExtent); + (void) SetImageInfo(msl_info->image_info[n],1,exception); +diff --git a/coders/ps.c b/coders/ps.c +index af81bbb..c42198d 100644 +--- a/coders/ps.c ++++ b/coders/ps.c +@@ -1045,6 +1045,82 @@ ModuleExport void UnregisterPSImage(void) + % + */ + ++static void inline FilenameToTitle(const char *filename,char *title, ++ const size_t extent) ++{ ++ int ++ depth = 0; ++ ++ ssize_t ++ i, ++ offset = 0; ++ ++ if (extent == 0) ++ return; ++ for (i=0; (filename[i] != '\0') && ((offset+1) < extent); i++) ++ { ++ unsigned char ++ c = filename[i]; ++ ++ /* ++ Only allow printable ASCII. ++ */ ++ if ((c < 32) || (c > 126)) ++ { ++ title[offset++]='_'; ++ continue; ++ } ++ /* ++ Percent signs break DSC parsing. ++ */ ++ if (c == '%') ++ { ++ title[offset++]='_'; ++ continue; ++ } ++ /* ++ Parentheses must remain balanced. ++ */ ++ if (c == '(') ++ { ++ depth++; ++ title[offset++] = '('; ++ continue; ++ } ++ if (c == ')') ++ { ++ if (depth <= 0) ++ title[offset++]='_'; ++ else ++ { ++ depth--; ++ title[offset++]=')'; ++ } ++ continue; ++ } ++ /* ++ Everything else is allowed. ++ */ ++ title[offset++]=c; ++ } ++ /* ++ If parentheses remain unbalanced, close them. ++ */ ++ while ((depth > 0) && ((offset+1) < extent)) { ++ title[offset++]=')'; ++ depth--; ++ } ++ title[offset]='\0'; ++ /* ++ Ensure non-empty result. ++ */ ++ if (offset == 0) ++ { ++ (void) strncpy(title,"Untitled",extent-1); ++ title[extent-1]='\0'; ++ } ++} ++ + static inline unsigned char *PopHexPixel(const char hex_digits[][3], + const size_t pixel,unsigned char *pixels) + { +@@ -1522,6 +1598,9 @@ static MagickBooleanType WritePSImage(const ImageInfo *image_info,Image *image) + text_size=(size_t) (MultilineCensus(value)*pointsize+12); + if (page == 1) + { ++ char ++ title[MagickPathExtent]; ++ + /* + Output Postscript header. + */ +@@ -1532,8 +1611,9 @@ static MagickBooleanType WritePSImage(const ImageInfo *image_info,Image *image) + MaxTextExtent); + (void) WriteBlobString(image,buffer); + (void) WriteBlobString(image,"%%Creator: (ImageMagick)\n"); ++ FilenameToTitle(image->filename,title,MagickPathExtent); + (void) FormatLocaleString(buffer,MaxTextExtent,"%%%%Title: (%s)\n", +- image->filename); ++ title); + (void) WriteBlobString(image,buffer); + timer=GetMagickTime(); + (void) FormatMagickTime(timer,MaxTextExtent,date); +diff --git a/coders/ps2.c b/coders/ps2.c +index 3e102dc..3fac7e1 100644 +--- a/coders/ps2.c ++++ b/coders/ps2.c +@@ -187,6 +187,82 @@ ModuleExport void UnregisterPS2Image(void) + % + */ + ++static void inline FilenameToTitle(const char *filename,char *title, ++ const size_t extent) ++{ ++ int ++ depth = 0; ++ ++ ssize_t ++ i, ++ offset = 0; ++ ++ if (extent == 0) ++ return; ++ for (i=0; (filename[i] != '\0') && ((offset+1) < extent); i++) ++ { ++ unsigned char ++ c = filename[i]; ++ ++ /* ++ Only allow printable ASCII. ++ */ ++ if ((c < 32) || (c > 126)) ++ { ++ title[offset++]='_'; ++ continue; ++ } ++ /* ++ Percent signs break DSC parsing. ++ */ ++ if (c == '%') ++ { ++ title[offset++]='_'; ++ continue; ++ } ++ /* ++ Parentheses must remain balanced. ++ */ ++ if (c == '(') ++ { ++ depth++; ++ title[offset++] = '('; ++ continue; ++ } ++ if (c == ')') ++ { ++ if (depth <= 0) ++ title[offset++]='_'; ++ else ++ { ++ depth--; ++ title[offset++]=')'; ++ } ++ continue; ++ } ++ /* ++ Everything else is allowed. ++ */ ++ title[offset++]=c; ++ } ++ /* ++ If parentheses remain unbalanced, close them. ++ */ ++ while ((depth > 0) && ((offset+1) < extent)) { ++ title[offset++]=')'; ++ depth--; ++ } ++ title[offset]='\0'; ++ /* ++ Ensure non-empty result. ++ */ ++ if (offset == 0) ++ { ++ (void) strncpy(title,"Untitled",extent-1); ++ title[extent-1]='\0'; ++ } ++} ++ + static MagickBooleanType Huffman2DEncodeImage(const ImageInfo *image_info, + Image *image,Image *inject_image) + { +@@ -553,6 +629,9 @@ static MagickBooleanType WritePS2Image(const ImageInfo *image_info,Image *image) + text_size=(size_t) (MultilineCensus(value)*pointsize+12); + if (page == 1) + { ++ char ++ title[MagickPathExtent]; ++ + /* + Output Postscript header. + */ +@@ -563,8 +642,9 @@ static MagickBooleanType WritePS2Image(const ImageInfo *image_info,Image *image) + MaxTextExtent); + (void) WriteBlobString(image,buffer); + (void) WriteBlobString(image,"%%Creator: (ImageMagick)\n"); ++ FilenameToTitle(image->filename,title,MagickPathExtent); + (void) FormatLocaleString(buffer,MaxTextExtent,"%%%%Title: (%s)\n", +- image->filename); ++ title); + (void) WriteBlobString(image,buffer); + timer=GetMagickTime(); + (void) FormatMagickTime(timer,MaxTextExtent,date); +diff --git a/coders/ps3.c b/coders/ps3.c +index 192a19d..1283e71 100644 +--- a/coders/ps3.c ++++ b/coders/ps3.c +@@ -202,6 +202,82 @@ ModuleExport void UnregisterPS3Image(void) + % + */ + ++static void inline FilenameToTitle(const char *filename,char *title, ++ const size_t extent) ++{ ++ int ++ depth = 0; ++ ++ ssize_t ++ i, ++ offset = 0; ++ ++ if (extent == 0) ++ return; ++ for (i=0; (filename[i] != '\0') && ((offset+1) < extent); i++) ++ { ++ unsigned char ++ c = filename[i]; ++ ++ /* ++ Only allow printable ASCII. ++ */ ++ if ((c < 32) || (c > 126)) ++ { ++ title[offset++]='_'; ++ continue; ++ } ++ /* ++ Percent signs break DSC parsing. ++ */ ++ if (c == '%') ++ { ++ title[offset++]='_'; ++ continue; ++ } ++ /* ++ Parentheses must remain balanced. ++ */ ++ if (c == '(') ++ { ++ depth++; ++ title[offset++] = '('; ++ continue; ++ } ++ if (c == ')') ++ { ++ if (depth <= 0) ++ title[offset++]='_'; ++ else ++ { ++ depth--; ++ title[offset++]=')'; ++ } ++ continue; ++ } ++ /* ++ Everything else is allowed. ++ */ ++ title[offset++]=c; ++ } ++ /* ++ If parentheses remain unbalanced, close them. ++ */ ++ while ((depth > 0) && ((offset+1) < extent)) { ++ title[offset++]=')'; ++ depth--; ++ } ++ title[offset]='\0'; ++ /* ++ Ensure non-empty result. ++ */ ++ if (offset == 0) ++ { ++ (void) strncpy(title,"Untitled",extent-1); ++ title[extent-1]='\0'; ++ } ++} ++ + static MagickBooleanType Huffman2DEncodeImage(const ImageInfo *image_info, + Image *image,Image *inject_image) + { +@@ -1001,6 +1077,9 @@ static MagickBooleanType WritePS3Image(const ImageInfo *image_info,Image *image) + page++; + if (page == 1) + { ++ char ++ title[MagickPathExtent]; ++ + /* + Postscript header on the first page. + */ +@@ -1013,8 +1092,8 @@ static MagickBooleanType WritePS3Image(const ImageInfo *image_info,Image *image) + (void) FormatLocaleString(buffer,MaxTextExtent, + "%%%%Creator: ImageMagick %s\n",MagickLibVersionText); + (void) WriteBlobString(image,buffer); +- (void) FormatLocaleString(buffer,MaxTextExtent,"%%%%Title: %s\n", +- image->filename); ++ FilenameToTitle(image->filename,title,MagickPathExtent); ++ (void) FormatLocaleString(buffer,MaxTextExtent,"%%%%Title: %s\n",title); + (void) WriteBlobString(image,buffer); + timer=GetMagickTime(); + (void) FormatMagickTime(timer,MaxTextExtent,date); +diff --git a/magick/module.c b/magick/module.c +index e760395..8cdf1c1 100644 +--- a/magick/module.c ++++ b/magick/module.c +@@ -580,15 +580,16 @@ static MagickBooleanType GetMagickModulePath(const char *filename, + if ((q >= path) && (*q != *DirectorySeparator)) + (void) ConcatenateMagickString(path,DirectorySeparator,MaxTextExtent); + (void) ConcatenateMagickString(path,filename,MaxTextExtent); +-#if defined(MAGICKCORE_HAVE_REALPATH) + { + char +- resolved_path[PATH_MAX+1]; ++ *real_path = realpath_utf8(path); + +- if (realpath(path,resolved_path) != (char *) NULL) +- (void) CopyMagickString(path,resolved_path,MaxTextExtent); ++ if (real_path != (char *) NULL) ++ { ++ (void) CopyMagickString(path,real_path,MagickPathExtent); ++ real_path=DestroyString(real_path); ++ } + } +-#endif + if (IsPathAccessible(path) != MagickFalse) + { + module_path=DestroyString(module_path); +diff --git a/magick/policy.c b/magick/policy.c +index b0cafd2..d4251a5 100644 +--- a/magick/policy.c ++++ b/magick/policy.c +@@ -57,6 +57,7 @@ + #include "magick/string_.h" + #include "magick/token.h" + #include "magick/utility.h" ++#include "magick/utility-private.h" + #include "magick/xml-tree.h" + #include "magick/xml-tree-private.h" + +@@ -444,8 +445,8 @@ static char *AcquirePolicyString(const char *source,const size_t pad) + if (source != (char *) NULL) + length+=strlen(source); + destination=(char *) NULL; +- if (~length >= pad) +- destination=(char *) AcquireQuantumMemory(length+pad,sizeof(*destination)); ++ if (~length >= pad) ++ destination=(char *) AcquireMagickMemory((length+pad)*sizeof(*destination)); + if (destination == (char *) NULL) + ThrowFatalException(ResourceLimitFatalError,"UnableToAcquireString"); + if (source != (char *) NULL) +@@ -640,18 +641,31 @@ MagickExport MagickBooleanType IsRightsAuthorized(const PolicyDomain domain, + p=(PolicyInfo *) GetNextValueInLinkedList(policy_cache); + while (p != (PolicyInfo *) NULL) + { +- if ((p->domain == domain) && +- (GlobExpression(pattern,p->pattern,MagickFalse) != MagickFalse)) ++ char ++ *real_pattern = (char *) pattern; ++ ++ if (p->domain == domain) + { +- if ((rights & ReadPolicyRights) != 0) +- authorized=(p->rights & ReadPolicyRights) != 0 ? MagickTrue : +- MagickFalse; +- if ((rights & WritePolicyRights) != 0) +- authorized=(p->rights & WritePolicyRights) != 0 ? MagickTrue : +- MagickFalse; +- if ((rights & ExecutePolicyRights) != 0) +- authorized=(p->rights & ExecutePolicyRights) != 0 ? MagickTrue : +- MagickFalse; ++ if (p->domain == PathPolicyDomain) ++ { ++ real_pattern=realpath_utf8(pattern); ++ if (real_pattern == (char *) NULL) ++ real_pattern=AcquireString(pattern); ++ } ++ if (GlobExpression(real_pattern,p->pattern,MagickFalse) != MagickFalse) ++ { ++ if ((rights & ReadPolicyRights) != 0) ++ authorized=(p->rights & ReadPolicyRights) != 0 ? MagickTrue : ++ MagickFalse; ++ if ((rights & WritePolicyRights) != 0) ++ authorized=(p->rights & WritePolicyRights) != 0 ? MagickTrue : ++ MagickFalse; ++ if ((rights & ExecutePolicyRights) != 0) ++ authorized=(p->rights & ExecutePolicyRights) != 0 ? MagickTrue : ++ MagickFalse; ++ } ++ if (p->domain == PathPolicyDomain) ++ real_pattern=DestroyString(real_pattern); + } + p=(PolicyInfo *) GetNextValueInLinkedList(policy_cache); + } +diff --git a/magick/utility-private.h b/magick/utility-private.h +index c94a3c4..088eb58 100644 +--- a/magick/utility-private.h ++++ b/magick/utility-private.h +@@ -216,6 +216,125 @@ static inline FILE *popen_utf8(const char *command,const char *type) + #endif + } + ++static inline char *realpath_utf8(const char *path) ++{ ++#if !defined(MAGICKCORE_WINDOWS_SUPPORT) || defined(__CYGWIN__) ++#if defined(MAGICKCORE_HAVE_REALPATH) ++ return(realpath(path,(char *) NULL)); ++#else ++ return(AcquireString(path)); ++#endif ++#else ++ char ++ *real_path; ++ ++ DWORD ++ final_path_length, ++ full_path_length; ++ ++ HANDLE ++ file_handle; ++ ++ int ++ length, ++ utf8_length, ++ ++ wchar_t ++ *clean_path, ++ *final_path, ++ *full_path, ++ *wide_path; ++ ++ /* ++ Convert UTF-8 to UTF-16. ++ */ ++ if (path == (const char *) NULL) ++ return((char *) NULL); ++ length=MultiByteToWideChar(CP_UTF8,0,path,-1,NULL,0); ++ if (length <= 0) ++ return((char *) NULL); ++ wide_path=(wchar_t *) AcquireQuantumMeory(length,sizeof(wchar_t)); ++ if (wide_path == (wchar_t *) NULL) ++ return((char *) NULL); ++ MultiByteToWideChar(CP_UTF8,0,path,-1,wide_path,length); ++ /* ++ Normalize syntactically. ++ */ ++ full_path_length=GetFullPathNameW(wide_path,0,NULL,NULL); ++ if (full_path_length == 0) ++ { ++ wide_path=(wchar_t *) RelinquishMagickMemory(wide_path); ++ return((char *) NULL); ++ } ++ full_path=(wchar_t *) AcquireQuantumMemory(full_path_length,sizeof(wchar_t)); ++ if (full_path == (wchar_t *) NULL); ++ { ++ wide_path=(wchar_t *) RelinquishMagickMemory(wide_path); ++ return((char *) NULL); ++ } ++ GetFullPathNameW(wide_path,full_path_length,full_path,NULL); ++ wide_path=(wchar_t *) RelinquishMagickMemory(wide_path); ++ /* ++ Open the file/directory to resolve symlinks. ++ */ ++ file_handle=CreateFileW(full_path,GENERIC_READ,FILE_SHARE_READ | ++ FILE_SHARE_WRITE | FILE_SHARE_DELETE,NULL,OPEN_EXISTING, ++ FILE_FLAG_BACKUP_SEMANTICS,NULL); ++ if (file_handle == INVALID_HANDLE_VALUE) ++ { ++ full_path=(wchar_t *) RelinquishMagickMemory(full_path); ++ return((char *) NULL); ++ } ++ /* ++ Resolve final canonical path. ++ */ ++ final_path_length=GetFinalPathNameByHandleW(file_handle,NULL,0, ++ FILE_NAME_NORMALIZED); ++ if (final_path_length == 0) ++ { ++ CloseHandle(file_handle); ++ full_path=(wchar_t *) RelinquishMagickMemory(full_path); ++ return((char *) NULL); ++ } ++ final_path=(wchar_t *) AcquireQuantumMemory(final_path_length, ++ sizeof(wchar_t)); ++ if (final_path == (wchar_t *) NULL) ++ { ++ CloseHandle(file_handle); ++ full_path=(wchar_t *) RelinquishMagickMemory(full_path); ++ return((char *) NULL); ++ } ++ GetFinalPathNameByHandleW(file_handle,final_path,final_path_length, ++ FILE_NAME_NORMALIZED); ++ CloseHandle(file_handle); ++ full_path=(wchar_t *) RelinquishMagickMemory(full_path); ++ /* ++ Remove \\?\ prefix for POSIX-like behavior. ++ */ ++ clean_path=final_path; ++ if (wcsncmp(final_path,L"\\\\?\\",4) == 0) ++ clean_path=final_path+4; ++ /* ++ Convert UTF-16 to UTF-8. ++ */ ++ utf8_length=WideCharToMultiByte(CP_UTF8,0,clean_path,-1,NULL,0,NULL,NULL); ++ if (utf8_length <= 0) ++ { ++ final_path=(wchar_t *) RelinquishMagickMemory(final_path); ++ return NULL; ++ } ++ real_path=(char *) AcquireQuantumMemory(utf8_length,sizeof(char)); ++ if (real_path == (char *) NULL) ++ { ++ final_path=(wchar_t *) RelinquishMagickMemory(final_path); ++ return NULL; ++ } ++ WideCharToMultiByte(CP_UTF8,0,clean_path,-1,real_path,utf8_length,NULL,NULL); ++ final_path=(wchar_t *) RelinquishMagickMemory(final_path); ++ return(real_path); ++#endif ++} ++ + static inline int remove_utf8(const char *path) + { + #if !defined(MAGICKCORE_WINDOWS_SUPPORT) || defined(__CYGWIN__) +diff --git a/magick/utility.c b/magick/utility.c +index 2ba49df..e23c8f9 100644 +--- a/magick/utility.c ++++ b/magick/utility.c +@@ -1033,16 +1033,23 @@ MagickExport MagickBooleanType GetExecutionPath(char *path,const size_t extent) + #if defined(MAGICKCORE_HAVE__NSGETEXECUTABLEPATH) + { + char +- executable_path[PATH_MAX << 1], +- execution_path[PATH_MAX+1]; ++ executable_path[PATH_MAX << 1]; + + uint32_t + length; + + length=sizeof(executable_path); +- if ((_NSGetExecutablePath(executable_path,&length) == 0) && +- (realpath(executable_path,execution_path) != (char *) NULL)) +- (void) CopyMagickString(path,execution_path,extent); ++ if (_NSGetExecutablePath(executable_path,&length) == 0) ++ { ++ char ++ *real_path = realpath_utf8(executable_path); ++ ++ if (real_path != (char *) NULL) ++ { ++ (void) CopyMagickString(path,real_path,extent); ++ real_path=DestroyString(real_path); ++ } ++ } + } + #endif + #if defined(MAGICKCORE_HAVE_GETEXECNAME) +@@ -1087,11 +1094,14 @@ MagickExport MagickBooleanType GetExecutionPath(char *path,const size_t extent) + } + if (count != -1) + { +- char +- execution_path[PATH_MAX+1]; ++ char ++ *real_path = realpath_utf8(program_name); + +- if (realpath(program_name,execution_path) != (char *) NULL) +- (void) CopyMagickString(path,execution_path,extent); ++ if (real_path != (char *) NULL) ++ { ++ (void) CopyMagickString(path,real_path,extent); ++ real_path=DestroyString(real_path); ++ } + } + if (program_name != program_invocation_name) + program_name=(char *) RelinquishMagickMemory(program_name); diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25797_CVE-2026-25965_CVE-2026-25968_CVE-2026-25982.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25797_CVE-2026-25965_CVE-2026-25968_CVE-2026-25982.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25797_CVE-2026-25965_CVE-2026-25968_CVE-2026-25982.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25797_CVE-2026-25965_CVE-2026-25968_CVE-2026-25982.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,732 @@ +From: Cristy +Date: Thu, 29 Jan 2026 20:42:21 -0500 +Subject: jumbo security patch: addresses memory leak, stack overflow, + out-of-bounds, integer overflow, OOB read + +Fix CVE-2026-25965, CVE-2026-25797, CVE-2026-25968 and CVE-2026-25982 + +(cherry picked from commit b4c37614b6da7695cb4f5b3c6e326a37bdf2b1a9) + +origin: https://github.com/ImageMagick/ImageMagick6/commit/b4c37614b6da7695cb4f5b3c6e326a37bdf2b1a9 +--- + coders/dcm.c | 16 ++++++- + coders/msl.c | 24 +++++++--- + coders/ps.c | 82 +++++++++++++++++++++++++++++++- + coders/ps2.c | 82 +++++++++++++++++++++++++++++++- + coders/ps3.c | 83 ++++++++++++++++++++++++++++++++- + magick/module.c | 11 +++-- + magick/policy.c | 40 ++++++++++------ + magick/utility-private.h | 119 +++++++++++++++++++++++++++++++++++++++++++++++ + magick/utility.c | 28 +++++++---- + 9 files changed, 445 insertions(+), 40 deletions(-) + +diff --git a/coders/dcm.c b/coders/dcm.c +index 439aa1a..6c6da95 100644 +--- a/coders/dcm.c ++++ b/coders/dcm.c +@@ -2704,6 +2704,7 @@ typedef struct _DCMInfo + + size_t + bits_allocated, ++ bits_per_entry, + bytes_per_pixel, + depth, + mask, +@@ -3136,6 +3137,7 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception) + */ + (void) CopyMagickString(photometric,"MONOCHROME1 ",MaxTextExtent); + info.bits_allocated=8; ++ info.bits_per_entry=1; + info.bytes_per_pixel=1; + info.depth=8; + info.mask=0xffff; +@@ -3667,7 +3669,7 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception) + else + index=(unsigned short) (*p | (*(p+1) << 8)); + redmap[i]=(int) index; +- p+=2; ++ p+=(ptrdiff_t) info.bits_per_entry; + } + break; + } +@@ -3699,7 +3701,7 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception) + else + index=(unsigned short) (*p | (*(p+1) << 8)); + greenmap[i]=(int) index; +- p+=2; ++ p+=(ptrdiff_t) info.bits_per_entry; + } + break; + } +@@ -3735,6 +3737,16 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception) + } + break; + } ++ case 0x3002: ++ { ++ /* ++ Bytes per entry. ++ */ ++ info.bits_per_entry=(size_t) datum; ++ if ((info.bits_per_entry == 0) || (info.bits_per_entry > 2)) ++ ThrowDCMException(CorruptImageError,"ImproperImageHeader") ++ break; ++ } + default: + break; + } +diff --git a/coders/msl.c b/coders/msl.c +index f28e97e..ed89da4 100644 +--- a/coders/msl.c ++++ b/coders/msl.c +@@ -5058,17 +5058,25 @@ static void MSLStartElement(void *context,const xmlChar *tag, + if (LocaleCompare(keyword,"filename") == 0) + { + Image +- *image; ++ *next = (Image *) NULL; + + if (value == (char *) NULL) + break; ++ *msl_info->image_info[n]->magick='\0'; + (void) CopyMagickString(msl_info->image_info[n]->filename, +- value,MaxTextExtent); +- image=ReadImage(msl_info->image_info[n],exception); ++ value,MagickPathExtent); ++ (void) SetImageInfo(msl_info->image_info[n],1,exception); ++ if (LocaleCompare(msl_info->image_info[n]->magick,"msl") != 0) ++ next=ReadImage(msl_info->image_info[n],exception); ++ else ++ (void) ThrowMagickException(msl_info->exception, ++ GetMagickModule(),DrawError, ++ "VectorGraphicsNestedTooDeeply","`%s'", ++ msl_info->image_info[n]->filename); + CatchException(exception); +- if (image == (Image *) NULL) ++ if (next == (Image *) NULL) + continue; +- AppendImageToList(&msl_info->image[n],image); ++ AppendImageToList(&msl_info->image[n],next); + break; + } + (void) SetMSLAttributes(msl_info,keyword,value); +@@ -6140,10 +6148,11 @@ static void MSLStartElement(void *context,const xmlChar *tag, + Quantum opac = OpaqueOpacity; + ssize_t len = (ssize_t) strlen( value ); + +- if (value[len-1] == '%') { +- char tmp[100]; ++ if ((len > 0) && (value[len-1] == '%')) { ++ char *tmp = AcquireString(value); + (void) CopyMagickString(tmp,value,len); + opac = StringToLong( tmp ); ++ tmp=DestroyString(tmp); + opac = (int)(QuantumRange * ((float)opac/100)); + } else + opac = StringToLong( value ); +@@ -7359,6 +7368,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + + /* process */ + { ++ *msl_info->image_info[n]->magick='\0'; + (void) CopyMagickString(msl_info->image_info[n]->filename, + msl_info->image[n]->filename,MagickPathExtent); + (void) SetImageInfo(msl_info->image_info[n],1,exception); +diff --git a/coders/ps.c b/coders/ps.c +index af81bbb..c42198d 100644 +--- a/coders/ps.c ++++ b/coders/ps.c +@@ -1045,6 +1045,82 @@ ModuleExport void UnregisterPSImage(void) + % + */ + ++static void inline FilenameToTitle(const char *filename,char *title, ++ const size_t extent) ++{ ++ int ++ depth = 0; ++ ++ ssize_t ++ i, ++ offset = 0; ++ ++ if (extent == 0) ++ return; ++ for (i=0; (filename[i] != '\0') && ((offset+1) < extent); i++) ++ { ++ unsigned char ++ c = filename[i]; ++ ++ /* ++ Only allow printable ASCII. ++ */ ++ if ((c < 32) || (c > 126)) ++ { ++ title[offset++]='_'; ++ continue; ++ } ++ /* ++ Percent signs break DSC parsing. ++ */ ++ if (c == '%') ++ { ++ title[offset++]='_'; ++ continue; ++ } ++ /* ++ Parentheses must remain balanced. ++ */ ++ if (c == '(') ++ { ++ depth++; ++ title[offset++] = '('; ++ continue; ++ } ++ if (c == ')') ++ { ++ if (depth <= 0) ++ title[offset++]='_'; ++ else ++ { ++ depth--; ++ title[offset++]=')'; ++ } ++ continue; ++ } ++ /* ++ Everything else is allowed. ++ */ ++ title[offset++]=c; ++ } ++ /* ++ If parentheses remain unbalanced, close them. ++ */ ++ while ((depth > 0) && ((offset+1) < extent)) { ++ title[offset++]=')'; ++ depth--; ++ } ++ title[offset]='\0'; ++ /* ++ Ensure non-empty result. ++ */ ++ if (offset == 0) ++ { ++ (void) strncpy(title,"Untitled",extent-1); ++ title[extent-1]='\0'; ++ } ++} ++ + static inline unsigned char *PopHexPixel(const char hex_digits[][3], + const size_t pixel,unsigned char *pixels) + { +@@ -1522,6 +1598,9 @@ static MagickBooleanType WritePSImage(const ImageInfo *image_info,Image *image) + text_size=(size_t) (MultilineCensus(value)*pointsize+12); + if (page == 1) + { ++ char ++ title[MagickPathExtent]; ++ + /* + Output Postscript header. + */ +@@ -1532,8 +1611,9 @@ static MagickBooleanType WritePSImage(const ImageInfo *image_info,Image *image) + MaxTextExtent); + (void) WriteBlobString(image,buffer); + (void) WriteBlobString(image,"%%Creator: (ImageMagick)\n"); ++ FilenameToTitle(image->filename,title,MagickPathExtent); + (void) FormatLocaleString(buffer,MaxTextExtent,"%%%%Title: (%s)\n", +- image->filename); ++ title); + (void) WriteBlobString(image,buffer); + timer=GetMagickTime(); + (void) FormatMagickTime(timer,MaxTextExtent,date); +diff --git a/coders/ps2.c b/coders/ps2.c +index 3e102dc..3fac7e1 100644 +--- a/coders/ps2.c ++++ b/coders/ps2.c +@@ -187,6 +187,82 @@ ModuleExport void UnregisterPS2Image(void) + % + */ + ++static void inline FilenameToTitle(const char *filename,char *title, ++ const size_t extent) ++{ ++ int ++ depth = 0; ++ ++ ssize_t ++ i, ++ offset = 0; ++ ++ if (extent == 0) ++ return; ++ for (i=0; (filename[i] != '\0') && ((offset+1) < extent); i++) ++ { ++ unsigned char ++ c = filename[i]; ++ ++ /* ++ Only allow printable ASCII. ++ */ ++ if ((c < 32) || (c > 126)) ++ { ++ title[offset++]='_'; ++ continue; ++ } ++ /* ++ Percent signs break DSC parsing. ++ */ ++ if (c == '%') ++ { ++ title[offset++]='_'; ++ continue; ++ } ++ /* ++ Parentheses must remain balanced. ++ */ ++ if (c == '(') ++ { ++ depth++; ++ title[offset++] = '('; ++ continue; ++ } ++ if (c == ')') ++ { ++ if (depth <= 0) ++ title[offset++]='_'; ++ else ++ { ++ depth--; ++ title[offset++]=')'; ++ } ++ continue; ++ } ++ /* ++ Everything else is allowed. ++ */ ++ title[offset++]=c; ++ } ++ /* ++ If parentheses remain unbalanced, close them. ++ */ ++ while ((depth > 0) && ((offset+1) < extent)) { ++ title[offset++]=')'; ++ depth--; ++ } ++ title[offset]='\0'; ++ /* ++ Ensure non-empty result. ++ */ ++ if (offset == 0) ++ { ++ (void) strncpy(title,"Untitled",extent-1); ++ title[extent-1]='\0'; ++ } ++} ++ + static MagickBooleanType Huffman2DEncodeImage(const ImageInfo *image_info, + Image *image,Image *inject_image) + { +@@ -553,6 +629,9 @@ static MagickBooleanType WritePS2Image(const ImageInfo *image_info,Image *image) + text_size=(size_t) (MultilineCensus(value)*pointsize+12); + if (page == 1) + { ++ char ++ title[MagickPathExtent]; ++ + /* + Output Postscript header. + */ +@@ -563,8 +642,9 @@ static MagickBooleanType WritePS2Image(const ImageInfo *image_info,Image *image) + MaxTextExtent); + (void) WriteBlobString(image,buffer); + (void) WriteBlobString(image,"%%Creator: (ImageMagick)\n"); ++ FilenameToTitle(image->filename,title,MagickPathExtent); + (void) FormatLocaleString(buffer,MaxTextExtent,"%%%%Title: (%s)\n", +- image->filename); ++ title); + (void) WriteBlobString(image,buffer); + timer=GetMagickTime(); + (void) FormatMagickTime(timer,MaxTextExtent,date); +diff --git a/coders/ps3.c b/coders/ps3.c +index 192a19d..1283e71 100644 +--- a/coders/ps3.c ++++ b/coders/ps3.c +@@ -202,6 +202,82 @@ ModuleExport void UnregisterPS3Image(void) + % + */ + ++static void inline FilenameToTitle(const char *filename,char *title, ++ const size_t extent) ++{ ++ int ++ depth = 0; ++ ++ ssize_t ++ i, ++ offset = 0; ++ ++ if (extent == 0) ++ return; ++ for (i=0; (filename[i] != '\0') && ((offset+1) < extent); i++) ++ { ++ unsigned char ++ c = filename[i]; ++ ++ /* ++ Only allow printable ASCII. ++ */ ++ if ((c < 32) || (c > 126)) ++ { ++ title[offset++]='_'; ++ continue; ++ } ++ /* ++ Percent signs break DSC parsing. ++ */ ++ if (c == '%') ++ { ++ title[offset++]='_'; ++ continue; ++ } ++ /* ++ Parentheses must remain balanced. ++ */ ++ if (c == '(') ++ { ++ depth++; ++ title[offset++] = '('; ++ continue; ++ } ++ if (c == ')') ++ { ++ if (depth <= 0) ++ title[offset++]='_'; ++ else ++ { ++ depth--; ++ title[offset++]=')'; ++ } ++ continue; ++ } ++ /* ++ Everything else is allowed. ++ */ ++ title[offset++]=c; ++ } ++ /* ++ If parentheses remain unbalanced, close them. ++ */ ++ while ((depth > 0) && ((offset+1) < extent)) { ++ title[offset++]=')'; ++ depth--; ++ } ++ title[offset]='\0'; ++ /* ++ Ensure non-empty result. ++ */ ++ if (offset == 0) ++ { ++ (void) strncpy(title,"Untitled",extent-1); ++ title[extent-1]='\0'; ++ } ++} ++ + static MagickBooleanType Huffman2DEncodeImage(const ImageInfo *image_info, + Image *image,Image *inject_image) + { +@@ -1001,6 +1077,9 @@ static MagickBooleanType WritePS3Image(const ImageInfo *image_info,Image *image) + page++; + if (page == 1) + { ++ char ++ title[MagickPathExtent]; ++ + /* + Postscript header on the first page. + */ +@@ -1013,8 +1092,8 @@ static MagickBooleanType WritePS3Image(const ImageInfo *image_info,Image *image) + (void) FormatLocaleString(buffer,MaxTextExtent, + "%%%%Creator: ImageMagick %s\n",MagickLibVersionText); + (void) WriteBlobString(image,buffer); +- (void) FormatLocaleString(buffer,MaxTextExtent,"%%%%Title: %s\n", +- image->filename); ++ FilenameToTitle(image->filename,title,MagickPathExtent); ++ (void) FormatLocaleString(buffer,MaxTextExtent,"%%%%Title: %s\n",title); + (void) WriteBlobString(image,buffer); + timer=GetMagickTime(); + (void) FormatMagickTime(timer,MaxTextExtent,date); +diff --git a/magick/module.c b/magick/module.c +index e760395..8cdf1c1 100644 +--- a/magick/module.c ++++ b/magick/module.c +@@ -580,15 +580,16 @@ static MagickBooleanType GetMagickModulePath(const char *filename, + if ((q >= path) && (*q != *DirectorySeparator)) + (void) ConcatenateMagickString(path,DirectorySeparator,MaxTextExtent); + (void) ConcatenateMagickString(path,filename,MaxTextExtent); +-#if defined(MAGICKCORE_HAVE_REALPATH) + { + char +- resolved_path[PATH_MAX+1]; ++ *real_path = realpath_utf8(path); + +- if (realpath(path,resolved_path) != (char *) NULL) +- (void) CopyMagickString(path,resolved_path,MaxTextExtent); ++ if (real_path != (char *) NULL) ++ { ++ (void) CopyMagickString(path,real_path,MagickPathExtent); ++ real_path=DestroyString(real_path); ++ } + } +-#endif + if (IsPathAccessible(path) != MagickFalse) + { + module_path=DestroyString(module_path); +diff --git a/magick/policy.c b/magick/policy.c +index b0cafd2..d4251a5 100644 +--- a/magick/policy.c ++++ b/magick/policy.c +@@ -57,6 +57,7 @@ + #include "magick/string_.h" + #include "magick/token.h" + #include "magick/utility.h" ++#include "magick/utility-private.h" + #include "magick/xml-tree.h" + #include "magick/xml-tree-private.h" + +@@ -444,8 +445,8 @@ static char *AcquirePolicyString(const char *source,const size_t pad) + if (source != (char *) NULL) + length+=strlen(source); + destination=(char *) NULL; +- if (~length >= pad) +- destination=(char *) AcquireQuantumMemory(length+pad,sizeof(*destination)); ++ if (~length >= pad) ++ destination=(char *) AcquireMagickMemory((length+pad)*sizeof(*destination)); + if (destination == (char *) NULL) + ThrowFatalException(ResourceLimitFatalError,"UnableToAcquireString"); + if (source != (char *) NULL) +@@ -640,18 +641,31 @@ MagickExport MagickBooleanType IsRightsAuthorized(const PolicyDomain domain, + p=(PolicyInfo *) GetNextValueInLinkedList(policy_cache); + while (p != (PolicyInfo *) NULL) + { +- if ((p->domain == domain) && +- (GlobExpression(pattern,p->pattern,MagickFalse) != MagickFalse)) ++ char ++ *real_pattern = (char *) pattern; ++ ++ if (p->domain == domain) + { +- if ((rights & ReadPolicyRights) != 0) +- authorized=(p->rights & ReadPolicyRights) != 0 ? MagickTrue : +- MagickFalse; +- if ((rights & WritePolicyRights) != 0) +- authorized=(p->rights & WritePolicyRights) != 0 ? MagickTrue : +- MagickFalse; +- if ((rights & ExecutePolicyRights) != 0) +- authorized=(p->rights & ExecutePolicyRights) != 0 ? MagickTrue : +- MagickFalse; ++ if (p->domain == PathPolicyDomain) ++ { ++ real_pattern=realpath_utf8(pattern); ++ if (real_pattern == (char *) NULL) ++ real_pattern=AcquireString(pattern); ++ } ++ if (GlobExpression(real_pattern,p->pattern,MagickFalse) != MagickFalse) ++ { ++ if ((rights & ReadPolicyRights) != 0) ++ authorized=(p->rights & ReadPolicyRights) != 0 ? MagickTrue : ++ MagickFalse; ++ if ((rights & WritePolicyRights) != 0) ++ authorized=(p->rights & WritePolicyRights) != 0 ? MagickTrue : ++ MagickFalse; ++ if ((rights & ExecutePolicyRights) != 0) ++ authorized=(p->rights & ExecutePolicyRights) != 0 ? MagickTrue : ++ MagickFalse; ++ } ++ if (p->domain == PathPolicyDomain) ++ real_pattern=DestroyString(real_pattern); + } + p=(PolicyInfo *) GetNextValueInLinkedList(policy_cache); + } +diff --git a/magick/utility-private.h b/magick/utility-private.h +index c94a3c4..088eb58 100644 +--- a/magick/utility-private.h ++++ b/magick/utility-private.h +@@ -216,6 +216,125 @@ static inline FILE *popen_utf8(const char *command,const char *type) + #endif + } + ++static inline char *realpath_utf8(const char *path) ++{ ++#if !defined(MAGICKCORE_WINDOWS_SUPPORT) || defined(__CYGWIN__) ++#if defined(MAGICKCORE_HAVE_REALPATH) ++ return(realpath(path,(char *) NULL)); ++#else ++ return(AcquireString(path)); ++#endif ++#else ++ char ++ *real_path; ++ ++ DWORD ++ final_path_length, ++ full_path_length; ++ ++ HANDLE ++ file_handle; ++ ++ int ++ length, ++ utf8_length, ++ ++ wchar_t ++ *clean_path, ++ *final_path, ++ *full_path, ++ *wide_path; ++ ++ /* ++ Convert UTF-8 to UTF-16. ++ */ ++ if (path == (const char *) NULL) ++ return((char *) NULL); ++ length=MultiByteToWideChar(CP_UTF8,0,path,-1,NULL,0); ++ if (length <= 0) ++ return((char *) NULL); ++ wide_path=(wchar_t *) AcquireQuantumMeory(length,sizeof(wchar_t)); ++ if (wide_path == (wchar_t *) NULL) ++ return((char *) NULL); ++ MultiByteToWideChar(CP_UTF8,0,path,-1,wide_path,length); ++ /* ++ Normalize syntactically. ++ */ ++ full_path_length=GetFullPathNameW(wide_path,0,NULL,NULL); ++ if (full_path_length == 0) ++ { ++ wide_path=(wchar_t *) RelinquishMagickMemory(wide_path); ++ return((char *) NULL); ++ } ++ full_path=(wchar_t *) AcquireQuantumMemory(full_path_length,sizeof(wchar_t)); ++ if (full_path == (wchar_t *) NULL); ++ { ++ wide_path=(wchar_t *) RelinquishMagickMemory(wide_path); ++ return((char *) NULL); ++ } ++ GetFullPathNameW(wide_path,full_path_length,full_path,NULL); ++ wide_path=(wchar_t *) RelinquishMagickMemory(wide_path); ++ /* ++ Open the file/directory to resolve symlinks. ++ */ ++ file_handle=CreateFileW(full_path,GENERIC_READ,FILE_SHARE_READ | ++ FILE_SHARE_WRITE | FILE_SHARE_DELETE,NULL,OPEN_EXISTING, ++ FILE_FLAG_BACKUP_SEMANTICS,NULL); ++ if (file_handle == INVALID_HANDLE_VALUE) ++ { ++ full_path=(wchar_t *) RelinquishMagickMemory(full_path); ++ return((char *) NULL); ++ } ++ /* ++ Resolve final canonical path. ++ */ ++ final_path_length=GetFinalPathNameByHandleW(file_handle,NULL,0, ++ FILE_NAME_NORMALIZED); ++ if (final_path_length == 0) ++ { ++ CloseHandle(file_handle); ++ full_path=(wchar_t *) RelinquishMagickMemory(full_path); ++ return((char *) NULL); ++ } ++ final_path=(wchar_t *) AcquireQuantumMemory(final_path_length, ++ sizeof(wchar_t)); ++ if (final_path == (wchar_t *) NULL) ++ { ++ CloseHandle(file_handle); ++ full_path=(wchar_t *) RelinquishMagickMemory(full_path); ++ return((char *) NULL); ++ } ++ GetFinalPathNameByHandleW(file_handle,final_path,final_path_length, ++ FILE_NAME_NORMALIZED); ++ CloseHandle(file_handle); ++ full_path=(wchar_t *) RelinquishMagickMemory(full_path); ++ /* ++ Remove \\?\ prefix for POSIX-like behavior. ++ */ ++ clean_path=final_path; ++ if (wcsncmp(final_path,L"\\\\?\\",4) == 0) ++ clean_path=final_path+4; ++ /* ++ Convert UTF-16 to UTF-8. ++ */ ++ utf8_length=WideCharToMultiByte(CP_UTF8,0,clean_path,-1,NULL,0,NULL,NULL); ++ if (utf8_length <= 0) ++ { ++ final_path=(wchar_t *) RelinquishMagickMemory(final_path); ++ return NULL; ++ } ++ real_path=(char *) AcquireQuantumMemory(utf8_length,sizeof(char)); ++ if (real_path == (char *) NULL) ++ { ++ final_path=(wchar_t *) RelinquishMagickMemory(final_path); ++ return NULL; ++ } ++ WideCharToMultiByte(CP_UTF8,0,clean_path,-1,real_path,utf8_length,NULL,NULL); ++ final_path=(wchar_t *) RelinquishMagickMemory(final_path); ++ return(real_path); ++#endif ++} ++ + static inline int remove_utf8(const char *path) + { + #if !defined(MAGICKCORE_WINDOWS_SUPPORT) || defined(__CYGWIN__) +diff --git a/magick/utility.c b/magick/utility.c +index 2ba49df..e23c8f9 100644 +--- a/magick/utility.c ++++ b/magick/utility.c +@@ -1033,16 +1033,23 @@ MagickExport MagickBooleanType GetExecutionPath(char *path,const size_t extent) + #if defined(MAGICKCORE_HAVE__NSGETEXECUTABLEPATH) + { + char +- executable_path[PATH_MAX << 1], +- execution_path[PATH_MAX+1]; ++ executable_path[PATH_MAX << 1]; + + uint32_t + length; + + length=sizeof(executable_path); +- if ((_NSGetExecutablePath(executable_path,&length) == 0) && +- (realpath(executable_path,execution_path) != (char *) NULL)) +- (void) CopyMagickString(path,execution_path,extent); ++ if (_NSGetExecutablePath(executable_path,&length) == 0) ++ { ++ char ++ *real_path = realpath_utf8(executable_path); ++ ++ if (real_path != (char *) NULL) ++ { ++ (void) CopyMagickString(path,real_path,extent); ++ real_path=DestroyString(real_path); ++ } ++ } + } + #endif + #if defined(MAGICKCORE_HAVE_GETEXECNAME) +@@ -1087,11 +1094,14 @@ MagickExport MagickBooleanType GetExecutionPath(char *path,const size_t extent) + } + if (count != -1) + { +- char +- execution_path[PATH_MAX+1]; ++ char ++ *real_path = realpath_utf8(program_name); + +- if (realpath(program_name,execution_path) != (char *) NULL) +- (void) CopyMagickString(path,execution_path,extent); ++ if (real_path != (char *) NULL) ++ { ++ (void) CopyMagickString(path,real_path,extent); ++ real_path=DestroyString(real_path); ++ } + } + if (program_name != program_invocation_name) + program_name=(char *) RelinquishMagickMemory(program_name); diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25798.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25798.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25798.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25798.