Version in base suite: 7.1.1.43+dfsg1-1+deb13u4 Version in overlay suite: 7.1.1.43+dfsg1-1+deb13u5 Base version: imagemagick_7.1.1.43+dfsg1-1+deb13u5 Target version: imagemagick_7.1.1.43+dfsg1-1+deb13u6 Base file: /srv/ftp-master.debian.org/ftp/pool/main/i/imagemagick/imagemagick_7.1.1.43+dfsg1-1+deb13u5.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/i/imagemagick/imagemagick_7.1.1.43+dfsg1-1+deb13u6.dsc changelog | 171 +++++++++ patches/CVE-2026-24481.patch | 25 + patches/CVE-2026-24484_1.patch | 29 + patches/CVE-2026-24484_2.patch | 30 + patches/CVE-2026-24485_1.patch | 105 +++++ patches/CVE-2026-24485_2.patch | 43 ++ patches/CVE-2026-25576.patch | 602 +++++++++++++++++++++++++++++++++ patches/CVE-2026-25637.patch | 42 ++ patches/CVE-2026-25638.patch | 24 + patches/CVE-2026-25794.patch | 54 ++ patches/CVE-2026-25795.patch | 27 + patches/CVE-2026-25796.patch | 41 ++ patches/CVE-2026-25797_1.patch | 339 ++++++++++++++++++ patches/CVE-2026-25797_2.patch | 138 +++++++ patches/CVE-2026-25798.patch | 103 +++++ patches/CVE-2026-25799.patch | 37 ++ patches/CVE-2026-25897.patch | 29 + patches/CVE-2026-25898_1.patch | 34 + patches/CVE-2026-25898_2.patch | 32 + patches/CVE-2026-25965.patch | 317 +++++++++++++++++ patches/CVE-2026-25966.patch | 51 ++ patches/CVE-2026-25967.patch | 33 + patches/CVE-2026-25968.patch | 34 + patches/CVE-2026-25969.patch | 58 +++ patches/CVE-2026-25970.patch | 134 +++++++ patches/CVE-2026-25970_pre1.patch | 52 ++ patches/CVE-2026-25971.patch | 305 ++++++++++++++++ patches/CVE-2026-25982.patch | 72 +++ patches/CVE-2026-25983_1.patch | 692 ++++++++++++++++++++++++++++++++++++++ patches/CVE-2026-25983_2.patch | 65 +++ patches/CVE-2026-25985.patch | 62 +++ patches/CVE-2026-25986.patch | 37 ++ patches/CVE-2026-25987.patch | 39 ++ patches/CVE-2026-25988.patch | 45 ++ patches/CVE-2026-25989.patch | 82 ++++ patches/CVE-2026-25989_pre1.patch | 93 +++++ patches/CVE-2026-26066.patch | 44 ++ patches/CVE-2026-26283.patch | 28 + patches/CVE-2026-26284.patch | 26 + patches/CVE-2026-26983.patch | 36 + patches/CVE-2026-27798.patch | 28 + patches/CVE-2026-27799.patch | 36 + patches/series | 41 ++ 43 files changed, 4315 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp5arfckqr/imagemagick_7.1.1.43+dfsg1-1+deb13u5.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp5arfckqr/imagemagick_7.1.1.43+dfsg1-1+deb13u6.dsc: no acceptable signature found diff -Nru imagemagick-7.1.1.43+dfsg1/debian/changelog imagemagick-7.1.1.43+dfsg1/debian/changelog --- imagemagick-7.1.1.43+dfsg1/debian/changelog 2026-01-21 21:54:51.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/changelog 2026-03-04 22:01:36.000000000 +0000 @@ -1,3 +1,174 @@ +imagemagick (8:7.1.1.43+dfsg1-1+deb13u6) trixie-security; urgency=high + + * Fix CVE-2026-24481: + A heap information disclosure vulnerability exists + in ImageMagick's PSD (Adobe Photoshop) format handler. + When processing a maliciously crafted PSD file containing + ZIP-compressed layer data that decompresses to less than + the expected size, uninitialized heap memory is leaked + into the output image. + * Fix CVE-2026-24484: + Magick fails to check for multi-layer nested mvg + conversions to svg, leading to DoS. + * Fix CVE-2026-24485: + When a PCD file does not contain a valid Sync marker, the + DecodeImage() function becomes trapped in an infinite loop while + searching for the Sync marker, causing the program to become + unresponsive and continuously consume CPU resources, ultimately + leading to system resource exhaustion and Denial of Service + (DoS) + * Fix CVE-2026-25576: + A heap buffer over-read vulnerability exists in multiple + raw image format handles. The vulnerability occurs when + processing images with -extract dimensions larger than + -size dimensions, causing out-of-bounds memory reads + from a heap-allocated buffer. + * Fix CVE-2026-25637: + A memory leak in the ASHLAR image writer allows an attacker to exhaust + process memory by providing a crafted image that results in small + objects that are allocated but never freed. + * Fix CVE-2026-25638: + A memory leak exists in `coders/msl.c`. In the `WriteMSLImage` + function of the `msl.c` file, resources are allocated. But the + function returns early without releasing these allocated resources. + * Fix CVE-2026-25794: + `WriteUHDRImage` in `coders/uhdr.c` uses `int` arithmetic to compute + the pixel buffer size. Prior to version 7.1.2-15, when image + dimensions are large, the multiplication overflows 32-bit `int`, + causing an undersized heap allocation followed by an out-of-bounds + write. + * Fix CVE-2026-25795: + `ReadSFWImage()` (`coders/sfw.c`), when temporary file + creation fails, `read_info` is destroyed before its `filename` + member is accessed, causing a NULL pointer dereference and crash. + * Fix CVE-2026-25796: + In `ReadSTEGANOImage()` (`coders/stegano.c`), the `watermark` Image + object is not freed on three early-return paths, resulting in a + definite memory leak (~13.5KB+ per invocation) that can be exploited + for denial of service. + * Fix CVE-2026-25797: + The ps coders, responsible for writing PostScript files, fails to + sanitize the input before writing it into the PostScript header. An + attacker can provide a malicious file and inject arbitrary PostScript + code. When the resulting file is processed by a printer or a viewer + (like Ghostscript), the injected code is interpreted and executed. The + html encoder does not properly escape strings that are written to in + the html document. An attacker can provide a malicious file and + injection arbitrary html code. + * Fix CVE-2026-25798: + A NULL pointer dereference in ClonePixelCacheRepository allows a + remote attacker to crash any application linked against ImageMagick by + supplying a crafted image file, resulting in denial of service. + * Fix CVE-2026-25799: + A logic error in YUV sampling factor validation allows an invalid + sampling factor to bypass checks and trigger a division-by-zero during + image loading, resulting in a reliable denial-of-service. + * Fix CVE-2026-25897: + An Integer Overflow vulnerability exists in the sun decoder. On 32-bit + systems/builds, a carefully crafted image can lead to an out of bounds + heap write. + * Fix CVE-2026-25898: + The UIL and XPM image encoder do not validate the + pixel index value returned by `GetPixelIndex()` before using it as an + array subscript. In HDRI builds, `Quantum` is a floating-point type, + so pixel index values can be negative. An attacker can craft an image + with negative pixel index values to trigger a global buffer overflow + read during conversion, leading to information disclosure or a process + crash. + * Fix CVE-2026-25965: + ImageMagick’s path security policy is enforced on the raw filename + string before the filesystem resolves it. As a result, a policy rule + such as /etc/* can be bypassed by a path traversal. The OS resolves + the traversal and opens the sensitive file, but the policy matcher + only sees the unnormalized path and therefore allows the read. This + enables local file disclosure (LFI) even when policy-secure.xml is + applied. + * Fix CVE-2026-25966: + The shipped "secure" security policy includes a rule intended to + prevent reading/writing from standard streams. However, ImageMagick + also supports fd: pseudo-filenames (e.g., fd:0, fd:1). + This path form is not blocked by the + secure policy templates, and therefore bypasses the protection goal of + "no stdin/stdout." + * Fix CVE-2026-25967: + A stack-based buffer overflow exists in the ImageMagick FTXT image + reader. A crafted FTXT file can cause out-of-bounds writes on the + stack, leading to a crash. + * Fix CVE-2026-25968: + A stack buffer overflow occurs when processing the an attribute in + msl.c. A long value overflows a fixed-size stack buffer, leading to + memory corruption. + * Fix CVE-2026-25969: + A memory leak exists in `coders/ashlar.c`. The `WriteASHLARImage` + allocates a structure. However, when an exception is thrown, the + allocated memory is not properly released, resulting in a potential + memory leak. + * Fix CVE-2026-25970: + A signed integer overflow vulnerability in ImageMagick's SIXEL decoder + allows an attacker to trigger memory corruption and denial of service + when processing a maliciously crafted SIXEL image file. The + vulnerability occurs during buffer reallocation operations where + pointer arithmetic using signed 32-bit integers overflows. + * Fix CVE-2026-25971: + Magick fails to check for circular references between two MSLs, + leading to a stack overflow. + * Fix CVE-2026-25982: + A heap out-of-bounds read vulnerability exists in the `coders/dcm.c` + module. When processing DICOM files with a specific configuration, the + decoder loop incorrectly reads bytes per iteration. This causes the + function to read past the end of the allocated buffer, potentially + leading to a Denial of Service or Information Disclosure. + * Fix CVE-2026-25983: + A crafted MSL script triggers a heap-use-after-free. The operation + element handler replaces and frees the image while the parser + continues reading from it, leading to a UAF in ReadBlobString during + further parsing. + * Fix CVE-2026-25985: + A crafted SVG file containing an malicious element causes ImageMagick + to attempt to allocate ~674 GB of memory, leading to an out-of-memory + abort. + * Fix CVE-2026-25986: + A heap buffer overflow write vulnerability exists in ReadYUVImage() + (coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace) + images. The pixel-pair loop writes one pixel beyond the allocated row + buffer. + * Fix CVE-2026-25987: + A heap buffer over-read vulnerability exists in the MAP image decoder + when processing crafted MAP files, potentially leading to crashes or + unintended memory disclosure during image decoding. + * Fix CVE-2026-25988: + Sometimes msl.c fails to update the stack index, so an image is stored + in the wrong slot and never freed on error, causing leaks. + * Fix CVE-2026-25989: + A crafted SVG file can cause a denial of service. An off-by-one + boundary check (`>` instead of `>=`) that allows bypass the guard and + reach an undefined `(size_t)` cast. + * Fix CVE-2026-26066: + A crafted profile contain invalid IPTC data may cause an infinite loop + when writing it with `IPTCTEXT`. + * Fix CVE-2026-26283: + A `continue` statement in the JPEG extent binary search loop in the + jpeg encoder causes an infinite loop when writing persistently fails. + * Fix CVE-2026-26284: + ImageMagick lacks proper boundary checking when processing + Huffman-coded data from PCD (Photo CD) files. The decoder contains an + function that has an incorrect initialization that could cause an out + of bounds read. + * Fix CVE-2026-26983: + The MSL interpreter crashes when processing a invalid `` element + that causes it to use an image after it has been freed. + * Fix CVE-2026-27798: + A heap buffer over-read vulnerability occurs when processing an image + with small dimension using the `-wavelet-denoise` operator. + * Fix CVE-2026-27799: + A heap buffer over-read vulnerability exists in the DJVU image format + handler. The vulnerability occurs due to integer truncation when + calculating the stride (row size) for pixel buffer allocation. The + stride calculation overflows a 32-bit signed integer, resulting in an + out-of-bounds memory reads. + + -- Bastien Roucariès Wed, 04 Mar 2026 23:01:36 +0100 + imagemagick (8:7.1.1.43+dfsg1-1+deb13u5) trixie-security; urgency=high * Fix CVE-2026-22770 (Closes: #1126074) diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-24481.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-24481.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-24481.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-24481.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,25 @@ +From: Dirk Lemstra +Date: Fri, 23 Jan 2026 13:19:06 +0100 +Subject: Initialize the pixels with empty values to prevent possible heap + information disclosure (GHSA-96pc-27rx-pr36) + +(cherry picked from commit 51c9d33f4770cdcfa1a029199375d570af801c97) + +origin: https://github.com/ImageMagick/ImageMagick/commit/51c9d33f4770cdcfa1a029199375d570af801c97 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-96pc-27rx-pr36 +--- + coders/psd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/coders/psd.c b/coders/psd.c +index 050abcd..7e2b3eb 100644 +--- a/coders/psd.c ++++ b/coders/psd.c +@@ -1331,6 +1331,7 @@ static MagickBooleanType ReadPSDChannelZip(Image *image, + ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed", + image->filename); + } ++ memset(pixels,0,count*sizeof(*pixels)); + if (ReadBlob(image,compact_size,compact_pixels) != (ssize_t) compact_size) + { + pixels=(unsigned char *) RelinquishMagickMemory(pixels); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-24484_1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-24484_1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-24484_1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-24484_1.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,29 @@ +From: Cristy +Date: Fri, 23 Jan 2026 20:27:02 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wg3g-gvx5-2pmv + +Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS + +(cherry picked from commit 0349df6d43d633bd61bb582d1e1e87d6332de32a) + +origin: https://github.com/ImageMagick/ImageMagick/commit/0349df6d43d633bd61bb582d1e1e87d6332de32a +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wg3g-gvx5-2pmv +--- + coders/svg.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/coders/svg.c b/coders/svg.c +index 09705fc..0eda064 100644 +--- a/coders/svg.c ++++ b/coders/svg.c +@@ -4237,6 +4237,9 @@ static MagickBooleanType WriteSVGImage(const ImageInfo *image_info,Image *image, + if (LocaleCompare("graphic-context",token) == 0) + { + n++; ++ if (n == MagickMaxRecursionDepth) ++ ThrowWriterException(DrawError, ++ "VectorGraphicsNestedTooDeeply"); + if (active) + { + AffineToTransform(image,&affine); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-24484_2.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-24484_2.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-24484_2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-24484_2.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,30 @@ +From: Cristy +Date: Sat, 24 Jan 2026 09:06:59 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wg3g-gvx5-2pmv + +Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS + +(cherry picked from commit f4525ad83d3876a9a07b74ef1fed4cb21a5332dd) + +origin: https://github.com/ImageMagick/ImageMagick/commit/f4525ad83d3876a9a07b74ef1fed4cb21a5332dd +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wg3g-gvx5-2pmv +--- + MagickCore/draw.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/MagickCore/draw.c b/MagickCore/draw.c +index 5f0ff88..3f87346 100644 +--- a/MagickCore/draw.c ++++ b/MagickCore/draw.c +@@ -3509,6 +3509,10 @@ static MagickBooleanType RenderMVGContent(Image *image, + (void) GetNextToken(q,&q,extent,token); + (void) CloneString(&graphic_context[n]->id,token); + } ++ if (n > MagickMaxRecursionDepth) ++ (void) ThrowMagickException(exception,GetMagickModule(), ++ DrawError,"VectorGraphicsNestedTooDeeply","`%s'", ++ image->filename); + break; + } + if (LocaleCompare("mask",token) == 0) diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-24485_1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-24485_1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-24485_1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-24485_1.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,105 @@ +From: Cristy +Date: Thu, 22 Jan 2026 19:25:35 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pqgj-2p96-rx85 + +a PCD file does not contain a valid Sync marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the Sync marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service. + +(cherry picked from commit 332c1566acc2de77857032d3c2504ead6210ff50) + +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/332c1566acc2de77857032d3c2504ead6210ff50 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pqgj-2p96-rx85 +--- + coders/pcd.c | 37 +++++++++++++++++++++++-------------- + 1 file changed, 23 insertions(+), 14 deletions(-) + +diff --git a/coders/pcd.c b/coders/pcd.c +index ac2a91c..3995202 100644 +--- a/coders/pcd.c ++++ b/coders/pcd.c +@@ -116,19 +116,26 @@ static MagickBooleanType DecodeImage(Image *image,unsigned char *luma, + #define IsSync(sum) ((sum & 0xffffff00UL) == 0xfffffe00UL) + #define PCDGetBits(n) \ + { \ ++ ssize_t \ ++ byte_count = 0x800; \ ++ \ + sum=(sum << n) & 0xffffffff; \ + bits-=n; \ + while (bits <= 24) \ + { \ + if (p >= (buffer+0x800)) \ + { \ +- (void) ReadBlob(image,0x800,buffer); \ ++ byte_count=ReadBlob(image,0x800,buffer); \ ++ if (byte_count != 0x800) \ ++ break; \ + p=buffer; \ + } \ + sum|=(((unsigned int) (*p)) << (24-bits)); \ + bits+=8; \ + p++; \ + } \ ++ if (byte_count != 0x800) \ ++ break; \ + } + + typedef struct PCDTable +@@ -495,19 +502,11 @@ static Image *ReadPCDImage(const ImageInfo *image_info,ExceptionInfo *exception) + MemoryInfo + *pixel_info; + +- ssize_t +- i, +- y; +- + Quantum + *q; + +- unsigned char +- *c1, +- *c2, +- *yy; +- + size_t ++ extent, + height, + number_images, + number_pixels, +@@ -517,13 +516,18 @@ static Image *ReadPCDImage(const ImageInfo *image_info,ExceptionInfo *exception) + + ssize_t + count, +- x; ++ i, ++ x, ++ y; + + unsigned char ++ *c1, ++ *c2, + *chroma1, + *chroma2, + *header, +- *luma; ++ *luma, ++ *yy; + + unsigned int + overview; +@@ -612,8 +616,13 @@ static Image *ReadPCDImage(const ImageInfo *image_info,ExceptionInfo *exception) + /* + Allocate luma and chroma memory. + */ +- pixel_info=AcquireVirtualMemory(image->columns+1UL,30*image->rows* +- sizeof(*luma)); ++ if (HeapOverflowSanityCheckGetSize(image->columns+1UL,image->rows,&extent) != MagickFalse) ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); ++ if (HeapOverflowSanityCheckGetSize(extent,10,&number_pixels) != MagickFalse) ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); ++ if (HeapOverflowSanityCheckGetSize(extent,30,&extent) != MagickFalse) ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); ++ pixel_info=AcquireVirtualMemory(extent,sizeof(*luma)); + if (pixel_info == (MemoryInfo *) NULL) + ThrowPCDException(ResourceLimitError,"MemoryAllocationFailed"); + number_pixels=(image->columns+1UL)*10*image->rows*sizeof(*luma); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-24485_2.