Version in base suite: 7.1.1.43+dfsg1-1+deb13u5 Version in overlay suite: 7.1.1.43+dfsg1-1+deb13u6 Base version: imagemagick_7.1.1.43+dfsg1-1+deb13u6 Target version: imagemagick_7.1.1.43+dfsg1-1+deb13u7 Base file: /srv/ftp-master.debian.org/ftp/pool/main/i/imagemagick/imagemagick_7.1.1.43+dfsg1-1+deb13u6.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/i/imagemagick/imagemagick_7.1.1.43+dfsg1-1+deb13u7.dsc changelog | 73 + patches/CVE-2026-28493_1.patch | 26 patches/CVE-2026-28493_2.patch | 34 patches/CVE-2026-28493_3.patch | 25 patches/CVE-2026-28494.patch | 61 + patches/CVE-2026-28686.patch | 37 patches/CVE-2026-28687.patch | 40 + patches/CVE-2026-28689_1.patch | 123 +++ patches/CVE-2026-28689_2.patch | 154 ++++ patches/CVE-2026-28689_pre1.patch | 593 +++++++++++++++ patches/CVE-2026-28690.patch | 60 + patches/CVE-2026-28691.patch | 33 patches/CVE-2026-28692.patch | 60 + patches/CVE-2026-28693_1.patch | 100 ++ patches/CVE-2026-28693_2.patch | 26 patches/CVE-2026-28693_pre1.patch | 49 + patches/CVE-2026-30883.patch | 42 + patches/CVE-2026-30929.patch | 28 patches/CVE-2026-30931.patch | 68 + patches/CVE-2026-30931_pre1.patch | 71 + patches/CVE-2026-30935.patch | 59 + patches/CVE-2026-30936.patch | 48 + patches/CVE-2026-30937.patch | 29 patches/CVE-2026-31853.patch | 33 patches/CVE-2026-32259.patch | 26 patches/msl-fix-post1.patch | 25 patches/msl-fix_pre1.patch | 46 + patches/msl-fix_pre2.patch | 24 patches/msl-fix_pre3.patch | 27 patches/msl-fix_pre4.patch | 41 + patches/msl-svg-coder-port-to-7.1.2-16.patch | 1030 +++++++++++++++++++++++++++ patches/series | 30 32 files changed, 3121 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmptlta1qrt/imagemagick_7.1.1.43+dfsg1-1+deb13u6.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmptlta1qrt/imagemagick_7.1.1.43+dfsg1-1+deb13u7.dsc: no acceptable signature found diff -Nru imagemagick-7.1.1.43+dfsg1/debian/changelog imagemagick-7.1.1.43+dfsg1/debian/changelog --- imagemagick-7.1.1.43+dfsg1/debian/changelog 2026-03-04 22:01:36.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/changelog 2026-03-15 23:43:38.000000000 +0000 @@ -1,3 +1,76 @@ +imagemagick (8:7.1.1.43+dfsg1-1+deb13u7) trixie-security; urgency=high + + * Fix CVE-2026-28493: + An integer overflow vulnerability exists in the SIXEL decoder. + * Fix CVE-2026-28494: + A stack buffer overflow exists in ImageMagick's morphology + kernel parsing functions. User-controlled kernel strings + exceeding a buffer are copied into fixed-size stack buffers + via memcpy without bounds checking, resulting in stack + corruption. + * Fix CVE-2026-28686: + A heap-buffer-overflow vulnerability exists in the PCL + encoder due to an undersized output buffer allocation + * Fix CVE-2026-28687: + A heap use-after-free vulnerability in ImageMagick's + MSL decoder allows an attacker to trigger access to + freed memory by crafting an MSL file. + * Fix CVE-2026-28688: + A heap-use-after-free vulnerability exists in the MSL encoder, + where a cloned image is destroyed twice. The MSL coder does not support + writing MSL so the write capability has been removed. + * Fix CVE-2026-28689: + domain="path" authorization is checked before final + file open/use. A symlink swap between check-time and use + time bypasses policy-denied read/write + * Fix CVE-2026-28690: + a stack buffer overflow vulnerability exists in the + MNG encoder. There is a bounds checks missing that could + corrupting the stack with attacker-controlled data. + * Fix CVE-2026-28691: + An uninitialized pointer dereference vulnerability exists + in the JBIG decoder due to a missing check + * Fix CVE-2026-28692: + The MAT decoder uses 32-bit arithmetic due to incorrect + parenthesization resulting in a heap over-read. + * Fix CVE-2026-28693: + An integer overflow in DIB coder can result in out of + bounds read or write + * Fix CVE-2026-30883: + An extremely large image profile could result in a heap + overflow when encoding a PNG image. + * Fix CVE-2026-30929: + MagnifyImage uses a fixed-size stack buffer. + When using a specific image it is possible to overflow + this buffer and corrupt the stack. + * Fix CVE-2026-30931 + A heap-based buffer overflow in the UHDR encoder + can happen due to truncation of a value and it would + allow an out of bounds write. + * Fix CVE-2026-30935: + BilateralBlurImage contains a heap buffer over-read caused + by an incorrect conversion. When processing a crafted image + with the -bilateral-blur operation an out of bounds read + can occur. + * Fix CVE-2026-30936: + A crafted image could cause an out of bounds heap write inside the + WaveletDenoiseImage method. When processing a crafted image with + the -wavelet-denoise operation an out of bounds write can occur. + * Fix CVE-2026-30937: + A 32-bit unsigned integer overflow in the XWD (X Windows) + encoder can cause an undersized heap buffer allocation. + When writing a extremely large image an out of bounds heap + write can occur + * Fix CVE-2026-31853: + An overflow on 32-bit systems can cause a crash in the + SFW decoder when processing extremely large images. + * Fix CVE-2026-32259: + When a memory allocation fails in the sixel encoder it would + be possible to write past the end of a buffer on the stack + * Port SVG and MSL coder to 7.1.2-16 + + -- Bastien Roucariès Mon, 16 Mar 2026 00:43:38 +0100 + imagemagick (8:7.1.1.43+dfsg1-1+deb13u6) trixie-security; urgency=high * Fix CVE-2026-24481: diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28493_1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28493_1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28493_1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28493_1.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,26 @@ +From: Dirk Lemstra +Date: Sat, 28 Feb 2026 11:01:24 +0100 +Subject: Corrected typecast to avoid an out of bounds write + (GHSA-r39q-jr8h-gcq2) + +(cherry picked from commit 6cefe972445185cbb9c76651231d52512e0ec14b) + +origin: https://github.com/ImageMagick/ImageMagick/commit/6cefe972445185cbb9c76651231d52512e0ec14b +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r39q-jr8h-gcq2 +--- + coders/sixel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/coders/sixel.c b/coders/sixel.c +index a75ee32..2a2470d 100644 +--- a/coders/sixel.c ++++ b/coders/sixel.c +@@ -577,7 +577,7 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, + return(MagickFalse); + } + for (x = 0; x < repeat_count; x++) +- imbuf[(int) offset+x] = color_index; ++ imbuf[(size_t) offset+x]=(sixel_pixel_t) color_index; + } + if (max_x < (position_x+repeat_count-1)) + max_x = position_x+repeat_count-1; diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28493_2.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28493_2.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28493_2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28493_2.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,34 @@ +From: Dirk Lemstra +Date: Sat, 28 Feb 2026 11:03:09 +0100 +Subject: Added checks for overflows. + +(cherry picked from commit 47a803cc139a6eebf14fca5f1d5dd25c7782cc98) + +origin: https://github.com/ImageMagick/ImageMagick/commit/47a803cc139a6eebf14fca5f1d5dd25c7782cc98 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r39q-jr8h-gcq2 +--- + coders/sixel.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/coders/sixel.c b/coders/sixel.c +index 2a2470d..cc60521 100644 +--- a/coders/sixel.c ++++ b/coders/sixel.c +@@ -539,7 +539,7 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, + { + offset=(ssize_t) (imsx*((ssize_t) position_y+i)+ + (ssize_t) position_x); +- if (offset >= (imsx*imsy)) ++ if ((offset < 0) || (offset >= (imsx*imsy))) + { + imbuf=(sixel_pixel_t *) RelinquishMagickMemory(imbuf); + return(MagickFalse); +@@ -570,7 +570,7 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, + for (y = position_y + i; y < position_y + i + n; ++y) + { + offset=(imsx*y+position_x); +- if ((offset+repeat_count) >= (imsx*imsy)) ++ if ((offset < 0) || ((offset+repeat_count) >= (imsx*imsy))) + { + imbuf=(sixel_pixel_t *) + RelinquishMagickMemory(imbuf); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28493_3.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28493_3.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28493_3.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28493_3.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,25 @@ +From: Jake Lodwick +Date: Sun, 1 Mar 2026 04:46:29 -0700 +Subject: Add overflow check to sixel write path (#8587) + +(cherry picked from commit cd7acd2c4bea5c953fae062d9ce43d11374dcb60) + +origin: https://github.com/ImageMagick/ImageMagick/commit/cd7acd2c4bea5c953fae062d9ce43d11374dcb60 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r39q-jr8h-gcq2 +--- + coders/sixel.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/coders/sixel.c b/coders/sixel.c +index cc60521..37aaaf3 100644 +--- a/coders/sixel.c ++++ b/coders/sixel.c +@@ -801,6 +801,8 @@ static MagickBooleanType sixel_encode_impl(sixel_pixel_t *pixels,size_t width, + context->pos = 0; + if (ncolors < 1) + return(MagickFalse); ++ if (HeapOverflowSanityCheck(ncolors,width) != MagickFalse) ++ return(MagickFalse); + len=ncolors*width; + context->active_palette=(-1); + map=(sixel_pixel_t *) AcquireQuantumMemory(len,sizeof(sixel_pixel_t)); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28494.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28494.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28494.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28494.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,61 @@ +From: Dirk Lemstra +Date: Sat, 28 Feb 2026 11:31:15 +0100 +Subject: Added checks to avoid possible stack corruption + (GHSA-932h-jw47-73jm) + +(cherry picked from commit a3f2f8680fa01cbce731191789322419efb5954a) + +origin: https://github.com/ImageMagick/ImageMagick/commit/a3f2f8680fa01cbce731191789322419efb5954a +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-932h-jw47-73jm +--- + MagickCore/morphology.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/MagickCore/morphology.c b/MagickCore/morphology.c +index ce28c8c..a7bfc7a 100644 +--- a/MagickCore/morphology.c ++++ b/MagickCore/morphology.c +@@ -234,6 +234,9 @@ static KernelInfo *ParseKernelArray(const char *kernel_string) + GeometryInfo + args; + ++ size_t ++ length; ++ + kernel=(KernelInfo *) AcquireMagickMemory(sizeof(*kernel)); + if (kernel == (KernelInfo *) NULL) + return(kernel); +@@ -261,8 +264,9 @@ static KernelInfo *ParseKernelArray(const char *kernel_string) + if ( p != (char *) NULL && p < end) + { + /* ParseGeometry() needs the geometry separated! -- Arrgghh */ +- (void) memcpy(token, kernel_string, (size_t) (p-kernel_string)); +- token[p-kernel_string] = '\0'; ++ length=MagickMin((size_t) (p-kernel_string),sizeof(token)-1); ++ (void) memcpy(token, kernel_string, length); ++ token[length] = '\0'; + SetGeometryInfo(&args); + flags = ParseGeometry(token, &args); + +@@ -388,6 +392,9 @@ static KernelInfo *ParseKernelName(const char *kernel_string, + MagickStatusType + flags; + ++ size_t ++ length; ++ + ssize_t + type; + +@@ -406,8 +413,9 @@ static KernelInfo *ParseKernelName(const char *kernel_string, + end = strchr(p, '\0'); + + /* ParseGeometry() needs the geometry separated! -- Arrgghh */ +- (void) memcpy(token, p, (size_t) (end-p)); +- token[end-p] = '\0'; ++ length=MagickMin((size_t) (end-p),sizeof(token)-1); ++ (void) memcpy(token, p, length); ++ token[length] = '\0'; + SetGeometryInfo(&args); + flags = ParseGeometry(token, &args); + diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28686.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28686.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28686.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28686.