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,80 @@ +From: Cristy +Date: Sun, 1 Feb 2026 14:56:08 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p863-5fgm-rgq4 + +NULL pointer dereference in ClonePixelCacheRepository allows a remote attacker to crash any application linked against ImageMagick by supplying a crafted image file, resulting in denial of service. + +(cherry picked from commit 93a38e3a7bfb7a492409275321eca94df7cd03a7) + +origin: https://github.com/ImageMagick/ImageMagick6/commit/93a38e3a7bfb7a492409275321eca94df7cd03a7 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p863-5fgm-rgq4 +--- + magick/cache.c | 37 +++++++++++++++++++++++++++++++++---- + 1 file changed, 33 insertions(+), 4 deletions(-) + +diff --git a/magick/cache.c b/magick/cache.c +index c3f0fb9..98a951a 100644 +--- a/magick/cache.c ++++ b/magick/cache.c +@@ -3715,6 +3715,25 @@ static MagickBooleanType MaskPixelCacheNexus(Image *image,NexusInfo *nexus_info, + % + */ + ++static inline MagickBooleanType CacheOverflowSanityCheckGetSize( ++ const MagickSizeType count,const size_t quantum,MagickSizeType *const extent) ++{ ++ MagickSizeType ++ length; ++ ++ if ((count == 0) || (quantum == 0)) ++ return(MagickTrue); ++ length=count*quantum; ++ if (quantum != (length/count)) ++ { ++ errno=ENOMEM; ++ return(MagickTrue); ++ } ++ if (extent != NULL) ++ *extent=length; ++ return(MagickFalse); ++} ++ + static MagickBooleanType OpenPixelCacheOnDisk(CacheInfo *cache_info, + const MapMode mode) + { +@@ -3861,7 +3880,7 @@ static MagickBooleanType OpenPixelCache(Image *image,const MapMode mode, + *type; + + MagickSizeType +- length, ++ length = 0, + number_pixels; + + MagickStatusType +@@ -3931,12 +3950,22 @@ static MagickBooleanType OpenPixelCache(Image *image,const MapMode mode, + packet_size=sizeof(PixelPacket); + if (cache_info->active_index_channel != MagickFalse) + packet_size+=sizeof(IndexPacket); +- length=number_pixels*packet_size; ++ if (CacheOverflowSanityCheckGetSize(number_pixels,packet_size,&length) != MagickFalse) ++ { ++ cache_info->storage_class=UndefinedClass; ++ cache_info->length=0; ++ ThrowBinaryException(ResourceLimitError,"PixelCacheAllocationFailed", ++ image->filename); ++ } + columns=(size_t) (length/cache_info->rows/packet_size); + if ((cache_info->columns != columns) || ((ssize_t) cache_info->columns < 0) || + ((ssize_t) cache_info->rows < 0)) +- ThrowBinaryException(ResourceLimitError,"PixelCacheAllocationFailed", +- image->filename); ++ { ++ cache_info->storage_class=UndefinedClass; ++ cache_info->length=0; ++ ThrowBinaryException(ResourceLimitError,"PixelCacheAllocationFailed", ++ image->filename); ++ } + cache_info->length=length; + if (image->ping != MagickFalse) + { diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25799.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25799.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25799.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25799.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,37 @@ +From: Cristy +Date: Sat, 31 Jan 2026 12:56:36 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-543g-8grm-9cw6 + +a logic error in YUV sampling factor validation allows an invalid sampling factor to bypass checks and trigger a division-by-zero during image loading, resulting in a reliable denial-of-service + +(cherry picked from commit 44c687dee38eb1a8053facb4a33dfa1e255875ea) + +origin: backport, https://github.com/ImageMagick/ImageMagick6/commit/44c687dee38eb1a8053facb4a33dfa1e255875ea +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-543g-8grm-9cw6 +--- + coders/yuv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/coders/yuv.c b/coders/yuv.c +index fc65e28..f69e0e7 100644 +--- a/coders/yuv.c ++++ b/coders/yuv.c +@@ -170,7 +170,7 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception) + vertical_factor=(ssize_t) geometry_info.sigma; + if ((flags & SigmaValue) == 0) + vertical_factor=horizontal_factor; +- if ((horizontal_factor != 1) && (horizontal_factor != 2) && ++ if ((horizontal_factor != 1) && (horizontal_factor != 2) || + (vertical_factor != 1) && (vertical_factor != 2)) + ThrowReaderException(CorruptImageError,"UnexpectedSamplingFactor"); + } +@@ -654,7 +654,7 @@ static MagickBooleanType WriteYUVImage(const ImageInfo *image_info,Image *image) + vertical_factor=(ssize_t) geometry_info.sigma; + if ((flags & SigmaValue) == 0) + vertical_factor=horizontal_factor; +- if ((horizontal_factor != 1) && (horizontal_factor != 2) && ++ if ((horizontal_factor != 1) && (horizontal_factor != 2) || + (vertical_factor != 1) && (vertical_factor != 2)) + ThrowWriterException(CorruptImageError,"UnexpectedSamplingFactor"); + } diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25897.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25897.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25897.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25897.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,37 @@ +From: Dirk Lemstra +Date: Fri, 6 Feb 2026 22:21:23 +0100 +Subject: Added extra check to prevent out of bounds heap write on 32-bit + systems + (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6j5f-24fw-pqp4) + +(cherry picked from commit 5e28bb254210580ac12234cc9ba4ae57c193129c) + +origin: https://github.com/ImageMagick/ImageMagick/commit/5e28bb254210580ac12234cc9ba4ae57c193129c +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6j5f-24fw-pqp4 +--- + coders/sun.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/coders/sun.c b/coders/sun.c +index c4ecc0a..e148801 100644 +--- a/coders/sun.c ++++ b/coders/sun.c +@@ -469,12 +469,16 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception) + ThrowReaderException(ResourceLimitError,"ImproperImageHeader"); + } + bytes_per_line>>=4; +- if (HeapOverflowSanityCheck(height,bytes_per_line) != MagickFalse) ++ if (HeapOverflowSanityCheckGetSize(height,bytes_per_line,&pixels_length) != MagickFalse) ++ { ++ sun_data=(unsigned char *) RelinquishMagickMemory(sun_data); ++ ThrowReaderException(ResourceLimitError,"ImproperImageHeader"); ++ } ++ if (image->rows > (MAGICK_SIZE_MAX - pixels_length)) + { + sun_data=(unsigned char *) RelinquishMagickMemory(sun_data); + ThrowReaderException(ResourceLimitError,"ImproperImageHeader"); + } +- pixels_length=height*bytes_per_line; + sun_pixels=(unsigned char *) AcquireQuantumMemory(pixels_length+image->rows, + sizeof(*sun_pixels)); + if (sun_pixels == (unsigned char *) NULL) diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25898_1.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25898_1.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25898_1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25898_1.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,32 @@ +From: Dirk Lemstra +Date: Fri, 6 Feb 2026 20:55:27 +0100 +Subject: Fixed out of bound read with negative pixel index + (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vpxv-r9pg-7gpr) + +(cherry picked from commit 66d3a6497eb89b3ce2a7b86cc23be6d69bce9220) + +origin: https://github.com/ImageMagick/ImageMagick6/commit/66d3a6497eb89b3ce2a7b86cc23be6d69bce9220 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vpxv-r9pg-7gpr +--- + coders/uil.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/coders/uil.c b/coders/uil.c +index c76a979..fb4263c 100644 +--- a/coders/uil.c ++++ b/coders/uil.c +@@ -359,10 +359,14 @@ static MagickBooleanType WriteUILImage(const ImageInfo *image_info,Image *image) + for (x=0; x < (ssize_t) image->columns; x++) + { + k=((ssize_t) GetPixelIndex(indexes+x) % MaxCixels); ++ if (k < 0) ++ k=0; + symbol[0]=Cixel[k]; + for (j=1; j < (int) characters_per_pixel; j++) + { + k=(((int) GetPixelIndex(indexes+x)-k)/MaxCixels) % MaxCixels; ++ if (k < 0) ++ k=0; + symbol[j]=Cixel[k]; + } + symbol[j]='\0'; diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25898_2.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25898_2.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25898_2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25898_2.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,32 @@ +From: Dirk Lemstra +Date: Sun, 8 Feb 2026 14:15:18 +0100 +Subject: Fixed out of bound read with negative pixel index + (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vpxv-r9pg-7gpr) + +(cherry picked from commit abfbcfe8e7884deb3560c74569c96ee4b068f3a6) + +origin: backport, https://github.com/ImageMagick/ImageMagick6/commit/abfbcfe8e7884deb3560c74569c96ee4b068f3a6 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vpxv-r9pg-7gpr +--- + coders/xpm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/coders/xpm.c b/coders/xpm.c +index 806cd1f..910ff8c 100644 +--- a/coders/xpm.c ++++ b/coders/xpm.c +@@ -908,10 +908,14 @@ static MagickBooleanType WritePICONImage(const ImageInfo *image_info, + for (x=0; x < (ssize_t) picon->columns; x++) + { + k=((ssize_t) GetPixelIndex(indexes+x) % MaxCixels); ++ if (k < 0) ++ k=0; + symbol[0]=Cixel[k]; + for (j=1; j < (ssize_t) characters_per_pixel; j++) + { + k=(((int) GetPixelIndex(indexes+x)-k)/MaxCixels) % MaxCixels; ++ if (k < 0) ++ k=0; + symbol[j]=Cixel[k]; + } + symbol[j]='\0'; diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25970.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25970.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25970.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25970.