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-24485_2.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-24485_2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-24485_2.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,43 @@ +From: Cristy +Date: Thu, 22 Jan 2026 19:32:08 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pqgj-2p96-rx85 + +a PCD file does not contain a valid Sync marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the Sync marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service. + +origin: https://github.com/ImageMagick/ImageMagick/commit/55c344f4b514213642da41194bab57b4476fb9f5 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pqgj-2p96-rx85 +--- + coders/pcd.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/coders/pcd.c b/coders/pcd.c +index 3995202..e6a361c 100644 +--- a/coders/pcd.c ++++ b/coders/pcd.c +@@ -127,7 +127,11 @@ static MagickBooleanType DecodeImage(Image *image,unsigned char *luma, + { \ + byte_count=ReadBlob(image,0x800,buffer); \ + if (byte_count != 0x800) \ +- break; \ ++ { \ ++ (void) ThrowMagickException(exception,GetMagickModule(), \ ++ CorruptImageWarning,"CorruptImage","`%s'",image->filename); \ ++ break; \ ++ } \ + p=buffer; \ + } \ + sum|=(((unsigned int) (*p)) << (24-bits)); \ +@@ -135,7 +139,11 @@ static MagickBooleanType DecodeImage(Image *image,unsigned char *luma, + p++; \ + } \ + if (byte_count != 0x800) \ +- break; \ ++ { \ ++ (void) ThrowMagickException(exception,GetMagickModule(), \ ++ CorruptImageWarning,"CorruptImage","`%s'",image->filename); \ ++ break; \ ++ } \ + } + + typedef struct PCDTable diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25576.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25576.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25576.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25576.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,602 @@ +From: Dirk Lemstra +Date: Sun, 25 Jan 2026 19:21:20 +0100 +Subject: Fixed out of bounds read in multiple coders that read raw pixel data + (GHSA-jv4p-gjwq-9r2j) + +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/077b42643212d7da8c1a4f6b2cd0067ebca8ec0f +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-jv4p-gjwq-9r2j +--- + coders/bgr.c | 22 ++++++++++++---------- + coders/cmyk.c | 26 ++++++++++++++------------ + coders/gray.c | 14 ++++++++------ + coders/raw.c | 4 +++- + coders/rgb.c | 26 +++++++++++++++----------- + coders/ycbcr.c | 22 ++++++++++++---------- + 6 files changed, 64 insertions(+), 50 deletions(-) + +diff --git a/coders/bgr.c b/coders/bgr.c +index b9f8143..d35aef5 100644 +--- a/coders/bgr.c ++++ b/coders/bgr.c +@@ -125,6 +125,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info,ExceptionInfo *exception) + length; + + ssize_t ++ columns, + count, + y; + +@@ -203,6 +204,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info,ExceptionInfo *exception) + scene=0; + status=MagickTrue; + stream=NULL; ++ columns=(ssize_t) MagickMin(image->columns,canvas_image->columns); + do + { + /* +@@ -264,7 +266,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((p == (const Quantum *) NULL) || + (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(image,GetPixelRed(canvas_image,p),q); + SetPixelGreen(image,GetPixelGreen(canvas_image,p),q); +@@ -347,7 +349,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((p == (const Quantum *) NULL) || + (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + switch (quantum_type) + { +@@ -443,7 +445,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((p == (const Quantum *) NULL) || + (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(image,GetPixelRed(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -496,7 +498,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((p == (const Quantum *) NULL) || + (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelGreen(image,GetPixelGreen(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -549,7 +551,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((p == (const Quantum *) NULL) || + (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelBlue(image,GetPixelBlue(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -611,7 +613,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((p == (const Quantum *) NULL) || + (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelAlpha(image,GetPixelAlpha(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -702,7 +704,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((p == (const Quantum *) NULL) || + (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(image,GetPixelRed(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -774,7 +776,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((p == (const Quantum *) NULL) || + (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelGreen(image,GetPixelGreen(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -846,7 +848,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((p == (const Quantum *) NULL) || + (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelBlue(image,GetPixelBlue(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -920,7 +922,7 @@ static Image *ReadBGRImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((p == (const Quantum *) NULL) || + (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelAlpha(image,GetPixelAlpha(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +diff --git a/coders/cmyk.c b/coders/cmyk.c +index 89d4be4..e469ea3 100644 +--- a/coders/cmyk.c ++++ b/coders/cmyk.c +@@ -125,6 +125,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + length; + + ssize_t ++ columns, + count, + y; + +@@ -202,6 +203,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + scene=0; + status=MagickTrue; + stream=NULL; ++ columns=(ssize_t) MagickMin(image->columns,canvas_image->columns); + do + { + /* +@@ -264,7 +266,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(image,GetPixelRed(canvas_image,p),q); + SetPixelGreen(image,GetPixelGreen(canvas_image,p),q); +@@ -348,7 +350,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + switch (quantum_type) + { +@@ -443,7 +445,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(image,GetPixelRed(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -495,7 +497,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelGreen(image,GetPixelGreen(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -547,7 +549,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelBlue(image,GetPixelBlue(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -599,7 +601,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelBlack(image,GetPixelBlack(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -654,7 +656,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelAlpha(image,GetPixelAlpha(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -744,7 +746,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(image,GetPixelRed(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -815,7 +817,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelGreen(image,GetPixelGreen(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -887,7 +889,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + if ((p == (const Quantum *) NULL) || + (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelBlue(image,GetPixelBlue(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -959,7 +961,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + if ((p == (const Quantum *) NULL) || + (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelBlack(image,GetPixelBlack(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -1033,7 +1035,7 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, + if ((p == (const Quantum *) NULL) || + (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelAlpha(image,GetPixelAlpha(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +diff --git a/coders/gray.c b/coders/gray.c +index 3f1d1d2..c1b4ee0 100644 +--- a/coders/gray.c ++++ b/coders/gray.c +@@ -126,6 +126,7 @@ static Image *ReadGRAYImage(const ImageInfo *image_info, + length; + + ssize_t ++ columns, + count, + y; + +@@ -203,6 +204,7 @@ static Image *ReadGRAYImage(const ImageInfo *image_info, + scene=0; + status=MagickTrue; + stream=NULL; ++ columns=(ssize_t) MagickMin(image->columns,canvas_image->columns); + do + { + /* +@@ -263,7 +265,7 @@ static Image *ReadGRAYImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(image,GetPixelRed(canvas_image,p),q); + SetPixelGreen(image,GetPixelGreen(canvas_image,p),q); +@@ -343,7 +345,7 @@ static Image *ReadGRAYImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + switch (quantum_type) + { +@@ -423,7 +425,7 @@ static Image *ReadGRAYImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelGray(image,GetPixelGray(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -478,7 +480,7 @@ static Image *ReadGRAYImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelAlpha(image,GetPixelAlpha(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -568,7 +570,7 @@ static Image *ReadGRAYImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(image,GetPixelRed(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -642,7 +644,7 @@ static Image *ReadGRAYImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelAlpha(image,GetPixelAlpha(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +diff --git a/coders/raw.c b/coders/raw.c +index 64ef612..e51b300 100644 +--- a/coders/raw.c ++++ b/coders/raw.c +@@ -119,6 +119,7 @@ static Image *ReadRAWImage(const ImageInfo *image_info,ExceptionInfo *exception) + length; + + ssize_t ++ columns, + count, + y; + +@@ -187,6 +188,7 @@ static Image *ReadRAWImage(const ImageInfo *image_info,ExceptionInfo *exception) + length=0; + status=MagickTrue; + stream=NULL; ++ columns=(ssize_t) MagickMin(image->columns,canvas_image->columns); + do + { + /* +@@ -239,7 +241,7 @@ static Image *ReadRAWImage(const ImageInfo *image_info,ExceptionInfo *exception) + 1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(image,GetPixelRed(canvas_image,p),q); + SetPixelGreen(image,GetPixelGreen(canvas_image,p),q); +diff --git a/coders/rgb.c b/coders/rgb.c +index 2b928e8..aa26c96 100644 +--- a/coders/rgb.c ++++ b/coders/rgb.c +@@ -126,6 +126,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + + ssize_t + count, ++ columns, + y; + + unsigned char +@@ -206,6 +207,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + scene=0; + status=MagickTrue; + stream=NULL; ++ columns=(ssize_t) MagickMin(image->columns,canvas_image->columns); + do + { + /* +@@ -266,7 +268,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(image,GetPixelRed(canvas_image,p),q); + SetPixelGreen(image,GetPixelGreen(canvas_image,p),q); +@@ -350,7 +352,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + switch (quantum_type) + { +@@ -445,7 +447,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(image,GetPixelRed(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -497,7 +499,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelGreen(image,GetPixelGreen(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -549,7 +551,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelBlue(image,GetPixelBlue(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -603,7 +605,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelAlpha(image,GetPixelAlpha(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -693,7 +695,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(image,GetPixelRed(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -764,7 +766,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelGreen(image,GetPixelGreen(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -835,7 +837,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelBlue(image,GetPixelBlue(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -908,7 +910,7 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelAlpha(image,GetPixelAlpha(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -1025,6 +1027,7 @@ static Image *ReadRGB565Image(const ImageInfo *image_info, + length; + + ssize_t ++ columns, + count, + y; + +@@ -1097,6 +1100,7 @@ static Image *ReadRGB565Image(const ImageInfo *image_info, + scene=0; + status=MagickTrue; + stream=NULL; ++ columns=(ssize_t) MagickMin(image->columns,canvas_image->columns); + do + { + /* +@@ -1150,7 +1154,7 @@ static Image *ReadRGB565Image(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + unsigned short + pixel; +diff --git a/coders/ycbcr.c b/coders/ycbcr.c +index 67be6f6..05f2151 100644 +--- a/coders/ycbcr.c ++++ b/coders/ycbcr.c +@@ -125,6 +125,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + length; + + ssize_t ++ columns, + count, + y; + +@@ -202,6 +203,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + scene=0; + status=MagickTrue; + stream=NULL; ++ columns=(ssize_t) MagickMin(image->columns,canvas_image->columns); + do + { + /* +@@ -264,7 +266,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(image,GetPixelRed(canvas_image,p),q); + SetPixelGreen(image,GetPixelGreen(canvas_image,p),q); +@@ -346,7 +348,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + switch (quantum_type) + { +@@ -436,7 +438,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(image,GetPixelRed(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -488,7 +490,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelGreen(image,GetPixelGreen(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -540,7 +542,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelBlue(image,GetPixelBlue(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -594,7 +596,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelAlpha(image,GetPixelAlpha(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -684,7 +686,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelRed(image,GetPixelRed(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -755,7 +757,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelGreen(image,GetPixelGreen(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -826,7 +828,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelBlue(image,GetPixelBlue(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); +@@ -900,7 +902,7 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, + image->columns,1,exception); + if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) + break; +- for (x=0; x < (ssize_t) image->columns; x++) ++ for (x=0; x < columns; x++) + { + SetPixelAlpha(image,GetPixelAlpha(canvas_image,p),q); + p+=(ptrdiff_t) GetPixelChannels(canvas_image); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25637.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25637.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25637.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25637.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,42 @@ +From: Dirk Lemstra +Date: Wed, 4 Feb 2026 17:19:53 +0100 +Subject: Fixed possible memory leak (GHSA-gm37-qx7w-p258) + +(cherry picked from commit 30ce0e8efbd72fd6b50ed3a10ae22f57c8901137) + +origin: https://github.com/ImageMagick/ImageMagick/commit/30ce0e8efbd72fd6b50ed3a10ae22f57c8901137 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gm37-qx7w-p258 +--- + coders/ashlar.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/coders/ashlar.c b/coders/ashlar.c +index 7b956d4..a44976f 100644 +--- a/coders/ashlar.c ++++ b/coders/ashlar.c +@@ -639,20 +639,21 @@ static Image *ASHLARImage(ImageInfo *image_info,Image *image, + *label, + offset[MagickPathExtent]; + +- DrawInfo +- *draw_info = CloneDrawInfo(image_info,(DrawInfo *) NULL); +- + label=InterpretImageProperties((ImageInfo *) image_info,tile_image, + value,exception); + if (label != (const char *) NULL) + { ++ DrawInfo ++ *draw_info = CloneDrawInfo(image_info,(DrawInfo *) NULL); ++ + (void) CloneString(&draw_info->text,label); + draw_info->pointsize=1.8*geometry.y; + (void) FormatLocaleString(offset,MagickPathExtent,"%+g%+g",(double) + tiles[i].x+geometry.x,(double) tiles[i].height+tiles[i].y+ + geometry.y/2.0); + (void) CloneString(&draw_info->geometry,offset); +- (void) AnnotateImage(ashlar_image,draw_info,exception); ++ status=AnnotateImage(ashlar_image,draw_info,exception); ++ draw_info=DestroyDrawInfo(draw_info); + } + } + if (((ssize_t) tiles[i].width+tiles[i].x) > (ssize_t) extent.width) diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25638.