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,37 @@ +From: Cristy +Date: Sun, 22 Feb 2026 19:01:13 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-467j-76j7-5885 + +A heap-buffer-overflow vulnerability exists in the PCL encode due to an undersized output buffer allocation + +(cherry picked from commit d622bd6023310d57cec1e8f265095a1979210371) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-467j-76j7-5885 +origin: https://github.com/ImageMagick/ImageMagick/commit/d622bd6023310d57cec1e8f265095a1979210371 +--- + coders/pcl.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/coders/pcl.c b/coders/pcl.c +index 9eef4e7..15df851 100644 +--- a/coders/pcl.c ++++ b/coders/pcl.c +@@ -832,14 +832,14 @@ static MagickBooleanType WritePCLImage(const ImageInfo *image_info,Image *image, + } + case RLECompression: + { +- compress_pixels=(unsigned char *) AcquireQuantumMemory(length+256, +- sizeof(*compress_pixels)); ++ compress_pixels=(unsigned char *) AcquireQuantumMemory(length+ ++ (length/127)+256,sizeof(*compress_pixels)); + if (compress_pixels == (unsigned char *) NULL) + { + pixels=(unsigned char *) RelinquishMagickMemory(pixels); + ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed"); + } +- (void) memset(compress_pixels,0,(length+256)* ++ (void) memset(compress_pixels,0,(length+(length/127)+256)* + sizeof(*compress_pixels)); + (void) FormatLocaleString(buffer,MagickPathExtent,"\033*b2M"); + (void) WriteBlobString(image,buffer); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28687.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28687.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28687.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28687.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,40 @@ +From: Cristy +Date: Tue, 10 Feb 2026 19:37:58 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fpvf-frm6-625q + +(cherry picked from commit 3392b4bba6ce076f4d88f5653a42d97b7e4f6970) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fpvf-frm6-625q +origin: https://github.com/ImageMagick/ImageMagick/commit/3392b4bba6ce076f4d88f5653a42d97b7e4f6970 +--- + coders/msl.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/coders/msl.c b/coders/msl.c +index bee781e..882ba38 100644 +--- a/coders/msl.c ++++ b/coders/msl.c +@@ -273,7 +273,7 @@ static ssize_t MSLPushImage(MSLInfo *msl_info,Image *image) + (msl_info->attributes[n] == (Image *) NULL)) + ThrowFatalException(ResourceLimitFatalError,"MemoryAllocationFailed") + if (msl_info->number_groups != 0) +- msl_info->group_info[msl_info->number_groups-1].numImages++; ++ msl_info->group_info[msl_info->number_groups].numImages++; + return(n); + } + +@@ -3062,6 +3062,13 @@ static void MSLStartElement(void *context,const xmlChar *tag, + msl_info->group_info=(MSLGroupInfo *) ResizeQuantumMemory( + msl_info->group_info,(size_t) (msl_info->number_groups+1), + sizeof(*msl_info->group_info)); ++ if (msl_info->group_info == (MSLGroupInfo *) NULL) ++ { ++ ThrowMSLException(ResourceLimitFatalError,"UnableToInterpretMSLImage", ++ keyword); ++ break; ++ } ++ msl_info->group_info[msl_info->number_groups].numImages=0; + break; + } + ThrowMSLException(OptionError,"UnrecognizedElement",(const char *) tag); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28689_1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28689_1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28689_1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28689_1.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,123 @@ +From: Cristy +Date: Fri, 20 Feb 2026 19:54:17 -0500 +Subject: partial TOCTOU patch: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-493f-jh8w-qhx3 + +(cherry picked from commit 3eb11260cfe84fddbdcb8d2ed47f92703d1b2987) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-493f-jh8w-qhx3 +origin: https://github.com/ImageMagick/ImageMagick/commit/3eb11260cfe84fddbdcb8d2ed47f92703d1b2987 +--- + MagickCore/blob.c | 49 +++++++++++++++++++++++++++++++++++++++++++++--- + config/policy-secure.xml | 2 ++ + 2 files changed, 48 insertions(+), 3 deletions(-) + +diff --git a/MagickCore/blob.c b/MagickCore/blob.c +index 5ee81a6..fddebf4 100644 +--- a/MagickCore/blob.c ++++ b/MagickCore/blob.c +@@ -1464,19 +1464,36 @@ MagickExport void *FileToBlob(const char *filename,const size_t extent, + file=fileno(stdin); + if (LocaleCompare(filename,"-") != 0) + { ++ int ++ flags = O_RDONLY | O_BINARY; ++ + status=GetPathAttributes(filename,&attributes); + if ((status == MagickFalse) || (S_ISDIR(attributes.st_mode) != 0)) + { + ThrowFileException(exception,BlobError,"UnableToReadBlob",filename); + return(NULL); + } +- file=open_utf8(filename,O_RDONLY | O_BINARY,0); ++#if defined(O_NOFOLLOW) ++ status=IsRightsAuthorized(SystemPolicyDomain,ReadPolicyRights,"follow"); ++ if (status == MagickFalse) ++ flags|=O_NOFOLLOW; ++#endif ++ file=open_utf8(filename,flags,0); + } + if (file == -1) + { + ThrowFileException(exception,BlobError,"UnableToOpenFile",filename); + return(NULL); + } ++ status=IsRightsAuthorized(PathPolicyDomain,ReadPolicyRights,filename); ++ if (status == MagickFalse) ++ { ++ file=close_utf8(file)-1; ++ errno=EPERM; ++ (void) ThrowMagickException(exception,GetMagickModule(),PolicyError, ++ "NotAuthorized","`%s'",filename); ++ return(NULL); ++ } + offset=(MagickOffsetType) lseek(file,0,SEEK_END); + count=0; + if ((file == fileno(stdin)) || (offset < 0) || +@@ -1670,7 +1687,7 @@ MagickExport MagickBooleanType FileToImage(Image *image,const char *filename, + assert(filename != (const char *) NULL); + if (IsEventLogging() != MagickFalse) + (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",filename); +- status=IsRightsAuthorized(PathPolicyDomain,WritePolicyRights,filename); ++ status=IsRightsAuthorized(PathPolicyDomain,ReadPolicyRights,filename); + if (status == MagickFalse) + { + errno=EPERM; +@@ -1680,12 +1697,31 @@ MagickExport MagickBooleanType FileToImage(Image *image,const char *filename, + } + file=fileno(stdin); + if (LocaleCompare(filename,"-") != 0) +- file=open_utf8(filename,O_RDONLY | O_BINARY,0); ++ { ++ int ++ flags = O_RDONLY | O_BINARY; ++ ++#if defined(O_NOFOLLOW) ++ status=IsRightsAuthorized(SystemPolicyDomain,ReadPolicyRights,"follow"); ++ if (status == MagickFalse) ++ flags|=O_NOFOLLOW; ++#endif ++ file=open_utf8(filename,flags,0); ++ } + if (file == -1) + { + ThrowFileException(exception,BlobError,"UnableToOpenBlob",filename); + return(MagickFalse); + } ++ status=IsRightsAuthorized(PathPolicyDomain,ReadPolicyRights,filename); ++ if (status == MagickFalse) ++ { ++ file=close_utf8(file); ++ errno=EPERM; ++ (void) ThrowMagickException(exception,GetMagickModule(),PolicyError, ++ "NotAuthorized","`%s'",filename); ++ return(MagickFalse); ++ } + quantum=(size_t) MagickMaxBufferExtent; + if ((fstat(file,&file_stats) == 0) && (file_stats.st_size > 0)) + quantum=(size_t) MagickMin(file_stats.st_size,MagickMaxBufferExtent); +@@ -3587,6 +3623,13 @@ MagickExport MagickBooleanType OpenBlob(const ImageInfo *image_info, + (void) SetStreamBuffering(image_info,blob_info); + } + } ++ if (IsRightsAuthorized(PathPolicyDomain,rights,filename) == MagickFalse) ++ { ++ errno=EPERM; ++ (void) ThrowMagickException(exception,GetMagickModule(),PolicyError, ++ "NotAuthorized","`%s'",filename); ++ return(MagickFalse); ++ } + blob_info->status=0; + blob_info->error_number=0; + if (blob_info->type != UndefinedStream) +diff --git a/config/policy-secure.xml b/config/policy-secure.xml +index 4239822..3954a18 100644 +--- a/config/policy-secure.xml ++++ b/config/policy-secure.xml +@@ -104,4 +104,6 @@ + + ++ ++ + diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28689_2.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28689_2.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28689_2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28689_2.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,154 @@ +From: Cristy +Date: Sun, 22 Feb 2026 19:00:06 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-493f-jh8w-qhx3 + +(cherry picked from commit 753ffb699934331b31028d4e271f2f6d6db85074) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-493f-jh8w-qhx3 +origin: https://github.com/ImageMagick/ImageMagick/commit/753ffb699934331b31028d4e271f2f6d6db85074 +--- + MagickCore/blob.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++------ + MagickCore/utility.c | 10 ++++++- + 2 files changed, 79 insertions(+), 10 deletions(-) + +diff --git a/MagickCore/blob.c b/MagickCore/blob.c +index fddebf4..ebf7e74 100644 +--- a/MagickCore/blob.c ++++ b/MagickCore/blob.c +@@ -3313,6 +3313,9 @@ MagickExport MagickBooleanType OpenBlob(const ImageInfo *image_info, + const char + *type; + ++ int ++ flags = O_RDONLY; ++ + MagickBooleanType + status; + +@@ -3345,13 +3348,48 @@ MagickExport MagickBooleanType OpenBlob(const ImageInfo *image_info, + blob_info->mode=mode; + switch (mode) + { +- default: type="r"; break; +- case ReadBlobMode: type="r"; break; +- case ReadBinaryBlobMode: type="rb"; break; +- case WriteBlobMode: type="w"; break; +- case WriteBinaryBlobMode: type="w+b"; break; +- case AppendBlobMode: type="a"; break; +- case AppendBinaryBlobMode: type="a+b"; break; ++ case ReadBlobMode: ++ { ++ flags=O_RDONLY; ++ type="r"; ++ break; ++ } ++ case ReadBinaryBlobMode: ++ { ++ flags=O_RDONLY | O_BINARY; ++ type="rb"; ++ break; ++ } ++ case WriteBlobMode: ++ { ++ flags=O_WRONLY | O_CREAT | O_TRUNC; ++ type="w"; ++ break; ++ } ++ case WriteBinaryBlobMode: ++ { ++ flags=O_RDWR | O_CREAT | O_TRUNC | O_BINARY; ++ type="w+b"; ++ break; ++ } ++ case AppendBlobMode: ++ { ++ flags=O_WRONLY | O_CREAT | O_APPEND; ++ type="a"; ++ break; ++ } ++ case AppendBinaryBlobMode: ++ { ++ flags=O_RDWR | O_CREAT | O_APPEND | O_BINARY; ++ type="a+b"; ++ break; ++ } ++ default: ++ { ++ flags=O_RDONLY; ++ type="r"; ++ break; ++ } + } + if (*type != 'r') + blob_info->synchronize=image_info->synchronize; +@@ -3496,7 +3534,18 @@ MagickExport MagickBooleanType OpenBlob(const ImageInfo *image_info, + else + if (*type == 'r') + { +- blob_info->file_info.file=(FILE *) fopen_utf8(filename,type); ++ int ++ file; ++ ++ blob_info->file_info.file=(FILE *) NULL; ++#if defined(O_NOFOLLOW) ++ status=IsRightsAuthorized(SystemPolicyDomain,ReadPolicyRights,"follow"); ++ if (status == MagickFalse) ++ flags|=O_NOFOLLOW; ++#endif ++ file=open_utf8(filename,flags,0); ++ if (file >= 0) ++ blob_info->file_info.file=fdopen(file,type); + if (blob_info->file_info.file != (FILE *) NULL) + { + size_t +@@ -3616,7 +3665,19 @@ MagickExport MagickBooleanType OpenBlob(const ImageInfo *image_info, + else + #endif + { +- blob_info->file_info.file=(FILE *) fopen_utf8(filename,type); ++ int ++ file; ++ ++ blob_info->file_info.file=(FILE *) NULL; ++#if defined(O_NOFOLLOW) ++ status=IsRightsAuthorized(SystemPolicyDomain,WritePolicyRights, ++ "follow"); ++ if (status == MagickFalse) ++ flags|=O_NOFOLLOW; ++#endif ++ file=open_utf8(filename,flags,0666); ++ if (file >= 0) ++ blob_info->file_info.file=fdopen(file,type); + if (blob_info->file_info.file != (FILE *) NULL) + { + blob_info->type=FileStream; +diff --git a/MagickCore/utility.c b/MagickCore/utility.c +index 4fd6e9c..41a0a8b 100644 +--- a/MagickCore/utility.c ++++ b/MagickCore/utility.c +@@ -180,8 +180,13 @@ MagickExport MagickBooleanType AcquireUniqueSymbolicLink(const char *source, + char + *passes; + ++ /* ++ Does policy permit symbolic links? ++ */ ++ status=IsRightsAuthorized(SystemPolicyDomain,ReadPolicyRights | ++ WritePolicyRights,"follow"); + passes=GetPolicyValue("system:shred"); +- if (passes != (char *) NULL) ++ if ((passes != (char *) NULL) || (status == MagickFalse)) + passes=DestroyString(passes); + else + { +@@ -209,6 +214,9 @@ MagickExport MagickBooleanType AcquireUniqueSymbolicLink(const char *source, + } + } + #endif ++ /* ++ Copy file from source to destination. ++ */ + destination_file=AcquireUniqueFileResource(destination); + if (destination_file == -1) + return(MagickFalse); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28689_pre1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28689_pre1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28689_pre1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28689_pre1.