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,155 @@ +From: Cristy +Date: Sun, 1 Feb 2026 13:55:31 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xg29-8ghv-v4xr + +a signed integer overflow vulnerability in ImageMagick's SIXEL decoder allows an attacker to trigger memory corruption and denial of service when processing a maliciously crafted SIXEL image file + +(cherry picked from commit 9dd1ce6d8c1f66971cef275fb31cc079b9f4e186) + +origin: https://github.com/ImageMagick/ImageMagick6/commit/9dd1ce6d8c1f66971cef275fb31cc079b9f4e186 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xg29-8ghv-v4xr +--- + coders/sixel.c | 59 +++++++++++++++++++++++++++++----------------------------- + 1 file changed, 29 insertions(+), 30 deletions(-) + +diff --git a/coders/sixel.c b/coders/sixel.c +index 5f38411..adcd205 100644 +--- a/coders/sixel.c ++++ b/coders/sixel.c +@@ -235,8 +235,8 @@ MagickBooleanType sixel_decode(Image *image, + unsigned char /* out */ **palette, /* ARGB palette */ + size_t /* out */ *ncolors /* palette size (<= 256) */) + { +- int n, i, r, g, b, sixel_vertical_mask, c; +- int posision_x, posision_y; ++ int n, r, g, b, sixel_vertical_mask, c; ++ int position_x, position_y; + int max_x, max_y; + int attributed_pan, attributed_pad; + int attributed_ph, attributed_pv; +@@ -244,13 +244,12 @@ MagickBooleanType sixel_decode(Image *image, + int param[10] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; + int sixel_palet[SIXEL_PALETTE_MAX]; + unsigned char *imbuf, *dmbuf; +- int imsx, imsy; +- int dmsx, dmsy; +- int y; +- size_t extent,offset; ++ size_t extent; ++ ssize_t i, imsx, imsy, offset, y; ++ ssize_t dmsx, dmsy; + + extent=strlen((char *) p); +- posision_x = posision_y = 0; ++ position_x = position_y = 0; + max_x = max_y = 0; + attributed_pan = 2; + attributed_pad = 1; +@@ -420,22 +419,22 @@ MagickBooleanType sixel_decode(Image *image, + } else if (*p == '$') { + /* DECGCR Graphics Carriage Return */ + p++; +- posision_x = 0; ++ position_x = 0; + repeat_count = 1; + + } else if (*p == '-') { + /* DECGNL Graphics Next Line */ + p++; +- posision_x = 0; +- posision_y += 6; ++ position_x = 0; ++ position_y += 6; + repeat_count = 1; + + } else if (*p >= '?' && *p <= '\177') { +- if (imsx < (posision_x + repeat_count) || imsy < (posision_y + 6)) { +- int nx = imsx * 2; +- int ny = imsy * 2; ++ if (imsx < ((ssize_t) position_x+repeat_count) || imsy < ((ssize_t) position_y+6)) { ++ ssize_t nx = imsx * 2; ++ ssize_t ny = imsy * 2; + +- while (nx < (posision_x + repeat_count) || ny < (posision_y + 6)) { ++ while (nx < ((ssize_t) position_x+repeat_count) || ny < ((ssize_t) position_y+6)) { + nx *= 2; + ny *= 2; + } +@@ -463,7 +462,7 @@ MagickBooleanType sixel_decode(Image *image, + max_color_index = color_index; + } + if ((b = *(p++) - '?') == 0) { +- posision_x += repeat_count; ++ position_x += repeat_count; + + } else { + sixel_vertical_mask = 0x01; +@@ -471,23 +470,23 @@ MagickBooleanType sixel_decode(Image *image, + if (repeat_count <= 1) { + for (i = 0; i < 6; i++) { + if ((b & sixel_vertical_mask) != 0) { +- offset=(size_t) imsx * (posision_y + i) + posision_x; +- if (offset >= (size_t) imsx * imsy) ++ offset=imsx*(position_y+i)+position_x; ++ if (offset >= (imsx*imsy)) + { + imbuf = (unsigned char *) RelinquishMagickMemory(imbuf); + return (MagickFalse); + } + imbuf[offset] = color_index; +- if (max_x < posision_x) { +- max_x = posision_x; ++ if (max_x < position_x) { ++ max_x = position_x; + } +- if (max_y < (posision_y + i)) { +- max_y = posision_y + i; ++ if (max_y < (position_y + i)) { ++ max_y = position_y + i; + } + } + sixel_vertical_mask <<= 1; + } +- posision_x += 1; ++ position_x += 1; + + } else { /* repeat_count > 1 */ + for (i = 0; i < 6; i++) { +@@ -499,20 +498,20 @@ MagickBooleanType sixel_decode(Image *image, + } + c <<= 1; + } +- for (y = posision_y + i; y < posision_y + i + n; ++y) { +- offset=(size_t) imsx * y + posision_x; +- if (offset + repeat_count >= (size_t) imsx * imsy) ++ for (y = position_y + i; y < position_y + i + n; ++y) { ++ offset=imsx*y+position_x; ++ if ((offset+repeat_count) >= (imsx*imsy)) + { + imbuf = (unsigned char *) RelinquishMagickMemory(imbuf); + return (MagickFalse); + } + (void) memset(imbuf + offset, color_index, repeat_count); + } +- if (max_x < (posision_x + repeat_count - 1)) { +- max_x = posision_x + repeat_count - 1; ++ if (max_x < (position_x + repeat_count - 1)) { ++ max_x = position_x + repeat_count - 1; + } +- if (max_y < (posision_y + i + n - 1)) { +- max_y = posision_y + i + n - 1; ++ if (max_y < (position_y + i + n - 1)) { ++ max_y = position_y + i + n - 1; + } + + i += (n - 1); +@@ -520,7 +519,7 @@ MagickBooleanType sixel_decode(Image *image, + } + sixel_vertical_mask <<= 1; + } +- posision_x += repeat_count; ++ position_x += repeat_count; + } + } + repeat_count = 1; diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25983.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25983.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25983.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25983.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,78 @@ +From: Dirk Lemstra +Date: Mon, 26 Jan 2026 21:11:02 +0100 +Subject: Run checks before accessing the image + (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fwqw-2x5x-w566). + +(cherry picked from commit e5d3ca6dfb76dccb5bdf73c74135e0fde2f9d0b7) + +origin: https://github.com/ImageMagick/ImageMagick6/commit/e5d3ca6dfb76dccb5bdf73c74135e0fde2f9d0b7 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fwqw-2x5x-w566 +--- + coders/msl.c | 26 ++++++++++++-------------- + 1 file changed, 12 insertions(+), 14 deletions(-) + +diff --git a/coders/msl.c b/coders/msl.c +index ed89da4..be7cb2a 100644 +--- a/coders/msl.c ++++ b/coders/msl.c +@@ -5161,20 +5161,19 @@ static void MSLStartElement(void *context,const xmlChar *tag, + } + else if (LocaleCompare((const char *) tag,"repage") == 0) + { +- /* init the values */ +- width=msl_info->image[n]->page.width; +- height=msl_info->image[n]->page.height; +- x=msl_info->image[n]->page.x; +- y=msl_info->image[n]->page.y; +- + if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); + break; + } ++ /* init the values */ ++ width=msl_info->image[n]->page.width; ++ height=msl_info->image[n]->page.height; ++ x=msl_info->image[n]->page.x; ++ y=msl_info->image[n]->page.y; + if (attributes == (const xmlChar **) NULL) +- break; ++ break; + for (i=0; (attributes[i] != (const xmlChar *) NULL); i++) + { + keyword=(const char *) attributes[i++]; +@@ -5527,7 +5526,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); + break; +- } ++ } + SetGeometry(msl_info->image[n],&geometry); + if (attributes != (const xmlChar **) NULL) + for (i=0; (attributes[i] != (const xmlChar *) NULL); i++) +@@ -5596,19 +5595,18 @@ static void MSLStartElement(void *context,const xmlChar *tag, + } + else if (LocaleCompare((const char *) tag,"roll") == 0) + { +- /* init the values */ +- width=msl_info->image[n]->columns; +- height=msl_info->image[n]->rows; +- x = y = 0; +- + if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); + break; + } ++ /* init the values */ ++ width=msl_info->image[n]->columns; ++ height=msl_info->image[n]->rows; ++ x = y = 0; + if (attributes == (const xmlChar **) NULL) +- break; ++ break; + for (i=0; (attributes[i] != (const xmlChar *) NULL); i++) + { + keyword=(const char *) attributes[i++]; diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25986.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25986.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25986.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25986.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,37 @@ +From: Cristy +Date: Sat, 7 Feb 2026 17:42:06 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mqfc-82jx-3mr2 + +a heap buffer overflow write vulnerability exists in ReadYUVImage() (coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace) images. The pixel-pair loop writes one pixel beyond the allocated row buffer. + +(cherry picked from commit 99340686966580c06a1599e247dc41fb59a430c8) + +origin: https://github.com/ImageMagick/ImageMagick6/commit/99340686966580c06a1599e247dc41fb59a430c8 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mqfc-82jx-3mr2 +--- + coders/yuv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/coders/yuv.c b/coders/yuv.c +index f69e0e7..2e74f17 100644 +--- a/coders/yuv.c ++++ b/coders/yuv.c +@@ -261,7 +261,7 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception) + chroma_image->columns,1,exception); + if (chroma_pixels == (PixelPacket *) NULL) + break; +- for (x=0; x < (ssize_t) image->columns; x+=2) ++ for (x=0; x < (ssize_t) (image->columns-1); x+=2) + { + SetPixelRed(chroma_pixels,0); + if (quantum == 1) +@@ -719,7 +719,7 @@ static MagickBooleanType WriteYUVImage(const ImageInfo *image_info,Image *image) + &chroma_image->exception); + if (s == (const PixelPacket *) NULL) + break; +- for (x=0; x < (ssize_t) yuv_image->columns; x+=2) ++ for (x=0; x < (ssize_t) (yuv_image->columns-1); x+=2) + { + if (quantum == 1) + { diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25987.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25987.