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25638.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25638.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25638.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,24 @@ +From: Dirk Lemstra +Date: Tue, 3 Feb 2026 22:06:12 +0100 +Subject: Fixed memory leak when writing MSL files (GHSA-gxcx-qjqp-8vjw) + +(cherry picked from commit 1e88fca11c7b8517100d518bc99bd8c474f02f88) + +origin: https://github.com/ImageMagick/ImageMagick/commit/1e88fca11c7b8517100d518bc99bd8c474f02f88 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gxcx-qjqp-8vjw +--- + coders/msl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/coders/msl.c b/coders/msl.c +index 43c4b73..9facbf2 100644 +--- a/coders/msl.c ++++ b/coders/msl.c +@@ -7887,6 +7887,7 @@ static MagickBooleanType WriteMSLImage(const ImageInfo *image_info,Image *image, + (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename); + msl_image=CloneImage(image,0,0,MagickTrue,exception); + status=ProcessMSLScript(image_info,&msl_image,exception); ++ msl_image=DestroyImageList(msl_image); + return(status); + } + #endif diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25794.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25794.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25794.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25794.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,54 @@ +From: Dirk Lemstra +Date: Fri, 6 Feb 2026 21:03:53 +0100 +Subject: Prevent out of bounds heap write in uhdr encoder + (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhqj-f5cj-9x8h) + +(cherry picked from commit ffe589df5ff8ce1433daa4ccb0d2a9fadfbe30ed) + +origin: https://github.com/ImageMagick/ImageMagick/commit/ffe589df5ff8ce1433daa4ccb0d2a9fadfbe30ed +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhqj-f5cj-9x8h +--- + coders/uhdr.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/coders/uhdr.c b/coders/uhdr.c +index 0a25676..a527465 100644 +--- a/coders/uhdr.c ++++ b/coders/uhdr.c +@@ -618,20 +618,28 @@ static MagickBooleanType WriteUHDRImage(const ImageInfo *image_info, + { + /* Classify image as hdr/sdr intent basing on depth */ + int +- bpp = image->depth >= hdrIntentMinDepth ? 2 : 1; +- +- int +- aligned_width = image->columns + (image->columns & 1); +- +- int +- aligned_height = image->rows + (image->rows & 1); ++ bpp; + + ssize_t +- picSize = aligned_width * aligned_height * bpp * 1.5 /* 2x2 sub-sampling */; ++ aligned_height, ++ aligned_width; ++ ++ size_t ++ picSize; + + void + *crBuffer = NULL, *cbBuffer = NULL, *yBuffer = NULL; + ++ if (((double) image->columns > sqrt(MAGICK_SSIZE_MAX/3.0)) || ++ ((double) image->rows > sqrt(MAGICK_SSIZE_MAX/3.0))) ++ { ++ (void) ThrowMagickException(exception,GetMagickModule(),ImageError, ++ "WidthOrHeightExceedsLimit","%s",image->filename); ++ goto next_image; ++ } ++ bpp = image->depth >= hdrIntentMinDepth ? 2 : 1; ++ aligned_width = image->columns + (image->columns & 1); ++ picSize = aligned_width * aligned_height * bpp * 1.5 /* 2x2 sub-sampling */; + if (IssRGBCompatibleColorspace(image->colorspace) && !IsGrayColorspace(image->colorspace)) + { + if (image->depth >= hdrIntentMinDepth && hdr_ct == UHDR_CT_LINEAR) diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25795.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25795.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25795.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25795.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,27 @@ +From: Dirk Lemstra +Date: Fri, 6 Feb 2026 21:16:10 +0100 +Subject: Fixed NULL pointer dereference in ReadSFWImage (GHSA-p33r-fqw2-rqmm) + +(cherry picked from commit 0c7d0b9671ae2616fca106dcada45536eb4df5dc) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p33r-fqw2-rqmm +origin: https://github.com/ImageMagick/ImageMagick/commit/0c7d0b9671ae2616fca106dcada45536eb4df5dc +--- + coders/sfw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/coders/sfw.c b/coders/sfw.c +index 22ebcd9..46c67b4 100644 +--- a/coders/sfw.c ++++ b/coders/sfw.c +@@ -317,9 +317,9 @@ static Image *ReadSFWImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((unique_file == -1) || (file == (FILE *) NULL)) + { + buffer=(unsigned char *) RelinquishMagickMemory(buffer); +- read_info=DestroyImageInfo(read_info); + (void) CopyMagickString(image->filename,read_info->filename, + MagickPathExtent); ++ read_info=DestroyImageInfo(read_info); + ThrowFileException(exception,FileOpenError,"UnableToCreateTemporaryFile", + image->filename); + image=DestroyImageList(image); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25796.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25796.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25796.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25796.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,41 @@ +From: Dirk Lemstra +Date: Fri, 6 Feb 2026 21:10:47 +0100 +Subject: Prevent memory leak in early exits (GHSA-g2pr-qxjg-7r2w) + +(cherry picked from commit 93ad259ce4f6d641eea0bee73f374af90f35efc3) + +origin: https://github.com/ImageMagick/ImageMagick/commit/93ad259ce4f6d641eea0bee73f374af90f35efc3 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-g2pr-qxjg-7r2w +--- + coders/stegano.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/coders/stegano.c b/coders/stegano.c +index 111640a..5f91bd9 100644 +--- a/coders/stegano.c ++++ b/coders/stegano.c +@@ -150,15 +150,22 @@ static Image *ReadSTEGANOImage(const ImageInfo *image_info, + return(DestroyImage(image)); + watermark->depth=MAGICKCORE_QUANTUM_DEPTH; + if (AcquireImageColormap(image,MaxColormapSize,exception) == MagickFalse) +- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); ++ { ++ watermark=DestroyImage(watermark); ++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); ++ } + if (image_info->ping != MagickFalse) + { ++ watermark=DestroyImage(watermark); + (void) CloseBlob(image); + return(GetFirstImageInList(image)); + } + status=SetImageExtent(image,image->columns,image->rows,exception); + if (status == MagickFalse) +- return(DestroyImageList(image)); ++ { ++ watermark=DestroyImage(watermark); ++ return(DestroyImageList(image)); ++ } + for (y=0; y < (ssize_t) image->rows; y++) + { + q=QueueAuthenticPixels(image,0,y,image->columns,1,exception); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25797_1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25797_1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25797_1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25797_1.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,339 @@ +From: Dirk Lemstra +Date: Fri, 6 Feb 2026 21:28:50 +0100 +Subject: Prevent code injection via PostScript header + (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-rw6c-xp26-225v) + +(cherry picked from commit 26088a83d71e9daa203d54a56fe3c31f3f85463d) + +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/26088a83d71e9daa203d54a56fe3c31f3f85463d +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-rw6c-xp26-225v +--- + coders/ps.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- + coders/ps2.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- + coders/ps3.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- + 3 files changed, 243 insertions(+), 3 deletions(-) + +diff --git a/coders/ps.c b/coders/ps.c +index 8af2af7..3999cf9 100644 +--- a/coders/ps.c ++++ b/coders/ps.c +@@ -1086,6 +1086,82 @@ static inline unsigned char *PopHexPixel(const char hex_digits[][3], + return(pixels); + } + ++static inline void FilenameToTitle(const char *filename,char *title, ++ const size_t extent) ++{ ++ int ++ depth = 0; ++ ++ ssize_t ++ i, ++ offset = 0; ++ ++ if (extent == 0) ++ return; ++ for (i=0; (filename[i] != '\0') && ((offset+1) < (ssize_t) extent); i++) ++ { ++ unsigned char ++ c = filename[i]; ++ ++ /* ++ Only allow printable ASCII. ++ */ ++ if ((c < 32) || (c > 126)) ++ { ++ title[offset++]='_'; ++ continue; ++ } ++ /* ++ Percent signs break DSC parsing. ++ */ ++ if (c == '%') ++ { ++ title[offset++]='_'; ++ continue; ++ } ++ /* ++ Parentheses must remain balanced. ++ */ ++ if (c == '(') ++ { ++ depth++; ++ title[offset++] = '('; ++ continue; ++ } ++ if (c == ')') ++ { ++ if (depth <= 0) ++ title[offset++]='_'; ++ else ++ { ++ depth--; ++ title[offset++]=')'; ++ } ++ continue; ++ } ++ /* ++ Everything else is allowed. ++ */ ++ title[offset++]=c; ++ } ++ /* ++ If parentheses remain unbalanced, close them. ++ */ ++ while ((depth > 0) && ((offset+1) < (ssize_t) extent)) { ++ title[offset++]=')'; ++ depth--; ++ } ++ title[offset]='\0'; ++ /* ++ Ensure non-empty result. ++ */ ++ if (offset == 0) ++ { ++ (void) CopyMagickString(title,"Untitled",extent-1); ++ title[extent-1]='\0'; ++ } ++} ++ + static MagickBooleanType WritePSImage(const ImageInfo *image_info,Image *image, + ExceptionInfo *exception) + { +@@ -1554,6 +1630,9 @@ static MagickBooleanType WritePSImage(const ImageInfo *image_info,Image *image, + text_size=(size_t) (MultilineCensus(value)*pointsize+12); + if (page == 1) + { ++ char ++ title[MagickPathExtent]; ++ + /* + Output Postscript header. + */ +@@ -1564,8 +1643,9 @@ static MagickBooleanType WritePSImage(const ImageInfo *image_info,Image *image, + MagickPathExtent); + (void) WriteBlobString(image,buffer); + (void) WriteBlobString(image,"%%Creator: (ImageMagick)\n"); ++ FilenameToTitle(image->filename,title,MagickPathExtent); + (void) FormatLocaleString(buffer,MagickPathExtent,"%%%%Title: (%s)\n", +- image->filename); ++ title); + (void) WriteBlobString(image,buffer); + timer=GetMagickTime(); + (void) FormatMagickTime(timer,sizeof(date),date); +diff --git a/coders/ps2.c b/coders/ps2.c +index f840782..10670a7 100644 +--- a/coders/ps2.c ++++ b/coders/ps2.c +@@ -225,6 +225,82 @@ static MagickBooleanType Huffman2DEncodeImage(const ImageInfo *image_info, + return(status); + } + ++static inline void FilenameToTitle(const char *filename,char *title, ++ const size_t extent) ++{ ++ int ++ depth = 0; ++ ++ ssize_t ++ i, ++ offset = 0; ++ ++ if (extent == 0) ++ return; ++ for (i=0; (filename[i] != '\0') && ((offset+1) < (ssize_t) extent); i++) ++ { ++ unsigned char ++ c = filename[i]; ++ ++ /* ++ Only allow printable ASCII. ++ */ ++ if ((c < 32) || (c > 126)) ++ { ++ title[offset++]='_'; ++ continue; ++ } ++ /* ++ Percent signs break DSC parsing. ++ */ ++ if (c == '%') ++ { ++ title[offset++]='_'; ++ continue; ++ } ++ /* ++ Parentheses must remain balanced. ++ */ ++ if (c == '(') ++ { ++ depth++; ++ title[offset++] = '('; ++ continue; ++ } ++ if (c == ')') ++ { ++ if (depth <= 0) ++ title[offset++]='_'; ++ else ++ { ++ depth--; ++ title[offset++]=')'; ++ } ++ continue; ++ } ++ /* ++ Everything else is allowed. ++ */ ++ title[offset++]=c; ++ } ++ /* ++ If parentheses remain unbalanced, close them. ++ */ ++ while ((depth > 0) && ((offset+1) < (ssize_t) extent)) { ++ title[offset++]=')'; ++ depth--; ++ } ++ title[offset]='\0'; ++ /* ++ Ensure non-empty result. ++ */ ++ if (offset == 0) ++ { ++ (void) CopyMagickString(title,"Untitled",extent-1); ++ title[extent-1]='\0'; ++ } ++} ++ + static MagickBooleanType WritePS2Image(const ImageInfo *image_info,Image *image, + ExceptionInfo *exception) + { +@@ -547,6 +623,9 @@ static MagickBooleanType WritePS2Image(const ImageInfo *image_info,Image *image, + text_size=(size_t) (MultilineCensus(value)*pointsize+12); + if (page == 1) + { ++ char ++ title[MagickPathExtent]; ++ + /* + Output Postscript header. + */ +@@ -557,8 +636,9 @@ static MagickBooleanType WritePS2Image(const ImageInfo *image_info,Image *image, + MagickPathExtent); + (void) WriteBlobString(image,buffer); + (void) WriteBlobString(image,"%%Creator: (ImageMagick)\n"); ++ FilenameToTitle(image->filename,title,MagickPathExtent); + (void) FormatLocaleString(buffer,MagickPathExtent,"%%%%Title: (%s)\n", +- image->filename); ++ title); + (void) WriteBlobString(image,buffer); + timer=GetMagickTime(); + (void) FormatMagickTime(timer,sizeof(date),date); +diff --git a/coders/ps3.c b/coders/ps3.c +index d3e870c..b135b46 100644 +--- a/coders/ps3.c ++++ b/coders/ps3.c +@@ -203,6 +203,82 @@ ModuleExport void UnregisterPS3Image(void) + % + */ + ++static inline void FilenameToTitle(const char *filename,char *title, ++ const size_t extent) ++{ ++ int ++ depth = 0; ++ ++ ssize_t ++ i, ++ offset = 0; ++ ++ if (extent == 0) ++ return; ++ for (i=0; (filename[i] != '\0') && ((offset+1) < (ssize_t) extent); i++) ++ { ++ unsigned char ++ c = filename[i]; ++ ++ /* ++ Only allow printable ASCII. ++ */ ++ if ((c < 32) || (c > 126)) ++ { ++ title[offset++]='_'; ++ continue; ++ } ++ /* ++ Percent signs break DSC parsing. ++ */ ++ if (c == '%') ++ { ++ title[offset++]='_'; ++ continue; ++ } ++ /* ++ Parentheses must remain balanced. ++ */ ++ if (c == '(') ++ { ++ depth++; ++ title[offset++] = '('; ++ continue; ++ } ++ if (c == ')') ++ { ++ if (depth <= 0) ++ title[offset++]='_'; ++ else ++ { ++ depth--; ++ title[offset++]=')'; ++ } ++ continue; ++ } ++ /* ++ Everything else is allowed. ++ */ ++ title[offset++]=c; ++ } ++ /* ++ If parentheses remain unbalanced, close them. ++ */ ++ while ((depth > 0) && ((offset+1) < (ssize_t) extent)) { ++ title[offset++]=')'; ++ depth--; ++ } ++ title[offset]='\0'; ++ /* ++ Ensure non-empty result. ++ */ ++ if (offset == 0) ++ { ++ (void) CopyMagickString(title,"Untitled",extent-1); ++ title[extent-1]='\0'; ++ } ++} ++ + static MagickBooleanType Huffman2DEncodeImage(const ImageInfo *image_info, + Image *image,Image *inject_image,ExceptionInfo *exception) + { +@@ -1007,6 +1083,9 @@ static MagickBooleanType WritePS3Image(const ImageInfo *image_info,Image *image, + is_gray=IdentifyImageCoderGray(image,exception); + if (page == 1) + { ++ char ++ title[MagickPathExtent]; ++ + /* + Postscript header on the first page. + */ +@@ -1019,8 +1098,9 @@ static MagickBooleanType WritePS3Image(const ImageInfo *image_info,Image *image, + (void) FormatLocaleString(buffer,MagickPathExtent, + "%%%%Creator: ImageMagick %s\n",MagickLibVersionText); + (void) WriteBlobString(image,buffer); ++ FilenameToTitle(image->filename,title,MagickPathExtent); + (void) FormatLocaleString(buffer,MagickPathExtent,"%%%%Title: %s\n", +- image->filename); ++ title); + (void) WriteBlobString(image,buffer); + timer=GetMagickTime(); + (void) FormatMagickTime(timer,sizeof(date),date); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25797_2.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25797_2.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25797_2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25797_2.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,138 @@ +From: Dirk Lemstra +Date: Fri, 20 Feb 2026 14:08:15 +0100 +Subject: Properly escape the strings that are written as raw html + (GHSA-rw6c-xp26-225v) + +(cherry picked from commit 81129f79ad622ff4c1d729828a34ab0f49ec89f6) + +origin: https://github.com/ImageMagick/ImageMagick/commit/81129f79ad622ff4c1d729828a34ab0f49ec89f6 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-rw6c-xp26-225v +--- + coders/html.c | 65 +++++++++++++++++++++++++++++++++++------------------------ + 1 file changed, 39 insertions(+), 26 deletions(-) + +diff --git a/coders/html.c b/coders/html.c +index 739cb12..1e171cb 100644 +--- a/coders/html.c ++++ b/coders/html.c +@@ -204,6 +204,21 @@ ModuleExport void UnregisterHTMLImage(void) + % + */ + ++static void WriteHtmlEncodedString(Image *image,const char* value) ++{ ++ char ++ *encoded_value; ++ ++ encoded_value=AcquireString(value); ++ (void) SubstituteString(&encoded_value,"<","<"); ++ (void) SubstituteString(&encoded_value,">",">"); ++ (void) SubstituteString(&encoded_value,"&","&"); ++ (void) SubstituteString(&encoded_value,"\"","""); ++ (void) SubstituteString(&encoded_value,"'","'"); ++ WriteBlobString(image,encoded_value); ++ encoded_value=DestroyString(encoded_value); ++} ++ + static ssize_t WriteURLComponent(Image *image,const int c) + { + char +@@ -318,29 +333,29 @@ static MagickBooleanType WriteHTMLImage(const ImageInfo *image_info, + "\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n"); + (void) WriteBlobString(image,"\n"); + (void) WriteBlobString(image,"\n"); ++ (void) WriteBlobString(image,""); + value=GetImageProperty(image,"label",exception); + if (value != (const char *) NULL) +- (void) FormatLocaleString(buffer,MagickPathExtent,"<title>%s\n", +- value); ++ WriteHtmlEncodedString(image,value); + else + { + GetPathComponent(filename,BasePath,basename); +- (void) FormatLocaleString(buffer,MagickPathExtent, +- "%s\n",basename); ++ WriteHtmlEncodedString(image,basename); + } +- (void) WriteBlobString(image,buffer); ++ (void) WriteBlobString(image,"\n"); + (void) WriteBlobString(image,"\n"); + (void) WriteBlobString(image,"\n"); +- (void) FormatLocaleString(buffer,MagickPathExtent,"

%s

\n", +- image->filename); +- (void) WriteBlobString(image,buffer); ++ (void) WriteBlobString(image,"

"); ++ WriteHtmlEncodedString(image,image->filename); ++ (void) WriteBlobString(image,"