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,593 @@ +From: Dirk Lemstra +Date: Fri, 6 Jun 2025 10:30:39 +0200 +Subject: Introduce a utf8_close define so we can use _close on Windows. + +(cherry picked from commit 6d9f9f978ff53a75cff0555e8bae51edc4d87d1b) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-493f-jh8w-qhx3 +origin: https://github.com/ImageMagick/ImageMagick/commit/6d9f9f978ff53a75cff0555e8bae51edc4d87d1b +--- + MagickCore/blob.c | 24 ++++++++++++------------ + MagickCore/cache.c | 2 +- + MagickCore/delegate.c | 10 +++++----- + MagickCore/display.c | 2 +- + MagickCore/distribute-cache.c | 3 ++- + MagickCore/effect.c | 3 ++- + MagickCore/feature.c | 3 ++- + MagickCore/matrix.c | 3 ++- + MagickCore/memory.c | 2 +- + MagickCore/random.c | 4 ++-- + MagickCore/string.c | 8 ++++---- + MagickCore/utility-private.h | 6 ++++++ + MagickCore/utility.c | 14 +++++++------- + MagickCore/xml-tree.c | 8 ++++---- + coders/pdf.c | 5 +++-- + coders/ps.c | 3 ++- + coders/pwp.c | 3 ++- + coders/sfw.c | 2 +- + coders/video.c | 12 ++++++------ + 19 files changed, 65 insertions(+), 52 deletions(-) + +diff --git a/MagickCore/blob.c b/MagickCore/blob.c +index 5ee81a6..8dcf63f 100644 +--- a/MagickCore/blob.c ++++ b/MagickCore/blob.c +@@ -402,7 +402,7 @@ MagickExport MagickBooleanType BlobToFile(char *filename,const void *blob, + break; + } + } +- file=close(file); ++ file=close_utf8(file); + if ((file == -1) || (i < length)) + { + ThrowFileException(exception,BlobError,"UnableToWriteBlob",filename); +@@ -1516,7 +1516,7 @@ MagickExport void *FileToBlob(const char *filename,const size_t extent, + break; + } + if (LocaleCompare(filename,"-") != 0) +- file=close(file); ++ file=close_utf8(file); + if (blob == (unsigned char *) NULL) + { + (void) ThrowMagickException(exception,GetMagickModule(), +@@ -1541,7 +1541,7 @@ MagickExport void *FileToBlob(const char *filename,const size_t extent, + sizeof(*blob)); + if (blob == (unsigned char *) NULL) + { +- file=close(file); ++ file=close_utf8(file); + (void) ThrowMagickException(exception,GetMagickModule(), + ResourceLimitError,"MemoryAllocationFailed","`%s'",filename); + return(NULL); +@@ -1568,7 +1568,7 @@ MagickExport void *FileToBlob(const char *filename,const size_t extent, + } + if (i < *length) + { +- file=close(file)-1; ++ file=close_utf8(file)-1; + blob=(unsigned char *) RelinquishMagickMemory(blob); + ThrowFileException(exception,BlobError,"UnableToReadBlob",filename); + return(NULL); +@@ -1576,7 +1576,7 @@ MagickExport void *FileToBlob(const char *filename,const size_t extent, + } + blob[*length]='\0'; + if (LocaleCompare(filename,"-") != 0) +- file=close(file); ++ file=close_utf8(file); + if (file == -1) + { + blob=(unsigned char *) RelinquishMagickMemory(blob); +@@ -1692,7 +1692,7 @@ MagickExport MagickBooleanType FileToImage(Image *image,const char *filename, + blob=(unsigned char *) AcquireQuantumMemory(quantum,sizeof(*blob)); + if (blob == (unsigned char *) NULL) + { +- file=close(file); ++ file=close_utf8(file); + ThrowFileException(exception,ResourceLimitError,"MemoryAllocationFailed", + filename); + return(MagickFalse); +@@ -1714,7 +1714,7 @@ MagickExport MagickBooleanType FileToImage(Image *image,const char *filename, + break; + } + } +- file=close(file); ++ file=close_utf8(file); + if (file == -1) + ThrowFileException(exception,BlobError,"UnableToWriteBlob",filename); + blob=(unsigned char *) RelinquishMagickMemory(blob); +@@ -2381,7 +2381,7 @@ MagickExport MagickBooleanType ImageToFile(Image *image,char *filename, + buffer=(unsigned char *) AcquireQuantumMemory(quantum,sizeof(*buffer)); + if (buffer == (unsigned char *) NULL) + { +- file=close(file)-1; ++ file=close_utf8(file)-1; + (void) ThrowMagickException(exception,GetMagickModule(), + ResourceLimitError,"MemoryAllocationError","`%s'",filename); + return(MagickFalse); +@@ -2406,12 +2406,12 @@ MagickExport MagickBooleanType ImageToFile(Image *image,char *filename, + p=(const unsigned char *) ReadBlobStream(image,quantum,buffer,&count); + } + if (LocaleCompare(filename,"-") != 0) +- file=close(file); ++ file=close_utf8(file); + buffer=(unsigned char *) RelinquishMagickMemory(buffer); + if ((file == -1) || (i < length)) + { + if (file != -1) +- file=close(file); ++ file=close_utf8(file); + ThrowFileException(exception,BlobError,"UnableToWriteBlob",filename); + return(MagickFalse); + } +@@ -2839,7 +2839,7 @@ MagickExport MagickBooleanType InjectImageBlob(const ImageInfo *image_info, + if (buffer == (unsigned char *) NULL) + { + (void) RelinquishUniqueFileResource(filename); +- file=close(file); ++ file=close_utf8(file); + ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed", + image->filename); + } +@@ -2855,7 +2855,7 @@ MagickExport MagickBooleanType InjectImageBlob(const ImageInfo *image_info, + status=WriteBlobStream(image,(size_t) count,buffer) == count ? MagickTrue : + MagickFalse; + } +- file=close(file); ++ file=close_utf8(file); + if (file == -1) + ThrowFileException(exception,FileOpenError,"UnableToWriteBlob",filename); + (void) RelinquishUniqueFileResource(filename); +diff --git a/MagickCore/cache.c b/MagickCore/cache.c +index 5a36189..af66224 100644 +--- a/MagickCore/cache.c ++++ b/MagickCore/cache.c +@@ -965,7 +965,7 @@ static MagickBooleanType ClosePixelCacheOnDisk(CacheInfo *cache_info) + status=(-1); + if (cache_info->file != -1) + { +- status=close(cache_info->file); ++ status=close_utf8(cache_info->file); + cache_info->file=(-1); + RelinquishMagickResource(FileResource,1); + } +diff --git a/MagickCore/delegate.c b/MagickCore/delegate.c +index d0ed400..a50b204 100644 +--- a/MagickCore/delegate.c ++++ b/MagickCore/delegate.c +@@ -1663,7 +1663,7 @@ static MagickBooleanType CopyDelegateFile(const char *source, + source_file=open_utf8(source,O_RDONLY | O_BINARY,0); + if (source_file == -1) + { +- (void) close(destination_file); ++ (void) close_utf8(destination_file); + return(MagickFalse); + } + quantum=(size_t) MagickMaxBufferExtent; +@@ -1672,8 +1672,8 @@ static MagickBooleanType CopyDelegateFile(const char *source, + buffer=(unsigned char *) AcquireQuantumMemory(quantum,sizeof(*buffer)); + if (buffer == (unsigned char *) NULL) + { +- (void) close(source_file); +- (void) close(destination_file); ++ (void) close_utf8(source_file); ++ (void) close_utf8(destination_file); + return(MagickFalse); + } + length=0; +@@ -1687,8 +1687,8 @@ static MagickBooleanType CopyDelegateFile(const char *source, + if ((size_t) count != length) + break; + } +- (void) close(destination_file); +- (void) close(source_file); ++ (void) close_utf8(destination_file); ++ (void) close_utf8(source_file); + buffer=(unsigned char *) RelinquishMagickMemory(buffer); + return(i != 0 ? MagickTrue : MagickFalse); + } +diff --git a/MagickCore/display.c b/MagickCore/display.c +index 83463c9..ce1fea8 100644 +--- a/MagickCore/display.c ++++ b/MagickCore/display.c +@@ -8950,7 +8950,7 @@ static Image *XMagickCommand(Display *display,XResourceInfo *resource_info, + } + value=GetImageProperty(*image,"comment",exception); + if (value == (char *) NULL) +- unique_file=close(unique_file)-1; ++ unique_file=close_utf8(unique_file)-1; + else + { + const char +diff --git a/MagickCore/distribute-cache.c b/MagickCore/distribute-cache.c +index d19e967..9a17637 100644 +--- a/MagickCore/distribute-cache.c ++++ b/MagickCore/distribute-cache.c +@@ -72,6 +72,7 @@ + #include "MagickCore/splay-tree.h" + #include "MagickCore/string_.h" + #include "MagickCore/string-private.h" ++#include "MagickCore/utility-private.h" + #include "MagickCore/version.h" + #include "MagickCore/version-private.h" + #undef MAGICKCORE_HAVE_DISTRIBUTE_CACHE +@@ -81,7 +82,7 @@ + #include + #include + #include +-#define CLOSE_SOCKET(socket) (void) close(socket) ++#define CLOSE_SOCKET(socket) (void) close_utf8(socket) + #define HANDLER_RETURN_TYPE void * + #define HANDLER_RETURN_VALUE (void *) NULL + #define SOCKET_TYPE int +diff --git a/MagickCore/effect.c b/MagickCore/effect.c +index 8baf1c3..725fbf2 100644 +--- a/MagickCore/effect.c ++++ b/MagickCore/effect.c +@@ -90,6 +90,7 @@ + #include "MagickCore/thread-private.h" + #include "MagickCore/transform.h" + #include "MagickCore/threshold.h" ++#include "MagickCore/utility-private.h" + + /* + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +@@ -3015,7 +3016,7 @@ MagickExport Image *PreviewImage(const Image *image,const PreviewType preview, + preview_info->quality); + file=AcquireUniqueFileResource(filename); + if (file != -1) +- file=close(file)-1; ++ file=close_utf8(file)-1; + (void) FormatLocaleString(preview_image->filename,MagickPathExtent, + "jpeg:%s",filename); + status=WriteImage(preview_info,preview_image,exception); +diff --git a/MagickCore/feature.c b/MagickCore/feature.c +index c16db34..e36fd3b 100644 +--- a/MagickCore/feature.c ++++ b/MagickCore/feature.c +@@ -94,6 +94,7 @@ + #include "MagickCore/thread-private.h" + #include "MagickCore/timer.h" + #include "MagickCore/utility.h" ++#include "MagickCore/utility-private.h" + #include "MagickCore/version.h" + + /* +@@ -2075,7 +2076,7 @@ MagickExport Image *HoughLineImage(const Image *image,const size_t width, + } + } + } +- (void) close(file); ++ (void) close_utf8(file); + /* + Render lines to image canvas. + */ +diff --git a/MagickCore/matrix.c b/MagickCore/matrix.c +index 9c1ea9d..a825d17 100644 +--- a/MagickCore/matrix.c ++++ b/MagickCore/matrix.c +@@ -55,6 +55,7 @@ + #include "MagickCore/semaphore.h" + #include "MagickCore/thread-private.h" + #include "MagickCore/utility.h" ++#include "MagickCore/utility-private.h" + + /* + Typedef declaration. +@@ -396,7 +397,7 @@ MagickExport MatrixInfo *DestroyMatrixInfo(MatrixInfo *matrix_info) + case DiskCache: + { + if (matrix_info->file != -1) +- (void) close(matrix_info->file); ++ (void) close_utf8(matrix_info->file); + (void) RelinquishUniqueFileResource(matrix_info->path); + RelinquishMagickResource(DiskResource,matrix_info->length); + break; +diff --git a/MagickCore/memory.c b/MagickCore/memory.c +index 434ea23..979d8b4 100644 +--- a/MagickCore/memory.c ++++ b/MagickCore/memory.c +@@ -791,7 +791,7 @@ MagickExport MemoryInfo *AcquireVirtualMemory(const size_t count, + *memory_info->filename='\0'; + } + } +- (void) close(file); ++ (void) close_utf8(file); + } + } + } +diff --git a/MagickCore/random.c b/MagickCore/random.c +index 5553274..8523da9 100644 +--- a/MagickCore/random.c ++++ b/MagickCore/random.c +@@ -539,7 +539,7 @@ static StringInfo *GenerateEntropicChaos(RandomInfo *random_info) + { + SetStringInfoLength(chaos,MaxEntropyExtent); + count=ReadRandom(file,GetStringInfoDatum(chaos),MaxEntropyExtent); +- (void) close(file); ++ (void) close_utf8(file); + SetStringInfoLength(chaos,(size_t) count); + ConcatenateStringInfo(entropy,chaos); + } +@@ -564,7 +564,7 @@ static StringInfo *GenerateEntropicChaos(RandomInfo *random_info) + { + SetStringInfoLength(chaos,MaxEntropyExtent); + count=ReadRandom(file,GetStringInfoDatum(chaos),MaxEntropyExtent); +- (void) close(file); ++ (void) close_utf8(file); + SetStringInfoLength(chaos,(size_t) count); + ConcatenateStringInfo(entropy,chaos); + } +diff --git a/MagickCore/string.c b/MagickCore/string.c +index f2d23c8..38896b1 100644 +--- a/MagickCore/string.c ++++ b/MagickCore/string.c +@@ -595,7 +595,7 @@ MagickExport StringInfo *ConfigureFileToStringInfo(const char *filename) + offset=(MagickOffsetType) lseek(file,0,SEEK_END); + if ((offset < 0) || (offset != (MagickOffsetType) ((ssize_t) offset))) + { +- file=close(file)-1; ++ file=close_utf8(file)-1; + return((StringInfo *) NULL); + } + length=(size_t) offset; +@@ -605,7 +605,7 @@ MagickExport StringInfo *ConfigureFileToStringInfo(const char *filename) + sizeof(*string)); + if (string == (char *) NULL) + { +- file=close(file)-1; ++ file=close_utf8(file)-1; + return((StringInfo *) NULL); + } + map=MapBlob(file,ReadMode,0,length); +@@ -636,13 +636,13 @@ MagickExport StringInfo *ConfigureFileToStringInfo(const char *filename) + } + if (i < length) + { +- file=close(file)-1; ++ file=close_utf8(file)-1; + string=DestroyString(string); + return((StringInfo *) NULL); + } + } + string[length]='\0'; +- file=close(file)-1; ++ file=close_utf8(file)-1; + string_info=AcquireStringInfoContainer(); + string_info->path=ConstantString(filename); + string_info->length=length; +diff --git a/MagickCore/utility-private.h b/MagickCore/utility-private.h +index c28d4c5..e67295e 100644 +--- a/MagickCore/utility-private.h ++++ b/MagickCore/utility-private.h +@@ -147,6 +147,12 @@ static inline int access_utf8(const char *path,int mode) + #endif + } + ++#if defined(MAGICKCORE_WINDOWS_SUPPORT) && !defined(__CYGWIN__) && !defined(__MINGW32__) ++#define close_utf8 _close ++#else ++#define close_utf8 close ++#endif ++ + static inline FILE *fopen_utf8(const char *path,const char *mode) + { + #if !defined(MAGICKCORE_WINDOWS_SUPPORT) || defined(__CYGWIN__) +diff --git a/MagickCore/utility.c b/MagickCore/utility.c +index 4fd6e9c..b135bd8 100644 +--- a/MagickCore/utility.c ++++ b/MagickCore/utility.c +@@ -116,7 +116,7 @@ MagickExport MagickBooleanType AcquireUniqueFilename(char *path) + file=AcquireUniqueFileResource(path); + if (file == -1) + return(MagickFalse); +- file=close(file)-1; ++ file=close_utf8(file)-1; + return(MagickTrue); + } + +@@ -215,7 +215,7 @@ MagickExport MagickBooleanType AcquireUniqueSymbolicLink(const char *source, + source_file=open_utf8(source,O_RDONLY | O_BINARY,0); + if (source_file == -1) + { +- (void) close(destination_file); ++ (void) close_utf8(destination_file); + (void) RelinquishUniqueFileResource(destination); + return(MagickFalse); + } +@@ -225,8 +225,8 @@ MagickExport MagickBooleanType AcquireUniqueSymbolicLink(const char *source, + buffer=(unsigned char *) AcquireQuantumMemory(quantum,sizeof(*buffer)); + if (buffer == (unsigned char *) NULL) + { +- (void) close(source_file); +- (void) close(destination_file); ++ (void) close_utf8(source_file); ++ (void) close_utf8(destination_file); + (void) RelinquishUniqueFileResource(destination); + return(MagickFalse); + } +@@ -245,8 +245,8 @@ MagickExport MagickBooleanType AcquireUniqueSymbolicLink(const char *source, + break; + } + } +- (void) close(destination_file); +- (void) close(source_file); ++ (void) close_utf8(destination_file); ++ (void) close_utf8(source_file); + buffer=(unsigned char *) RelinquishMagickMemory(buffer); + return(status); + } +@@ -1949,6 +1949,6 @@ MagickPrivate MagickBooleanType ShredFile(const char *path) + } + key=DestroyStringInfo(key); + random_info=DestroyRandomInfo(random_info); +- status=close(file); ++ status=close_utf8(file); + return((status == -1 || i < passes) ? MagickFalse : MagickTrue); + } +diff --git a/MagickCore/xml-tree.c b/MagickCore/xml-tree.c +index 98b9fb2..0cdaf6a 100644 +--- a/MagickCore/xml-tree.c ++++ b/MagickCore/xml-tree.c +@@ -583,7 +583,7 @@ MagickPrivate char *FileToXML(const char *filename,const size_t extent) + break; + } + if (LocaleCompare(filename,"-") != 0) +- file=close(file); ++ file=close_utf8(file); + if (xml == (char *) NULL) + return((char *) NULL); + if (file == -1) +@@ -601,7 +601,7 @@ MagickPrivate char *FileToXML(const char *filename,const size_t extent) + xml=(char *) AcquireQuantumMemory(length+MagickPathExtent,sizeof(*xml)); + if (xml == (char *) NULL) + { +- file=close(file); ++ file=close_utf8(file); + return((char *) NULL); + } + map=MapBlob(file,ReadMode,0,length); +@@ -626,14 +626,14 @@ MagickPrivate char *FileToXML(const char *filename,const size_t extent) + } + if (i < length) + { +- file=close(file)-1; ++ file=close_utf8(file)-1; + xml=(char *) RelinquishMagickMemory(xml); + return((char *) NULL); + } + } + xml[length]='\0'; + if (LocaleCompare(filename,"-") != 0) +- file=close(file); ++ file=close_utf8(file); + if (file == -1) + xml=(char *) RelinquishMagickMemory(xml); + return(xml); +diff --git a/coders/pdf.c b/coders/pdf.c +index 2079252..fc3392c 100644 +--- a/coders/pdf.c ++++ b/coders/pdf.c +@@ -84,6 +84,7 @@ + #include "MagickCore/token.h" + #include "MagickCore/transform.h" + #include "MagickCore/utility.h" ++#include "MagickCore/utility-private.h" + #include "MagickCore/xml-tree-private.h" + #include "coders/bytebuffer-private.h" + #include "coders/coders-private.h" +@@ -562,14 +563,14 @@ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception) + } + if (write(file," ",1) != 1) + { +- file=close(file)-1; ++ file=close_utf8(file)-1; + (void) RelinquishUniqueFileResource(input_filename); + (void) RelinquishUniqueFileResource(postscript_filename); + CleanupPDFInfo(&pdf_info); + image=DestroyImage(image); + return((Image *) NULL); + } +- file=close(file)-1; ++ file=close_utf8(file)-1; + /* + Render Postscript with the Ghostscript delegate. + */ +diff --git a/coders/ps.c b/coders/ps.c +index 3999cf9..0ec61d7 100644 +--- a/coders/ps.c ++++ b/coders/ps.c +@@ -78,6 +78,7 @@ + #include "MagickCore/token.h" + #include "MagickCore/transform.h" + #include "MagickCore/utility.h" ++#include "MagickCore/utility-private.h" + #include "coders/bytebuffer-private.h" + #include "coders/coders-private.h" + #include "coders/ghostscript-private.h" +@@ -757,7 +758,7 @@ static Image *ReadPSImage(const ImageInfo *image_info,ExceptionInfo *exception) + strlen(translate_geometry)); + } + (void) count; +- file=close(file)-1; ++ file=close_utf8(file)-1; + /* + Render Postscript with the Ghostscript delegate. + */ +diff --git a/coders/pwp.c b/coders/pwp.c +index c358704..00bd812 100644 +--- a/coders/pwp.c ++++ b/coders/pwp.c +@@ -56,6 +56,7 @@ + #include "MagickCore/quantum-private.h" + #include "MagickCore/static.h" + #include "MagickCore/string_.h" ++#include "MagickCore/utility-private.h" + #include "MagickCore/module.h" + + /* +@@ -269,7 +270,7 @@ static Image *ReadPWPImage(const ImageInfo *image_info,ExceptionInfo *exception) + break; + } + if (unique_file != -1) +- (void) close(unique_file); ++ (void) close_utf8(unique_file); + (void) RelinquishUniqueFileResource(filename); + read_info=DestroyImageInfo(read_info); + if (image != (Image *) NULL) +diff --git a/coders/sfw.c b/coders/sfw.c +index 46c67b4..8117399 100644 +--- a/coders/sfw.c ++++ b/coders/sfw.c +@@ -331,7 +331,7 @@ static Image *ReadSFWImage(const ImageInfo *image_info,ExceptionInfo *exception) + extent=fwrite(offset+1,1,(size_t) (data-offset),file); + status=ferror(file) != 0 ? MagickFalse : MagickTrue; + (void) fclose(file); +- (void) close(unique_file); ++ (void) close_utf8(unique_file); + buffer=(unsigned char *) RelinquishMagickMemory(buffer); + if (status == MagickFalse) + { +diff --git a/coders/video.c b/coders/video.c +index 28a56d8..be0c49e 100644 +--- a/coders/video.c ++++ b/coders/video.c +@@ -509,7 +509,7 @@ static MagickBooleanType CopyDelegateFile(const char *source, + source_file=open_utf8(source,O_RDONLY | O_BINARY,0); + if (source_file == -1) + { +- (void) close(destination_file); ++ (void) close_utf8(destination_file); + return(MagickFalse); + } + quantum=(size_t) MagickMaxBufferExtent; +@@ -519,8 +519,8 @@ static MagickBooleanType CopyDelegateFile(const char *source, + buffer=(unsigned char *) AcquireQuantumMemory(quantum,sizeof(*buffer)); + if (buffer == (unsigned char *) NULL) + { +- (void) close(source_file); +- (void) close(destination_file); ++ (void) close_utf8(source_file); ++ (void) close_utf8(destination_file); + return(MagickFalse); + } + length=0; +@@ -535,8 +535,8 @@ static MagickBooleanType CopyDelegateFile(const char *source, + break; + } + if (strcmp(destination,"-") != 0) +- (void) close(destination_file); +- (void) close(source_file); ++ (void) close_utf8(destination_file); ++ (void) close_utf8(source_file); + buffer=(unsigned char *) RelinquishMagickMemory(buffer); + return(i != 0 ? MagickTrue : MagickFalse); + } +@@ -600,7 +600,7 @@ static MagickBooleanType WriteVIDEOImage(const ImageInfo *image_info, + return(MagickFalse); + file=AcquireUniqueFileResource(basename); + if (file != -1) +- file=close(file)-1; ++ file=close_utf8(file)-1; + (void) FormatLocaleString(clone_images->filename,MagickPathExtent,"%s", + basename); + count=0; diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28690.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28690.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28690.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28690.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,60 @@ +From: Cristy +Date: Sun, 22 Feb 2026 19:00:46 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7h7q-j33q-hvpf + +a stack buffer overflow vulnerability exists in the MNG encoder. + +(cherry picked from commit e6e874875e48dd9838acca3bd22c14a4d2f1b3ca) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7h7q-j33q-hvpf +origin: https://github.com/ImageMagick/ImageMagick/commit/e6e874875e48dd9838acca3bd22c14a4d2f1b3ca +--- + coders/png.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/coders/png.c b/coders/png.c +index 46a6720..bd8ed90 100644 +--- a/coders/png.c ++++ b/coders/png.c +@@ -12340,6 +12340,13 @@ static MagickBooleanType WriteOneJNGImage(MngWriteInfo *mng_info, + blob=(unsigned char *) ImageToBlob(jpeg_image_info,jpeg_image, + &length,exception); + ++ if (blob == (unsigned char *) NULL) ++ { ++ jpeg_image=DestroyImage(jpeg_image); ++ jpeg_image_info=DestroyImageInfo(jpeg_image_info); ++ return(MagickFalse); ++ } ++ + /* Retrieve sample depth used */ + value=GetImageProperty(jpeg_image,"png:bit-depth-written",exception); + if (value != (char *) NULL) +@@ -12709,6 +12716,15 @@ static MagickBooleanType WriteOneJNGImage(MngWriteInfo *mng_info, + blob=(unsigned char *) ImageToBlob(jpeg_image_info,jpeg_image,&length, + exception); + ++ if (blob == (unsigned char *) NULL) ++ { ++ if (jpeg_image != (Image *)NULL) ++ jpeg_image=DestroyImage(jpeg_image); ++ if (jpeg_image_info != (ImageInfo *)NULL) ++ jpeg_image_info=DestroyImageInfo(jpeg_image_info); ++ return(MagickFalse); ++ } ++ + if (logging != MagickFalse) + { + (void) LogMagickEvent(CoderEvent,GetMagickModule(), +@@ -12884,7 +12900,9 @@ static MagickBooleanType WriteMNGImage(const ImageInfo *image_info,Image *image, + mng_info->image=image; + write_mng=LocaleCompare(image_info->magick,"MNG") == 0 ? + MagickTrue : MagickFalse; +- ++ if ((write_mng != MagickFalse) && (image->storage_class == PseudoClass) && ++ (image->colors > 256)) ++ (void) SetImageStorageClass(image,DirectClass,exception); + /* + * See if user has requested a specific PNG subformat to be used + * for all of the PNGs in the MNG being written, e.g., diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28691.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28691.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28691.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28691.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,33 @@ +From: Cristy +Date: Sun, 22 Feb 2026 19:02:12 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wj8w-pjxf-9g4f + +an uninitialized pointer dereference vulnerability exists in the JBIG decoder due to a missing check. + +(cherry picked from commit 87f619bcd066a3c8e8fae4addb99f15d496ae881) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wj8w-pjxf-9g4f +origin: https://github.com/ImageMagick/ImageMagick/commit/87f619bcd066a3c8e8fae4addb99f15d496ae881 +--- + coders/jbig.