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25987.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25987.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,28 @@ +From: Cristy +Date: Sat, 7 Feb 2026 18:03:17 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-42p5-62qq-mmh7 + +A heap buffer over-read vulnerability exists in the MAP image decoder when processing crafted MAP files, potentially leading to crashes or unintended memory disclosure during image decoding. + +(cherry picked from commit a842cd896a19744b5577b6113990faaae14569b0) + +origin: https://github.com/ImageMagick/ImageMagick6/commit/a842cd896a19744b5577b6113990faaae14569b0 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-42p5-62qq-mmh7 +--- + coders/map.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/coders/map.c b/coders/map.c +index 901f250..b686fe5 100644 +--- a/coders/map.c ++++ b/coders/map.c +@@ -164,6 +164,8 @@ static Image *ReadMAPImage(const ImageInfo *image_info,ExceptionInfo *exception) + if (status == MagickFalse) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + depth=GetImageQuantumDepth(image,MagickTrue); ++ if ((depth <= 8) && (image->colors > 256)) ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + packet_size=(size_t) (depth/8); + pixels=(unsigned char *) AcquireQuantumMemory(image->columns,packet_size* + sizeof(*pixels)); diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25988.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25988.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25988.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25988.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,45 @@ +From: Cristy +Date: Sat, 7 Feb 2026 17:53:15 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-782x-jh29-9mf7 + +sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks + +(cherry picked from commit d2e99064d65f5955f39d92e4b208089409118683) + +origin: https://github.com/ImageMagick/ImageMagick6/commit/d2e99064d65f5955f39d92e4b208089409118683 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-782x-jh29-9mf7 +--- + coders/msl.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/coders/msl.c b/coders/msl.c +index be7cb2a..0bc1ded 100644 +--- a/coders/msl.c ++++ b/coders/msl.c +@@ -554,7 +554,7 @@ static void MSLEndDocument(void *context) + #endif + } + +-static void MSLPushImage(MSLInfo *msl_info,Image *image) ++static ssize_t MSLPushImage(MSLInfo *msl_info,Image *image) + { + ssize_t + n; +@@ -590,6 +590,7 @@ static void MSLPushImage(MSLInfo *msl_info,Image *image) + ThrowFatalException(ResourceLimitFatalError,"MemoryAllocationFailed"); + if (msl_info->number_groups != 0) + msl_info->group_info[msl_info->number_groups-1].numImages++; ++ return(n); + } + + static void MSLPopImage(MSLInfo *msl_info) +@@ -3376,7 +3377,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + { + if (LocaleCompare((const char *) tag,"image") == 0) + { +- MSLPushImage(msl_info,(Image *) NULL); ++ n=MSLPushImage(msl_info,(Image *) NULL); + if (attributes == (const xmlChar **) NULL) + break; + for (i=0; (attributes[i] != (const xmlChar *) NULL); i++) diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25989.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25989.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25989.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25989.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,52 @@ +From: Cristy +Date: Sat, 7 Feb 2026 16:06:29 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7355-pwx2-pm84 + +(cherry picked from commit 7fc7208f8f3073d768b8b1658fd6ecda1ef6e1c5) + +origin: https://github.com/ImageMagick/ImageMagick6/commit/7fc7208f8f3073d768b8b1658fd6ecda1ef6e1c5 +--- + magick/image-private.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/magick/image-private.h b/magick/image-private.h +index d8ce7ae..3ba4383 100644 +--- a/magick/image-private.h ++++ b/magick/image-private.h +@@ -72,7 +72,7 @@ static inline int CastDoubleToInt(const double x) + errno=ERANGE; + return(0); + } +- if (value > ((double) MAGICK_INT_MAX)) ++ if (value >= ((double) MAGICK_INT_MAX)) + { + errno=ERANGE; + return(MAGICK_INT_MAX); +@@ -96,7 +96,7 @@ static inline ssize_t CastDoubleToLong(const double x) + errno=ERANGE; + return(MAGICK_SSIZE_MIN); + } +- if (value > ((double) MAGICK_SSIZE_MAX)) ++ if (value >= ((double) MAGICK_SSIZE_MAX)) + { + errno=ERANGE; + return(MAGICK_SSIZE_MAX); +@@ -120,7 +120,7 @@ static inline QuantumAny CastDoubleToQuantumAny(const double x) + errno=ERANGE; + return(0); + } +- if (value > ((double) ((QuantumAny) ~0))) ++ if (value >= ((double) ((QuantumAny) ~0))) + { + errno=ERANGE; + return((QuantumAny) ~0); +@@ -144,7 +144,7 @@ static inline size_t CastDoubleToUnsigned(const double x) + errno=ERANGE; + return(0); + } +- if (value > ((double) MAGICK_SIZE_MAX)) ++ if (value >= ((double) MAGICK_SIZE_MAX)) + { + errno=ERANGE; + return(MAGICK_SIZE_MAX); diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25989_pre1.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25989_pre1.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25989_pre1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25989_pre1.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,109 @@ +From: Cristy +Date: Sat, 18 Oct 2025 10:55:01 -0400 +Subject: optimize cast methods + +(cherry picked from commit 638ef47e90fe7de9717cf96018a271bf256ad080) + +origin: https://github.com/ImageMagick/ImageMagick6/commit/638ef47e90fe7de9717cf96018a271bf256ad080 +--- + magick/image-private.h | 58 ++++++++++++++++++++++++++++---------------------- + 1 file changed, 33 insertions(+), 25 deletions(-) + +diff --git a/magick/image-private.h b/magick/image-private.h +index bfe0a81..f6050ab 100644 +--- a/magick/image-private.h ++++ b/magick/image-private.h +@@ -38,6 +38,8 @@ extern "C" { + #define MagickPHI 1.61803398874989484820458683436563811772030917980576 + #define MagickPI2 1.57079632679489661923132169163975144209858469968755 + #define MagickPI 3.14159265358979323846264338327950288419716939937510 ++#define MAGICK_PTRDIFF_MAX (PTRDIFF_MAX) ++#define MAGICK_PTRDIFF_MIN (-PTRDIFF_MAX-1) + #define MagickSQ1_2 0.70710678118654752440084436210484903928483593768847 + #define MagickSQ2 1.41421356237309504880168872420969807856967187537695 + #define MagickSQ2PI 2.50662827463100024161235523934010416269302368164062 +@@ -63,36 +65,42 @@ static inline size_t CastDoubleToLong(const double x) + errno=ERANGE; + return(0); + } +- if (x < 0.0) ++ value=(x < 0.0) ? ceil(x) : floor(x); ++ if (value < ((double) MAGICK_SSIZE_MIN)) + { +- value=ceil(x); +- if (value < ((double) MAGICK_SSIZE_MIN)) +- { +- errno=ERANGE; +- return((ssize_t) MAGICK_SSIZE_MIN); +- } ++ errno=ERANGE; ++ return(MAGICK_SSIZE_MIN); + } +- else ++ if (value > ((double) MAGICK_SSIZE_MAX)) + { +- value=floor(x); +- if (value > ((double) MAGICK_SSIZE_MAX)) +- { +- errno=ERANGE; +- return((ssize_t) MAGICK_SSIZE_MAX); +- } ++ errno=ERANGE; ++ return(MAGICK_SSIZE_MAX); + } + return((ssize_t) value); + } + + static inline QuantumAny CastDoubleToQuantumAny(const double x) + { ++ double ++ value; ++ + if (IsNaN(x) != 0) +- return(0); +- if (x > ((double) ((QuantumAny) ~0))) +- return((QuantumAny) ~0); +- if (x < 0.0) +- return(0.0); +- return((QuantumAny) (x+0.5)); ++ { ++ errno=ERANGE; ++ return(0); ++ } ++ value=(x < 0.0) ? ceil(x) : floor(x); ++ if (value < 0.0) ++ { ++ errno=ERANGE; ++ return(0); ++ } ++ if (value > ((double) ((QuantumAny) ~0))) ++ { ++ errno=ERANGE; ++ return((QuantumAny) ~0); ++ } ++ return((QuantumAny) value); + } + + static inline size_t CastDoubleToUnsigned(const double x) +@@ -105,16 +113,16 @@ static inline size_t CastDoubleToUnsigned(const double x) + errno=ERANGE; + return(0); + } +- value=floor(x); +- if (value >= ((double) MAGICK_SIZE_MAX)) ++ value=(x < 0.0) ? ceil(x) : floor(x); ++ if (value < 0.0) + { + errno=ERANGE; +- return((size_t) MAGICK_SIZE_MAX); ++ return(0); + } +- if (value < 0.0) ++ if (value > ((double) MAGICK_SIZE_MAX)) + { + errno=ERANGE; +- return(0); ++ return(MAGICK_SIZE_MAX); + } + return((size_t) value); + } diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25989_pre2.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25989_pre2.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25989_pre2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25989_pre2.