"); + (void) WriteBlobString(image,"
\n"); + (void) CopyMagickString(filename,image->filename,MagickPathExtent); + AppendImageFormat("png",filename); +- (void) FormatLocaleString(buffer,MagickPathExtent,"\"Image\n",mapname, +- filename); +- (void) WriteBlobString(image,buffer); ++ (void) WriteBlobString(image,"\"Image\n"); + /* + Determine the size and location of each image tile. + */ +@@ -350,18 +365,18 @@ static MagickBooleanType WriteHTMLImage(const ImageInfo *image_info, + /* + Write an image map. + */ +- (void) FormatLocaleString(buffer,MagickPathExtent, +- "\n",mapname,mapname); +- (void) WriteBlobString(image,buffer); +- (void) FormatLocaleString(buffer,MagickPathExtent," \ndirectory == (char *) NULL) + { ++ WriteHtmlEncodedString(image,image->filename); + (void) FormatLocaleString(buffer,MagickPathExtent, +- "%s\" shape=\"rect\" coords=\"0,0,%.20g,%.20g\" alt=\"\" />\n", +- image->filename,(double) geometry.width-1,(double) geometry.height- +- 1); ++ "\" shape=\"rect\" coords=\"0,0,%.20g,%.20g\" alt=\"\" />\n", ++ (double) geometry.width-1,(double) geometry.height-1); + (void) WriteBlobString(image,buffer); + } + else +@@ -378,9 +393,9 @@ static MagickBooleanType WriteHTMLImage(const ImageInfo *image_info, + (void) WriteBlobString(image,buffer); + if (*(p+1) != '\0') + { +- (void) FormatLocaleString(buffer,MagickPathExtent, +- " = (ssize_t) image->columns) +@@ -390,7 +405,6 @@ static MagickBooleanType WriteHTMLImage(const ImageInfo *image_info, + } + } + (void) WriteBlobString(image,"\n"); +- (void) CopyMagickString(filename,image->filename,MagickPathExtent); + (void) WriteBlobString(image,"
\n"); + (void) WriteBlobString(image,"\n"); + (void) WriteBlobString(image,"\n"); +@@ -398,7 +412,6 @@ static MagickBooleanType WriteHTMLImage(const ImageInfo *image_info, + /* + Write the image as PNG. + */ +- (void) CopyMagickString(image->filename,filename,MagickPathExtent); + AppendImageFormat("png",image->filename); + next=GetNextImageInList(image); + image->next=NewImageList(); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25798.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25798.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25798.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25798.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,103 @@ +From: Cristy +Date: Sun, 1 Feb 2026 14:56:14 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p863-5fgm-rgq4 + +a NULL pointer dereference in ClonePixelCacheRepository allows a remote attacker to crash any application linked against ImageMagick by supplying a crafted image file, resulting in denial of service. + +(cherry picked from commit 16dd3158ce197c6f65e7798a7a5cc4538bb0303e) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p863-5fgm-rgq4 +origin: https://github.com/ImageMagick/ImageMagick/commit/16dd3158ce197c6f65e7798a7a5cc4538bb0303e +--- + MagickCore/cache.c | 37 +++++++++++++++++++++++++++++++++---- + coders/sixel.c | 4 ++-- + 2 files changed, 35 insertions(+), 6 deletions(-) + +diff --git a/MagickCore/cache.c b/MagickCore/cache.c +index 8df6945..5a36189 100644 +--- a/MagickCore/cache.c ++++ b/MagickCore/cache.c +@@ -3500,6 +3500,25 @@ static MagickBooleanType MaskPixelCacheNexus(Image *image,NexusInfo *nexus_info, + % + */ + ++static inline MagickBooleanType CacheOverflowSanityCheckGetSize( ++ const MagickSizeType count,const size_t quantum,MagickSizeType *const extent) ++{ ++ MagickSizeType ++ length; ++ ++ if ((count == 0) || (quantum == 0)) ++ return(MagickTrue); ++ length=count*quantum; ++ if (quantum != (length/count)) ++ { ++ errno=ENOMEM; ++ return(MagickTrue); ++ } ++ if (extent != NULL) ++ *extent=length; ++ return(MagickFalse); ++} ++ + static MagickBooleanType OpenPixelCacheOnDisk(CacheInfo *cache_info, + const MapMode mode) + { +@@ -3650,7 +3669,7 @@ static MagickBooleanType OpenPixelCache(Image *image,const MapMode mode, + status; + + MagickSizeType +- length, ++ length = 0, + number_pixels; + + size_t +@@ -3723,12 +3742,22 @@ static MagickBooleanType OpenPixelCache(Image *image,const MapMode mode, + packet_size=MagickMax(cache_info->number_channels,1)*sizeof(Quantum); + if (image->metacontent_extent != 0) + packet_size+=cache_info->metacontent_extent; +- length=number_pixels*packet_size; ++ if (CacheOverflowSanityCheckGetSize(number_pixels,packet_size,&length) != MagickFalse) ++ { ++ cache_info->storage_class=UndefinedClass; ++ cache_info->length=0; ++ ThrowBinaryException(ResourceLimitError,"PixelCacheAllocationFailed", ++ image->filename); ++ } + columns=(size_t) (length/cache_info->rows/packet_size); + if ((cache_info->columns != columns) || ((ssize_t) cache_info->columns < 0) || + ((ssize_t) cache_info->rows < 0)) +- ThrowBinaryException(ResourceLimitError,"PixelCacheAllocationFailed", +- image->filename); ++ { ++ cache_info->storage_class=UndefinedClass; ++ cache_info->length=0; ++ ThrowBinaryException(ResourceLimitError,"PixelCacheAllocationFailed", ++ image->filename); ++ } + cache_info->length=length; + if (image->ping != MagickFalse) + { +diff --git a/coders/sixel.c b/coders/sixel.c +index 08ca474..11d857d 100644 +--- a/coders/sixel.c ++++ b/coders/sixel.c +@@ -544,7 +544,7 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, + if (max_x < position_x) + max_x = position_x; + if (max_y < (position_y + i)) +- max_y = position_y + i; ++ max_y = (int) (position_y + i); + } + sixel_vertical_mask <<= 1; + } +@@ -577,7 +577,7 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, + if (max_x < (position_x+repeat_count-1)) + max_x = position_x+repeat_count-1; + if (max_y < (position_y+i+n-1)) +- max_y = position_y+i+n-1; ++ max_y = (int) (position_y+i+n-1); + i+=(n-1); + sixel_vertical_mask <<= (n-1); + } diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25799.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25799.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25799.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25799.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,37 @@ +From: Cristy +Date: Sat, 31 Jan 2026 12:56:17 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-543g-8grm-9cw6 + +a logic error in YUV sampling factor validation allows an invalid sampling factor to bypass checks and trigger a division-by-zero during image loading, resulting in a reliable denial-of-service. + +(cherry picked from commit 412f3c8bc1d3b6890aad72376cd992c9b5177037) + +origin: https://github.com/ImageMagick/ImageMagick/commit/412f3c8bc1d3b6890aad72376cd992c9b5177037 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-543g-8grm-9cw6 +--- + coders/yuv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/coders/yuv.c b/coders/yuv.c +index a1d5bf1..1817c43 100644 +--- a/coders/yuv.c ++++ b/coders/yuv.c +@@ -165,7 +165,7 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception) + vertical_factor=horizontal_factor; + if ((flags & SigmaValue) != 0) + vertical_factor=(ssize_t) geometry_info.sigma; +- if ((horizontal_factor != 1) && (horizontal_factor != 2) && ++ if ((horizontal_factor != 1) && (horizontal_factor != 2) || + (vertical_factor != 1) && (vertical_factor != 2)) + ThrowReaderException(CorruptImageError,"UnexpectedSamplingFactor"); + } +@@ -670,7 +670,7 @@ static MagickBooleanType WriteYUVImage(const ImageInfo *image_info,Image *image, + vertical_factor=horizontal_factor; + if ((flags & SigmaValue) != 0) + vertical_factor=(ssize_t) geometry_info.sigma; +- if ((horizontal_factor != 1) && (horizontal_factor != 2) && ++ if ((horizontal_factor != 1) && (horizontal_factor != 2) || + (vertical_factor != 1) && (vertical_factor != 2)) + ThrowWriterException(CorruptImageError,"UnexpectedSamplingFactor"); + } diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25897.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25897.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25897.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25897.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,29 @@ +From: Dirk Lemstra +Date: Fri, 6 Feb 2026 22:21:19 +0100 +Subject: Added extra check to prevent out of bounds heap write on 32-bit + systems (GHSA-6j5f-24fw-pqp4) + +(cherry picked from commit 23fde73188ea32c15b607571775d4f92bdb75e60) + +origin: https://github.com/ImageMagick/ImageMagick/commit/23fde73188ea32c15b607571775d4f92bdb75e60 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6j5f-24fw-pqp4 +--- + coders/sun.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/coders/sun.c b/coders/sun.c +index f1452c5..76d7607 100644 +--- a/coders/sun.c ++++ b/coders/sun.c +@@ -470,6 +470,11 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception) + sun_data=(unsigned char *) RelinquishMagickMemory(sun_data); + ThrowReaderException(ResourceLimitError,"ImproperImageHeader"); + } ++ if (image->rows > (MAGICK_SIZE_MAX - pixels_length)) ++ { ++ sun_data=(unsigned char *) RelinquishMagickMemory(sun_data); ++ ThrowReaderException(ResourceLimitError,"ImproperImageHeader"); ++ } + sun_pixels=(unsigned char *) AcquireQuantumMemory(pixels_length+image->rows, + sizeof(*sun_pixels)); + if (sun_pixels == (unsigned char *) NULL) diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25898_1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25898_1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25898_1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25898_1.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,34 @@ +From: Dirk Lemstra +Date: Fri, 6 Feb 2026 20:55:43 +0100 +Subject: Fixed out of bound read with negative pixel index + (GHSA-vpxv-r9pg-7gpr) + +(cherry picked from commit c9c87dbaba56bf82aebd3392e11f0ffd93709b12) + +origin: https://github.com/ImageMagick/ImageMagick/commit/c9c87dbaba56bf82aebd3392e11f0ffd93709b12 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vpxv-r9pg-7gpr +--- + coders/uil.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/coders/uil.c b/coders/uil.c +index 74c45c7..ffcab49 100644 +--- a/coders/uil.c ++++ b/coders/uil.c +@@ -352,11 +352,14 @@ static MagickBooleanType WriteUILImage(const ImageInfo *image_info,Image *image, + for (x=0; x < (ssize_t) image->columns; x++) + { + k=((ssize_t) GetPixelIndex(image,p) % MaxCixels); ++ if (k < 0) ++ k=0; + symbol[0]=Cixel[k]; + for (j=1; j < (int) characters_per_pixel; j++) + { +- k=(((int) GetPixelIndex(image,p)-k)/MaxCixels) % +- MaxCixels; ++ k=(((int) GetPixelIndex(image,p)-k)/MaxCixels) % MaxCixels; ++ if (k < 0) ++ k=0; + symbol[j]=Cixel[k]; + } + symbol[j]='\0'; diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25898_2.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25898_2.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25898_2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25898_2.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,32 @@ +From: Dirk Lemstra +Date: Sun, 8 Feb 2026 14:15:46 +0100 +Subject: Fixed out of bound read with negative pixel index + (GHSA-vpxv-r9pg-7gpr) + +(cherry picked from commit 21525d8f27b86e8063fe359616086fd6b71eb05b) + +origin: https://github.com/ImageMagick/ImageMagick/commit/21525d8f27b86e8063fe359616086fd6b71eb05b +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vpxv-r9pg-7gpr +--- + coders/xpm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/coders/xpm.c b/coders/xpm.c +index 1dda89f..4a77b48 100644 +--- a/coders/xpm.c ++++ b/coders/xpm.c +@@ -1131,10 +1131,14 @@ static MagickBooleanType WriteXPMImage(const ImageInfo *image_info,Image *image, + for (x=0; x < (ssize_t) image->columns; x++) + { + k=((ssize_t) GetPixelIndex(image,p) % MaxCixels); ++ if (k < 0) ++ k=0; + symbol[0]=Cixel[k]; + for (j=1; j < (ssize_t) characters_per_pixel; j++) + { + k=(((int) GetPixelIndex(image,p)-k)/MaxCixels) % MaxCixels; ++ if (k < 0) ++ k=0; + symbol[j]=Cixel[k]; + } + symbol[j]='\0'; diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25965.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25965.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25965.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25965.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,317 @@ +From: Dirk Lemstra +Date: Tue, 3 Feb 2026 21:09:59 +0100 +Subject: Prevent path traversal of paths that are blocked in the security + policy (GHSA-8jvj-p28h-9gm7) + +(cherry picked from commit 4a9dc1075dcad3ab0579e1b37dbe854c882699a5) + +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/4a9dc1075dcad3ab0579e1b37dbe854c882699a5 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8jvj-p28h-9gm7 +--- + MagickCore/module.c | 11 +++-- + MagickCore/policy.c | 39 ++++++++++----- + MagickCore/token.c | 2 + + MagickCore/utility-private.h | 115 +++++++++++++++++++++++++++++++++++++++++++ + MagickCore/utility.c | 28 +++++++---- + 5 files changed, 169 insertions(+), 26 deletions(-) + +diff --git a/MagickCore/module.c b/MagickCore/module.c +index e36214d..5332a71 100644 +--- a/MagickCore/module.c ++++ b/MagickCore/module.c +@@ -584,15 +584,16 @@ static MagickBooleanType GetMagickModulePath(const char *filename, + (void) ConcatenateMagickString(path,DirectorySeparator, + MagickPathExtent); + (void) ConcatenateMagickString(path,filename,MagickPathExtent); +-#if defined(MAGICKCORE_HAVE_REALPATH) + { + char +- resolved_path[PATH_MAX+1]; ++ *real_path = realpath_utf8(path); + +- if (realpath(path,resolved_path) != (char *) NULL) +- (void) CopyMagickString(path,resolved_path,MagickPathExtent); ++ if (real_path != (char *) NULL) ++ { ++ (void) CopyMagickString(path,real_path,MagickPathExtent); ++ real_path=DestroyString(real_path); ++ } + } +-#endif + if (IsPathAccessible(path) != MagickFalse) + { + module_path=DestroyString(module_path); +diff --git a/MagickCore/policy.c b/MagickCore/policy.c +index 8cfcee0..0e036c0 100644 +--- a/MagickCore/policy.c ++++ b/MagickCore/policy.c +@@ -640,6 +640,9 @@ static MagickBooleanType IsPolicyCacheInstantiated(ExceptionInfo *exception) + MagickExport MagickBooleanType IsRightsAuthorized(const PolicyDomain domain, + const PolicyRights rights,const char *pattern) + { ++ char ++ *real_pattern = (char *) NULL; ++ + const PolicyInfo + *policy_info; + +@@ -647,7 +650,8 @@ MagickExport MagickBooleanType IsRightsAuthorized(const PolicyDomain domain, + *exception; + + MagickBooleanType +- authorized; ++ authorized, ++ match; + + ElementInfo + *p; +@@ -671,22 +675,33 @@ MagickExport MagickBooleanType IsRightsAuthorized(const PolicyDomain domain, + *policy; + + policy=(const PolicyInfo *) p->value; +- if ((policy->domain == domain) && +- (GlobExpression(pattern,policy->pattern,MagickFalse) != MagickFalse)) ++ if (policy->domain == domain) + { +- if ((rights & ReadPolicyRights) != 0) +- authorized=(policy->rights & ReadPolicyRights) != 0 ? MagickTrue : +- MagickFalse; +- if ((rights & WritePolicyRights) != 0) +- authorized=(policy->rights & WritePolicyRights) != 0 ? MagickTrue : +- MagickFalse; +- if ((rights & ExecutePolicyRights) != 0) +- authorized=(policy->rights & ExecutePolicyRights) != 0 ? MagickTrue : +- MagickFalse; ++ if ((policy->domain == PathPolicyDomain) && ++ (real_pattern == (const char *) NULL)) ++ real_pattern=realpath_utf8(pattern); ++ if (real_pattern != (char*) NULL) ++ match=GlobExpression(real_pattern,policy->pattern,MagickFalse); ++ else ++ match=GlobExpression(pattern,policy->pattern,MagickFalse); ++ if (match != MagickFalse) ++ { ++ if ((rights & ReadPolicyRights) != 0) ++ authorized=(policy->rights & ReadPolicyRights) != 0 ? MagickTrue : ++ MagickFalse; ++ if ((rights & WritePolicyRights) != 0) ++ authorized=(policy->rights & WritePolicyRights) != 0 ? ++ MagickTrue : MagickFalse; ++ if ((rights & ExecutePolicyRights) != 0) ++ authorized=(policy->rights & ExecutePolicyRights) != 0 ? ++ MagickTrue : MagickFalse; ++ } + } + p=p->next; + } + UnlockSemaphoreInfo(policy_semaphore); ++ if (real_pattern != (char *) NULL) ++ real_pattern=DestroyString(real_pattern); + return(authorized); + } + +diff --git a/MagickCore/token.c b/MagickCore/token.c +index 9763069..70085b4 100644 +--- a/MagickCore/token.c ++++ b/MagickCore/token.c +@@ -518,6 +518,7 @@ MagickExport MagickBooleanType GlobExpression( + target=DestroyString(target); + break; + } ++#if !defined(MAGICKCORE_WINDOWS_SUPPORT) || defined(__CYGWIN__) + case '\\': + { + pattern+=GetUTFOctets(pattern); +@@ -525,6 +526,7 @@ MagickExport MagickBooleanType GlobExpression( + break; + magick_fallthrough; + } ++#endif + default: + { + if (case_insensitive != MagickFalse) +diff --git a/MagickCore/utility-private.h b/MagickCore/utility-private.h +index b3d951c..c28d4c5 100644 +--- a/MagickCore/utility-private.h ++++ b/MagickCore/utility-private.h +@@ -252,6 +252,121 @@ static inline FILE *popen_utf8(const char *command,const char *type) + #endif + } + ++static inline char *realpath_utf8(const char *path) ++{ ++#if !defined(MAGICKCORE_WINDOWS_SUPPORT) || defined(__CYGWIN__) ++#if defined(MAGICKCORE_HAVE_REALPATH) ++ return(realpath(path,(char *) NULL)); ++#else ++ return(AcquireString(path)); ++#endif ++#else ++ char ++ *real_path; ++ ++ DWORD ++ final_path_length, ++ full_path_length; ++ ++ HANDLE ++ file_handle; ++ ++ int ++ length, ++ utf8_length; ++ ++ wchar_t ++ *clean_path, ++ *full_path, ++ *wide_path; ++ ++ /* ++ Convert UTF-8 to UTF-16. ++ */ ++ if (path == (const char *) NULL) ++ return((char *) NULL); ++ length=MultiByteToWideChar(CP_UTF8,0,path,-1,NULL,0); ++ if (length <= 0) ++ return((char *) NULL); ++ wide_path=(wchar_t *) AcquireQuantumMemory(length,sizeof(wchar_t)); ++ if (wide_path == (wchar_t *) NULL) ++ return((char *) NULL); ++ MultiByteToWideChar(CP_UTF8,0,path,-1,wide_path,length); ++ /* ++ Normalize syntactically. ++ */ ++ full_path_length=GetFullPathNameW(wide_path,0,NULL,NULL); ++ if (full_path_length == 0) ++ { ++ wide_path=(wchar_t *) RelinquishMagickMemory(wide_path); ++ return((char *) NULL); ++ } ++ full_path=(wchar_t *) AcquireQuantumMemory(full_path_length,sizeof(wchar_t)); ++ if (full_path == (wchar_t *) NULL) ++ { ++ wide_path=(wchar_t *) RelinquishMagickMemory(wide_path); ++ return((char *) NULL); ++ } ++ GetFullPathNameW(wide_path,full_path_length,full_path,NULL); ++ wide_path=(wchar_t *) RelinquishMagickMemory(wide_path); ++ /* ++ Open the file/directory to resolve symlinks. ++ */ ++ file_handle=CreateFileW(full_path,GENERIC_READ,FILE_SHARE_READ | ++ FILE_SHARE_WRITE | FILE_SHARE_DELETE,NULL,OPEN_EXISTING, ++ FILE_FLAG_BACKUP_SEMANTICS,NULL); ++ if (file_handle != INVALID_HANDLE_VALUE) ++ { ++ /* ++ Resolve final canonical path. ++ */ ++ final_path_length=GetFinalPathNameByHandleW(file_handle,NULL,0, ++ FILE_NAME_NORMALIZED); ++ if (final_path_length == 0) ++ { ++ CloseHandle(file_handle); ++ full_path=(wchar_t *) RelinquishMagickMemory(full_path); ++ return((char *) NULL); ++ } ++ full_path=(wchar_t *) RelinquishMagickMemory(full_path); ++ full_path=(wchar_t *) AcquireQuantumMemory(final_path_length, ++ sizeof(wchar_t)); ++ if (full_path == (wchar_t *) NULL) ++ { ++ CloseHandle(file_handle); ++ return((char *) NULL); ++ } ++ GetFinalPathNameByHandleW(file_handle,full_path,final_path_length, ++ FILE_NAME_NORMALIZED); ++ CloseHandle(file_handle); ++ } ++ /* ++ Remove \\?