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/coders/jbig.c b/coders/jbig.c +index fca44c6..fa367e8 100644 +--- a/coders/jbig.c ++++ b/coders/jbig.c +@@ -197,6 +197,13 @@ static Image *ReadJBIGImage(const ImageInfo *image_info, + length-=(ssize_t) count; + } + } while ((status == JBG_EAGAIN) || (status == JBG_EOK)); ++ if (status != JBG_EOK) ++ { ++ jbg_dec_free(&jbig_info); ++ buffer=(unsigned char *) RelinquishMagickMemory(buffer); ++ ThrowReaderException(CorruptImageError,"UnableToReadImageData"); ++ } ++ + /* + Create colormap. + */ diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28692.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28692.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28692.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28692.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,60 @@ +From: Cristy +Date: Sun, 22 Feb 2026 19:02:38 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mrmj-x24c-wwcv + +MAT decoder uses 32-bit arithmetic due to incorrect parenthesization resulting in a heap over-read. + +(cherry picked from commit cb6cc0611baa4dac59add6439fa1d8af33fc5927) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mrmj-x24c-wwcv +origin: https://github.com/ImageMagick/ImageMagick/commit/cb6cc0611baa4dac59add6439fa1d8af33fc5927 +--- + coders/mat.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/coders/mat.c b/coders/mat.c +index 750d8bc..34e8176 100644 +--- a/coders/mat.c ++++ b/coders/mat.c +@@ -1153,19 +1153,19 @@ MATLAB_KO: + case miUINT16: + sample_size = 16; + image->depth = 16; /* Word type cell */ +- ldblk = (ssize_t) (2 * MATLAB_HDR.SizeX); ++ ldblk = (2 * (ssize_t) MATLAB_HDR.SizeX); + break; + case miINT32: + case miUINT32: + sample_size = 32; + image->depth = 32; /* Dword type cell */ +- ldblk = (ssize_t) (4 * MATLAB_HDR.SizeX); ++ ldblk = (4 * (ssize_t) MATLAB_HDR.SizeX); + break; + case miINT64: + case miUINT64: + sample_size = 64; + image->depth = 64; /* Qword type cell */ +- ldblk = (ssize_t) (8 * MATLAB_HDR.SizeX); ++ ldblk = (8 * (ssize_t) MATLAB_HDR.SizeX); + break; + case miSINGLE: + sample_size = 32; +@@ -1174,7 +1174,7 @@ MATLAB_KO: + if (MATLAB_HDR.StructureFlag & FLAG_COMPLEX) + { /* complex float type cell */ + } +- ldblk = (ssize_t) (4 * MATLAB_HDR.SizeX); ++ ldblk = (4 * (ssize_t) MATLAB_HDR.SizeX); + break; + case miDOUBLE: + sample_size = 64; +@@ -1193,7 +1193,7 @@ RestoreMSCWarning + if (MATLAB_HDR.StructureFlag & FLAG_COMPLEX) + { /* complex double type cell */ + } +- ldblk = (ssize_t) (8 * MATLAB_HDR.SizeX); ++ ldblk = (8 * (ssize_t) MATLAB_HDR.SizeX); + break; + default: + if ((image != image2) && (image2 != (Image *) NULL)) diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28693_1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28693_1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28693_1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28693_1.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,100 @@ +From: Jake Lodwick +Date: Sat, 28 Feb 2026 08:39:45 -0700 +Subject: Add overflow checks to BMP/DIB write paths and DIB read path (#8573) + +(cherry picked from commit 33375f93a866830bbaf72f86314fbc3014b9e4c4) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hffp-q43q-qq76 +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/33375f93a866830bbaf72f86314fbc3014b9e4c4 +--- + coders/bmp.c | 3 +++ + coders/dib.c | 28 +++++++++++++++++++++------- + 2 files changed, 24 insertions(+), 7 deletions(-) + +diff --git a/coders/bmp.c b/coders/bmp.c +index 717ace6..28c7f94 100644 +--- a/coders/bmp.c ++++ b/coders/bmp.c +@@ -2040,6 +2040,9 @@ static MagickBooleanType WriteBMPImage(const ImageInfo *image_info,Image *image, + } + } + } ++ if (BMPOverflowCheck(image->columns,(size_t) bmp_info.bits_per_pixel) != ++ MagickFalse) ++ ThrowWriterException(ImageError,"WidthOrHeightExceedsLimit"); + extent=image->columns*(size_t) bmp_info.bits_per_pixel; + bytes_per_line=4*((extent+31)/32); + if (BMPOverflowCheck(bytes_per_line,image->rows) != MagickFalse) +diff --git a/coders/dib.c b/coders/dib.c +index fea69d8..c9a80c1 100644 +--- a/coders/dib.c ++++ b/coders/dib.c +@@ -490,6 +490,7 @@ static Image *ReadDIBImage(const ImageInfo *image_info,ExceptionInfo *exception) + + size_t + bytes_per_line, ++ extent, + length; + + ssize_t +@@ -668,9 +669,14 @@ static Image *ReadDIBImage(const ImageInfo *image_info,ExceptionInfo *exception) + */ + if (dib_info.compression == DibRle4Compression) + dib_info.bits_per_pixel<<=1; +- bytes_per_line=4*((image->columns*dib_info.bits_per_pixel+31)/32); +- length=bytes_per_line*image->rows; +- if ((MagickSizeType) length > (256*GetBlobSize(image))) ++ if (HeapOverflowSanityCheckGetSize(image->columns, ++ (size_t) dib_info.bits_per_pixel,&extent) != MagickFalse) ++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); ++ bytes_per_line=4*((extent+31)/32); ++ if (HeapOverflowSanityCheckGetSize(bytes_per_line,image->rows, ++ &length) != MagickFalse) ++ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); ++ if ((MagickSizeType) (length/256) > GetBlobSize(image)) + ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); + pixel_info=AcquireVirtualMemory(image->rows,MagickMax(bytes_per_line, + image->columns+256UL)*sizeof(*pixels)); +@@ -1114,7 +1120,9 @@ static MagickBooleanType WriteDIBImage(const ImageInfo *image_info,Image *image, + *q; + + size_t +- bytes_per_line; ++ bytes_per_line, ++ extent, ++ length; + + ssize_t + y; +@@ -1166,14 +1174,20 @@ static MagickBooleanType WriteDIBImage(const ImageInfo *image_info,Image *image, + dib_info.number_colors=(unsigned int) (dib_info.bits_per_pixel == 16 ? 0 : + (1UL << dib_info.bits_per_pixel)); + } +- bytes_per_line=4*((image->columns*dib_info.bits_per_pixel+31)/32); ++ if (HeapOverflowSanityCheckGetSize(image->columns, ++ (size_t) dib_info.bits_per_pixel,&extent) != MagickFalse) ++ ThrowWriterException(ImageError,"WidthOrHeightExceedsLimit"); ++ bytes_per_line=4*((extent+31)/32); ++ if (HeapOverflowSanityCheckGetSize(bytes_per_line,image->rows, ++ &length) != MagickFalse) ++ ThrowWriterException(ImageError,"WidthOrHeightExceedsLimit"); + dib_info.size=40; + dib_info.width=(int) image->columns; + dib_info.height=(int) image->rows; + dib_info.planes=1; + dib_info.compression=(unsigned int) (dib_info.bits_per_pixel == 16 ? + DibBitfieldsCompression : DibRgbCompression); +- dib_info.image_size=(unsigned int) (bytes_per_line*image->rows); ++ dib_info.image_size=(unsigned int) length; + dib_info.x_pixels=75*39; + dib_info.y_pixels=75*39; + switch (image->units) +@@ -1200,7 +1214,7 @@ static MagickBooleanType WriteDIBImage(const ImageInfo *image_info,Image *image, + bytes_per_line,image->columns+256UL)*sizeof(*pixels)); + if (pixels == (unsigned char *) NULL) + ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed"); +- (void) memset(pixels,0,dib_info.image_size); ++ (void) memset(pixels,0,length); + switch (dib_info.bits_per_pixel) + { + case 1: diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28693_2.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28693_2.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28693_2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28693_2.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,26 @@ +From: Dirk Lemstra +Date: Sun, 1 Mar 2026 17:32:44 +0100 +Subject: Added extra check. + +(cherry picked from commit 50a0c0d7ebbac39d9eef9d1ef13262861945451c) + +bug; https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hffp-q43q-qq76 +origin: https://github.com/ImageMagick/ImageMagick/commit/50a0c0d7ebbac39d9eef9d1ef13262861945451c +--- + coders/dib.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/coders/dib.c b/coders/dib.c +index c9a80c1..482f0aa 100644 +--- a/coders/dib.c ++++ b/coders/dib.c +@@ -672,7 +672,8 @@ static Image *ReadDIBImage(const ImageInfo *image_info,ExceptionInfo *exception) + if (HeapOverflowSanityCheckGetSize(image->columns, + (size_t) dib_info.bits_per_pixel,&extent) != MagickFalse) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); +- bytes_per_line=4*((extent+31)/32); ++ if (HeapOverflowSanityCheckGetSize(4,((extent+31)/32),&bytes_per_line) != MagickFalse) ++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + if (HeapOverflowSanityCheckGetSize(bytes_per_line,image->rows, + &length) != MagickFalse) + ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28693_pre1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28693_pre1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28693_pre1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-28693_pre1.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,49 @@ +From: Cristy +Date: Sat, 23 Aug 2025 11:10:33 -0400 +Subject: https://gist.github.com/mescuwa/9197f4317a69559cdf87d0bfab6fa473 + +(cherry picked from commit 8f0a198216a701779b7b8784512b0f90613a801f) + +origin: https://github.com/ImageMagick/ImageMagick/commit/8f0a198216a701779b7b8784512b0f90613a801f +--- + coders/bmp.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/coders/bmp.c b/coders/bmp.c +index 6f1b77d..717ace6 100644 +--- a/coders/bmp.c ++++ b/coders/bmp.c +@@ -1869,6 +1869,7 @@ static MagickBooleanType WriteBMPImage(const ImageInfo *image_info,Image *image, + + size_t + bytes_per_line, ++ extent, + number_scenes, + type; + +@@ -2039,7 +2040,10 @@ static MagickBooleanType WriteBMPImage(const ImageInfo *image_info,Image *image, + } + } + } +- bytes_per_line=4*((image->columns*bmp_info.bits_per_pixel+31)/32); ++ extent=image->columns*(size_t) bmp_info.bits_per_pixel; ++ bytes_per_line=4*((extent+31)/32); ++ if (BMPOverflowCheck(bytes_per_line,image->rows) != MagickFalse) ++ ThrowWriterException(ImageError,"WidthOrHeightExceedsLimit"); + bmp_info.ba_offset=0; + if (type > 3) + profile=GetImageProfile(image,"icc"); +@@ -2101,8 +2105,11 @@ static MagickBooleanType WriteBMPImage(const ImageInfo *image_info,Image *image, + /* + Convert MIFF to BMP raster pixels. + */ +- pixel_info=AcquireVirtualMemory(image->rows,MagickMax(bytes_per_line, +- image->columns+256UL)*sizeof(*pixels)); ++ extent=GetImageChannels(image)*MagickMax(bytes_per_line,image->columns+1UL); ++ if ((BMPOverflowCheck(image->rows,extent) != MagickFalse) || ++ (BMPOverflowCheck(extent,sizeof(*pixels)) != MagickFalse)) ++ ThrowWriterException(ImageError,"WidthOrHeightExceedsLimit"); ++ pixel_info=AcquireVirtualMemory(image->rows,extent*sizeof(*pixels)); + if (pixel_info == (MemoryInfo *) NULL) + ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed"); + pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30883.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30883.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30883.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30883.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,42 @@ +From: Dirk Lemstra +Date: Fri, 6 Mar 2026 13:15:04 +0100 +Subject: Added extra check to prevent overflow that could result in a heap + over-write (GHSA-qmw5-2p58-xvrc) + +(cherry picked from commit 5897fb65d173a57729026321d5067c9ddca5c56f) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qmw5-2p58-xvrc +origin: https://github.com/ImageMagick/ImageMagick/commit/5897fb65d173a57729026321d5067c9ddca5c56f +--- + coders/png.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/coders/png.c b/coders/png.c +index bd8ed90..f6b5909 100644 +--- a/coders/png.c ++++ b/coders/png.c +@@ -7655,11 +7655,10 @@ ModuleExport void UnregisterPNGImage(void) + % transparent region at the top and/or left. + */ + +-static void +-Magick_png_write_raw_profile(const ImageInfo *image_info,png_struct *ping, +- png_info *ping_info, unsigned char *profile_type, unsigned char +- *profile_description, unsigned char *profile_data, png_uint_32 length, +- ExceptionInfo *exception) ++static void Magick_png_write_raw_profile(const ImageInfo *image_info, ++ png_struct *ping,png_info *ping_info,unsigned char *profile_type, ++ unsigned char *profile_description,unsigned char *profile_data, ++ png_uint_32 length,ExceptionInfo *exception) + { + png_charp + dp; +@@ -7692,7 +7691,7 @@ Magick_png_write_raw_profile(const ImageInfo *image_info,png_struct *ping, + description_length=(png_uint_32) strlen((const char *) profile_description); + allocated_length=(png_uint_32) (2*length+(length >> 5)+description_length+ + 20); +- if (allocated_length < length) ++ if ((allocated_length < length) || (length >= (PNG_UINT_31_MAX / 2))) + { + (void) ThrowMagickException(exception,GetMagickModule(),CoderError, + "maximum profile length exceeded","`%s'",image_info->filename); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30929.