Version in base suite: 7.1.1.43+dfsg1-1+deb13u1

Base version: imagemagick_7.1.1.43+dfsg1-1+deb13u1
Target version: imagemagick_7.1.1.43+dfsg1-1+deb13u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/i/imagemagick/imagemagick_7.1.1.43+dfsg1-1+deb13u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/i/imagemagick/imagemagick_7.1.1.43+dfsg1-1+deb13u2.dsc

 changelog | 57 ++++++++
 patches/CVE-2025-55004.patch | 62 ++++++++
 patches/CVE-2025-55005.patch | 30 ++++
 patches/CVE-2025-55154.patch | 76 ++++++++++
 patches/CVE-2025-55212_1.patch | 25 +++
 patches/CVE-2025-55212_2.patch | 46 ++++++
 patches/CVE-2025-55298-1.patch | 62 ++++++++
 patches/CVE-2025-55298-2.patch | 268 ++++++++++++++++++++++++++++++++++++++
 patches/CVE-2025-55298-pre1.patch | 200 ++++++++++++++++++++++++++++
 patches/CVE-2025-55298-pre2.patch | 24 +++
 patches/CVE-2025-55298-pre3.patch | 101 ++++++++++++++
 patches/CVE-2025-57803.patch | 57 ++++++++
 patches/CVE-2025-57807.patch | 42 +++++
 patches/series | 13 +
 patches/statistic-private.patch | 31 ++++
 salsa-ci.yml | 2
 16 files changed, 1095 insertions(+), 1 deletion(-)

diff -Nru imagemagick-7.1.1.43+dfsg1/debian/changelog imagemagick-7.1.1.43+dfsg1/debian/changelog
--- imagemagick-7.1.1.43+dfsg1/debian/changelog 2025-07-15 20:29:23.000000000 +0000
+++ imagemagick-7.1.1.43+dfsg1/debian/changelog 2025-09-06 22:31:52.000000000 +0000
@@ -1,3 +1,60 @@ +imagemagick (8:7.1.1.43+dfsg1-1+deb13u2) trixie-security; urgency=high + + * Fix CVE-2025-55004: + ImageMagick is vulnerable to heap-buffer overflow + read around the handling of images with separate alpha channels + when performing image magnification in ReadOneMNGIMage. + This can likely be used to leak subsequent memory contents + into the output image + (Closes: #1111101) + * Fix CVE-2025-55005: + when preparing to transform from Log to sRGB colorspaces, + the logmap construction fails to handle cases where the + reference-black or reference-white value is larger than 1024. + This leads to corrupting memory beyond the end of the + allocated logmap buffer. + (Closes: #1111102) + * Fix CVE-2025-55154: + the magnified size calculations in ReadOneMNGIMage + (in coders/png.c) are unsafe and can overflow, leading to + memory corruption. + (Closes: #1111103) + * Fix CVE-2025-55212: + Passing a geometry string containing only a colon (":") + to montage -geometry leads GetGeometry() to set width/height to 0. + Later, ThumbnailImage() divides by these zero dimensions, + triggering a crash (SIGFPE/abort), resulting in a denial of service. + (Closes: #1111587) + * Fix CVE-2025-55298: + A format string bug vulnerability exists in InterpretImageFilenam + function where user input is directly passed to FormatLocaleString + without proper sanitization. An attacker can overwrite arbitrary + memory regions, enabling a wide range of attacks from heap + overflow to remote code execution. + (Closes: #1111586) + * Fix CVE-2025-57803: + A 32-bit integer overflow in the BMP encoder’s scanline-stride + computation collapses bytes_per_line (stride) to a tiny + value while the per-row writer still emits 3 × width bytes + for 24-bpp images. The row base pointer advances using the + (overflowed) stride, so the first row immediately writes + past its slot and into adjacent heap memory with + attacker-controlled bytes. 
+ (Closes: #1112469) + * Fix CVE-2025-57807: + A security problem was found in SeekBlob(), which permits + advancing the stream offset beyond the current end without + increasing capacity, and WriteBlob(), which then expands by + quantum + length (amortized) instead of offset + length, + and copies to data + offset. When offset ≫ extent, the + copy targets memory beyond the allocation, producing a + deterministic heap write on 64-bit builds. No 2⁶⁴ + arithmetic wrap, external delegates, or policy settings + are required. + (Closes: #1114520) + + -- Bastien Roucariès Sun, 07 Sep 2025 00:31:52 +0200 + imagemagick (8:7.1.1.43+dfsg1-1+deb13u1) trixie; urgency=medium * Fix CVE-2025-53014: diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55004.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55004.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55004.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55004.patch 2025-09-06 22:31:52.000000000 +0000 
@@ -0,0 +1,62 @@ +From: Cristy +Date: Thu, 7 Aug 2025 19:14:00 -0400 +Subject: CVE-2025-55004 + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cjc8-g9w8-chfw +origin: https://github.com/ImageMagick/ImageMagick/commit/55d97055e00a7bc7ae2776c99824002fbb4a72aa +--- + coders/png.c | 33 ++++++++++----------------------- + 1 file changed, 10 insertions(+), 23 deletions(-) + +diff --git a/coders/png.c b/coders/png.c +index ad756e8..9594623 100644 +--- a/coders/png.c ++++ b/coders/png.c +@@ -4779,37 +4779,24 @@ static Image *ReadOneJNGImage(MngReadInfo *mng_info, + jng_image=ReadImage(alpha_image_info,exception); + + if (jng_image != (Image *) NULL) +- for (y=0; y < (ssize_t) image->rows; y++) + { +- s=GetVirtualPixels(jng_image,0,y,image->columns,1,exception); +- q=GetAuthenticPixels(image,0,y,image->columns,1,exception); +- if ((s == (const Quantum *) NULL) || (q == (Quantum *) NULL)) +- break; ++ image->alpha_trait=BlendPixelTrait; ++ for (y=0; y < (ssize_t) image->rows; y++) ++ { ++ s=GetVirtualPixels(jng_image,0,y,image->columns,1,exception); ++ q=GetAuthenticPixels(image,0,y,image->columns,1,exception); ++ if ((s == (const Quantum *) NULL) || (q == (Quantum *) NULL)) ++ break; + +- if (image->alpha_trait != UndefinedPixelTrait) + for (x=(ssize_t) image->columns; x != 0; x--) + { + SetPixelAlpha(image,GetPixelRed(jng_image,s),q); + q+=(ptrdiff_t) GetPixelChannels(image); + s+=(ptrdiff_t) GetPixelChannels(jng_image); + } +- +- else +- for (x=(ssize_t) image->columns; x != 0; x--) +- { +- Quantum +- alpha; +- +- alpha=GetPixelRed(jng_image,s); +- SetPixelAlpha(image,alpha,q); +- if (alpha != OpaqueAlpha) +- image->alpha_trait=BlendPixelTrait; +- q+=(ptrdiff_t) GetPixelChannels(image); +- s+=(ptrdiff_t) GetPixelChannels(jng_image); +- } +- +- if (SyncAuthenticPixels(image,exception) == MagickFalse) +- break; ++ if (SyncAuthenticPixels(image,exception) == MagickFalse) ++ break; ++ } + } + (void) 
RelinquishUniqueFileResource(alpha_image->filename); + alpha_image=DestroyImageList(alpha_image); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55005.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55005.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55005.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55005.patch 2025-09-06 22:31:52.000000000 +0000 @@ -0,0 +1,30 @@ +From: Cristy +Date: Thu, 7 Aug 2025 22:05:10 -0400 +Subject: CVE-2025-55005 + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v393-38qx-v8fp +--- + MagickCore/colorspace.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/MagickCore/colorspace.c b/MagickCore/colorspace.c +index baeeb43..e18009f 100644 +--- a/MagickCore/colorspace.c ++++ b/MagickCore/colorspace.c +@@ -2397,10 +2397,16 @@ static MagickBooleanType TransformsRGBImage(Image *image, + value=GetImageProperty(image,"reference-black",exception); + if (value != (const char *) NULL) + reference_black=StringToDouble(value,(char **) NULL); ++ if (reference_black > 1024.0) ++ reference_black=1024.0; + reference_white=ReferenceWhite; + value=GetImageProperty(image,"reference-white",exception); + if (value != (const char *) NULL) + reference_white=StringToDouble(value,(char **) NULL); ++ if (reference_white > 1024.0) ++ reference_white=1024.0; ++ if (reference_black > reference_white) ++ reference_black=reference_white; + logmap=(Quantum *) AcquireQuantumMemory((size_t) MaxMap+1UL, + sizeof(*logmap)); + if (logmap == (Quantum *) NULL) diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55154.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55154.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55154.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55154.patch 2025-09-06 22:31:52.000000000 +0000 
@@ -0,0 +1,76 @@ +From: Cristy +Date: Sat, 9 Aug 2025 08:28:23 -0400 +Subject: CVE-2025-55154 + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qp29-wxp5-wh82 +origin: https://github.com/ImageMagick/ImageMagick/commit/db986e4782e9f6cc42a0e50151dc4fe43641b337 +--- + coders/png.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/coders/png.c b/coders/png.c +index 9594623..46a6720 100644 +--- a/coders/png.c ++++ b/coders/png.c +@@ -6392,19 +6392,19 @@ static Image *ReadOneMNGImage(MngReadInfo* mng_info, + mng_info->magn_methy = 1; + if (mng_info->magn_methx == 1) + { +- magnified_width=mng_info->magn_ml; ++ magnified_width=(size_t) mng_info->magn_ml; + + if (image->columns > 1) + magnified_width += mng_info->magn_mr; + + if (image->columns > 2) +- magnified_width += (png_uint_32) ++ magnified_width += (size_t) + ((image->columns-2)*(mng_info->magn_mx)); + } + + else + { +- magnified_width=(png_uint_32) image->columns; ++ magnified_width=(size_t) image->columns; + + if (image->columns > 1) + magnified_width += mng_info->magn_ml-1; +@@ -6413,25 +6413,25 @@ static Image *ReadOneMNGImage(MngReadInfo* mng_info, + magnified_width += mng_info->magn_mr-1; + + if (image->columns > 3) +- magnified_width += (png_uint_32) ++ magnified_width += (size_t) + ((image->columns-3)*(mng_info->magn_mx-1)); + } + + if (mng_info->magn_methy == 1) + { +- magnified_height=mng_info->magn_mt; ++ magnified_height=(size_t) mng_info->magn_mt; + + if (image->rows > 1) + magnified_height += mng_info->magn_mb; + + if (image->rows > 2) +- magnified_height += (png_uint_32) ++ magnified_height += (size_t) + ((image->rows-2)*(mng_info->magn_my)); + } + + else + { +- magnified_height=(png_uint_32) image->rows; ++ magnified_height=(size_t) image->rows; + + if (image->rows > 1) + magnified_height += mng_info->magn_mt-1; +@@ -6440,7 +6440,7 @@ static Image *ReadOneMNGImage(MngReadInfo* mng_info, + magnified_height += mng_info->magn_mb-1; + + if 
(image->rows > 3) +- magnified_height += (png_uint_32) ++ magnified_height += (size_t) + ((image->rows-3)*(mng_info->magn_my-1)); + } + diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55212_1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55212_1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55212_1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55212_1.patch 2025-09-06 22:31:52.000000000 +0000 @@ -0,0 +1,25 @@ +From: Dirk Lemstra +Date: Thu, 14 Aug 2025 21:21:59 +0200 +Subject: CVE-2025-55212 + +Added checks for invalid with or height to ThumbnailImage (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fh55-q5pj-pxgw) + +origin: https://github.com/ImageMagick/ImageMagick/commit/43d92bf855155e8e716ecbb50ed94c2ed41ff9f6.patch +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fh55-q5pj-pxgw +--- + MagickCore/resize.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/MagickCore/resize.c b/MagickCore/resize.c +index 381b3a6..4ee2b16 100644 +--- a/MagickCore/resize.c ++++ b/MagickCore/resize.c +@@ -4590,6 +4590,8 @@ MagickExport Image *ThumbnailImage(const Image *image,const size_t columns, + assert(exception->signature == MagickCoreSignature); + if (IsEventLogging() != MagickFalse) + (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename); ++ if ((columns == 0) || (rows == 0)) ++ ThrowImageException(ImageError,"NegativeOrZeroImageSize"); + thumbnail_image=CloneImage(image,0,0,MagickTrue,exception); + if (thumbnail_image == (Image *) NULL) + return(thumbnail_image); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55212_2.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55212_2.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55212_2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55212_2.patch 2025-09-06 22:31:52.000000000 +0000 
@@ -0,0 +1,46 @@ +From: Cristy +Date: Sun, 17 Aug 2025 14:33:44 -0400 +Subject: CVE-2025-55212 + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fh55-q5pj-pxgw +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/5f0bcf986b8b5e90567750d31a37af502b73f2af + +[backport] +* include private header +--- + MagickCore/resize.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/MagickCore/resize.c b/MagickCore/resize.c +index 4ee2b16..1def5e6 100644 +--- a/MagickCore/resize.c ++++ b/MagickCore/resize.c +@@ -84,6 +84,7 @@ + #if defined(MAGICKCORE_LQR_DELEGATE) + #include + #endif ++#include "MagickCore/statistic-private.h" + + /* + Typedef declarations. +@@ -4590,8 +4591,6 @@ MagickExport Image *ThumbnailImage(const Image *image,const size_t columns, + assert(exception->signature == MagickCoreSignature); + if (IsEventLogging() != MagickFalse) + (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename); +- if ((columns == 0) || (rows == 0)) +- ThrowImageException(ImageError,"NegativeOrZeroImageSize"); + thumbnail_image=CloneImage(image,0,0,MagickTrue,exception); + if (thumbnail_image == (Image *) NULL) + return(thumbnail_image); +@@ -4604,8 +4603,9 @@ MagickExport Image *ThumbnailImage(const Image *image,const size_t columns, + x_factor, + y_factor; + +- x_factor=(ssize_t) image->columns/(ssize_t) columns; +- y_factor=(ssize_t) image->rows/(ssize_t) rows; ++ x_factor=(ssize_t) (image->columns*MagickSafeReciprocal((double) ++ columns)); ++ y_factor=(ssize_t) (image->rows*MagickSafeReciprocal((double) rows)); + if ((x_factor > 4) && (y_factor > 4)) + { + thumbnail_image=SampleImage(clone_image,4*columns,4*rows,exception); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55298-1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55298-1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55298-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55298-1.patch 2025-09-06 22:31:52.000000000 +0000 
@@ -0,0 +1,62 @@ +From: Cristy +Date: Sun, 17 Aug 2025 14:16:24 -0400 +Subject: [1/2] CVE-2025-55298 + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9ccg-6pjw-x645 +origin: https://github.com/ImageMagick/ImageMagick/commit/1f93323df9d8c011c31bc4c6880390071f7fb895 + +(cherry picked from commit 1f93323df9d8c011c31bc4c6880390071f7fb895) +--- + MagickCore/image.c | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/MagickCore/image.c b/MagickCore/image.c +index 0e94f78..6434c49 100644 +--- a/MagickCore/image.c ++++ b/MagickCore/image.c +@@ -1648,6 +1648,31 @@ MagickExport VirtualPixelMethod GetImageVirtualPixelMethod(const Image *image) + % o exception: return any errors or warnings in this structure. + % + */ ++ ++static inline MagickBooleanType PercentNInvalidOperation(char *filename) ++{ ++ MagickBooleanType ++ match = MagickFalse; ++ ++ size_t ++ length = strlen(filename); ++ ++ ssize_t ++ i; ++ ++ for (i=0; i < (ssize_t) length-1; i++) ++ { ++ if ((filename[i] == '%') && ++ ((filename[i+1] == 'n') || (filename[i+1] == 'N'))) ++ { ++ filename[i]='?'; ++ filename[i+1]='\?'; ++ match=MagickTrue; ++ } ++ } ++ return(match); ++} ++ + MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + Image *image,const char *format,int value,char *filename, + ExceptionInfo *exception) +@@ -1667,6 +1692,13 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + (void) CopyMagickString(filename,format,MagickPathExtent); + if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse) + return(strlen(filename)); ++ if (PercentNInvalidOperation(filename) != MagickFalse) ++ { ++ errno=EPERM; ++ (void) ThrowMagickException(exception,GetMagickModule(),OptionError, ++ "InvalidArgument","`%s'",filename); ++ return(0); ++ } + while ((cursor=strchr(cursor,'%')) != (const char *) NULL) + { + const char diff -Nru 
imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55298-2.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55298-2.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55298-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55298-2.patch 2025-09-06 22:31:52.000000000 +0000 
@@ -0,0 +1,268 @@ +From: Cristy +Date: Sun, 17 Aug 2025 19:10:59 -0400 +Subject: [2/2] CVE-2025-55298 + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9ccg-6pjw-x645 +origin: https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5 + +(cherry picked from commit 439b362b93c074eea6c3f834d84982b43ef057d5) +--- + MagickCore/image.c | 184 ++++++++++++++++++++++++++++------------------------- + 1 file changed, 97 insertions(+), 87 deletions(-) + +diff --git a/MagickCore/image.c b/MagickCore/image.c +index 6434c49..34d20d7 100644 +--- a/MagickCore/image.c ++++ b/MagickCore/image.c +@@ -1634,7 +1634,7 @@ MagickExport VirtualPixelMethod GetImageVirtualPixelMethod(const Image *image) + % + % A description of each parameter follows. + % +-% o image_info: the image info.. ++% o image_info: the image info. + % + % o image: the image. + % +@@ -1649,28 +1649,39 @@ MagickExport VirtualPixelMethod GetImageVirtualPixelMethod(const Image *image) + % + */ + +-static inline MagickBooleanType PercentNInvalidOperation(char *filename) ++static inline MagickBooleanType IsValidFormatSpecifier(const char *start, ++ const char *end) + { +- MagickBooleanType +- match = MagickFalse; ++ char ++ specifier = end[-1]; + + size_t +- length = strlen(filename); ++ length = end-start; + +- ssize_t +- i; ++ /* ++ Is this a valid format specifier? 
++ */ ++ if ((specifier != 'd') && (specifier != 'x') && (specifier != 'o')) ++ return(MagickFalse); ++ if ((length == 1) && (*start == specifier)) ++ return(MagickTrue); ++ if (length >= 2) ++ { ++ size_t ++ i = 0; + +- for (i=0; i < (ssize_t) length-1; i++) +- { +- if ((filename[i] == '%') && +- ((filename[i+1] == 'n') || (filename[i+1] == 'N'))) +- { +- filename[i]='?'; +- filename[i+1]='\?'; +- match=MagickTrue; +- } +- } +- return(match); ++ if (*start == '0') ++ { ++ if ((length >= 3) && (start[1] == '0')) ++ return(MagickFalse); ++ i=1; ++ } ++ for ( ; i < (length-1); i++) ++ if (isdigit((int) ((unsigned char) start[i])) == 0) ++ return(MagickFalse); ++ return(MagickTrue); ++ } ++ return(MagickFalse); + } + + MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, +@@ -1684,117 +1695,116 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + const char + *cursor = format; + +- /* +- Start with a copy of the format string. +- */ + assert(format != (const char *) NULL); + assert(filename != (char *) NULL); +- (void) CopyMagickString(filename,format,MagickPathExtent); + if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse) +- return(strlen(filename)); +- if (PercentNInvalidOperation(filename) != MagickFalse) + { +- errno=EPERM; +- (void) ThrowMagickException(exception,GetMagickModule(),OptionError, +- "InvalidArgument","`%s'",filename); +- return(0); ++ (void) CopyMagickString(filename,format,MagickPathExtent); ++ return(strlen(filename)); + } +- while ((cursor=strchr(cursor,'%')) != (const char *) NULL) ++ while ((*cursor != '\0') && ((p-filename) < ((ssize_t) MagickPathExtent-1))) + { + const char +- *q = cursor; ++ *specifier_start, ++ *start; + +- ssize_t +- offset = (ssize_t) (cursor-format); +- +- cursor++; /* move past '%' */ ++ if (*cursor != '%') ++ { ++ *p++=(*cursor++); ++ continue; ++ } ++ start=cursor++; /* Skip '%' */ + if (*cursor == '%') + { +- /* +- Escaped %%. 
+- */ ++ *p++='%'; + cursor++; + continue; + } +- /* +- Skip padding digits like %03d. +- */ +- if (isdigit((int) ((unsigned char) *cursor)) != 0) +- (void) strtol(cursor,(char **) &cursor,10); +- switch (*cursor) +- { +- case 'd': +- case 'o': +- case 'x': ++ specifier_start=cursor; ++ while (isdigit((int) ((unsigned char) *cursor)) != 0) ++ cursor++; ++ if ((*cursor == 'd') || (*cursor == 'o') || (*cursor == 'x')) + { +- ssize_t +- count; ++ const char ++ *specifier_end = cursor+1; + +- count=FormatLocaleString(pattern,sizeof(pattern),q,value); +- if ((count <= 0) || (count >= MagickPathExtent) || +- ((offset+count) >= MagickPathExtent)) +- return(0); +- (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent- +- offset)); +- cursor++; +- break; ++ if (IsValidFormatSpecifier(specifier_start,specifier_end) != MagickFalse) ++ { ++ char ++ format_specifier[MagickPathExtent]; ++ ++ size_t ++ length = cursor-specifier_start; ++ ++ ssize_t ++ count; ++ ++ (void) snprintf(format_specifier,sizeof(format_specifier), ++ "%%%.*s%c",(int) length,specifier_start,*cursor); ++ count=FormatLocaleString(pattern,sizeof(pattern),format_specifier, ++ value); ++ if ((count <= 0) || ((p-filename+count) >= MagickPathExtent)) ++ return(0); ++ (void) CopyMagickString(p,pattern,MagickPathExtent-(p-filename)); ++ p+=strlen(pattern); ++ cursor++; ++ continue; ++ } ++ else ++ { ++ /* ++ Invalid specifier — treat as literal. 
++ */ ++ cursor=start; ++ *p++=(*cursor++); ++ continue; ++ } + } +- case '[': ++ if (*cursor == '[') + { + const char + *end = strchr(cursor,']'), + *option = (const char *) NULL; + + size_t +- extent = (size_t) (end-cursor-1), +- option_length, +- tail_length; ++ extent, ++ option_length; + +- /* +- Handle %[key:value]; +- */ + if (end == (const char *) NULL) +- break; ++ continue; ++ extent=(size_t) (end-cursor-1); + if (extent >= sizeof(pattern)) +- break; ++ continue; + (void) CopyMagickString(pattern,cursor+1,extent+1); + pattern[extent]='\0'; +- if (image != (Image *) NULL) ++ if (image != NULL) + { + option=GetImageProperty(image,pattern,exception); + if (option == (const char *) NULL) + option=GetImageArtifact(image,pattern); + } +- if ((option == (const char *) NULL) && ++ if ((option == (const char *) NULL) && + (image_info != (ImageInfo *) NULL)) + option=GetImageOption(image_info,pattern); + if (option == (const char *) NULL) +- break; ++ continue; + option_length=strlen(option); +- tail_length=strlen(end+1); +- if ((offset+option_length+tail_length+1) > MagickPathExtent) ++ if ((p-filename+option_length) >= MagickPathExtent) + return(0); +- (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent- +- offset)); +- (void) ConcatenateMagickString(p+offset+option_length,end+1,(size_t) ( +- MagickPathExtent-offset-option_length-tail_length-1)); ++ (void) CopyMagickString(p,option,MagickPathExtent-(p-filename)); ++ p+=option_length; + cursor=end+1; +- break; ++ continue; + } +- default: +- break; +- } +- } +- for (p=filename; *p != '\0'; ) +- { + /* +- Replace "%%" with "%". ++ Invalid or unsupported specifier — treat as literal. 
+ */ +- if ((*p == '%') && (*(p+1) == '%')) +- (void) memmove(p,p+1,strlen(p+1)+1); /* shift left */ +- else +- p++; ++ cursor=start; ++ if ((p-filename+1) >= MagickPathExtent) ++ return(0); ++ *p++=(*cursor++); + } ++ *p='\0'; + return(strlen(filename)); + } + diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55298-pre1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55298-pre1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55298-pre1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55298-pre1.patch 2025-09-06 22:31:52.000000000 +0000 
@@ -0,0 +1,200 @@ +From: Cristy +Date: Sat, 19 Jul 2025 13:40:30 -0400 +Subject: CVE-2025-55298 prepare + +Crop filename pattern %03d no longer works in ImageMagick 7 + +bug: https://github.com/ImageMagick/ImageMagick/issues/8261 +origin: https://github.com/ImageMagick/ImageMagick/commit/82550750ec8f79393b381c3ed349dd495bbab8a7 +--- + MagickCore/image.c | 134 ++++++++++++++++++++++------------------------------- + 1 file changed, 55 insertions(+), 79 deletions(-) + +diff --git a/MagickCore/image.c b/MagickCore/image.c +index 80d1d80..bf008a8 100644 +--- a/MagickCore/image.c ++++ b/MagickCore/image.c +@@ -1653,34 +1653,41 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + ExceptionInfo *exception) + { + char +- *q; ++ *p = filename, ++ pattern[MagickPathExtent]; + + const char +- *p; +- +- int +- c; +- +- MagickBooleanType +- canonical; +- +- ssize_t +- offset; ++ *cursor = format; + +- canonical=MagickFalse; +- offset=0; ++ /* ++ Start with a copy of the format string. ++ */ + (void) CopyMagickString(filename,format,MagickPathExtent); + if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse) + return(strlen(filename)); +- for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%')) ++ while ((cursor=strchr(cursor,'%')) != (const char *) NULL) + { +- q=(char *) p+1; +- if (*q == '%') ++ const char ++ *q = cursor; ++ ++ ssize_t ++ offset = (ssize_t) (cursor-format); ++ ++ cursor++; /* move past '%' */ ++ if (*cursor == '%') + { +- p++; ++ /* ++ Escaped %%. ++ */ ++ cursor++; + continue; + } +- switch (*q) ++ /* ++ Skip padding digits like %03d. 
++ */ ++ if (*cursor == '0') ++ (void) strtol(cursor,(char **) &cursor,10); ++ switch (*cursor) + { + case 'd': + case 'o': +@@ -1689,93 +1696,62 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + ssize_t + count; + +- q++; +- c=(*q); +- *q='\0'; +- count=FormatLocaleString(filename+(p-format-offset),(size_t) +- (MagickPathExtent-(p-format-offset)),p,value); +- if ((count <= 0) || (count > (MagickPathExtent-(p-format-offset)))) ++ count=FormatLocaleString(pattern,sizeof(pattern),q,value); ++ if ((count <= 0) || (count >= MagickPathExtent)) + return(0); +- offset+=(ssize_t) ((q-p)-count); +- *q=(char) c; +- (void) ConcatenateMagickString(filename,q,MagickPathExtent); +- canonical=MagickTrue; +- if (*(q-1) != '%') +- break; +- p++; ++ if ((offset+count) >= MagickPathExtent) ++ return(0); ++ (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent- ++ offset)); ++ cursor++; + break; + } + case '[': + { +- char +- pattern[MagickPathExtent]; +- + const char +- *option; +- +- char +- *r; ++ *end = strchr(cursor,']'), ++ *option = (const char *) NULL; + +- ssize_t +- i; +- +- ssize_t +- depth; ++ size_t ++ extent = (size_t) (end-cursor); + + /* +- Image option. 
++ Handle %[key:value]; + */ +- if (strchr(p,']') == (char *) NULL) ++ if (end == (const char *) NULL) + break; +- depth=1; +- r=q+1; +- for (i=0; (i < (MagickPathExtent-1L)) && (*r != '\0'); i++) +- { +- if (*r == '[') +- depth++; +- if (*r == ']') +- depth--; +- if (depth <= 0) +- break; +- pattern[i]=(*r++); +- } +- pattern[i]='\0'; +- if (LocaleNCompare(pattern,"filename:",9) != 0) ++ if (extent >= sizeof(pattern)) + break; +- option=(const char *) NULL; ++ (void) CopyMagickString(pattern,cursor,extent); ++ pattern[extent]='\0'; + if (image != (Image *) NULL) + option=GetImageProperty(image,pattern,exception); +- if ((option == (const char *) NULL) && (image != (Image *) NULL)) ++ if ((option == (const char *) NULL) && (image != (Image *)NULL)) + option=GetImageArtifact(image,pattern); + if ((option == (const char *) NULL) && + (image_info != (ImageInfo *) NULL)) + option=GetImageOption(image_info,pattern); + if (option == (const char *) NULL) + break; +- q--; +- c=(*q); +- *q='\0'; +- (void) CopyMagickString(filename+(p-format-offset),option,(size_t) +- (MagickPathExtent-(p-format-offset))); +- offset+=(ssize_t) strlen(pattern)-(ssize_t) strlen(option)+3; +- *q=c; +- (void) ConcatenateMagickString(filename,r+1,MagickPathExtent); +- canonical=MagickTrue; +- if (*(q-1) != '%') +- break; +- p++; ++ (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent- ++ offset)); ++ cursor=end+1; + break; + } + default: + break; + } + } +- if (canonical == MagickFalse) +- (void) CopyMagickString(filename,format,MagickPathExtent); +- else +- for (q=filename; *q != '\0'; q++) +- if ((*q == '%') && (*(q+1) == '%')) +- (void) CopyMagickString(q,q+1,(size_t) (MagickPathExtent-(q-filename))); ++ for (p=filename; *p != '\0'; ) ++ { ++ /* ++ Replace "%%" with "%". 
++ */ ++ if ((*p == '%') && (*(p+1) == '%')) ++ (void) memmove(p,p+1,strlen(p)); /* shift left */ ++ else ++ p++; ++ } + return(strlen(filename)); + } + diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55298-pre2.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55298-pre2.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55298-pre2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55298-pre2.patch 2025-09-06 22:31:52.000000000 +0000 @@ -0,0 +1,24 @@ +From: Cristy +Date: Sat, 19 Jul 2025 14:26:45 -0400 +Subject: CVE-2025-55298 prepare + +don't forget the end filename segment + +origin: https://github.com/ImageMagick/ImageMagick/commit/d46d1e5be71c865f674f27ec1031a871c1cc48ab +--- + MagickCore/image.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/MagickCore/image.c b/MagickCore/image.c +index bf008a8..53bc2fb 100644 +--- a/MagickCore/image.c ++++ b/MagickCore/image.c +@@ -1735,6 +1735,8 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + break; + (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent- + offset)); ++ (void) ConcatenateMagickString(p+offset+strlen(option),end+1,(size_t) ++ (MagickPathExtent-offset-strlen(option)-strlen(end)-1)); + cursor=end+1; + break; + } diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55298-pre3.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55298-pre3.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55298-pre3.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-55298-pre3.patch 2025-09-06 22:31:52.000000000 +0000 
@@ -0,0 +1,101 @@ +From: Cristy +Date: Sat, 19 Jul 2025 16:07:21 -0400 +Subject: CVE-2025-55298 prepare + +more boundary checks + +(cherry picked from commit 6c7c8d5866b9c0ce6cc76a741e05b9482716101e) +origin: https://github.com/ImageMagick/ImageMagick/commit/6c7c8d5866b9c0ce6cc76a741e05b9482716101e +--- + MagickCore/image.c | 35 ++++++++++++++++++++++------------- + 1 file changed, 22 insertions(+), 13 deletions(-) + +diff --git a/MagickCore/image.c b/MagickCore/image.c +index 53bc2fb..0e94f78 100644 +--- a/MagickCore/image.c ++++ b/MagickCore/image.c +@@ -1662,6 +1662,8 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + /* + Start with a copy of the format string. + */ ++ assert(format != (const char *) NULL); ++ assert(filename != (char *) NULL); + (void) CopyMagickString(filename,format,MagickPathExtent); + if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse) + return(strlen(filename)); +@@ -1685,7 +1687,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + /* + Skip padding digits like %03d. 
+ */ +- if (*cursor == '0') ++ if (isdigit((int) ((unsigned char) *cursor)) != 0) + (void) strtol(cursor,(char **) &cursor,10); + switch (*cursor) + { +@@ -1697,9 +1699,8 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + count; + + count=FormatLocaleString(pattern,sizeof(pattern),q,value); +- if ((count <= 0) || (count >= MagickPathExtent)) +- return(0); +- if ((offset+count) >= MagickPathExtent) ++ if ((count <= 0) || (count >= MagickPathExtent) || ++ ((offset+count) >= MagickPathExtent)) + return(0); + (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent- + offset)); +@@ -1713,7 +1714,9 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + *option = (const char *) NULL; + + size_t +- extent = (size_t) (end-cursor); ++ extent = (size_t) (end-cursor-1), ++ option_length, ++ tail_length; + + /* + Handle %[key:value]; +@@ -1722,21 +1725,27 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + break; + if (extent >= sizeof(pattern)) + break; +- (void) CopyMagickString(pattern,cursor,extent); ++ (void) CopyMagickString(pattern,cursor+1,extent+1); + pattern[extent]='\0'; + if (image != (Image *) NULL) +- option=GetImageProperty(image,pattern,exception); +- if ((option == (const char *) NULL) && (image != (Image *)NULL)) +- option=GetImageArtifact(image,pattern); +- if ((option == (const char *) NULL) && ++ { ++ option=GetImageProperty(image,pattern,exception); ++ if (option == (const char *) NULL) ++ option=GetImageArtifact(image,pattern); ++ } ++ if ((option == (const char *) NULL) && + (image_info != (ImageInfo *) NULL)) + option=GetImageOption(image_info,pattern); + if (option == (const char *) NULL) + break; ++ option_length=strlen(option); ++ tail_length=strlen(end+1); ++ if ((offset+option_length+tail_length+1) > MagickPathExtent) ++ return(0); + (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent- + offset)); +- (void) 
ConcatenateMagickString(p+offset+strlen(option),end+1,(size_t) +- (MagickPathExtent-offset-strlen(option)-strlen(end)-1)); ++ (void) ConcatenateMagickString(p+offset+option_length,end+1,(size_t) ( ++ MagickPathExtent-offset-option_length-tail_length-1)); + cursor=end+1; + break; + } +@@ -1750,7 +1759,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + Replace "%%" with "%". + */ + if ((*p == '%') && (*(p+1) == '%')) +- (void) memmove(p,p+1,strlen(p)); /* shift left */ ++ (void) memmove(p,p+1,strlen(p+1)+1); /* shift left */ + else + p++; + } diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-57803.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-57803.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-57803.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-57803.patch 2025-09-06 22:31:52.000000000 +0000 
@@ -0,0 +1,57 @@ +From: Cristy +Date: Sat, 23 Aug 2025 09:18:40 -0400 +Subject: CVE-2025-57803 + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mxvv-97wh-cfmm +origin: https://github.com/ImageMagick/ImageMagick/commit/2c55221f4d38193adcb51056c14cf238fbcc35d7 +--- + coders/bmp.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/coders/bmp.c b/coders/bmp.c +index d4f58b8..8f318e2 100644 +--- a/coders/bmp.c ++++ b/coders/bmp.c +@@ -516,6 +516,11 @@ static MagickBooleanType IsBMP(const unsigned char *magick,const size_t length) + % + */ + ++static inline MagickBooleanType BMPOverflowCheck(size_t x,size_t y) ++{ ++ return((y != 0) && (x > 4294967295UL/y) ? MagickTrue : MagickFalse); ++} ++ + static Image *ReadEmbedImage(const ImageInfo *image_info,Image *image, + const char *magick,ExceptionInfo *exception) + { +@@ -609,6 +614,7 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception) + size_t + bit, + bytes_per_line, ++ extent, + length; + + ssize_t +@@ -1109,12 +1115,18 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + if (bmp_info.compression == BI_RLE4) + bmp_info.bits_per_pixel<<=1; +- bytes_per_line=4*((image->columns*bmp_info.bits_per_pixel+31)/32); +- length=(size_t) bytes_per_line*image->rows; ++ extent=image->columns*bmp_info.bits_per_pixel; ++ bytes_per_line=4*((extent+31)/32); ++ if (BMPOverflowCheck(bytes_per_line,image->rows) != MagickFalse) ++ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); ++ length=bytes_per_line*image->rows; + if ((MagickSizeType) (length/256) > blob_size) + ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); +- pixel_info=AcquireVirtualMemory(image->rows, +- MagickMax(bytes_per_line,image->columns+1UL)*sizeof(*pixels)); ++ extent=MagickMax(bytes_per_line,image->columns+1UL); ++ if 
((BMPOverflowCheck(image->rows,extent) != MagickFalse) || ++ (BMPOverflowCheck(extent,sizeof(*pixels)) != MagickFalse)) ++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); ++ pixel_info=AcquireVirtualMemory(image->rows,extent*sizeof(*pixels)); + if (pixel_info == (MemoryInfo *) NULL) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-57807.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-57807.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-57807.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-57807.patch 2025-09-06 22:31:52.000000000 +0000 
@@ -0,0 +1,42 @@ +From: Cristy +Date: Sun, 24 Aug 2025 12:32:18 -0400 +Subject: CVE-2025-57807 + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-23hg-53q6-hqfg +origin: https://github.com/ImageMagick/ImageMagick/commit/077a417a19a5ea8c85559b602754a5b928eef23e +--- + MagickCore/blob.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/MagickCore/blob.c b/MagickCore/blob.c +index d00b0ac..5ee81a6 100644 +--- a/MagickCore/blob.c ++++ b/MagickCore/blob.c +@@ -1630,7 +1630,7 @@ static inline ssize_t WriteBlobStream(Image *image,const size_t length, + extent=(MagickSizeType) (blob_info->offset+(MagickOffsetType) length); + if (extent >= blob_info->extent) + { +- extent=blob_info->extent+blob_info->quantum+length; ++ extent+=blob_info->quantum+length; + blob_info->quantum<<=1; + if (SetBlobExtent(image,extent) == MagickFalse) + return(0); +@@ -5912,12 +5912,15 @@ MagickExport ssize_t WriteBlob(Image *image,const size_t length, + } + case BlobStream: + { +- if ((blob_info->offset+(MagickOffsetType) length) >= +- (MagickOffsetType) blob_info->extent) ++ MagickSizeType ++ extent; ++ ++ extent=(MagickSizeType) (blob_info->offset+(MagickOffsetType) length); ++ if (extent >= blob_info->extent) + { + if (blob_info->mapped != MagickFalse) + return(0); +- blob_info->extent+=length+blob_info->quantum; ++ blob_info->extent=extent+blob_info->quantum+length; + blob_info->quantum<<=1; + blob_info->data=(unsigned char *) ResizeQuantumMemory( + blob_info->data,blob_info->extent+1,sizeof(*blob_info->data)); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/series imagemagick-7.1.1.43+dfsg1/debian/patches/series --- imagemagick-7.1.1.43+dfsg1/debian/patches/series 2025-07-15 20:29:23.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/series 2025-09-06 22:31:52.000000000 +0000 
@@ -39,3 +39,16 @@ CVE-2025-53015_2.patch CVE-2025-53101.patch CVE-2025-53019.patch +CVE-2025-55004.patch +CVE-2025-55005.patch +CVE-2025-55154.patch +statistic-private.patch +CVE-2025-55212_1.patch +CVE-2025-55212_2.patch +CVE-2025-55298-pre1.patch +CVE-2025-55298-pre2.patch +CVE-2025-55298-pre3.patch +CVE-2025-55298-1.patch +CVE-2025-55298-2.patch +CVE-2025-57803.patch +CVE-2025-57807.patch diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/statistic-private.patch imagemagick-7.1.1.43+dfsg1/debian/patches/statistic-private.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/statistic-private.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/statistic-private.patch 2025-09-06 22:31:52.000000000 +0000 @@ -0,0 +1,31 @@ +From: ImageMagick Packaging Team + +Date: Sun, 7 Sep 2025 16:52:31 +0200 +Subject: Private alias for easing backport + +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/7e5d87fe6e92b6cc3e96d5175974626317512dd9 +--- + MagickCore/statistic-private.h | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/MagickCore/statistic-private.h b/MagickCore/statistic-private.h +index f873a47..5e84b30 100644 +--- a/MagickCore/statistic-private.h ++++ b/MagickCore/statistic-private.h +@@ -29,6 +29,16 @@ static inline double MagickLog10(const double x) + return(log10(fabs(x))); + } + ++static inline double MagickSafeLog10(const double x) { ++ return MagickLog10(x); ++} ++ ++static inline double MagickSafeReciprocal(const double x) ++{ ++ if ((x > -MagickEpsilon) && (x < MagickEpsilon)) ++ return(1.0/MagickEpsilon); ++ return(1.0/x); ++} + #if defined(__cplusplus) || defined(c_plusplus) + } + #endif diff -Nru imagemagick-7.1.1.43+dfsg1/debian/salsa-ci.yml imagemagick-7.1.1.43+dfsg1/debian/salsa-ci.yml --- imagemagick-7.1.1.43+dfsg1/debian/salsa-ci.yml 2025-07-15 20:29:23.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/salsa-ci.yml 2025-09-06 22:31:52.000000000 +0000 
@@ -4,5 +4,5 @@ - local: '/debian/rdeps-ci.yml' variables: - SALSA_CI_ENABLE_REVERSE_DEPENDENCY_BUILD: 1 + SALSA_CI_ENABLE_REVERSE_DEPENDENCY_BUILD: 0 SALSA_CI_DISABLE_APTLY: 0
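Review bot: in CVE-2025-55298-pre3.patch, first MagickCore/image.c hunk (@@ -1662), the two new NULL guards on format and filename are assert() calls, so a build with NDEBUG defined still reaches CopyMagickString(filename,format,MagickPathExtent) unchecked. If a NULL argument is reachable from callers, return(0) explicitly, as the function already does on its other error paths.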
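Review bot: in CVE-2025-55298-pre3.patch, MagickCore/image.c hunk @@ -1697, the merged condition bounds count by MagickPathExtent although the FormatLocaleString call is bounded by sizeof(pattern), and the next hunk already tests extent >= sizeof(pattern). Comparing count against sizeof(pattern) here would keep the check valid if the two sizes ever differ.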
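Review bot: in CVE-2025-55298-pre3.patch, MagickCore/image.c hunk @@ -1722, the size passed to ConcatenateMagickString is MagickPathExtent-offset-option_length-tail_length-1, which is the slack left after the tail rather than the room available at p+offset+option_length. ConcatenateMagickString takes the size of the destination buffer, so when the new check passes with little headroom (the argument can be as small as 0) the text after ']' is silently truncated. Since the check above already proves the tail fits, MagickPathExtent-offset-option_length looks like the intended bound, assuming p+offset indexes a MagickPathExtent-sized buffer.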
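Review bot: in CVE-2025-55298-pre3.patch, last MagickCore/image.c hunk (@@ -1750), p is advanced only in the else branch, so after the shift the surviving '%' is tested again against the character that follows it and a run such as "%%%%" collapses to a single "%" instead of "%%". Advance p after the memmove if each "%%" pair is meant to yield one literal "%". The new length strlen(p+1)+1 equals the old strlen(p) whenever *p is '%', so the changed line itself moves the same number of bytes; a comment saying the +1 covers the terminator would make the intent clear.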
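Review bot: in CVE-2025-57803.patch, coders/bmp.c hunk @@ -516, BMPOverflowCheck hard-codes the limit 4294967295UL instead of deriving it from the operand type, so where size_t is 64 bits it rejects products that would not wrap, and the callers then report InsufficientImageDataInFile or MemoryAllocationFailed. If a 4 GiB cap on BMP buffers is the intent, say so in a comment above the helper; otherwise compare against the maximum of size_t.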
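Review bot: in CVE-2025-57803.patch, coders/bmp.c hunk @@ -1109, the first product, extent=image->columns*bmp_info.bits_per_pixel, and the following 4*((extent+31)/32) are computed before any BMPOverflowCheck call, so where size_t is 32 bits bytes_per_line can already have wrapped by the time it is checked against image->rows. Run BMPOverflowCheck(image->columns,bmp_info.bits_per_pixel) before the multiplication. The changelog entry for this CVE describes the encoder's stride computation, while all 16 inserted lines here are in the helper and in ReadBMPImage, so it is worth confirming the write path gets the same check.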
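Review bot: in CVE-2025-57807.patch, MagickCore/blob.c hunk @@ -1630 (WriteBlobStream), the new extent+=blob_info->quantum+length is not checked for wrap-around, and the base value comes from adding length, cast to the signed MagickOffsetType, to blob_info->offset. A very large length can make either step overflow before SetBlobExtent sees the result. Reject the write when the sum is smaller than blob_info->offset or when the grown extent is smaller than the value it started from. Note also that length is now counted twice (once in offset+length, once in the increment); a comment stating that the extra headroom is deliberate would help.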
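Review bot: in CVE-2025-57807.patch, MagickCore/blob.c hunk @@ -5912 (WriteBlob, case BlobStream), the growth computation now repeats the one in WriteBlobStream step for step (extent from offset+length, then extent+quantum+length, then quantum<<=1). Moving it into one shared helper would keep the two paths from diverging. The result is also passed on as blob_info->extent+1 to ResizeQuantumMemory with no check that the additions did not wrap, and blob_info->extent is overwritten before the resize result is known.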
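Review bot: in the debian/patches/series hunk, statistic-private.patch is inserted between CVE-2025-55154.patch and CVE-2025-55212_1.patch with nothing recording which later patch depends on it, and its own header only says "Private alias for easing backport". Name the dependent patch in that header so the helper can be dropped together with it.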
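Review bot: in statistic-private.patch, MagickCore/statistic-private.h hunk @@ -29, MagickSafeLog10 only forwards to MagickLog10, which per the context line returns log10(fabs(x)), so an argument of 0 still yields negative infinity despite the "Safe" name. Either clamp the argument or document that the alias exists for source compatibility only. MagickSafeReciprocal returns the positive value 1.0/MagickEpsilon for every x inside (-MagickEpsilon, MagickEpsilon), which flips the sign for small negative inputs; keep the sign of x if callers rely on it. The brace placement of the two new functions also differs from each other and from MagickLog10 above.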
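Review bot: in the debian/salsa-ci.yml hunk, SALSA_CI_ENABLE_REVERSE_DEPENDENCY_BUILD goes from 1 to 0 without a comment, which switches off the reverse-dependency build for an upload that touches MagickCore internals. Add a comment in the file giving the reason, or leave it enabled for this upload.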