\ prefix for POSIX-like behavior. ++ */ ++ clean_path=full_path; ++ if (wcsncmp(full_path,L"\\\\?\\",4) == 0) ++ clean_path=full_path+4; ++ /* ++ Convert UTF-16 to UTF-8. ++ */ ++ utf8_length=WideCharToMultiByte(CP_UTF8,0,clean_path,-1,NULL,0,NULL,NULL); ++ if (utf8_length <= 0) ++ { ++ full_path=(wchar_t *) RelinquishMagickMemory(full_path); ++ return NULL; ++ } ++ real_path=(char *) AcquireQuantumMemory(utf8_length,sizeof(char)); ++ if (real_path == (char *) NULL) ++ { ++ full_path=(wchar_t *) RelinquishMagickMemory(full_path); ++ return NULL; ++ } ++ WideCharToMultiByte(CP_UTF8,0,clean_path,-1,real_path,utf8_length,NULL,NULL); ++ full_path=(wchar_t *) RelinquishMagickMemory(full_path); ++ return(real_path); ++#endif ++} ++ + static inline int remove_utf8(const char *path) + { + #if !defined(MAGICKCORE_WINDOWS_SUPPORT) || defined(__CYGWIN__) +diff --git a/MagickCore/utility.c b/MagickCore/utility.c +index bbeef37..4fd6e9c 100644 +--- a/MagickCore/utility.c ++++ b/MagickCore/utility.c +@@ -1042,16 +1042,23 @@ MagickPrivate MagickBooleanType GetExecutionPath(char *path,const size_t extent) + #if defined(MAGICKCORE_HAVE__NSGETEXECUTABLEPATH) + { + char +- executable_path[PATH_MAX << 1], +- execution_path[PATH_MAX+1]; ++ executable_path[PATH_MAX << 1]; + + uint32_t + length; + + length=sizeof(executable_path); +- if ((_NSGetExecutablePath(executable_path,&length) == 0) && +- (realpath(executable_path,execution_path) != (char *) NULL)) +- (void) CopyMagickString(path,execution_path,extent); ++ if (_NSGetExecutablePath(executable_path,&length) == 0) ++ { ++ char ++ *real_path = realpath_utf8(executable_path); ++ ++ if (real_path != (char *) NULL) ++ { ++ (void) CopyMagickString(path,real_path,extent); ++ real_path=DestroyString(real_path); ++ } ++ } + } + #endif + #if defined(MAGICKCORE_HAVE_GETEXECNAME) +@@ -1097,10 +1104,13 @@ MagickPrivate MagickBooleanType GetExecutionPath(char *path,const size_t extent) + if (count != -1) + { + char +- execution_path[PATH_MAX+1]; ++ *real_path = realpath_utf8(program_name); + +- if (realpath(program_name,execution_path) != (char *) NULL) +- (void) CopyMagickString(path,execution_path,extent); ++ if (real_path != (char *) NULL) ++ { ++ (void) CopyMagickString(path,real_path,extent); ++ real_path=DestroyString(real_path); ++ } + } + if (program_name != program_invocation_name) + program_name=(char *) RelinquishMagickMemory(program_name); +@@ -1882,7 +1892,7 @@ MagickPrivate MagickBooleanType ShredFile(const char *path) + { + char + *property; +- ++ + passes=0; + property=GetEnvironmentValue("MAGICK_SHRED_PASSES"); + if (property != (char *) NULL) diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25966.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25966.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25966.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25966.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,51 @@ +From: Dirk Lemstra +Date: Tue, 3 Feb 2026 20:00:28 +0100 +Subject: Block reading from fd: in our more secure policies by default + (GHSA-xwc6-v6g8-pw2h) + +(cherry picked from commit 8d4c67a90ae458fb36393a05c0069e9123ac174c) + +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/8d4c67a90ae458fb36393a05c0069e9123ac174c +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xwc6-v6g8-pw2h +--- + config/policy-secure.xml | 1 + + config/policy-websafe.xml | 1 + + www/security-policy.html | 1 + + 3 files changed, 3 insertions(+) + +diff --git a/config/policy-secure.xml b/config/policy-secure.xml +index 0d312d2..4239822 100644 +--- a/config/policy-secure.xml ++++ b/config/policy-secure.xml +@@ -88,6 +88,7 @@ + + + ++ + + + +diff --git a/config/policy-websafe.xml b/config/policy-websafe.xml +index 05327e3..544bf74 100644 +--- a/config/policy-websafe.xml ++++ b/config/policy-websafe.xml +@@ -84,6 +84,7 @@ + + + ++ + + + +diff --git a/www/security-policy.html b/www/security-policy.html +index af8c206..b254962 100644 +--- a/www/security-policy.html ++++ b/www/security-policy.html +@@ -250,6 +250,7 @@ + <policy domain="filter" rights="none" pattern="*"/> + <!-- Don't read/write from/to stdin/stdout. --> + <policy domain="path" rights="none" pattern="-"/> ++ <policy domain="path" rights="none" pattern="fd:*"/> + <!-- don't read sensitive paths. --> + <policy domain="path" rights="none" pattern="/etc/*"/> + <!-- Indirect reads are not permitted. --> diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25967.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25967.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25967.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25967.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,33 @@ +From: Cristy +Date: Sat, 31 Jan 2026 12:59:33 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-72hf-fj62-w6j4 + +a stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. + +(cherry picked from commit 9afe96cc325da1e4349fbd7418675af2f8708c10) + +origin: https://github.com/ImageMagick/ImageMagick/commit/9afe96cc325da1e4349fbd7418675af2f8708c10 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-72hf-fj62-w6j4 +--- + coders/ftxt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/coders/ftxt.c b/coders/ftxt.c +index d665bec..e9bb47f 100644 +--- a/coders/ftxt.c ++++ b/coders/ftxt.c +@@ -197,11 +197,11 @@ static int ReadInt(Image * image,MagickBooleanType *eofInp,int *chPushed, + if (p-buffer >= MaxTextExtent) + { + *eofInp=MagickTrue; +- continue; ++ break; + } + chIn=ReadChar(image,chPushed); + } +- if (p==buffer) ++ if (p == buffer) + { + *eofInp=MagickTrue; + return(0); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25968.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25968.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25968.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25968.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,34 @@ +From: Dirk Lemstra +Date: Tue, 3 Feb 2026 22:40:04 +0100 +Subject: Patch to resolve possible out of bounds write in the msl decoder + (GHSA-3mwp-xqp2-q6ph). + +(cherry picked from commit 56f02958890b820cf2d0a6ecb04eb6f58ea75628) + +origin: https://github.com/ImageMagick/ImageMagick/commit/56f02958890b820cf2d0a6ecb04eb6f58ea75628 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-3mwp-xqp2-q6ph +--- + coders/msl.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/coders/msl.c b/coders/msl.c +index 9facbf2..4af3a71 100644 +--- a/coders/msl.c ++++ b/coders/msl.c +@@ -5827,11 +5827,12 @@ static void MSLStartElement(void *context,const xmlChar *tag, + Quantum opac = OpaqueAlpha; + ssize_t len = (ssize_t) strlen( value ); + +- if (value[len-1] == '%') { +- char tmp[100]; ++ if ((len > 0) && (value[len-1] == '%')) { ++ char *tmp = AcquireString(value); + (void) CopyMagickString(tmp,value,(size_t) len); +- opac = StringToLong( tmp ); +- opac = (int)(QuantumRange * ((float)opac/100)); ++ opac = (Quantum) StringToLong( tmp ); ++ tmp=DestroyString(tmp); ++ opac = (Quantum)(QuantumRange * ((float)opac/100)); + } else + opac = StringToLong( value ); + (void) SetImageAlpha( msl_info->image[n], (Quantum) opac, diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25969.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25969.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25969.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25969.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,58 @@ +From: Cristy +Date: Wed, 28 Jan 2026 20:33:56 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xgm3-v4r9-wfgm + +a memory leak exists in `coders/ashlar.c`. The `WriteASHLARImage` allocates a structure. However, when an exception is thrown, the allocated memory is not properly released, resulting in a potential memory leak. + +(cherry picked from commit a253d1b124ebdcc2832daac6f9a35c362635b40e) + +[backport] +- do not change border parameters, keep old parameter in patch context + +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/a253d1b124ebdcc2832daac6f9a35c362635b40e +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xgm3-v4r9-wfgm +--- + coders/ashlar.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/coders/ashlar.c b/coders/ashlar.c +index a44976f..1984215 100644 +--- a/coders/ashlar.c ++++ b/coders/ashlar.c +@@ -543,7 +543,8 @@ static Image *ASHLARImage(ImageInfo *image_info,Image *image, + geometry.height=(size_t) geometry.height/7; + geometry.x=(ssize_t) pow((double) geometry.width,0.25); + geometry.y=(ssize_t) pow((double) geometry.height,0.25); +- image_info->extract=AcquireString(""); ++ if (image_info->extract == (char *) NULL) ++ image_info->extract=AcquireString(""); + if (image_info->extract != (char *) NULL) + (void) FormatLocaleString(image_info->extract,MagickPathExtent, + "%gx%g%+g%+g",(double) geometry.width,(double) geometry.height, +@@ -707,7 +708,6 @@ static MagickBooleanType WriteASHLARImage(const ImageInfo *image_info, + if (value != (const char *) NULL) + tiles_per_page=(size_t) MagickMax(StringToInteger(value),1); + ashlar_images=NewImageList(); +- write_info=CloneImageInfo(image_info); + for (i=0; i < (ssize_t) GetImageListLength(image); i+=(ssize_t) tiles_per_page) + { + char +@@ -726,7 +726,9 @@ static MagickBooleanType WriteASHLARImage(const ImageInfo *image_info, + ashlar_images=DestroyImageList(ashlar_images); + break; + } ++ write_info=CloneImageInfo(image_info); + ashlar_image=ASHLARImage(write_info,clone_images,exception); ++ write_info=DestroyImageInfo(write_info); + clone_images=DestroyImageList(clone_images); + if (ashlar_image == (Image *) NULL) + { +@@ -741,6 +743,7 @@ static MagickBooleanType WriteASHLARImage(const ImageInfo *image_info, + ashlar_images=GetFirstImageInList(ashlar_images); + (void) CopyMagickString(ashlar_images->filename,image_info->filename, + MagickPathExtent); ++ write_info=CloneImageInfo(image_info); + *write_info->magick='\0'; + (void) SetImageInfo(write_info,(unsigned int) + GetImageListLength(ashlar_images),exception); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25970.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25970.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25970.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25970.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,134 @@ +From: Cristy +Date: Sun, 1 Feb 2026 13:55:34 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xg29-8ghv-v4xr + +(cherry picked from commit 729253dc16e1a1ec4cac891a12d597e3fa9336b3) + +a signed integer overflow vulnerability in ImageMagick's SIXEL decoder allows an attacker to trigger memory corruption and denial of service when processing a maliciously crafted SIXEL image file. The vulnerability occurs during buffer reallocation operations where pointer arithmetic using signed 32-bit integers overflows + +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/729253dc16e1a1ec4cac891a12d597e3fa9336b3 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xg29-8ghv-v4xr +--- + coders/sixel.c | 39 +++++++++++++++++++++------------------ + 1 file changed, 21 insertions(+), 18 deletions(-) + +diff --git a/coders/sixel.c b/coders/sixel.c +index aa9ce70..a75ee32 100644 +--- a/coders/sixel.c ++++ b/coders/sixel.c +@@ -250,7 +250,6 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, + c, + color_index, + g, +- i, + n, + max_color_index, + max_x, +@@ -261,23 +260,24 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, + r, + repeat_count, + sixel_palet[SIXEL_PALETTE_MAX], +- sixel_vertical_mask, +- x, +- y; ++ sixel_vertical_mask; + + sixel_pixel_t + *dmbuf, + *imbuf; + + size_t +- extent, +- offset; ++ extent; + + ssize_t + dmsx, + dmsy, ++ i, + imsx, +- imsy; ++ imsy, ++ offset, ++ x, ++ y; + + extent=strlen((char *) p); + position_x=position_y=0; +@@ -294,7 +294,8 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, + imsy=2048; + if (SetImageExtent(image,(size_t) imsx,(size_t) imsy,exception) == MagickFalse) + return(MagickFalse); +- imbuf=(sixel_pixel_t *) AcquireQuantumMemory((size_t) imsx,(size_t) imsy*sizeof(sixel_pixel_t)); ++ imbuf=(sixel_pixel_t *) AcquireQuantumMemory((size_t) imsx, ++ (size_t) imsy*sizeof(sixel_pixel_t)); + if (imbuf == (sixel_pixel_t *) NULL) + return(MagickFalse); + for (n = 0; n < 16; n++) +@@ -315,8 +316,8 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, + sixel_palet[n++]=SIXEL_RGB(i*11,i*11,i*11); + for (; n < SIXEL_PALETTE_MAX; n++) + sixel_palet[n]=SIXEL_RGB(255,255,255); +- for (i = 0; i < imsx * imsy; i++) +- imbuf[i]=background_color_index; ++ for (i = 0; i < (imsx*imsy); i++) ++ imbuf[i]=(sixel_pixel_t) background_color_index; + while (*p != '\0') + { + if ((p[0] == '\033' && p[1] == 'P') || (*p == 0x90)) +@@ -409,7 +410,7 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, + } + (void) memset(dmbuf,background_color_index,(size_t) dmsx*(size_t) + dmsy*sizeof(sixel_pixel_t)); +- for (y = 0; y < imsy; ++y) ++ for (y=0; y < imsy; ++y) + (void) memcpy(dmbuf+dmsx*y,imbuf+imsx*y,(size_t) imsx* + sizeof(sixel_pixel_t)); + imbuf=(sixel_pixel_t *) RelinquishMagickMemory(imbuf); +@@ -486,7 +487,8 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, + } + else if ((*p >= '?') && (*p <= '\177')) + { +- if ((imsx < (position_x + repeat_count)) || (imsy < (position_y + 6))) ++ if ((imsx < ((ssize_t) position_x+repeat_count)) || ++ (imsy < ((ssize_t) position_y+6))) + { + ssize_t + nx, +@@ -495,7 +497,7 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, + nx=imsx*2; + ny=imsy*2; + +- while ((nx < (position_x + repeat_count)) || (ny < (position_y + 6))) ++ while ((nx < ((ssize_t) position_x+repeat_count)) || (ny < ((ssize_t) position_y+6))) + { + nx *= 2; + ny *= 2; +@@ -535,9 +537,9 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, + { + if ((b & sixel_vertical_mask) != 0) + { +- offset=(size_t) (imsx*((ssize_t) position_y+i)+ ++ offset=(ssize_t) (imsx*((ssize_t) position_y+i)+ + (ssize_t) position_x); +- if (offset >= (size_t) (imsx*imsy)) ++ if (offset >= (imsx*imsy)) + { + imbuf=(sixel_pixel_t *) RelinquishMagickMemory(imbuf); + return(MagickFalse); +@@ -567,10 +569,11 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, + } + for (y = position_y + i; y < position_y + i + n; ++y) + { +- offset=(size_t) ((ssize_t) imsx*y+(ssize_t) position_x); +- if ((offset+(size_t) repeat_count) >= (size_t) (imsx*imsy)) ++ offset=(imsx*y+position_x); ++ if ((offset+repeat_count) >= (imsx*imsy)) + { +- imbuf=(sixel_pixel_t *) RelinquishMagickMemory(imbuf); ++ imbuf=(sixel_pixel_t *) ++ RelinquishMagickMemory(imbuf); + return(MagickFalse); + } + for (x = 0; x < repeat_count; x++) diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25970_pre1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25970_pre1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25970_pre1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25970_pre1.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,52 @@ +From: Cristy +Date: Wed, 28 Jan 2026 19:50:14 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xg29-8ghv-v4x + +This fix int to size_t and is needed for fully fix CVE-2026-25970 + +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/266e59ed8d886a76355c863bd38ff5ac34537673 +(cherry picked from commit 266e59ed8d886a76355c863bd38ff5ac34537673) +--- + coders/sixel.