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30929.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30929.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30929.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,28 @@ +From: Cristy +Date: Tue, 3 Mar 2026 19:22:58 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-rqq8-jh93-f4vg + +MagnifyImage uses a fixed-size stack buffer. When using a specific image it is possible to overflow this buffer and corrupt the stack + +(cherry picked from commit adf831c442b7dc37da04d73331aba26e388eeb9a) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-rqq8-jh93-f4vg +origin: https://github.com/ImageMagick/ImageMagick/commit/adf831c442b7dc37da04d73331aba26e388eeb9a +--- + MagickCore/resize.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/MagickCore/resize.c b/MagickCore/resize.c +index 1def5e6..99857c6 100644 +--- a/MagickCore/resize.c ++++ b/MagickCore/resize.c +@@ -3058,7 +3058,7 @@ MagickExport Image *MagnifyImage(const Image *image,ExceptionInfo *exception) + for (y=0; y < (ssize_t) source_image->rows; y++) + { + Quantum +- r[128]; /* to hold result pixels */ ++ r[magnification*magnification*MaxPixelChannels]; /* result pixels */ + + Quantum + *magick_restrict q; diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30931.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30931.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30931.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30931.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,68 @@ +From: Cristy +Date: Wed, 4 Mar 2026 22:07:04 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-h95r-c8c7-mrwx + +a heap-based buffer overflow in the UHDR encoder can happen due to truncation of a value and it would allow an out of bounds write + +(cherry picked from commit 7fe4dbabe5d50057513d5d16eb9cbfa0734b4848) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-h95r-c8c7-mrwx +origin: https://github.com/ImageMagick/ImageMagick/commit/7fe4dbabe5d50057513d5d16eb9cbfa0734b4848 +--- + coders/uhdr.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/coders/uhdr.c b/coders/uhdr.c +index c5611fb..2cc3966 100644 +--- a/coders/uhdr.c ++++ b/coders/uhdr.c +@@ -625,7 +625,8 @@ static MagickBooleanType WriteUHDRImage(const ImageInfo *image_info, + aligned_width; + + size_t +- picSize; ++ picSize, ++ sans; + + void + *crBuffer = NULL, *cbBuffer = NULL, *yBuffer = NULL; +@@ -676,30 +677,33 @@ static MagickBooleanType WriteUHDRImage(const ImageInfo *image_info, + "ImproperImageHeader","%s",image->filename); + goto next_image; + } +- if ((bpp < 4) && (HeapOverflowSanityCheckGetSize(picSize,1.5,&picSize) != MagickFalse)) ++ if ((bpp < 4) && (HeapOverflowSanityCheckGetSize(picSize,3,&sans) != MagickFalse)) + { + (void) ThrowMagickException(exception,GetMagickModule(),CorruptImageError, + "ImproperImageHeader","%s",image->filename); + goto next_image; + } ++ picSize=3*picsize/2; + +- if (image->depth < hdrIntentMinDepth && image->depth != 8) ++ if ((image->depth < hdrIntentMinDepth) && (image->depth != 8)) + { + (void) ThrowMagickException(exception, GetMagickModule(), ConfigureWarning, + "Received image with unexpected bit depth","%s","ignoring ..."); + goto next_image; + } + +- if (image->depth >= hdrIntentMinDepth && hdrImgDescriptor.planes[UHDR_PLANE_Y] != NULL) ++ if ((image->depth >= hdrIntentMinDepth) && ++ (hdrImgDescriptor.planes[UHDR_PLANE_Y] != NULL)) + { + (void) ThrowMagickException(exception, GetMagickModule(), ConfigureWarning, + "Received multiple hdr intent resources, ","%s","overwriting ..."); + RelinquishMagickMemory(hdrImgDescriptor.planes[UHDR_PLANE_Y]); + hdrImgDescriptor.planes[UHDR_PLANE_Y] = NULL; + } +- else if (image->depth == 8 && sdrImgDescriptor.planes[UHDR_PLANE_Y] != NULL) ++ else if ((image->depth == 8) && ++ (sdrImgDescriptor.planes[UHDR_PLANE_Y] != NULL)) + { +- (void) ThrowMagickException(exception, GetMagickModule(), ConfigureWarning, ++ (void) ThrowMagickException(exception,GetMagickModule(),ConfigureWarning, + "Received multiple sdr intent resources, ","%s","overwriting ..."); + RelinquishMagickMemory(sdrImgDescriptor.planes[UHDR_PLANE_Y]); + sdrImgDescriptor.planes[UHDR_PLANE_Y] = NULL; diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30931_pre1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30931_pre1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30931_pre1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30931_pre1.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,71 @@ +From: Dirk Lemstra +Date: Sun, 8 Feb 2026 14:29:44 +0100 +Subject: Corrected previous patch and added more overflow checks. + +(cherry picked from commit 31f10b1de591ee71179542a6d06e6885cbafdf71) + +origin: https://github.com/ImageMagick/ImageMagick/commit/31f10b1de591ee71179542a6d06e6885cbafdf71 +--- + coders/uhdr.c | 28 +++++++++++++++++++++++----- + 1 file changed, 23 insertions(+), 5 deletions(-) + +diff --git a/coders/uhdr.c b/coders/uhdr.c +index a527465..c5611fb 100644 +--- a/coders/uhdr.c ++++ b/coders/uhdr.c +@@ -636,17 +636,14 @@ static MagickBooleanType WriteUHDRImage(const ImageInfo *image_info, + (void) ThrowMagickException(exception,GetMagickModule(),ImageError, + "WidthOrHeightExceedsLimit","%s",image->filename); + goto next_image; +- } ++ } + bpp = image->depth >= hdrIntentMinDepth ? 2 : 1; +- aligned_width = image->columns + (image->columns & 1); +- picSize = aligned_width * aligned_height * bpp * 1.5 /* 2x2 sub-sampling */; + if (IssRGBCompatibleColorspace(image->colorspace) && !IsGrayColorspace(image->colorspace)) + { + if (image->depth >= hdrIntentMinDepth && hdr_ct == UHDR_CT_LINEAR) + bpp = 8; /* rgbahalf float */ + else + bpp = 4; /* rgba1010102 or rgba8888 */ +- picSize = aligned_width * aligned_height * bpp; + } + else if (IsYCbCrCompatibleColorspace(image->colorspace)) + { +@@ -665,6 +662,27 @@ static MagickBooleanType WriteUHDRImage(const ImageInfo *image_info, + goto next_image; + } + ++ aligned_width = image->columns + (image->columns & 1); ++ aligned_height = image->rows + (image->rows & 1); ++ if (HeapOverflowSanityCheckGetSize(aligned_width,aligned_height,&picSize) != MagickFalse) ++ { ++ (void) ThrowMagickException(exception,GetMagickModule(),CorruptImageError, ++ "ImproperImageHeader","%s",image->filename); ++ goto next_image; ++ } ++ if (HeapOverflowSanityCheckGetSize(picSize,bpp,&picSize) != MagickFalse) ++ { ++ (void) ThrowMagickException(exception,GetMagickModule(),CorruptImageError, ++ "ImproperImageHeader","%s",image->filename); ++ goto next_image; ++ } ++ if ((bpp < 4) && (HeapOverflowSanityCheckGetSize(picSize,1.5,&picSize) != MagickFalse)) ++ { ++ (void) ThrowMagickException(exception,GetMagickModule(),CorruptImageError, ++ "ImproperImageHeader","%s",image->filename); ++ goto next_image; ++ } ++ + if (image->depth < hdrIntentMinDepth && image->depth != 8) + { + (void) ThrowMagickException(exception, GetMagickModule(), ConfigureWarning, +@@ -828,7 +846,7 @@ static MagickBooleanType WriteUHDRImage(const ImageInfo *image_info, + b = ScaleQuantumToShort(GetPixelBlue(image, p)) & 0xFFC0; + + rgbBase[y * hdrImgDescriptor.stride[UHDR_PLANE_PACKED] + x] = +- (0x3 << 30) | (b << 14) | (g << 4) | (r >> 6); ++ (0x3U << 30) | (b << 14) | (g << 4) | (r >> 6); + } + } + else if (image->depth == 8) diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30935.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30935.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30935.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30935.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,59 @@ +From: ylwango613 <128395302+ylwango613@users.noreply.github.com> +Date: Tue, 3 Mar 2026 02:41:06 +0800 +Subject: fix heap over-read in BilateralBlurImage with even-dimension kernels + (#8595) + +The mirrored pixel mapping (mid.x-u, mid.y-v) accesses buffer position +(2*mid - u). For even width 2k, mid=k, so u=0 accesses column 2k=width +which is one past the buffer end. Reverse the mapping to (u-mid.x, +v-mid.y) and use signed arithmetic at all three call sites. + +(cherry picked from commit ed448e879285db99d2c1207393822713acb510f2) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cqw9-w2m7-r2m2 +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/ed448e879285db99d2c1207393822713acb510f2 +--- + MagickCore/effect.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/MagickCore/effect.c b/MagickCore/effect.c +index 725fbf2..1264fda 100644 +--- a/MagickCore/effect.c ++++ b/MagickCore/effect.c +@@ -1039,10 +1039,10 @@ MagickExport Image *BilateralBlurImage(const Image *image,const size_t width, + double + intensity; + +- r=p+(ssize_t) (GetPixelChannels(image)*MagickMax(width,1)* +- (size_t) (mid.y-v)+GetPixelChannels(image)*(size_t) (mid.x-u)); +- intensity=ScaleQuantumToChar(GetPixelIntensity(image,r))- +- (double) ScaleQuantumToChar(GetPixelIntensity(image,p)); ++ r=p+(ssize_t) GetPixelChannels(image)*(ssize_t) MagickMax(width,1)* ++ (v-mid.y)+(ssize_t) GetPixelChannels(image)*(u-mid.x); ++ intensity=ScaleQuantumToChar((const Quantum) GetPixelIntensity(image,r))- ++ (double) ScaleQuantumToChar((const Quantum) GetPixelIntensity(image,p)); + if ((intensity >= -MaxIntensity) && (intensity <= MaxIntensity)) + weights[id][n]=intensity_gaussian[(ssize_t) intensity+MaxIntensity]* + spatial_gaussian[n]; +@@ -1084,8 +1084,8 @@ MagickExport Image *BilateralBlurImage(const Image *image,const size_t width, + { + for (u=0; u < (ssize_t) MagickMax(width,1); u++) + { +- r=p+GetPixelChannels(image)*MagickMax(width,1)*(size_t) +- (mid.y-v)+GetPixelChannels(image)*(size_t) (mid.x-u); ++ r=p+(ssize_t) GetPixelChannels(image)*(ssize_t) MagickMax(width,1)* ++ (v-mid.y)+(ssize_t) GetPixelChannels(image)*(u-mid.x); + pixel+=weights[id][n]*(double) r[i]; + gamma+=weights[id][n]; + n++; +@@ -1106,8 +1106,8 @@ MagickExport Image *BilateralBlurImage(const Image *image,const size_t width, + alpha, + beta; + +- r=p+GetPixelChannels(image)*MagickMax(width,1)*(size_t) (mid.y-v)+ +- GetPixelChannels(image)*(size_t) (mid.x-u); ++ r=p+(ssize_t) GetPixelChannels(image)*(ssize_t) MagickMax(width,1)* ++ (v-mid.y)+(ssize_t) GetPixelChannels(image)*(u-mid.x); + alpha=(double) (QuantumScale*(double) GetPixelAlpha(image,p)); + beta=(double) (QuantumScale*(double) GetPixelAlpha(image,r)); + pixel+=weights[id][n]*(double) r[i]; diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30936.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30936.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30936.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30936.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,48 @@ +From: Cristy +Date: Tue, 3 Mar 2026 19:45:11 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5ggv-92r5-cp4p + +a crafted image could cause an out of bounds heap write inside the WaveletDenoiseImage method + +(cherry picked from commit ffbbd7201e0ba08707849c0053aa703e076bf86e) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5ggv-92r5-cp4p +origin: https://github.com/ImageMagick/ImageMagick/commit/ffbbd7201e0ba08707849c0053aa703e076bf86e +--- + MagickCore/visual-effects.