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,85 @@ +From: Cristy +Date: Wed, 4 Feb 2026 19:23:41 -0500 +Subject: https://github.com/ImageMagick/ImageMagick/issues/8556 + +(cherry picked from commit 370cdbdfd5ede94c2136d4cf20fe1aab21e38388) + +origin: https://github.com/ImageMagick/ImageMagick6/commit/370cdbdfd5ede94c2136d4cf20fe1aab21e38388 +--- + coders/dcm.c | 9 +++++---- + magick/image-private.h | 27 ++++++++++++++++++++++++++- + 2 files changed, 31 insertions(+), 5 deletions(-) + +diff --git a/coders/dcm.c b/coders/dcm.c +index 6c6da95..f28d813b 100644 +--- a/coders/dcm.c ++++ b/coders/dcm.c +@@ -2918,7 +2918,7 @@ static MagickBooleanType ReadDCMPixels(Image *image,DCMInfo *info, + + scaled_value=pixel_value*info->rescale_slope+ + info->rescale_intercept; +- index=(int) scaled_value; ++ index=CastDoubleToInt(scaled_value); + if (info->window_width != 0) + { + double +@@ -2933,10 +2933,11 @@ static MagickBooleanType ReadDCMPixels(Image *image,DCMInfo *info, + index=0; + else + if (scaled_value > window_max) +- index=(int) info->max_value; ++ index=CastDoubleToInt(info->max_value); + else +- index=(int) (info->max_value*(((scaled_value- +- info->window_center-0.5)/(info->window_width-1))+0.5)); ++ index=CastDoubleToInt(info->max_value*(((scaled_value- ++ info->window_center-0.5)*MagickSafeReciprocal( ++ info->window_width-1.0))+0.5)); + } + } + index&=info->mask; +diff --git a/magick/image-private.h b/magick/image-private.h +index f6050ab..d8ce7ae 100644 +--- a/magick/image-private.h ++++ b/magick/image-private.h +@@ -35,6 +35,7 @@ extern "C" { + #define MagickAbsoluteValue(x) ((x) < 0 ? -(x) : (x)) + #define MagickMax(x,y) (((x) > (y)) ? (x) : (y)) + #define MagickMin(x,y) (((x) < (y)) ? (x) : (y)) ++#define MAGICK_INT_MAX (INT_MAX) + #define MagickPHI 1.61803398874989484820458683436563811772030917980576 + #define MagickPI2 1.57079632679489661923132169163975144209858469968755 + #define MagickPI 3.14159265358979323846264338327950288419716939937510 +@@ -55,7 +56,31 @@ extern "C" { + #define UndefinedCompressionQuality 0UL + #define UndefinedTicksPerSecond 100L + +-static inline size_t CastDoubleToLong(const double x) ++static inline int CastDoubleToInt(const double x) ++{ ++ double ++ value; ++ ++ if (IsNaN(x) != 0) ++ { ++ errno=ERANGE; ++ return(0); ++ } ++ value=(x < 0.0) ? ceil(x) : floor(x); ++ if (value < 0.0) ++ { ++ errno=ERANGE; ++ return(0); ++ } ++ if (value > ((double) MAGICK_INT_MAX)) ++ { ++ errno=ERANGE; ++ return(MAGICK_INT_MAX); ++ } ++ return((int) value); ++} ++ ++static inline ssize_t CastDoubleToLong(const double x) + { + double + value; diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-26066.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-26066.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-26066.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-26066.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,47 @@ +From: Dirk Lemstra +Date: Thu, 12 Feb 2026 07:48:16 +0100 +Subject: Fixed possible infinite loop + (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v994-63cg-9wj3) + +(cherry picked from commit c20c915e2fea200b6210b4759a6f83bba077ed78) + +origin: https://github.com/ImageMagick/ImageMagick6/commit/c20c915e2fea200b6210b4759a6f83bba077ed78 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v994-63cg-9wj3 +--- + coders/meta.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/coders/meta.c b/coders/meta.c +index a1e602b..de494b5 100644 +--- a/coders/meta.c ++++ b/coders/meta.c +@@ -1951,7 +1951,7 @@ static int formatIPTC(Image *ifile, Image *ofile) + foundiptc = 0; /* found the IPTC-Header */ + tagsfound = 0; /* number of tags found */ + +- c = ReadBlobByte(ifile); ++ c=ReadBlobByte(ifile); + while (c != EOF) + { + if (c == 0x1c) +@@ -1962,17 +1962,17 @@ static int formatIPTC(Image *ifile, Image *ofile) + return(-1); + else + { +- c=0; ++ c=ReadBlobByte(ifile); + continue; + } + } + + /* we found the 0x1c tag and now grab the dataset and record number tags */ +- c = ReadBlobByte(ifile); ++ c=ReadBlobByte(ifile); + if (c == EOF) + return(-1); + dataset = (unsigned char) c; +- c = ReadBlobByte(ifile); ++ c=ReadBlobByte(ifile); + if (c == EOF) + return(-1); + recnum = (unsigned char) c; diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-26283.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-26283.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-26283.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-26283.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,36 @@ +From: Cristy +Date: Fri, 13 Feb 2026 18:57:13 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gwr3-x37h-h84v + +a `continue` statement in the JPEG extent binary search loop in the jpeg encoder causes an infinite loop when writing persistently fails. An attacker can trigger a 100% CPU consumption and process hang (Denial of Service) with a crafted image. + +(cherry picked from commit 8b47529f22404853d22205583087add01ea9fae8) + +origin: backport, https://github.com/ImageMagick/ImageMagick6/commit/8b47529f22404853d22205583087add01ea9fae8 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gwr3-x37h-h84v +--- + coders/jpeg.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/coders/jpeg.c b/coders/jpeg.c +index 02af2bb..c238b00 100644 +--- a/coders/jpeg.c ++++ b/coders/jpeg.c +@@ -2552,12 +2552,14 @@ static MagickBooleanType WriteJPEGImage_(const ImageInfo *image_info, + { + (void) AcquireUniqueFilename(jpeg_image->filename); + jpeg_image->quality=minimum+(maximum-minimum+1)/2; +- (void) WriteJPEGImage(jpeg_info,jpeg_image); ++ status=WriteJPEGImage(jpeg_info,jpeg_image); ++ (void) RelinquishUniqueFileResource(jpeg_image->filename); ++ if (status == MagickFalse) ++ break; + if (GetBlobSize(jpeg_image) <= extent) + minimum=jpeg_image->quality+1; + else + maximum=jpeg_image->quality-1; +- (void) RelinquishUniqueFileResource(jpeg_image->filename); + } + quality=(int) minimum-1; + jpeg_image=DestroyImage(jpeg_image); diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-27798.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-27798.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-27798.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-27798.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,29 @@ +From: Cristy +Date: Tue, 17 Feb 2026 20:14:57 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qpgx-jfcq-r59f + +a heap buffer over-read vulnerability occurs when processing an image with small dimension using the `-wavelet-denoise` operator + +origin: https://github.com/ImageMagick/ImageMagick6/commit/59edeec2b2adf2ca37454d622f3bca2a61893146 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qpgx-jfcq-r59f +--- + magick/visual-effects.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/magick/visual-effects.c b/magick/visual-effects.c +index b263978..2e78057 100644 +--- a/magick/visual-effects.c ++++ b/magick/visual-effects.c +@@ -3530,9 +3530,9 @@ MagickExport Image *WaveletDenoiseImage(const Image *image, + noise_image=DestroyImage(noise_image); + return((Image *) NULL); + } +- if (AcquireMagickResource(WidthResource,3*image->columns) == MagickFalse) ++ if (AcquireMagickResource(WidthResource,4*image->columns) == MagickFalse) + ThrowImageException(ResourceLimitError,"MemoryAllocationFailed"); +- pixels_info=AcquireVirtualMemory(3*image->columns,image->rows* ++ pixels_info=AcquireVirtualMemory(4*image->columns,image->rows* + sizeof(*pixels)); + kernel=(float *) AcquireQuantumMemory(MagickMax(image->rows,image->columns)+1, + GetOpenMPMaximumThreads()*sizeof(*kernel)); diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-27799.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-27799.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-27799.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-27799.patch 2026-03-06 16:54:58.000000000 +0000 @@ -0,0 +1,28 @@ +From: Dirk Lemstra +Date: Tue, 10 Feb 2026 21:30:34 +0100 +Subject: Corrected type to avoid an overflow + (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r99p-5442-q2x2) + +(cherry picked from commit 958ca384aa84ca48fbe3af07bb8d1708ab4d6143) + +origin: https://github.com/ImageMagick/ImageMagick6/commit/958ca384aa84ca48fbe3af07bb8d1708ab4d6143 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r99p-5442-q2x2 +--- + coders/djvu.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/coders/djvu.c b/coders/djvu.c +index 32f4f55..dffcbf8 100644 +--- a/coders/djvu.c ++++ b/coders/djvu.c +@@ -333,7 +333,9 @@ get_page_image(LoadContext *lc, ddjvu_page_t *page, int x, int y, int w, int h, + *image; + + int +- ret, ++ ret; ++ ++ size_t + stride; + + unsigned char diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/series imagemagick-6.9.11.60+dfsg/debian/patches/series --- imagemagick-6.9.11.60+dfsg/debian/patches/series 2026-01-21 21:54:51.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/series 2026-03-06 16:54:58.000000000 +0000 @@ -105,3 +105,32 @@ CVE-2026-23874.patch CVE-2026-23876.patch CVE-2026-23952.patch +CVE-2026-24481.patch +CVE-2026-24484_1.patch +CVE-2026-24484_2.patch +CVE-2026-24485.patch +CVE-2026-25576_1.patch +CVE-2026-25576_2.patch +CVE-2026-25638.patch +CVE-2026-25795.patch +CVE-2026-25796.patch +CVE-2026-25797_CVE-2026-25965_CVE-2026-25968_CVE-2026-25982.patch +CVE-2026-25797_1_post.patch +CVE-2026-25797_2.patch +CVE-2026-25798.patch +CVE-2026-25799.patch +CVE-2026-25897.patch +CVE-2026-25898_1.patch +CVE-2026-25898_2.patch +CVE-2026-25970.patch +CVE-2026-25983.patch +CVE-2026-25986.patch +CVE-2026-25987.patch +CVE-2026-25988.patch +CVE-2026-25989_pre1.patch +CVE-2026-25989_pre2.patch +CVE-2026-25989.patch +CVE-2026-26066.patch +CVE-2026-26283.patch +CVE-2026-27798.patch +CVE-2026-27799.patch