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/coders/sixel.c b/coders/sixel.c +index 11d857d..aa9ce70 100644 +--- a/coders/sixel.c ++++ b/coders/sixel.c +@@ -249,12 +249,8 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, + background_color_index, + c, + color_index, +- dmsx, +- dmsy, + g, + i, +- imsx, +- imsy, + n, + max_color_index, + max_x, +@@ -277,6 +273,12 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, + extent, + offset; + ++ ssize_t ++ dmsx, ++ dmsy, ++ imsx, ++ imsy; ++ + extent=strlen((char *) p); + position_x=position_y=0; + max_x=max_y=0; +@@ -486,7 +488,7 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, + { + if ((imsx < (position_x + repeat_count)) || (imsy < (position_y + 6))) + { +- int ++ ssize_t + nx, + ny; + diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25971.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25971.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25971.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25971.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,305 @@ +From: Dirk Lemstra +Date: Tue, 3 Feb 2026 23:22:26 +0100 +Subject: Keep a splay tree of read files to prevent a stack overflow + (GHSA-8mpr-6xr2-chhc) + +(cherry picked from commit 9313e530b37272b748898febd42b5949756f0179) + +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/9313e530b37272b748898febd42b5949756f0179 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8mpr-6xr2-chhc +--- + MagickCore/draw.c | 52 +++++++++++----------------------------------------- + coders/msl.c | 26 +++++++++++++++++++++++++- + coders/svg.c | 48 ++++++++++++++++++++++++++++++++++++++---------- + 3 files changed, 74 insertions(+), 52 deletions(-) + +diff --git a/MagickCore/draw.c b/MagickCore/draw.c +index 3f87346..d1c0651 100644 +--- a/MagickCore/draw.c ++++ b/MagickCore/draw.c +@@ -1612,7 +1612,7 @@ static Image *DrawClippingMask(Image *image,const DrawInfo *draw_info, + clone_info=DestroyDrawInfo(clone_info); + separate_mask=SeparateImage(clip_mask,AlphaChannel,exception); + if (separate_mask == (Image *) NULL) +- status=MagickFalse; ++ status=MagickFalse; + else + { + clip_mask=DestroyImage(clip_mask); +@@ -3456,7 +3456,7 @@ static MagickBooleanType RenderMVGContent(Image *image, + continue; + break; + } +- if ((q == (char *) NULL) || (*q == '\0') || ++ if ((q == (char *) NULL) || (*q == '\0') || + (p == (char *) NULL) || ((q-4) < p)) + { + status=MagickFalse; +@@ -4378,7 +4378,7 @@ static MagickBooleanType RenderMVGContent(Image *image, + case PathPrimitive: + { + coordinates=(double) TracePath(&mvg_info,token,exception); +- primitive_info=(*mvg_info.primitive_info); ++ primitive_info=(*mvg_info.primitive_info); + if (coordinates < 0.0) + { + status=MagickFalse; +@@ -5647,57 +5647,27 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image, + else + if (*primitive_info->text != '\0') + { +- const MagickInfo +- *magick_info; +- +- MagickBooleanType +- path_status; +- +- struct stat +- attributes; +- + /* + Read composite image. + */ + (void) CopyMagickString(clone_info->filename,primitive_info->text, + MagickPathExtent); + (void) SetImageInfo(clone_info,1,exception); +- magick_info=GetMagickInfo(clone_info->magick,exception); +- if ((magick_info != (const MagickInfo*) NULL) && +- (LocaleCompare(magick_info->magick_module,"SVG") == 0)) +- { +- (void) ThrowMagickException(exception,GetMagickModule(), +- CorruptImageError,"ImageTypeNotSupported","`%s'", +- clone_info->filename); +- clone_info=DestroyImageInfo(clone_info); +- break; +- } + (void) CopyMagickString(clone_info->filename,primitive_info->text, + MagickPathExtent); + if (clone_info->size != (char *) NULL) + clone_info->size=DestroyString(clone_info->size); + if (clone_info->extract != (char *) NULL) + clone_info->extract=DestroyString(clone_info->extract); +- path_status=GetPathAttributes(clone_info->filename,&attributes); +- if (path_status != MagickFalse) +- { +- if (S_ISCHR(attributes.st_mode) == 0) +- composite_images=ReadImage(clone_info,exception); +- else +- (void) ThrowMagickException(exception,GetMagickModule(), +- FileOpenError,"UnableToOpenFile","`%s'", +- clone_info->filename); +- } ++ if ((LocaleCompare(clone_info->magick,"ftp") != 0) && ++ (LocaleCompare(clone_info->magick,"http") != 0) && ++ (LocaleCompare(clone_info->magick,"https") != 0) && ++ (LocaleCompare(clone_info->magick,"mvg") != 0) && ++ (LocaleCompare(clone_info->magick,"vid") != 0)) ++ composite_images=ReadImage(clone_info,exception); + else +- if ((LocaleCompare(clone_info->magick,"ftp") != 0) && +- (LocaleCompare(clone_info->magick,"http") != 0) && +- (LocaleCompare(clone_info->magick,"https") != 0) && +- (LocaleCompare(clone_info->magick,"mvg") != 0) && +- (LocaleCompare(clone_info->magick,"vid") != 0)) +- composite_images=ReadImage(clone_info,exception); +- else +- (void) ThrowMagickException(exception,GetMagickModule(), +- FileOpenError,"UnableToOpenFile","`%s'",clone_info->filename); ++ (void) ThrowMagickException(exception,GetMagickModule(), ++ FileOpenError,"UnableToOpenFile","`%s'",clone_info->filename); + } + clone_info=DestroyImageInfo(clone_info); + if (composite_images == (Image *) NULL) +diff --git a/coders/msl.c b/coders/msl.c +index 4af3a71..37a669c 100644 +--- a/coders/msl.c ++++ b/coders/msl.c +@@ -84,6 +84,7 @@ + #include "MagickCore/segment.h" + #include "MagickCore/shear.h" + #include "MagickCore/signature.h" ++#include "MagickCore/splay-tree.h" + #include "MagickCore/statistic.h" + #include "MagickCore/static.h" + #include "MagickCore/string_.h" +@@ -141,6 +142,12 @@ typedef struct _MSLInfo + *group_info; + } MSLInfo; + ++/* ++ Global declarations. ++*/ ++static SplayTreeInfo ++ *msl_tree = (SplayTreeInfo *) NULL; ++ + /* + Forward declarations. + */ +@@ -4770,13 +4777,24 @@ static void MSLStartElement(void *context,const xmlChar *tag, + if (LocaleCompare(keyword,"filename") == 0) + { + Image +- *next; ++ *next = (Image *) NULL; + + if (value == (char *) NULL) + break; ++ if (GetValueFromSplayTree(msl_tree,value) != (const char *) NULL) ++ { ++ (void) ThrowMagickException(msl_info->exception, ++ GetMagickModule(),DrawError, ++ "VectorGraphicsNestedTooDeeply","`%s'",value); ++ break; ++ } ++ (void) AddValueToSplayTree(msl_tree,ConstantString(value), ++ (void *) 1); ++ *msl_info->image_info[n]->magick='\0'; + (void) CopyMagickString(msl_info->image_info[n]->filename, + value,MagickPathExtent); + next=ReadImage(msl_info->image_info[n],exception); ++ (void) DeleteNodeFromSplayTree(msl_tree,value); + CatchException(exception); + if (next == (Image *) NULL) + continue; +@@ -7042,6 +7060,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + + /* process */ + { ++ *msl_info->image_info[n]->magick='\0'; + (void) CopyMagickString(msl_info->image_info[n]->filename, + msl_info->image[n]->filename,MagickPathExtent); + (void) SetImageInfo(msl_info->image_info[n],1,exception); +@@ -7521,6 +7540,9 @@ ModuleExport size_t RegisterMSLImage(void) + MagickInfo + *entry; + ++ if (msl_tree == (SplayTreeInfo *) NULL) ++ msl_tree=NewSplayTree(CompareSplayTreeString,RelinquishMagickMemory, ++ (void *(*)(void *)) NULL); + entry=AcquireMagickInfo("MSL","MSL","Magick Scripting Language"); + #if defined(MAGICKCORE_XML_DELEGATE) + entry->decoder=(DecodeImageHandler *) ReadMSLImage; +@@ -7841,6 +7863,8 @@ static MagickBooleanType SetMSLAttributes(MSLInfo *msl_info,const char *keyword, + ModuleExport void UnregisterMSLImage(void) + { + (void) UnregisterMagickInfo("MSL"); ++ if (msl_tree != (SplayTreeInfo *) NULL) ++ msl_tree=DestroySplayTree(msl_tree); + } + + #if defined(MAGICKCORE_XML_DELEGATE) +diff --git a/coders/svg.c b/coders/svg.c +index 0eda064..aa6a170 100644 +--- a/coders/svg.c ++++ b/coders/svg.c +@@ -78,6 +78,8 @@ + #include "MagickCore/utility.h" + #include "coders/coders-private.h" + ++#include "MagickCore/splay-tree.h" ++ + #if defined(MAGICKCORE_XML_DELEGATE) + # include + # include +@@ -184,6 +186,12 @@ typedef struct _SVGInfo + svgDepth; + } SVGInfo; + ++/* ++ Global declarations. ++*/ ++static SplayTreeInfo ++ *svg_tree = (SplayTreeInfo *) NULL; ++ + /* + Static declarations. + */ +@@ -2652,6 +2660,31 @@ static void SVGEndElement(void *context,const xmlChar *name) + { + if (LocaleCompare((const char *) name,"image") == 0) + { ++ Image ++ *image; ++ ++ ImageInfo ++ *image_info = AcquireImageInfo(); ++ ++ if (svg_info->url == (char*) NULL) ++ { ++ (void) FormatLocaleFile(svg_info->file,"pop graphic-context\n"); ++ break; ++ } ++ if (GetValueFromSplayTree(svg_tree,svg_info->url) != (const char *) NULL) ++ { ++ (void) ThrowMagickException(svg_info->exception,GetMagickModule(), ++ DrawError,"VectorGraphicsNestedTooDeeply","`%s'",svg_info->url); ++ break; ++ } ++ (void) AddValueToSplayTree(svg_tree,ConstantString(svg_info->url), ++ (void *) 1); ++ (void) CopyMagickString(image_info->filename,svg_info->url, ++ MagickPathExtent); ++ image=ReadImage(image_info,svg_info->exception); ++ if (image != (Image *) NULL) ++ image=DestroyImage(image); ++ (void) DeleteNodeFromSplayTree(svg_tree,svg_info->url); + (void) FormatLocaleFile(svg_info->file, + "image Over %g,%g %g,%g \"%s\"\n",svg_info->bounds.x, + svg_info->bounds.y,svg_info->bounds.width,svg_info->bounds.height, +@@ -3325,6 +3358,9 @@ ModuleExport size_t RegisterSVGImage(void) + MagickInfo + *entry; + ++ if (svg_tree == (SplayTreeInfo *) NULL) ++ svg_tree=NewSplayTree(CompareSplayTreeString,RelinquishMagickMemory, ++ (void *(*)(void *)) NULL); + *version='\0'; + #if defined(LIBXML_DOTTED_VERSION) + (void) CopyMagickString(version,"XML " LIBXML_DOTTED_VERSION, +@@ -3340,9 +3376,6 @@ ModuleExport size_t RegisterSVGImage(void) + entry=AcquireMagickInfo("SVG","SVG","Scalable Vector Graphics"); + entry->decoder=(DecodeImageHandler *) ReadSVGImage; + entry->encoder=(EncodeImageHandler *) WriteSVGImage; +-#if defined(MAGICKCORE_RSVG_DELEGATE) +- entry->flags^=CoderDecoderThreadSupportFlag; +-#endif + entry->mime_type=ConstantString("image/svg+xml"); + if (*version != '\0') + entry->version=ConstantString(version); +@@ -3353,9 +3386,6 @@ ModuleExport size_t RegisterSVGImage(void) + entry->decoder=(DecodeImageHandler *) ReadSVGImage; + #endif + entry->encoder=(EncodeImageHandler *) WriteSVGImage; +-#if defined(MAGICKCORE_RSVG_DELEGATE) +- entry->flags^=CoderDecoderThreadSupportFlag; +-#endif + entry->mime_type=ConstantString("image/svg+xml"); + if (*version != '\0') + entry->version=ConstantString(version); +@@ -3365,7 +3395,6 @@ ModuleExport size_t RegisterSVGImage(void) + entry=AcquireMagickInfo("SVG","RSVG","Librsvg SVG renderer"); + entry->decoder=(DecodeImageHandler *) ReadSVGImage; + entry->encoder=(EncodeImageHandler *) WriteSVGImage; +- entry->flags^=CoderDecoderThreadSupportFlag; + entry->mime_type=ConstantString("image/svg+xml"); + if (*version != '\0') + entry->version=ConstantString(version); +@@ -3378,9 +3407,6 @@ ModuleExport size_t RegisterSVGImage(void) + entry->decoder=(DecodeImageHandler *) ReadSVGImage; + #endif + entry->encoder=(EncodeImageHandler *) WriteSVGImage; +-#if defined(MAGICKCORE_RSVG_DELEGATE) +- entry->flags^=CoderDecoderThreadSupportFlag; +-#endif + entry->magick=(IsImageFormatHandler *) IsSVG; + (void) RegisterMagickInfo(entry); + return(MagickImageCoderSignature); +@@ -3413,6 +3439,8 @@ ModuleExport void UnregisterSVGImage(void) + (void) UnregisterMagickInfo("RSVG"); + #endif + (void) UnregisterMagickInfo("MSVG"); ++ if (svg_tree != (SplayTreeInfo *) NULL) ++ svg_tree=DestroySplayTree(svg_tree); + } + + /* diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25982.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25982.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25982.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25982.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,72 @@ +From: Dirk Lemstra +Date: Tue, 3 Feb 2026 21:53:39 +0100 +Subject: Added checks to prevent an out of bounds read (GHSA-pmq6-8289-hx3v) + +(cherry picked from commit 4e1f5381d4ccbb6b71927e94c5d257fa883b3af7) + +origin: https://github.com/ImageMagick/ImageMagick/commit/4e1f5381d4ccbb6b71927e94c5d257fa883b3af7 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pmq6-8289-hx3v +--- + coders/dcm.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/coders/dcm.c b/coders/dcm.c +index df45d71..fdd3b93 100644 +--- a/coders/dcm.c ++++ b/coders/dcm.c +@@ -2704,6 +2704,7 @@ typedef struct _DCMInfo + + size_t + bits_allocated, ++ bits_per_entry, + bytes_per_pixel, + depth, + mask, +@@ -3158,6 +3159,7 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception) + */ + (void) CopyMagickString(photometric,"MONOCHROME1 ",MagickPathExtent); + info.bits_allocated=8; ++ info.bits_per_entry=1; + info.bytes_per_pixel=1; + info.depth=8; + info.mask=0xffff; +@@ -3695,7 +3697,7 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception) + else + index=(unsigned short) (*p | (*(p+1) << 8)); + map.red[i]=(int) index; +- p+=(ptrdiff_t) 2; ++ p+=(ptrdiff_t) info.bits_per_entry; + } + break; + } +@@ -3727,7 +3729,7 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception) + else + index=(unsigned short) (*p | (*(p+1) << 8)); + map.green[i]=(int) index; +- p+=(ptrdiff_t) 2; ++ p+=(ptrdiff_t) info.bits_per_entry; + } + break; + } +@@ -3759,10 +3761,20 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception) + else + index=(unsigned short) (*p | (*(p+1) << 8)); + map.blue[i]=(int) index; +- p+=(ptrdiff_t) 2; ++ p+=(ptrdiff_t) info.bits_per_entry; + } + break; + } ++ case 0x3002: ++ { ++ /* ++ Bytes per entry. ++ */ ++ info.bits_per_entry=(size_t) datum; ++ if ((info.bits_per_entry == 0) || (info.bits_per_entry > 2)) ++ ThrowDCMException(CorruptImageError,"ImproperImageHeader") ++ break; ++ } + default: + break; + } diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25983_1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25983_1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25983_1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25983_1.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,692 @@ +From: Dirk Lemstra +Date: Sun, 25 Jan 2026 18:49:10 +0100 +Subject: No longer allow mutations on the first image of the list + (GHSA-fwqw-2x5x-w566) + +(cherry picked from commit b4f8e1a387dd1d0a0af516071831a235f2fdf437) + +origin: https://github.com/ImageMagick/ImageMagick/commit/b4f8e1a387dd1d0a0af516071831a235f2fdf437 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fwqw-2x5x-w566 +--- + coders/msl.c | 150 +++++++++++++++++++++++++++++------------------------------ + 1 file changed, 75 insertions(+), 75 deletions(-) + +diff --git a/coders/msl.c b/coders/msl.c +index 37a669c..da0034e 100644 +--- a/coders/msl.c ++++ b/coders/msl.c +@@ -388,7 +388,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Add noise image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || ((n < 1) || (msl_info->image[n] == (Image *) NULL))) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -464,7 +464,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Annotate image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -799,7 +799,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + MagickBooleanType + stack; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -857,7 +857,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Adjusts an image's orientation + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -887,7 +887,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Blur image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -983,7 +983,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Border image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -1105,7 +1105,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Add noise image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -1170,7 +1170,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + radius = 0.0, + sigma = 1.0; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -1245,7 +1245,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Chop image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -1352,7 +1352,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Color floodfill image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -1484,7 +1484,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Composite image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -1827,7 +1827,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Contrast image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -1881,7 +1881,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Crop image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -1983,7 +1983,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Cycle-colormap image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2037,7 +2037,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Despeckle image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2063,7 +2063,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + } + if (LocaleCompare((const char *) tag,"display") == 0) + { +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2091,7 +2091,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Annotate image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2454,7 +2454,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Edge image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2520,7 +2520,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Emboss image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2599,7 +2599,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Enhance