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/MagickCore/visual-effects.c b/MagickCore/visual-effects.c +index 0a685cc..1d30b4a 100644 +--- a/MagickCore/visual-effects.c ++++ b/MagickCore/visual-effects.c +@@ -3535,6 +3535,9 @@ MagickExport Image *WaveletDenoiseImage(const Image *image, + MemoryInfo + *pixels_info; + ++ size_t ++ number_levels = 5; ++ + ssize_t + channel; + +@@ -3581,6 +3584,9 @@ MagickExport Image *WaveletDenoiseImage(const Image *image, + pixels=(float *) GetVirtualMemoryBlob(pixels_info); + status=MagickTrue; + number_pixels=(MagickSizeType) image->columns*image->rows; ++ while ((number_levels > 0) && ++ ((1UL << (number_levels-1)) >= MagickMin(image->columns,image->rows))) ++ number_levels--; + image_view=AcquireAuthenticCacheView(image,exception); + noise_view=AcquireAuthenticCacheView(noise_image,exception); + for (channel=0; channel < (ssize_t) GetPixelChannels(image); channel++) +@@ -3642,7 +3648,7 @@ MagickExport Image *WaveletDenoiseImage(const Image *image, + have high values in the noisy parts of the signal. + */ + high_pass=0; +- for (level=0; level < 5; level++) ++ for (level=0; level < (ssize_t) number_levels; level++) + { + double + magnitude; diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30937.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30937.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30937.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-30937.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,29 @@ +From: Cristy +Date: Sat, 28 Feb 2026 10:22:39 -0500 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qpg4-j99f-8xcg + +a 32-bit unsigned integer overflow in the XWD (X Windows) encoder can cause an undersized heap buffer allocation. + +(cherry picked from commit 134f1c17d5dafc565182f9b00304fc08cfa3184e) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qpg4-j99f-8xcg +origin: https://github.com/ImageMagick/ImageMagick/commit/134f1c17d5dafc565182f9b00304fc08cfa3184e +--- + coders/xwd.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/coders/xwd.c b/coders/xwd.c +index adac47f..a30316b 100644 +--- a/coders/xwd.c ++++ b/coders/xwd.c +@@ -804,8 +804,7 @@ static MagickBooleanType WriteXWDImage(const ImageInfo *image_info,Image *image, + status=OpenBlob(image_info,image,WriteBinaryBlobMode,exception); + if (status == MagickFalse) + return(status); +- if ((image->columns != (CARD32) image->columns) || +- (image->rows != (CARD32) image->rows)) ++ if ((image->columns > 65535UL) || (image->rows > 65535UL)) + ThrowWriterException(ImageError,"WidthOrHeightExceedsLimit"); + if ((image->storage_class == PseudoClass) && (image->colors > 256)) + (void) SetImageType(image,TrueColorType,exception); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-31853.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-31853.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-31853.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-31853.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,33 @@ +From: Dirk Lemstra +Date: Mon, 2 Mar 2026 20:32:25 +0100 +Subject: Corrected the overflow check that can cause issues on 32-bit systems + (GHSA-56jp-jfqg-f8f4) + +(cherry picked from commit 7936d9c7bec4bd459a8d4b5304a1a6fbf7dac0ea) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-56jp-jfqg-f8f4 +origin: https://github.com/ImageMagick/ImageMagick/commit/7936d9c7bec4bd459a8d4b5304a1a6fbf7dac0ea +--- + coders/sfw.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/coders/sfw.c b/coders/sfw.c +index 8117399..6efc0c8 100644 +--- a/coders/sfw.c ++++ b/coders/sfw.c +@@ -250,12 +250,12 @@ static Image *ReadSFWImage(const ImageInfo *image_info,ExceptionInfo *exception) + /* + Read image into a buffer. + */ +- if (GetBlobSize(image) != (size_t) GetBlobSize(image)) ++ extent=(size_t) GetBlobSize(image)+MagickPathExtent; ++ if (GetBlobSize(image) != extent) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + if (GetBlobSize(image) < 141) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); +- buffer=(unsigned char *) AcquireQuantumMemory((size_t) GetBlobSize(image)+ +- MagickPathExtent,sizeof(*buffer)); ++ buffer=(unsigned char *) AcquireQuantumMemory(extent,sizeof(*buffer)); + if (buffer == (unsigned char *) NULL) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + count=ReadBlob(image,(size_t) GetBlobSize(image),buffer); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-32259.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-32259.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-32259.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-32259.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,26 @@ +From: Dirk Lemstra +Date: Sat, 7 Mar 2026 10:14:57 +0100 +Subject: Added extra check to prevent out of bounds write when color + reduction fails (GHSA-49hx-7656-jpg3) + +(cherry picked from commit df934b4721173f8dda33c6d007f9811669640e86) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-49hx-7656-jpg3 +origin: https://github.com/ImageMagick/ImageMagick/commit/df934b4721173f8dda33c6d007f9811669640e86 +--- + coders/sixel.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/coders/sixel.c b/coders/sixel.c +index 37aaaf3..00322bc 100644 +--- a/coders/sixel.c ++++ b/coders/sixel.c +@@ -1386,6 +1386,8 @@ static MagickBooleanType WriteSIXELImage(const ImageInfo *image_info, + image->colormap[opacity].blue=image->transparent_color.blue; + } + } ++ if (image->colors > SIXEL_PALETTE_MAX) ++ return(MagickFalse); + /* + SIXEL header. + */ diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/msl-fix-post1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/msl-fix-post1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/msl-fix-post1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/msl-fix-post1.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,25 @@ +From: =?utf-8?q?Bastien_Roucari=C3=A8s?= +Date: Mon, 16 Mar 2026 20:26:38 +0100 +Subject: Add private method MagickSafeReciprocal + +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/7e5d87fe6e92b6cc3e96d5175974626317512dd9 +--- + coders/svg.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/coders/svg.c b/coders/svg.c +index c506461..d4b17d1 100644 +--- a/coders/svg.c ++++ b/coders/svg.c +@@ -105,6 +105,11 @@ + Define declarations. + */ + #define DefaultSVGDensity 96.0 ++ ++static inline float MagickSafeReciprocal(const float x) { ++ return PerceptibleReciprocal(x); ++} ++ + + /* + Typedef declarations. diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/msl-fix_pre1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/msl-fix_pre1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/msl-fix_pre1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/msl-fix_pre1.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,46 @@ +From: Cristy +Date: Sat, 14 Feb 2026 22:00:21 -0500 +Subject: =?utf-8?q?standards=E2=80=91compliant_thread_id_string?= + +(cherry picked from commit efd91b90c2d974ea098412f08ddc3aa93eeb2d05) + +origin: https://github.com/ImageMagick/ImageMagick/commit/efd91b90c2d974ea098412f08ddc3aa93eeb2d05 +--- + MagickCore/thread-private.h | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/MagickCore/thread-private.h b/MagickCore/thread-private.h +index 23ba9b6..30269e1 100644 +--- a/MagickCore/thread-private.h ++++ b/MagickCore/thread-private.h +@@ -81,6 +81,30 @@ static inline MagickThreadType GetMagickThreadId(void) + #endif + } + ++static inline void DecorateFilenameWithThreadId(const char *filename, ++ char *thread_filename) ++{ ++ MagickThreadType ++ id; ++ ++ char ++ thread_id[2*sizeof(id)+1]; ++ ++ ssize_t ++ i; ++ ++ unsigned char ++ bytes[sizeof(id)]; ++ ++ id=GetMagickThreadId(); ++ (void) memcpy(bytes,&id,sizeof(id)); ++ for (i=0; i < (ssize_t) sizeof(bytes); i++) ++ (void) sprintf(thread_id+2*i,"%02x",bytes[i]); ++ thread_id[sizeof(thread_id)-1]='\0'; ++ (void) FormatLocaleString(thread_filename,MagickPathExtent,"%s|%s",thread_id, ++ filename); ++} ++ + static inline size_t GetMagickThreadSignature(void) + { + #if defined(MAGICKCORE_THREAD_SUPPORT) diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/msl-fix_pre2.patch imagemagick-7.1.1.43+dfsg1/debian/patches/msl-fix_pre2.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/msl-fix_pre2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/msl-fix_pre2.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,24 @@ +From: Cristy +Date: Sat, 14 Feb 2026 22:22:30 -0500 +Subject: eliminate compiler warning + +(cherry picked from commit 7b0899bb0a0105bedfaf8b865474a713e8f0f1d6) + +origin: https://github.com/ImageMagick/ImageMagick/commit/7b0899bb0a0105bedfaf8b865474a713e8f0f1d6 +--- + MagickCore/thread-private.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/MagickCore/thread-private.h b/MagickCore/thread-private.h +index 30269e1..21dc51d 100644 +--- a/MagickCore/thread-private.h ++++ b/MagickCore/thread-private.h +@@ -99,7 +99,7 @@ static inline void DecorateFilenameWithThreadId(const char *filename, + id=GetMagickThreadId(); + (void) memcpy(bytes,&id,sizeof(id)); + for (i=0; i < (ssize_t) sizeof(bytes); i++) +- (void) sprintf(thread_id+2*i,"%02x",bytes[i]); ++ (void) FormatLocaleString(thread_id+2*i,MagickPathExtent,"%02x",bytes[i]); + thread_id[sizeof(thread_id)-1]='\0'; + (void) FormatLocaleString(thread_filename,MagickPathExtent,"%s|%s",thread_id, + filename); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/msl-fix_pre3.patch imagemagick-7.1.1.43+dfsg1/debian/patches/msl-fix_pre3.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/msl-fix_pre3.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/msl-fix_pre3.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,27 @@ +From: Cristy +Date: Sun, 15 Feb 2026 14:39:05 -0500 +Subject: private method name change + +(cherry picked from commit 8f3c54fb804112cf5336e927917574f223ae89fa) + +[backport] +- no svg and msl change (see next patch) + +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/8f3c54fb804112cf5336e927917574f223ae89fa +--- + MagickCore/thread-private.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/MagickCore/thread-private.h b/MagickCore/thread-private.h +index 21dc51d..cb1dcaa 100644 +--- a/MagickCore/thread-private.h ++++ b/MagickCore/thread-private.h +@@ -81,7 +81,7 @@ static inline MagickThreadType GetMagickThreadId(void) + #endif + } + +-static inline void DecorateFilenameWithThreadId(const char *filename, ++static inline void GetMagickThreadFilename(const char *filename, + char *thread_filename) + { + MagickThreadType diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/msl-fix_pre4.patch imagemagick-7.1.1.43+dfsg1/debian/patches/msl-fix_pre4.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/msl-fix_pre4.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/msl-fix_pre4.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,41 @@ +From: =?utf-8?q?Bastien_Roucari=C3=A8s?= +Date: Mon, 16 Mar 2026 20:22:59 +0100 +Subject: Add MagickSscanf + +origin: https://sources.debian.org/src/imagemagick/8%3A7.1.2.16%2Bdfsg1-1/MagickCore/string-private.h#L28 +--- + MagickCore/string-private.h | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/MagickCore/string-private.h b/MagickCore/string-private.h +index 76b1b43..258aae7 100644 +--- a/MagickCore/string-private.h ++++ b/MagickCore/string-private.h +@@ -25,6 +25,27 @@ + extern "C" { + #endif + ++/* Custom implementation so we can use sscanf without defining _CRT_SECURE_NO_WARNINGS */ ++static inline int MagickSscanf(const char* buffer,const char* format, ...) ++{ ++ int ++ ret; ++ ++ va_list ++ args; ++ va_start(args,format); ++#if _MSC_VER ++ #pragma warning(push) ++ #pragma warning(disable:4996) ++#endif ++ ret=vsscanf(buffer,format,args); ++#if _MSC_VER ++ #pragma warning(pop) ++#endif ++ va_end(args); ++ return(ret); ++} ++ + static inline double SiPrefixToDoubleInterval(const char *string, + const double interval) + { diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/msl-svg-coder-port-to-7.1.2-16.patch imagemagick-7.1.1.43+dfsg1/debian/patches/msl-svg-coder-port-to-7.1.2-16.