Version in base suite: 3.4.3~rc2-2 Base version: php-imagick_3.4.3~rc2-2 Target version: php-imagick_3.4.3~rc2-2+deb9u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/php-imagick/php-imagick_3.4.3~rc2-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/php-imagick/php-imagick_3.4.3~rc2-2+deb9u1.dsc changelog | 8 patches/CVE-2019-11037/0001-Bounds-check-kernel-origin-position.patch | 183 ++++++++++ patches/CVE-2019-11037/0002-avoid-unsigned-less-than-equal-warning.patch | 63 +++ patches/CVE-2019-11037/0003-Typo.patch | 28 + patches/CVE-2019-11037/0004-Change-to-unsigned-long-to-avoid-C-complaining.patch | 48 ++ patches/CVE-2019-11037/0005-Correcting-signed-unsigned-checking.patch | 39 ++ patches/CVE-2019-11037/0006-And-so-the-long-day-wore-on.patch | 47 ++ patches/CVE-2019-11037/0008-Corrected-typo-for-columns-rows.patch | 102 +++++ patches/series | 7 9 files changed, 525 insertions(+) diff -Nru php-imagick-3.4.3~rc2/debian/changelog php-imagick-3.4.3~rc2/debian/changelog --- php-imagick-3.4.3~rc2/debian/changelog 2017-01-24 11:47:41.000000000 +0000 +++ php-imagick-3.4.3~rc2/debian/changelog 2019-11-24 13:34:13.000000000 +0000 
@@ -1,3 +1,11 @@
+php-imagick (3.4.3~rc2-2+deb9u1) stretch-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Out-of-bounds write to memory in ImagickKernel::fromMatrix()
+ (CVE-2019-11037) (Closes: #928420)
+
+ -- Salvatore Bonaccorso Sun, 24 Nov 2019 14:34:13 +0100
+
 php-imagick (3.4.3~rc2-2) unstable; urgency=medium
 
 [ Jeremy Bicha ]
diff -Nru php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0001-Bounds-check-kernel-origin-position.patch php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0001-Bounds-check-kernel-origin-position.patch
--- php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0001-Bounds-check-kernel-origin-position.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0001-Bounds-check-kernel-origin-position.patch 2019-11-24 13:17:38.000000000 +0000
@@ -0,0 +1,183 @@ +From: Danack +Date: Tue, 26 Mar 2019 13:48:27 +0000 +Subject: [1/8] Bounds check kernel origin position. +Origin: https://github.com/mkoppanen/imagick/commit/7187b37250b87edb75160c7beda980f2fa308f5d +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11037 +Bug-Debian: https://bugs.debian.org/928420 +Bug: https://bugs.php.net/bug.php?id=77791 + +--- + imagickkernel_class.c | 45 ++++++++++++ + ...magickkernel_exception_invalid_origin.phpt | 69 +++++++++++++++++++ + 2 files changed, 114 insertions(+) + create mode 100644 tests/280_imagickkernel_exception_invalid_origin.phpt + +--- a/imagick-3.4.3RC2/imagickkernel_class.c ++++ b/imagick-3.4.3RC2/imagickkernel_class.c +@@ -215,6 +215,8 @@ PHP_METHOD(imagickkernel, __construct) + #define MATRIX_ERROR_UNEVEN "Values must be matrix, with the same number of columns in each row." + #define MATRIX_ERROR_BAD_VALUE "Only numbers or false are valid values in a kernel matrix." + #define MATRIX_ORIGIN_REQUIRED "For kernels with even numbered rows or columns, the origin position must be specified." ++#define MATRIX_ORIGIN_OUT_OF_BOUNDS_X "Matrix origin_x is out of bounds" ++#define MATRIX_ORIGIN_OUT_OF_BOUNDS_Y "Matrix origin_y is out of bounds" + + /* {{{ proto ImagickKernel ImagickKernel::fromMatrix(array matrix, [array origin]) + Create a kernel from an 2d matrix of values. 
Each value should either be a float +@@ -337,6 +339,8 @@ PHP_METHOD(imagickkernel, frommatrix) + else { + HashTable *origin_array_ht; + origin_array_ht = Z_ARRVAL_P(origin_array); ++ ++ // parse the origin_x + tmp = zend_hash_index_find(origin_array_ht, 0); + if (tmp != NULL) { + ZVAL_DEREF(tmp); +@@ -346,6 +350,17 @@ PHP_METHOD(imagickkernel, frommatrix) + php_imagick_throw_exception(IMAGICKKERNEL_CLASS, MATRIX_ORIGIN_REQUIRED TSRMLS_CC); + goto cleanup; + } ++ if (origin_x<0 || origin_x>=num_columns) { ++ zend_throw_exception_ex( ++ php_imagickkernel_exception_class_entry, ++ 5 TSRMLS_CC, ++ "origin_x for matrix is outside bounds of columns: " ZEND_LONG_FMT, ++ origin_x ++ ); ++ goto cleanup; ++ } ++ ++ // parse the origin_y + tmp = zend_hash_index_find(origin_array_ht, 1); + if (tmp != NULL) { + ZVAL_DEREF(tmp); +@@ -355,6 +370,15 @@ PHP_METHOD(imagickkernel, frommatrix) + php_imagick_throw_exception(IMAGICKKERNEL_CLASS, MATRIX_ORIGIN_REQUIRED TSRMLS_CC); + goto cleanup; + } ++ if (origin_y<0 || origin_y>=num_columns) { ++ zend_throw_exception_ex( ++ php_imagickkernel_exception_class_entry, ++ 5 TSRMLS_CC, ++ "origin_y for matrix is outside bounds of rows: " ZEND_LONG_FMT, ++ origin_x ++ ); ++ goto cleanup; ++ } + } + + kernel_info = imagick_createKernel(values, num_columns, num_rows, origin_x, origin_y); +@@ -481,6 +505,8 @@ PHP_METHOD(imagickkernel, frommatrix) + } + else { + origin_array_ht = Z_ARRVAL_P(origin_array); ++ ++ // parse and check the origin_x + if (zend_hash_index_find(origin_array_ht, 0, (void**)&tmp) == SUCCESS) { + origin_x = Z_LVAL_PP(tmp); + } +@@ -488,7 +514,17 @@ PHP_METHOD(imagickkernel, frommatrix) + php_imagick_throw_exception(IMAGICKKERNEL_CLASS, MATRIX_ORIGIN_REQUIRED TSRMLS_CC); + goto cleanup; + } ++ if (origin_x<0 || origin_x>=num_columns) { ++ zend_throw_exception_ex( ++ php_imagickkernel_exception_class_entry, ++ 5 TSRMLS_CC, ++ "origin_x for matrix is outside bounds of columns: %d", ++ origin_x ++ ); ++ goto cleanup; ++ } + ++ 
// parse and check the origin_y + if (zend_hash_index_find(origin_array_ht, 1, (void**)&tmp) == SUCCESS) { + origin_y = Z_LVAL_PP(tmp); + } +@@ -496,6 +532,15 @@ PHP_METHOD(imagickkernel, frommatrix) + php_imagick_throw_exception(IMAGICKKERNEL_CLASS, MATRIX_ORIGIN_REQUIRED TSRMLS_CC); + goto cleanup; + } ++ if (origin_y<0 || origin_y>=num_columns) { ++ zend_throw_exception_ex( ++ php_imagickkernel_exception_class_entry, ++ 5 TSRMLS_CC, ++ "origin_y for matrix is outside bounds of rows: %d", ++ origin_y ++ ); ++ goto cleanup; ++ } + } + + kernel_info = imagick_createKernel(values, num_columns, num_rows, origin_x, origin_y); +--- /dev/null ++++ b/imagick-3.4.3RC2/tests/280_imagickkernel_exception_invalid_origin.phpt +@@ -0,0 +1,69 @@ ++--TEST-- ++ImagickKernel::fromMatrix exceptions ++--SKIPIF-- ++ ++--FILE-- ++getMessage(); ++ } ++} ++ ++foreach ($invalidOrigins as $invalidOrigin) { ++ try { ++ $kernel = ImagickKernel::fromMatrix($kernelArray, $invalidOrigin); ++ echo "Exception wasn't thrown for case: \n"; ++ var_dump($invalidOrigin); ++ } ++ catch (\ImagickKernelException $e) { ++ $message = $e->getMessage(); ++ if (strpos($message, "origin_y for matrix is outside bounds of rows") === 0) { ++ // this is fine. ++ } ++ else if (strpos($message, "origin_x for matrix is outside bounds of columns") === 0) { ++ // this is fine. ++ } ++ else { ++ echo "Unexpected message: " . $message . "\n"; ++ } ++ } ++} ++ ++echo "Complete".PHP_EOL; ++?> ++--EXPECTF-- ++Complete diff -Nru php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0002-avoid-unsigned-less-than-equal-warning.patch php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0002-avoid-unsigned-less-than-equal-warning.patch --- php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0002-avoid-unsigned-less-than-equal-warning.patch 1970-01-01 00:00:00.000000000 +0000 +++ php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0002-avoid-unsigned-less-than-equal-warning.patch 2019-11-24 13:06:00.000000000 +0000 
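Review bot: The origin_y check added at @@ -355,6 +370,15 passes `origin_x` as the format argument, so the "origin_y for matrix is outside bounds of rows" exception reports the wrong value; it should be `origin_y`, as the second copy of the check at @@ -496,6 +532,15 already does. Both origin_y checks also compare against `num_columns` instead of `num_rows`; 0008 in this series corrects the bound, but none of the patches shown here changes the format argument. In the @@ -481 copy the value is read with `Z_LVAL_PP(tmp)` and no type test is visible in the hunk, so it is worth confirming that a non-integer origin element cannot reach the comparison as a raw union read. The frommatrix body starts and ends outside these hunks.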
@@ -0,0 +1,63 @@
+From: Danack
+Date: Tue, 26 Mar 2019 13:56:32 +0000
+Subject: [2/8] avoid unsigned less than equal warning.
+Origin: https://github.com/mkoppanen/imagick/commit/c75c023ed9cd6c0e4e737af1e5c20fc2eae58c6d
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11037
+Bug-Debian: https://bugs.debian.org/928420
+Bug: https://bugs.php.net/bug.php?id=77791
+
+---
+ imagickkernel_class.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/imagickkernel_class.c b/imagickkernel_class.c
+index e0a46e873a3a..ebd394688692 100644
+--- a/imagick-3.4.3RC2/imagickkernel_class.c
++++ b/imagick-3.4.3RC2/imagickkernel_class.c
+@@ -353,7 +353,9 @@ PHP_METHOD(imagickkernel, frommatrix)
+ php_imagick_throw_exception(IMAGICKKERNEL_CLASS, MATRIX_ORIGIN_REQUIRED TSRMLS_CC);
+ goto cleanup;
+ }
+- if (origin_x<0 || origin_x>=num_columns) {
++ // origin_x is unsigned, so checking for > num_columns, also
++ // checks for < 0
++ if (origin_x>=num_columns) {
+ zend_throw_exception_ex(
+ php_imagickkernel_exception_class_entry,
+ 5 TSRMLS_CC,
+@@ -373,6 +375,8 @@ PHP_METHOD(imagickkernel, frommatrix)
+ php_imagick_throw_exception(IMAGICKKERNEL_CLASS, MATRIX_ORIGIN_REQUIRED TSRMLS_CC);
+ goto cleanup;
+ }
++ // origin_y is unsigned, so checking for > num_columns, also
++ // checks for < 0
+ if (origin_y<0 || origin_y>=num_columns) {
+ zend_throw_exception_ex(
+ php_imagickkernel_exception_class_entry,
+@@ -517,7 +521,10 @@ PHP_METHOD(imagickkernel, frommatrix)
+ php_imagick_throw_exception(IMAGICKKERNEL_CLASS, MATRIX_ORIGIN_REQUIRED TSRMLS_CC);
+ goto cleanup;
+ }
+- if (origin_x<0 || origin_x>=num_columns) {
++
++ // origin_x is unsigned, so checking for > num_columns, also
++ // checks for < 0
++ if (origin_x>=num_columns) {
+ zend_throw_exception_ex(
+ php_imagickkernel_exception_class_entry,
+ 5 TSRMLS_CC,
+@@ -535,7 +542,10 @@ PHP_METHOD(imagickkernel, frommatrix)
+ php_imagick_throw_exception(IMAGICKKERNEL_CLASS, MATRIX_ORIGIN_REQUIRED TSRMLS_CC);
+ goto cleanup;
+ }
+- if (origin_y<0 || origin_y>=num_columns) {
++
++ // origin_y is unsigned, so checking for > num_columns, also
++ // checks for < 0
++ if (origin_y>=num_columns) {
+ zend_throw_exception_ex(
+ php_imagickkernel_exception_class_entry,
+ 5 TSRMLS_CC,
+--
+2.20.1
+
diff -Nru php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0003-Typo.patch php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0003-Typo.patch
--- php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0003-Typo.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0003-Typo.patch 2019-11-24 13:06:00.000000000 +0000
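Review bot: The new comments say "checking for > num_columns" while the condition is `origin_x>=num_columns`, and they assert that origin_x and origin_y are unsigned although the declaration is not visible in these hunks. Dropping the `<0` test makes the bounds check depend entirely on that type, so I would spell the reasoning out, e.g. `// origin_x is unsigned: a negative PHP integer wraps to a huge value, so >= num_columns rejects it too`, and confirm the variable is at least as wide as `num_columns`. The @@ -373,6 +375,8 hunk adds the comment but keeps `origin_y<0 ||`; 0003 in this series removes it.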
@@ -0,0 +1,28 @@
+From: Danack
+Date: Tue, 26 Mar 2019 14:00:24 +0000
+Subject: [3/8] Typo.
+Origin: https://github.com/mkoppanen/imagick/commit/d1c4f87142c596df52bbd2c84e236aa9e9f7a0f8
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11037
+Bug-Debian: https://bugs.debian.org/928420
+Bug: https://bugs.php.net/bug.php?id=77791
+
+---
+ imagickkernel_class.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/imagickkernel_class.c b/imagickkernel_class.c
+index ebd394688692..1ab9dc1d330e 100644
+--- a/imagick-3.4.3RC2/imagickkernel_class.c
++++ b/imagick-3.4.3RC2/imagickkernel_class.c
+@@ -377,7 +377,7 @@ PHP_METHOD(imagickkernel, frommatrix)
+ }
+ // origin_y is unsigned, so checking for > num_columns, also
+ // checks for < 0
+- if (origin_y<0 || origin_y>=num_columns) {
++ if (origin_y>=num_columns) {
+ zend_throw_exception_ex(
+ php_imagickkernel_exception_class_entry,
+ 5 TSRMLS_CC,
+--
+2.20.1
+
diff -Nru php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0004-Change-to-unsigned-long-to-avoid-C-complaining.patch php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0004-Change-to-unsigned-long-to-avoid-C-complaining.patch
--- php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0004-Change-to-unsigned-long-to-avoid-C-complaining.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0004-Change-to-unsigned-long-to-avoid-C-complaining.patch 2019-11-24 13:18:25.000000000 +0000
@@ -0,0 +1,48 @@
+From: Danack
+Date: Tue, 26 Mar 2019 14:06:21 +0000
+Subject: [4/8] Change to unsigned long to avoid C complaining.
+Origin: https://github.com/mkoppanen/imagick/commit/8f6c7f179b7c66b72d97dfce9bf156d773bf9581
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11037
+Bug-Debian: https://bugs.debian.org/928420
+Bug: https://bugs.php.net/bug.php?id=77791
+
+---
+ imagickkernel_class.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/imagick-3.4.3RC2/imagickkernel_class.c
++++ b/imagick-3.4.3RC2/imagickkernel_class.c
+@@ -215,8 +215,6 @@ PHP_METHOD(imagickkernel, __construct)
+ #define MATRIX_ERROR_UNEVEN "Values must be matrix, with the same number of columns in each row."
+ #define MATRIX_ERROR_BAD_VALUE "Only numbers or false are valid values in a kernel matrix."
+ #define MATRIX_ORIGIN_REQUIRED "For kernels with even numbered rows or columns, the origin position must be specified."
+-#define MATRIX_ORIGIN_OUT_OF_BOUNDS_X "Matrix origin_x is out of bounds"
+-#define MATRIX_ORIGIN_OUT_OF_BOUNDS_Y "Matrix origin_y is out of bounds"
+
+ /* {{{ proto ImagickKernel ImagickKernel::fromMatrix(array matrix, [array origin])
+ Create a kernel from an 2d matrix of values. Each value should either be a float
+@@ -231,7 +229,7 @@ PHP_METHOD(imagickkernel, frommatrix)
+ zval *origin_array;
+ HashTable *inner_array;
+ KernelInfo *kernel_info;
+- long num_rows, num_columns;
++ unsigned long num_rows, num_columns = 0;
+ int previous_num_columns;
+ int row, column;
+
+@@ -405,7 +403,7 @@ PHP_METHOD(imagickkernel, frommatrix)
+ zval *origin_array;
+ HashTable *inner_array;
+ KernelInfo *kernel_info;
+- long num_rows, num_columns;
++ unsigned long num_rows, num_columns = 0;
+ int previous_num_columns;
+ int row, column;
+
+@@ -845,4 +843,4 @@ PHP_METHOD(imagickkernel, addunitykernel
+ }
+ /* }}} */
+
+-#endif
+\ No newline at end of file
++#endif
diff -Nru php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0005-Correcting-signed-unsigned-checking.patch php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0005-Correcting-signed-unsigned-checking.patch
--- php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0005-Correcting-signed-unsigned-checking.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0005-Correcting-signed-unsigned-checking.patch 2019-11-24 13:13:08.000000000 +0000
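Review bot: `unsigned long num_rows, num_columns = 0;` initialises only `num_columns`; `num_rows` still has no initial value in either copy of frommatrix (@@ -231,7 and @@ -405,7). Its first assignment is outside these hunks, so either confirm it is always set before the origin bounds checks read it, or write `unsigned long num_rows = 0, num_columns = 0;`. The neighbouring `int previous_num_columns;` and `int row, column;` stay signed here, which leaves comparisons such as `previous_num_columns != num_columns` (visible in 0005) mixed-sign until 0005 and 0006 are applied.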
@@ -0,0 +1,39 @@
+From: Danack
+Date: Tue, 26 Mar 2019 14:18:22 +0000
+Subject: [5/8] Correcting signed/unsigned checking.
+Origin: https://github.com/mkoppanen/imagick/commit/f3eadc8dad2afd0214e54e0fdd2fdd3de7fcc0e8
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11037
+Bug-Debian: https://bugs.debian.org/928420
+Bug: https://bugs.php.net/bug.php?id=77791
+
+---
+ imagickkernel_class.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/imagickkernel_class.c b/imagickkernel_class.c
+index 7e94bb3c4fc9..6f5786d08955 100644
+--- a/imagick-3.4.3RC2/imagickkernel_class.c
++++ b/imagick-3.4.3RC2/imagickkernel_class.c
+@@ -407,8 +407,8 @@ PHP_METHOD(imagickkernel, frommatrix)
+ HashTable *inner_array;
+ KernelInfo *kernel_info;
+ unsigned long num_rows, num_columns = 0;
+- int previous_num_columns;
+- int row, column;
++ unsigned int previous_num_columns = (unsigned int)-1;
++ unsigned int row, column;
+
+ HashTable *origin_array_ht;
+ zval **ppzval_outer;
+@@ -460,7 +460,7 @@ PHP_METHOD(imagickkernel, frommatrix)
+ values = (KernelValueType *)AcquireAlignedMemory(num_columns, num_rows*sizeof(KernelValueType));
+ }
+
+- if (previous_num_columns != -1) {
++ if (previous_num_columns != ((unsigned int)-1)) {
+ if (previous_num_columns != num_columns) {
+ php_imagick_throw_exception(IMAGICKKERNEL_CLASS, MATRIX_ERROR_UNEVEN TSRMLS_CC);
+ goto cleanup;
+--
+2.20.1
+
diff -Nru php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0006-And-so-the-long-day-wore-on.patch php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0006-And-so-the-long-day-wore-on.patch
--- php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0006-And-so-the-long-day-wore-on.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0006-And-so-the-long-day-wore-on.patch 2019-11-24 13:13:08.000000000 +0000
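Review bot: `previous_num_columns` becomes `unsigned int` with `(unsigned int)-1` as an in-band "no previous row" marker, while the `num_columns` it is compared against is `unsigned long`, so the two sides of `previous_num_columns != num_columns` have different widths and the cast is repeated at every use. I would give the variable the same type as `num_columns` and name the sentinel once, e.g. `#define KERNEL_NO_PREVIOUS_ROW ((unsigned long)-1)`. 0006 makes the same change in the other copy of frommatrix and also deletes the separate `previous_num_columns = -1;` assignment; no such deletion appears in this patch, so check whether that assignment remains in this copy. The function body starts and ends outside both hunks.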
@@ -0,0 +1,47 @@
+From: Danack
+Date: Tue, 26 Mar 2019 14:26:42 +0000
+Subject: [6/8] And so the long day wore on.
+Origin: https://github.com/mkoppanen/imagick/commit/33f6ca9ffa5ff557d5da5c6e844d52bd98322886
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11037
+Bug-Debian: https://bugs.debian.org/928420
+Bug: https://bugs.php.net/bug.php?id=77791
+
+---
+ imagickkernel_class.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/imagickkernel_class.c b/imagickkernel_class.c
+index 6f5786d08955..0f714ea26b68 100644
+--- a/imagick-3.4.3RC2/imagickkernel_class.c
++++ b/imagick-3.4.3RC2/imagickkernel_class.c
+@@ -233,8 +233,8 @@ PHP_METHOD(imagickkernel, frommatrix)
+ HashTable *inner_array;
+ KernelInfo *kernel_info;
+ unsigned long num_rows, num_columns = 0;
+- int previous_num_columns;
+- int row, column;
++ unsigned int previous_num_columns = (unsigned int)-1;
++ unsigned int row, column;
+
+ zval *pzval_outer;
+ zval *pzval_inner;
+@@ -246,7 +246,6 @@ PHP_METHOD(imagickkernel, frommatrix)
+ KernelValueType *values = NULL;
+ double notanumber = sqrt((double)-1.0); /* Special Value : Not A Number */
+
+- previous_num_columns = -1;
+ count = 0;
+ row = 0;
+ origin_array = NULL;
+@@ -287,7 +286,7 @@ PHP_METHOD(imagickkernel, frommatrix)
+ values = (KernelValueType *)AcquireAlignedMemory(num_columns, num_rows*sizeof(KernelValueType));
+ }
+
+- if (previous_num_columns != -1) {
++ if (previous_num_columns != ((unsigned int)-1)) {
+ if (previous_num_columns != num_columns) {
+ php_imagick_throw_exception(IMAGICKKERNEL_CLASS, MATRIX_ERROR_UNEVEN TSRMLS_CC);
+ goto cleanup;
+--
+2.20.1
+
diff -Nru php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0008-Corrected-typo-for-columns-rows.patch php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0008-Corrected-typo-for-columns-rows.patch
--- php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0008-Corrected-typo-for-columns-rows.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-imagick-3.4.3~rc2/debian/patches/CVE-2019-11037/0008-Corrected-typo-for-columns-rows.patch 2019-11-24 13:06:00.000000000 +0000
@@ -0,0 +1,102 @@
+From: Danack
+Date: Wed, 27 Mar 2019 13:35:28 +0000
+Subject: [8/8] Corrected typo for columns => rows.
+Origin: https://github.com/mkoppanen/imagick/commit/a827e4fd94aba346e919dc2ae8e8da2cec5a7445
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11037
+Bug-Debian: https://bugs.debian.org/928420
+Bug: https://bugs.php.net/bug.php?id=77791
+
+Added test to check for that explicitly.
+---
+ imagickkernel_class.c | 8 ++--
+ ...magickkernel_exception_invalid_origin.phpt | 46 +++++++++++++++++++
+ 2 files changed, 50 insertions(+), 4 deletions(-)
+
+diff --git a/imagickkernel_class.c b/imagickkernel_class.c
+index 0f714ea26b68..7504d299e179 100644
+--- a/imagick-3.4.3RC2/imagickkernel_class.c
++++ b/imagick-3.4.3RC2/imagickkernel_class.c
+@@ -372,9 +372,9 @@ PHP_METHOD(imagickkernel, frommatrix)
+ php_imagick_throw_exception(IMAGICKKERNEL_CLASS, MATRIX_ORIGIN_REQUIRED TSRMLS_CC);
+ goto cleanup;
+ }
+- // origin_y is unsigned, so checking for > num_columns, also
++ // origin_y is unsigned, so checking for > num_rows, also
+ // checks for < 0
+- if (origin_y>=num_columns) {
++ if (origin_y>=num_rows) {
+ zend_throw_exception_ex(
+ php_imagickkernel_exception_class_entry,
+ 5 TSRMLS_CC,
+@@ -540,9 +540,9 @@ PHP_METHOD(imagickkernel, frommatrix)
+ goto cleanup;
+ }
+
+- // origin_y is unsigned, so checking for > num_columns, also
++ // origin_y is unsigned, so checking for > num_rows, also
+ // checks for < 0
+- if (origin_y>=num_columns) {
++ if (origin_y>=num_rows) {
+ zend_throw_exception_ex(
+ php_imagickkernel_exception_class_entry,
+ 5 TSRMLS_CC,
+diff --git a/tests/280_imagickkernel_exception_invalid_origin.phpt b/tests/280_imagickkernel_exception_invalid_origin.phpt
+index a4db00b73297..66adcf0d4fe3 100644
+--- a/imagick-3.4.3RC2/tests/280_imagickkernel_exception_invalid_origin.phpt
++++ b/imagick-3.4.3RC2/tests/280_imagickkernel_exception_invalid_origin.phpt
+@@ -63,6 +63,52 @@ foreach ($invalidOrigins as $invalidOrigin) {
+ }
+ }
+
++$flatKernelArray = array(
++ array(1, 0, -2, 0, 1),
++);
++
++try {
++ $kernel = ImagickKernel::fromMatrix($flatKernelArray, [1, 4]);
++ echo "Exception wasn't thrown for case: \n";
++ var_dump($invalidOrigin);
++}
++catch (\ImagickKernelException $e) {
++ $message = $e->getMessage();
++ if (strpos($message, "origin_y for matrix is outside bounds of rows") === 0) {
++ // this is fine.
++ }
++ else {
++ echo "Unexpected message: " . $message . "\n";
++ }
++}
++
++
++$tallKernelArray = array(
++ array(1),
++ array(0),
++ array(-2),
++ array(0),
++ array(1),
++);
++
++
++try {
++ $kernel = ImagickKernel::fromMatrix($tallKernelArray, [4, 1]);
++ echo "Exception wasn't thrown for case: \n";
++ var_dump($invalidOrigin);
++}
++catch (\ImagickKernelException $e) {
++ $message = $e->getMessage();
++ if (strpos($message, "origin_x for matrix is outside bounds of columns") === 0) {
++ // this is fine.
++ }
++ else {
++ echo "Unexpected message: " . $message . "\n";
++ }
++}
++
++
++
+ echo "Complete".PHP_EOL;
+ ?>
+ --EXPECTF--
+--
+2.20.1
+
diff -Nru php-imagick-3.4.3~rc2/debian/patches/series php-imagick-3.4.3~rc2/debian/patches/series
--- php-imagick-3.4.3~rc2/debian/patches/series 2017-01-24 11:47:41.000000000 +0000
+++ php-imagick-3.4.3~rc2/debian/patches/series 2019-11-24 13:03:47.000000000 +0000
@@ -1,2 +1,9 @@
 0001-Hardcode-path-to-usrsharefontstruetypettf-dejavuDeja.patch
 0002-Skip-version-check-by-default.patch
+CVE-2019-11037/0001-Bounds-check-kernel-origin-position.patch
+CVE-2019-11037/0002-avoid-unsigned-less-than-equal-warning.patch
+CVE-2019-11037/0003-Typo.patch
+CVE-2019-11037/0004-Change-to-unsigned-long-to-avoid-C-complaining.patch
+CVE-2019-11037/0005-Correcting-signed-unsigned-checking.patch
+CVE-2019-11037/0006-And-so-the-long-day-wore-on.patch
+CVE-2019-11037/0008-Corrected-typo-for-columns-rows.patch
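Review bot: Both new try blocks in the test call `var_dump($invalidOrigin)` on the no-exception path, but `$invalidOrigin` is the variable left over from the earlier foreach, not the origin passed here (`[1, 4]` and `[4, 1]`). If the bounds check regressed, the failure output would name the wrong origin; dump the value under test instead, e.g. `var_dump([1, 4]);` in the first block and `var_dump([4, 1]);` in the second. The corrected C comments still read "checking for > num_rows" while the condition is `origin_y>=num_rows`.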