image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2628,7 +2628,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Equalize image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2656,7 +2656,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + { + if (LocaleCompare((const char *) tag, "flatten") == 0) + { +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2687,7 +2687,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Flip image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2719,7 +2719,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Flop image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2754,7 +2754,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Frame image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -2908,7 +2908,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Gamma image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3003,7 +3003,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + } + else if (LocaleCompare((const char *) tag,"get") == 0) + { +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3137,7 +3137,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Implode image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3209,7 +3209,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + double + levelBlack = 0, levelGamma = 1, levelWhite = QuantumRange; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3284,7 +3284,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Magnify image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3322,7 +3322,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Map image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3410,7 +3410,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + Matte floodfill image. + */ + opacity=0.0; +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3542,7 +3542,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Median-filter image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3610,7 +3610,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Minify image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3644,7 +3644,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Modulate image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3774,7 +3774,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Negate image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3843,7 +3843,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Normalize image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3901,7 +3901,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Oil-paint image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -3969,7 +3969,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Opaque image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -4079,7 +4079,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + } + if (LocaleCompare((const char *) tag, "profile") == 0) + { +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -4193,7 +4193,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Quantize image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -4672,7 +4672,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Raise image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -4821,7 +4821,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Reduce-noise image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -4889,7 +4889,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + x=msl_info->image[n]->page.x; + y=msl_info->image[n]->page.y; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -5015,7 +5015,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + x_resolution, + y_resolution; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -5117,7 +5117,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Resize image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -5212,7 +5212,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Roll image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -5291,7 +5291,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + height=msl_info->image[n]->rows; + x = y = 0; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -5373,7 +5373,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Rotate image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -5437,7 +5437,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* init the values */ + double degrees = 0; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -5503,7 +5503,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Sample image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -5580,7 +5580,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Scale image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -5660,7 +5660,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Segment image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -5744,7 +5744,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + } + else if (LocaleCompare((const char *) tag, "set") == 0) + { +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined",(const char *) tag); + break; +@@ -5919,7 +5919,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Shade image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6010,7 +6010,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Shear image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6110,7 +6110,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + radius = 0.0, + sigma = 1.0; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6183,7 +6183,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + width = height = 0; + x = y = 0; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6274,7 +6274,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Shear image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6363,7 +6363,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Signature image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6387,7 +6387,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Solarize image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6449,7 +6449,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Spread image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6514,7 +6514,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + Image * + watermark = (Image*) NULL; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6582,7 +6582,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + Image * + stereoImage = (Image*) NULL; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined",(const char *) tag); + break; +@@ -6649,7 +6649,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Strip image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6679,7 +6679,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + index, + swap_index; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6745,7 +6745,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Swirl image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6809,7 +6809,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Sync image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6842,7 +6842,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Texture image. + */ +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -6897,7 +6897,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* init the values */ + double threshold = 0; + +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined",(const char *) tag); + break; +@@ -6942,7 +6942,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + } + else if (LocaleCompare((const char *) tag, "transparent") == 0) + { +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined",(const char *) tag); + break; +@@ -6986,7 +6986,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + } + else if (LocaleCompare((const char *) tag, "trim") == 0) + { +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined",(const char *) tag); + break; +@@ -7021,7 +7021,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + { + if (LocaleCompare((const char *) tag,"write") == 0) + { +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -7118,7 +7118,7 @@ static void MSLEndElement(void *context,const xmlChar *tag) + { + if (LocaleCompare((const char *) tag,"comment") == 0 ) + { +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -7173,7 +7173,7 @@ static void MSLEndElement(void *context,const xmlChar *tag) + { + if (LocaleCompare((const char *) tag,"label") == 0 ) + { +- if (msl_info->image[n] == (Image *) NULL) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25983_2.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25983_2.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25983_2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25983_2.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,65 @@ +From: Dirk Lemstra +Date: Mon, 26 Jan 2026 21:08:30 +0100 +Subject: Run checks before accessing the image (GHSA-fwqw-2x5x-w566). + +(cherry picked from commit 257200cb21de23404dce5f8261871845d425dee5) + +origin: https://github.com/ImageMagick/ImageMagick/commit/257200cb21de23404dce5f8261871845d425dee5 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fwqw-2x5x-w566 +--- + coders/msl.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +diff --git a/coders/msl.c b/coders/msl.c +index da0034e..e2ad95a 100644 +--- a/coders/msl.c ++++ b/coders/msl.c +@@ -4883,18 +4883,17 @@ static void MSLStartElement(void *context,const xmlChar *tag, + } + else if (LocaleCompare((const char *) tag,"repage") == 0) + { +- /* init the values */ +- width=msl_info->image[n]->page.width; +- height=msl_info->image[n]->page.height; +- x=msl_info->image[n]->page.x; +- y=msl_info->image[n]->page.y; +- + if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); + break; + } ++ /* init the values */ ++ width=msl_info->image[n]->page.width; ++ height=msl_info->image[n]->page.height; ++ x=msl_info->image[n]->page.x; ++ y=msl_info->image[n]->page.y; + if (attributes == (const xmlChar **) NULL) + break; + for (i=0; (attributes[i] != (const xmlChar *) NULL); i++) +@@ -5286,19 +5285,18 @@ static void MSLStartElement(void *context,const xmlChar *tag, + } + else if (LocaleCompare((const char *) tag,"roll") == 0) + { +- /* init the values */ +- width=msl_info->image[n]->columns; +- height=msl_info->image[n]->rows; +- x = y = 0; +- + if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); + break; + } ++ /* init the values */ ++ width=msl_info->image[n]->columns; ++ height=msl_info->image[n]->rows; ++ x = y = 0; + if (attributes == (const xmlChar **) NULL) +- break; ++ break; + for (i=0; (attributes[i] != (const xmlChar *) NULL); i++) + { + keyword=(const char *) attributes[i++]; diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25985.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25985.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25985.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25985.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,62 @@ +From: Cristy +Date: Sat, 7 Feb 2026 22:30:57 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v7g2-m8c5-mf84 + +a crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. + +(cherry picked from commit 1a51eb9af00c36724660e294520878fd1f13e312) + +origin: https://github.com/ImageMagick/ImageMagick/commit/1a51eb9af00c36724660e294520878fd1f13e312 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v7g2-m8c5-mf84 +--- + MagickCore/draw.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/MagickCore/draw.c b/MagickCore/draw.c +index d1c0651..2faa8f0 100644 +--- a/MagickCore/draw.c ++++ b/MagickCore/draw.c +@@ -2297,7 +2297,7 @@ static MagickBooleanType CheckPrimitiveExtent(MVGInfo *mvg_info, + extent=(double) mvg_info->offset+pad+(PrimitiveExtentPad+1)*(double) quantum; + if (extent <= (double) *mvg_info->extent) + return(MagickTrue); +- if ((extent >= (double) MAGICK_SSIZE_MAX) || (IsNaN(extent) != 0)) ++ if ((extent >= (double) GetMaxMemoryRequest()) || (IsNaN(extent) != 0)) + return(MagickFalse); + if (mvg_info->offset > 0) + { +@@ -6401,7 +6401,7 @@ static MagickBooleanType TraceBezier(MVGInfo *mvg_info, + for (j=i+1; j < (ssize_t) number_coordinates; j++) + { + alpha=fabs(primitive_info[j].point.x-primitive_info[i].point.x); +- if (alpha > (double) MAGICK_SSIZE_MAX) ++ if (alpha > (double) GetMaxMemoryRequest()) + { + (void) ThrowMagickException(mvg_info->exception,GetMagickModule(), + ResourceLimitError,"MemoryAllocationFailed","`%s'",""); +@@ -6410,18 +6410,18 @@ static MagickBooleanType TraceBezier(MVGInfo *mvg_info, + if (alpha > (double) quantum) + quantum=(size_t) alpha; + alpha=fabs(primitive_info[j].point.y-primitive_info[i].point.y); +- if (alpha > (double) MAGICK_SSIZE_MAX) +- { +- (void) ThrowMagickException(mvg_info->exception,GetMagickModule(), +- ResourceLimitError,"MemoryAllocationFailed","`%s'",""); +- return(MagickFalse); +- } + if (alpha > (double) quantum) + quantum=(size_t) alpha; + } + } + primitive_info=(*mvg_info->primitive_info)+mvg_info->offset; + quantum=MagickMin(quantum/number_coordinates,BezierQuantum); ++ if (quantum > (double) GetMaxMemoryRequest()) ++ { ++ (void) ThrowMagickException(mvg_info->exception,GetMagickModule(), ++ ResourceLimitError,"MemoryAllocationFailed","`%s'",""); ++ return(MagickFalse); ++ } + coefficients=(double *) AcquireQuantumMemory(number_coordinates, + sizeof(*coefficients)); + points=(PointInfo *) AcquireQuantumMemory(quantum,number_coordinates* diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25986.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25986.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25986.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25986.patch 2026-03-04 21:59:33.000000000 +0000 @@ -0,0 +1,37 @@ +From: Cristy +Date: Sat, 7 Feb 2026 17:42:01 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mqfc-82jx-3mr2 + +A heap buffer overflow write vulnerability exists in ReadYUVImage() (coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace) images. + +(cherry picked from commit b9c80ad3ca802b6883da25f153c4fdf72c017eba) + +origin: https://github.com/ImageMagick/ImageMagick/commit/b9c80ad3ca802b6883da25f153c4fdf72c017eba +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mqfc-82jx-3mr2 +--- + coders/yuv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/coders/yuv.c b/coders/yuv.c +index 1817c43..21486fc 100644 +--- a/coders/yuv.c ++++ b/coders/yuv.c +@@ -261,7 +261,7 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception) + chroma_image->columns,1,exception); + if (chroma_pixels == (Quantum *) NULL) + break; +- for (x=0; x < (ssize_t) image->columns; x+=2) ++ for (x=0; x < (ssize_t) (image->columns-1); x+=2) + { + SetPixelRed(chroma_image,0,chroma_pixels); + if (quantum == 1) +@@ -740,7 +740,7 @@ static MagickBooleanType WriteYUVImage(const ImageInfo *image_info,Image *image, + exception); + if (s == (const Quantum *) NULL) + break; +- for (x=0; x < (ssize_t) yuv_image->columns; x+=2) ++ for (x=0; x < (ssize_t) (yuv_image->columns-1); x+=2) + { + if (quantum == 1) + { diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25987.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25987.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25987.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25987.patch 2026-03-04 21:59:34.000000000 +0000 @@ -0,0 +1,39 @@ +From: Cristy +Date: Sat, 7 Feb 2026 18:03:19 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-42p5-62qq-mmh7 + +a heap buffer over-read vulnerability exists in the MAP image decoder when processing crafted MAP files, potentially leading to crashes or unintended memory disclosure during image decoding + +(cherry picked from commit bbae0215e1b76830509fd20e6d37c0dd7e3e4c3a) + +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/bbae0215e1b76830509fd20e6d37c0dd7e3e4c3a +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-42p5-62qq-mmh7 +--- + coders/map.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/coders/map.c b/coders/map.c +index 6b0f992..f5dbcdb 100644 +--- a/coders/map.c ++++ b/coders/map.c +@@ -160,6 +160,8 @@ static Image *ReadMAPImage(const ImageInfo *image_info,ExceptionInfo *exception) + if (status == MagickFalse) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + depth=GetImageQuantumDepth(image,MagickTrue); ++ if ((depth <= 8) && (image->colors > 256)) ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + packet_size=(size_t) (depth/8); + pixels=(unsigned char *) AcquireQuantumMemory(image->columns,packet_size* + sizeof(*pixels)); +@@ -236,8 +238,8 @@ static Image *ReadMAPImage(const ImageInfo *image_info,ExceptionInfo *exception) + p++; + if (image->colors > 256) + { +- index=ConstrainColormapIndex(image,(ssize_t) (((size_t) index << 8)+ +- (size_t) (*p)),exception); ++ index=(Quantum) ConstrainColormapIndex(image,(ssize_t) ++ (((size_t) index << 8)+(size_t) (*p)),exception); + p++; + } + SetPixelIndex(image,index,q); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25988.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25988.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25988.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25988.patch 2026-03-04 21:59:34.000000000 +0000 @@ -0,0 +1,45 @@ +From: Cristy +Date: Sat, 7 Feb 2026 17:53:18 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-782x-jh29-9mf7 + +sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks + +(cherry picked from commit 4354fc1d554ec2e6314aed13536efa7bde9593d2) + +origin: https://github.com/ImageMagick/ImageMagick/commit/4354fc1d554ec2e6314aed13536efa7bde9593d2 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-782x-jh29-9mf7 +--- + coders/msl.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/coders/msl.c b/coders/msl.c +index e2ad95a..be45dbf 100644 +--- a/coders/msl.c ++++ b/coders/msl.c +@@ -240,7 +240,7 @@ static int IsPathDirectory(const char *path) + return(1); + } + +-static void MSLPushImage(MSLInfo *msl_info,Image *image) ++static ssize_t MSLPushImage(MSLInfo *msl_info,Image *image) + { + ssize_t + n; +@@ -274,6 +274,7 @@ static void MSLPushImage(MSLInfo *msl_info,Image *image) + ThrowFatalException(ResourceLimitFatalError,"MemoryAllocationFailed") + if (msl_info->number_groups != 0) + msl_info->group_info[msl_info->number_groups-1].numImages++; ++ return(n); + } + + static void MSLPopImage(MSLInfo *msl_info) +@@ -3071,7 +3072,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + { + if (LocaleCompare((const char *) tag,"image") == 0) + { +- MSLPushImage(msl_info,(Image *) NULL); ++ n=MSLPushImage(msl_info,(Image *) NULL); + if (attributes == (const xmlChar **) NULL) + break; + for (i=0; (attributes[i] != (const xmlChar *) NULL); i++) diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25989.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25989.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25989.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25989.patch 2026-03-04 21:59:34.000000000 +0000 @@ -0,0 +1,82 @@ +From: Cristy +Date: Sat, 7 Feb 2026 16:06:32 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7355-pwx2-pm84 + +A crafted SVG file can cause a denial of service. An off-by-one boundary check (`>` instead of `>=`) that allows bypass the guard and reach an undefined `(size_t)` cast + +(cherry picked from commit 5a545ab9d6c3d12a6a76cfed32b87df096729d95) + +origin: https://github.com/ImageMagick/ImageMagick/commit/5a545ab9d6c3d12a6a76cfed32b87df096729d95 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7355-pwx2-pm84 +--- + MagickCore/image-private.h | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/MagickCore/image-private.h b/MagickCore/image-private.h +index 2bb1b6b..8e0f960 100644 +--- a/MagickCore/image-private.h ++++ b/MagickCore/image-private.h +@@ -86,7 +86,7 @@ static inline int CastDoubleToInt(const double x) + errno=ERANGE; + return(0); + } +- if (value > ((double) MAGICK_INT_MAX)) ++ if (value >= ((double) MAGICK_INT_MAX)) + { + errno=ERANGE; + return(MAGICK_INT_MAX); +@@ -110,7 +110,7 @@ static inline ptrdiff_t CastDoubleToPtrdiffT(const double x) + errno=ERANGE; + return(MAGICK_PTRDIFF_MIN); + } +- if (value > ((double) MAGICK_PTRDIFF_MAX)) ++ if (value >= ((double) MAGICK_PTRDIFF_MAX)) + { + errno=ERANGE; + return(MAGICK_PTRDIFF_MAX); +@@ -134,7 +134,7 @@ static inline QuantumAny CastDoubleToQuantumAny(const double x) + errno=ERANGE; + return(0); + } +- if (value > ((double) ((QuantumAny) ~0))) ++ if (value >= ((double) ((QuantumAny) ~0))) + { + errno=ERANGE; + return((QuantumAny) ~0); +@@ -158,7 +158,7 @@ static inline size_t CastDoubleToSizeT(const double x) + errno=ERANGE; + return(0); + } +- if (value > ((double) MAGICK_SIZE_MAX)) ++ if (value >= ((double) MAGICK_SIZE_MAX)) + { + errno=ERANGE; + return(MAGICK_SIZE_MAX); +@@ -183,7 +183,7 @@ static inline ssize_t CastDoubleToSsizeT(const double x) + errno=ERANGE; + return(MAGICK_SSIZE_MIN); + } +- if (value > ((double) MAGICK_SSIZE_MAX)) ++ if (value >= ((double) MAGICK_SSIZE_MAX)) + { + errno=ERANGE; + return(MAGICK_SSIZE_MAX); +@@ -206,7 +206,7 @@ static inline unsigned int CastDoubleToUInt(const double x) + errno=ERANGE; + return((QuantumAny) 0); + } +- if (value > ((double) MAGICK_UINT_MAX)) ++ if (value >= ((double) MAGICK_UINT_MAX)) + { + errno=ERANGE; + return(MAGICK_UINT_MAX); +@@ -230,7 +230,7 @@ static inline unsigned short CastDoubleToUShort(const double x) + errno=ERANGE; + return(0); + } +- if (value > ((double) MAGICK_USHORT_MAX)) ++ if (value >= ((double) MAGICK_USHORT_MAX)) + { + errno=ERANGE; + return(MAGICK_USHORT_MAX); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25989_pre1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25989_pre1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25989_pre1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-25989_pre1.patch 2026-03-04 21:59:34.000000000 +0000 @@ -0,0 +1,93 @@ +From: Cristy +Date: Wed, 4 Feb 2026 19:23:38 -0500 +Subject: https://github.com/ImageMagick/ImageMagick/issues/8556 + +(cherry picked from commit 4403defdd4e23f98d40ab21dda38f20e5d51e09f) + +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/403defdd4e23f98d40ab21dda38f20e5d51e09f +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7355-pwx2-pm84 +--- + MagickCore/image-private.h | 25 +++++++++++++++++++++++++ + coders/dcm.c | 11 +++++++---- + 2 files changed, 32 insertions(+), 4 deletions(-) + +diff --git a/MagickCore/image-private.h b/MagickCore/image-private.h +index 0be4ed4..2bb1b6b 100644 +--- a/MagickCore/image-private.h ++++ b/MagickCore/image-private.h +@@ -43,6 +43,7 @@ extern "C" { + #define LoadImageTag "Load/Image" + #define Magick2PI 6.28318530717958647692528676655900576839433879875020 + #define MagickAbsoluteValue(x) ((x) < 0 ? -(x) : (x)) ++#define MAGICK_INT_MAX (INT_MAX) + #define MagickPHI 1.61803398874989484820458683436563811772030917980576 + #define MagickPI2 1.57079632679489661923132169163975144209858469968755 + #define MagickPI 3.1415926535897932384626433832795028841971693993751058209749445923078164062 +@@ -69,6 +70,30 @@ extern "C" { + #define UndefinedCompressionQuality 0UL + #define UndefinedTicksPerSecond 100L + ++static inline int CastDoubleToInt(const double x) ++{ ++ double ++ value; ++ ++ if (IsNaN(x) != 0) ++ { ++ errno=ERANGE; ++ return(0); ++ } ++ value=(x < 0.0) ? ceil(x) : floor(x); ++ if (value < 0.0) ++ { ++ errno=ERANGE; ++ return(0); ++ } ++ if (value > ((double) MAGICK_INT_MAX)) ++ { ++ errno=ERANGE; ++ return(MAGICK_INT_MAX); ++ } ++ return((int) value); ++} ++ + static inline ptrdiff_t CastDoubleToPtrdiffT(const double x) + { + double +diff --git a/coders/dcm.c b/coders/dcm.c +index fdd3b93..3085bb5 100644 +--- a/coders/dcm.c ++++ b/coders/dcm.c +@@ -71,6 +71,8 @@ + #include "MagickCore/string_.h" + #include "MagickCore/string-private.h" + #include "coders/coders-private.h" ++#include "MagickCore/statistic-private.h" ++ + + /* + Dicom medical image declarations. +@@ -2920,7 +2922,7 @@ static MagickBooleanType ReadDCMPixels(Image *image,DCMInfo *info, + + scaled_value=pixel_value*info->rescale_slope+ + info->rescale_intercept; +- index=(int) scaled_value; ++ index=CastDoubleToInt(scaled_value); + if (info->window_width != 0) + { + double +@@ -2935,10 +2937,11 @@ static MagickBooleanType ReadDCMPixels(Image *image,DCMInfo *info, + index=0; + else + if (scaled_value > window_max) +- index=(int) info->max_value; ++ index=CastDoubleToInt(info->max_value); + else +- index=(int) (info->max_value*(((scaled_value- +- info->window_center-0.5)/(info->window_width-1))+0.5)); ++ index=CastDoubleToInt(info->max_value*(((scaled_value- ++ info->window_center-0.5)*MagickSafeReciprocal( ++ info->window_width-1.0))+0.5)); + } + } + index&=(ssize_t) info->mask; diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-26066.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-26066.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-26066.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-26066.patch 2026-03-04 21:59:34.000000000 +0000 @@ -0,0 +1,44 @@ +From: Dirk Lemstra +Date: Thu, 12 Feb 2026 07:49:05 +0100 +Subject: Fixed possible infinite loop (GHSA-v994-63cg-9wj3) + +origin: https://github.com/ImageMagick/ImageMagick/commit/880057ce34f6da9dff2fe3b290bbbc45b743e613 ( +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v994-63cg-9wj3 +--- + coders/meta.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/coders/meta.c b/coders/meta.c +index c76bbd5..55a5888 100644 +--- a/coders/meta.c ++++ b/coders/meta.c +@@ -1904,7 +1904,7 @@ static int formatIPTC(Image *ifile, Image *ofile) + foundiptc = 0; /* found the IPTC-Header */ + tagsfound = 0; /* number of tags found */ + +- c = ReadBlobByte(ifile); ++ c=ReadBlobByte(ifile); + while (c != EOF) + { + if (c == 0x1c) +@@ -1915,17 +1915,17 @@ static int formatIPTC(Image *ifile, Image *ofile) + return(-1); + else + { +- c=0; ++ c=ReadBlobByte(ifile); + continue; + } + } + + /* we found the 0x1c tag and now grab the dataset and record number tags */ +- c = ReadBlobByte(ifile); ++ c=ReadBlobByte(ifile); + if (c == EOF) + return(-1); + dataset = (unsigned char) c; +- c = ReadBlobByte(ifile); ++ c=ReadBlobByte(ifile); + if (c == EOF) + return(-1); + recnum = (unsigned char) c; diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-26283.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-26283.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-26283.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-26283.patch 2026-03-04 21:59:34.000000000 +0000 @@ -0,0 +1,28 @@ +From: Cristy +Date: Fri, 13 Feb 2026 18:57:09 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gwr3-x37h-h84v + +a `continue` statement in the JPEG extent binary search loop in the jpeg encoder causes an infinite loop when writing persistently fails + +(cherry picked from commit c448c6920a985872072fc7be6034f678c087de9b) + +origin: https://github.com/ImageMagick/ImageMagick/commit/c448c6920a985872072fc7be6034f678c087de9b +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gwr3-x37h-h84v +--- + coders/jpeg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/coders/jpeg.c b/coders/jpeg.c +index 8cbfa27..7ead4e5 100644 +--- a/coders/jpeg.c ++++ b/coders/jpeg.c +@@ -2707,7 +2707,7 @@ static MagickBooleanType WriteJPEGImage_(const ImageInfo *image_info, + status=WriteJPEGImage(extent_info,jpeg_image,exception); + (void) RelinquishUniqueFileResource(jpeg_image->filename); + if (status == MagickFalse) +- continue; ++ break; + if (GetBlobSize(jpeg_image) <= extent) + minimum=jpeg_image->quality+1; + else diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-26284.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-26284.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-26284.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-26284.patch 2026-03-04 21:59:34.000000000 +0000 @@ -0,0 +1,26 @@ +From: Dirk Lemstra +Date: Tue, 27 Jan 2026 21:45:02 +0100 +Subject: Corrected loop initialization to prevent out of bounds read + (GHSA-wrhr-rf8j-r842) + +(cherry picked from commit 0c9ffcf55763e5daf1b61dfed0deed1aa43e217f) + +Bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wrhr-rf8j-r842 +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/0c9ffcf55763e5daf1b61dfed0deed1aa43e217f +--- + coders/pcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/coders/pcd.c b/coders/pcd.c +index e6a361c..279c85f 100644 +--- a/coders/pcd.c ++++ b/coders/pcd.c +@@ -313,7 +313,7 @@ static MagickBooleanType DecodeImage(Image *image,unsigned char *luma, + Decode luminance or chrominance deltas. + */ + r=pcd_table[plane]; +- for (i=0; ((i < (ssize_t) length) && ((sum & r->mask) != r->sequence)); i++) ++ for (i=1; ((i < pcd_length[plane]) && ((sum & r->mask) != r->sequence)); i++) + r++; + if ((row > image->rows) || (r == (PCDTable *) NULL)) + { diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-26983.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-26983.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-26983.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-26983.patch 2026-03-04 21:59:34.000000000 +0000 @@ -0,0 +1,36 @@ +From: Cristy +Date: Mon, 16 Feb 2026 10:00:58 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-w8mw-frc6-r7m8 + +the MSL interpreter crashes when processing a invalid `` element that causes it to use an image after it has been freed + +(cherry picked from commit 7cfae4da24a995fb05386d77364ff404a7cca7bc) + +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/7cfae4da24a995fb05386d77364ff404a7cca7bc +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-w8mw-frc6-r7m8 +--- + coders/msl.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/coders/msl.c b/coders/msl.c +index be45dbf..bee781e 100644 +--- a/coders/msl.c ++++ b/coders/msl.c +@@ -3390,10 +3390,13 @@ static void MSLStartElement(void *context,const xmlChar *tag, + quantize_info=AcquireQuantizeInfo(msl_info->image_info[n]); + quantize_info->dither_method=dither != MagickFalse ? + RiemersmaDitherMethod : NoDitherMethod; +- (void) RemapImages(quantize_info,msl_info->image[n], +- affinity_image,exception); ++ if (affinity_image != (Image *) NULL) ++ { ++ (void) RemapImages(quantize_info,msl_info->image[n], ++ affinity_image,exception); ++ affinity_image=DestroyImage(affinity_image); ++ } + quantize_info=DestroyQuantizeInfo(quantize_info); +- affinity_image=DestroyImage(affinity_image); + break; + } + if (LocaleCompare((const char *) tag,"matte-floodfill") == 0) diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-27798.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-27798.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-27798.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-27798.patch 2026-03-04 21:59:34.000000000 +0000 @@ -0,0 +1,28 @@ +From: Cristy +Date: Tue, 17 Feb 2026 20:14:40 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qpgx-jfcq-r59f + +A heap buffer over-read vulnerability occurs when processing an image with small dimension using the `-wavelet-denoise` operator. + +(cherry picked from commit 0377e60b3c0d766bd7271221c95d9ee54f6a3738) + +origin: https://github.com/ImageMagick/ImageMagick/commit/0377e60b3c0d766bd7271221c95d9ee54f6a3738 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qpgx-jfcq-r59f +--- + MagickCore/visual-effects.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/MagickCore/visual-effects.c b/MagickCore/visual-effects.c +index 58a6ac7..0a685cc 100644 +--- a/MagickCore/visual-effects.c ++++ b/MagickCore/visual-effects.c +@@ -3566,7 +3566,7 @@ MagickExport Image *WaveletDenoiseImage(const Image *image, + } + if (AcquireMagickResource(WidthResource,4*image->columns) == MagickFalse) + ThrowImageException(ResourceLimitError,"MemoryAllocationFailed"); +- pixels_info=AcquireVirtualMemory(3*image->columns,image->rows* ++ pixels_info=AcquireVirtualMemory(4*image->columns,image->rows* + sizeof(*pixels)); + kernel=(float *) AcquireQuantumMemory(MagickMax(image->rows,image->columns)+1, + GetOpenMPMaximumThreads()*sizeof(*kernel)); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-27799.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-27799.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-27799.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-27799.patch 2026-03-04 21:59:34.000000000 +0000 @@ -0,0 +1,36 @@ +From: Dirk Lemstra +Date: Tue, 10 Feb 2026 21:29:59 +0100 +Subject: Corrected type to avoid an overflow (GHSA-r99p-5442-q2x2) + +(cherry picked from commit e87695b3227978ad70b967b8d054baaf8ac2cced) + +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/e87695b3227978ad70b967b8d054baaf8ac2cced +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r99p-5442-q2x2 +--- + coders/djvu.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/coders/djvu.c b/coders/djvu.c +index 64871c3..86dfb11 100644 +--- a/coders/djvu.c ++++ b/coders/djvu.c +@@ -330,7 +330,9 @@ get_page_image(LoadContext *lc, ddjvu_page_t *page, int x, int y, int w, int h, + *image; + + int +- ret, ++ ret; ++ ++ size_t + stride; + + unsigned char +@@ -349,7 +351,7 @@ get_page_image(LoadContext *lc, ddjvu_page_t *page, int x, int y, int w, int h, + stride = (type == DDJVU_PAGETYPE_BITONAL)? + (image->columns + 7)/8 : image->columns *3; + +- q = (unsigned char *) AcquireQuantumMemory(image->rows,(size_t) stride); ++ q = (unsigned char *) AcquireQuantumMemory(image->rows,stride); + if (q == (unsigned char *) NULL) + return; + diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/series imagemagick-7.1.1.43+dfsg1/debian/patches/series --- imagemagick-7.1.1.43+dfsg1/debian/patches/series 2026-01-21 21:54:51.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/series 2026-03-04 21:59:34.000000000 +0000 @@ -64,3 +64,44 @@ CVE-2026-23874.patch CVE-2026-23876.patch CVE-2026-23952.patch +CVE-2026-24481.patch +CVE-2026-24484_1.patch +CVE-2026-24484_2.patch +CVE-2026-24485_1.patch +CVE-2026-24485_2.patch +CVE-2026-25576.patch +CVE-2026-25637.patch +CVE-2026-25638.patch +CVE-2026-25794.patch +CVE-2026-25795.patch +CVE-2026-25796.patch +CVE-2026-25797_1.patch +CVE-2026-25797_2.patch +CVE-2026-25798.patch +CVE-2026-25799.patch +CVE-2026-25897.patch +CVE-2026-25898_1.patch +CVE-2026-25898_2.patch +CVE-2026-25965.patch +CVE-2026-25966.patch +CVE-2026-25967.patch +CVE-2026-25968.patch +CVE-2026-25969.patch +CVE-2026-25970_pre1.patch +CVE-2026-25970.patch +CVE-2026-25971.patch +CVE-2026-25982.patch +CVE-2026-25983_1.patch +CVE-2026-25983_2.patch +CVE-2026-25985.patch +CVE-2026-25986.patch +CVE-2026-25987.patch +CVE-2026-25988.patch +CVE-2026-25989_pre1.patch +CVE-2026-25989.patch +CVE-2026-26066.patch +CVE-2026-26283.patch +CVE-2026-26284.patch +CVE-2026-26983.patch +CVE-2026-27798.patch +CVE-2026-27799.patch