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/msl-svg-coder-port-to-7.1.2-16.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/msl-svg-coder-port-to-7.1.2-16.patch 2026-03-15 23:43:38.000000000 +0000 @@ -0,0 +1,1030 @@ +From: =?utf-8?q?Bastien_Roucari=C3=A8s?= +Date: Mon, 16 Mar 2026 18:19:51 +0100 +Subject: Port to msl/svg coder to 7.1.2-16 + +This fix CVE-2026-28688 and other msl CVEs + +origin: https://sources.debian.org/src/imagemagick/8%3A7.1.2.16%2Bdfsg1-1/coders/msl.c +origin: https://sources.debian.org/src/imagemagick/8%3A7.1.2.16%2Bdfsg1-1/coders/svg.c +--- + coders/msl.c | 187 +++++++++++++++++++++--------------------------- + coders/svg.c | 228 ++++++++++++++++++++++++++++++++--------------------------- + 2 files changed, 207 insertions(+), 208 deletions(-) + +diff --git a/coders/msl.c b/coders/msl.c +index 882ba38..6d5f29c 100644 +--- a/coders/msl.c ++++ b/coders/msl.c +@@ -25,7 +25,7 @@ + % You may not use this file except in compliance with the License. You may % + % obtain a copy of the License at % + % % +-% https://imagemagick.org/script/license.php % ++% https://imagemagick.org/license/ % + % % + % Unless required by applicable law or agreed to in writing, software % + % distributed under the License is distributed on an "AS IS" BASIS, % +@@ -89,10 +89,12 @@ + #include "MagickCore/static.h" + #include "MagickCore/string_.h" + #include "MagickCore/string-private.h" ++#include "MagickCore/thread-private.h" + #include "MagickCore/transform.h" + #include "MagickCore/threshold.h" + #include "MagickCore/utility.h" + #include "MagickCore/visual-effects.h" ++#include "coders/coders-private.h" + #if defined(MAGICKCORE_XML_DELEGATE) + # include + # include +@@ -152,9 +154,6 @@ static SplayTreeInfo + Forward declarations. + */ + #if defined(MAGICKCORE_XML_DELEGATE) +-static MagickBooleanType +- WriteMSLImage(const ImageInfo *,Image *,ExceptionInfo *); +- + static MagickBooleanType + SetMSLAttributes(MSLInfo *,const char *,const char *); + #endif +@@ -357,7 +356,6 @@ static void MSLStartElement(void *context,const xmlChar *tag, + */ + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " SAX.startElement(%s",tag); +- exception=AcquireExceptionInfo(); + parser=(xmlParserCtxtPtr) context; + msl_info=(MSLInfo *) parser->_private; + if (msl_info->depth++ >= MagickMaxRecursionDepth) +@@ -367,6 +365,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + xmlStopParser((xmlParserCtxtPtr) context); + return; + } ++ exception=AcquireExceptionInfo(); + n=msl_info->n; + keyword=(const char *) NULL; + value=(char *) NULL; +@@ -389,7 +388,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Add noise image. + */ +- if ((n < 1) || ((n < 1) || (msl_info->image[n] == (Image *) NULL))) ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) + { + ThrowMSLException(OptionError,"NoImagesDefined", + (const char *) tag); +@@ -680,7 +679,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + } + if (LocaleCompare(keyword,"strokewidth") == 0) + { +- draw_info->stroke_width=(size_t) StringToLong(value); ++ draw_info->stroke_width=(double) StringToLong(value); + break; + } + if (LocaleCompare(keyword,"style") == 0) +@@ -1635,12 +1634,12 @@ static void MSLStartElement(void *context,const xmlChar *tag, + for (j=0; j < msl_info->n; j++) + { + const char +- *prop; ++ *property; + +- prop=GetImageProperty(msl_info->attributes[j],"id", ++ property=GetImageProperty(msl_info->attributes[j],"id", + exception); +- if ((prop != (const char *) NULL) && +- (LocaleCompare(value,value) == 0)) ++ if ((property != (const char *) NULL) && ++ (LocaleCompare(property,value) == 0)) + { + SetImageType(composite_image,TrueColorAlphaType, + exception); +@@ -1692,7 +1691,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + { + if (GetPixelAlpha(composite_image,q) == OpaqueAlpha) + SetPixelAlpha(composite_image, +- ClampToQuantum(opacity),q); ++ ClampToQuantum((MagickRealType) opacity),q); + q+=(ptrdiff_t) GetPixelChannels(composite_image); + } + if (SyncCacheViewAuthenticPixels(composite_view,exception) == MagickFalse) +@@ -2328,7 +2327,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + } + if (LocaleCompare(keyword,"strokewidth") == 0) + { +- draw_info->stroke_width=(size_t) StringToLong(value); ++ draw_info->stroke_width=(double) StringToLong(value); + break; + } + if (LocaleCompare(keyword,"style") == 0) +@@ -3064,11 +3063,11 @@ static void MSLStartElement(void *context,const xmlChar *tag, + sizeof(*msl_info->group_info)); + if (msl_info->group_info == (MSLGroupInfo *) NULL) + { +- ThrowMSLException(ResourceLimitFatalError,"UnableToInterpretMSLImage", +- keyword); ++ ThrowMSLException(ResourceLimitFatalError, ++ "UnableToInterpretMSLImage",tag); + break; + } +- msl_info->group_info[msl_info->number_groups].numImages=0; ++ msl_info->group_info[msl_info->number_groups-1].numImages=0; + break; + } + ThrowMSLException(OptionError,"UnrecognizedElement",(const char *) tag); +@@ -4314,6 +4313,12 @@ static void MSLStartElement(void *context,const xmlChar *tag, + /* + Query font metrics. + */ ++ if ((n < 1) || (msl_info->image[n] == (Image *) NULL)) ++ { ++ ThrowMSLException(OptionError,"NoImagesDefined", ++ (const char *) tag); ++ break; ++ } + draw_info=CloneDrawInfo(msl_info->image_info[n], + msl_info->draw_info[n]); + angle=0.0; +@@ -4524,7 +4529,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + } + if (LocaleCompare(keyword,"strokewidth") == 0) + { +- draw_info->stroke_width=(size_t) StringToLong(value); ++ draw_info->stroke_width=(double) StringToLong(value); + break; + } + if (LocaleCompare(keyword,"style") == 0) +@@ -4787,25 +4792,28 @@ static void MSLStartElement(void *context,const xmlChar *tag, + { + if (LocaleCompare(keyword,"filename") == 0) + { ++ char ++ thread_filename[MagickPathExtent]; ++ + Image + *next = (Image *) NULL; + + if (value == (char *) NULL) + break; +- if (GetValueFromSplayTree(msl_tree,value) != (const char *) NULL) ++ GetMagickThreadFilename(value,thread_filename); ++ if (GetValueFromSplayTree(msl_tree,thread_filename) != (const char *) NULL) + { + (void) ThrowMagickException(msl_info->exception, + GetMagickModule(),DrawError, + "VectorGraphicsNestedTooDeeply","`%s'",value); + break; + } +- (void) AddValueToSplayTree(msl_tree,ConstantString(value), +- (void *) 1); ++ (void) AddValueToSplayTree(msl_tree,ConstantString( ++ thread_filename),(void *) 1); + *msl_info->image_info[n]->magick='\0'; + (void) CopyMagickString(msl_info->image_info[n]->filename, + value,MagickPathExtent); + next=ReadImage(msl_info->image_info[n],exception); +- (void) DeleteNodeFromSplayTree(msl_tree,value); + CatchException(exception); + if (next == (Image *) NULL) + continue; +@@ -5861,7 +5869,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, + tmp=DestroyString(tmp); + opac = (Quantum)(QuantumRange * ((float)opac/100)); + } else +- opac = StringToLong( value ); ++ opac = (Quantum) StringToLong( value ); + (void) SetImageAlpha( msl_info->image[n], (Quantum) opac, + exception); + break; +@@ -7174,7 +7182,18 @@ static void MSLEndElement(void *context,const xmlChar *tag) + case 'i': + { + if (LocaleCompare((const char *) tag, "image") == 0) +- MSLPopImage(msl_info); ++ { ++ if (msl_info->image_info[msl_info->n] != (ImageInfo *) NULL) ++ { ++ char ++ thread_filename[MagickPathExtent]; ++ ++ GetMagickThreadFilename( ++ msl_info->image_info[msl_info->n]->filename,thread_filename); ++ (void) DeleteNodeFromSplayTree(msl_tree,thread_filename); ++ } ++ MSLPopImage(msl_info); ++ } + break; + } + case 'L': +@@ -7341,12 +7360,35 @@ static void MSLError(void *context,const char *format,...) + } + #endif + ++static void DestroyMSLInfo(MSLInfo *msl_info) ++{ ++ while (msl_info->n >= 0) ++ { ++ if (msl_info->image[msl_info->n] != (Image *) NULL) ++ msl_info->image[msl_info->n]=DestroyImage(msl_info->image[msl_info->n]); ++ msl_info->attributes[msl_info->n]=DestroyImage(msl_info->attributes[msl_info->n]); ++ msl_info->draw_info[msl_info->n]=DestroyDrawInfo(msl_info->draw_info[msl_info->n]); ++ msl_info->image_info[msl_info->n]=DestroyImageInfo(msl_info->image_info[msl_info->n]); ++ msl_info->n--; ++ } ++ msl_info->draw_info=(DrawInfo **) RelinquishMagickMemory(msl_info->draw_info); ++ msl_info->image=(Image **) RelinquishMagickMemory(msl_info->image); ++ msl_info->attributes=(Image **) RelinquishMagickMemory(msl_info->attributes); ++ msl_info->image_info=(ImageInfo **) RelinquishMagickMemory(msl_info->image_info); ++ msl_info->group_info=(MSLGroupInfo *) RelinquishMagickMemory(msl_info->group_info); ++ if (msl_info->content != (char *) NULL) ++ msl_info->content=DestroyString(msl_info->content); ++} ++ + static MagickBooleanType ProcessMSLScript(const ImageInfo *image_info, + Image **image,ExceptionInfo *exception) + { + char + message[MagickPathExtent]; + ++ const char ++ *option; ++ + Image + *msl_image; + +@@ -7437,17 +7479,18 @@ static MagickBooleanType ProcessMSLScript(const ImageInfo *image_info, + sax_handler=(&sax_modules); + parser=xmlCreatePushParserCtxt(sax_handler,(void *) NULL,(char *) NULL, + 0,msl_image->filename); +- if (parser != (xmlParserCtxtPtr) NULL) ++ if (parser == (xmlParserCtxtPtr) NULL) + { +- const char *option; +- parser->_private=(MSLInfo *) &msl_info; +- option = GetImageOption(image_info,"msl:parse-huge"); +- if ((option != (char *) NULL) && (IsStringTrue(option) != MagickFalse)) +- (void) xmlCtxtUseOptions(parser,XML_PARSE_HUGE); +- option=GetImageOption(image_info,"msl:substitute-entities"); +- if ((option != (char *) NULL) && (IsStringTrue(option) != MagickFalse)) +- (void) xmlCtxtUseOptions(parser,XML_PARSE_NOENT); ++ DestroyMSLInfo(&msl_info); ++ ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",""); + } ++ parser->_private=(MSLInfo *) &msl_info; ++ option=GetImageOption(image_info,"msl:parse-huge"); ++ if ((option != (char *) NULL) && (IsStringTrue(option) != MagickFalse)) ++ (void) xmlCtxtUseOptions(parser,XML_PARSE_HUGE); ++ option=GetImageOption(image_info,"msl:substitute-entities"); ++ if ((option != (char *) NULL) && (IsStringTrue(option) != MagickFalse)) ++ (void) xmlCtxtUseOptions(parser,XML_PARSE_NOENT); + while (ReadBlobString(msl_image,message) != (char *) NULL) + { + n=(ssize_t) strlen(message); +@@ -7474,27 +7517,7 @@ static MagickBooleanType ProcessMSLScript(const ImageInfo *image_info, + (void) LogMagickEvent(CoderEvent,GetMagickModule(),"end SAX"); + if (*image == (Image *) NULL) + *image=CloneImage(*msl_info.image,0,0,MagickTrue,exception); +- while (msl_info.n >= 0) +- { +- if (msl_info.image[msl_info.n] != (Image *) NULL) +- msl_info.image[msl_info.n]=DestroyImage(msl_info.image[msl_info.n]); +- msl_info.attributes[msl_info.n]=DestroyImage( +- msl_info.attributes[msl_info.n]); +- msl_info.draw_info[msl_info.n]=DestroyDrawInfo( +- msl_info.draw_info[msl_info.n]); +- msl_info.image_info[msl_info.n]=DestroyImageInfo( +- msl_info.image_info[msl_info.n]); +- msl_info.n--; +- } +- msl_info.draw_info=(DrawInfo **) RelinquishMagickMemory(msl_info.draw_info); +- msl_info.image=(Image **) RelinquishMagickMemory(msl_info.image); +- msl_info.attributes=(Image **) RelinquishMagickMemory(msl_info.attributes); +- msl_info.image_info=(ImageInfo **) RelinquishMagickMemory( +- msl_info.image_info); +- msl_info.group_info=(MSLGroupInfo *) RelinquishMagickMemory( +- msl_info.group_info); +- if (msl_info.content != (char *) NULL) +- msl_info.content=DestroyString(msl_info.content); ++ DestroyMSLInfo(&msl_info); + if (msl_info.exception->severity != UndefinedException) + return(MagickFalse); + return(MagickTrue); +@@ -7505,6 +7528,9 @@ static Image *ReadMSLImage(const ImageInfo *image_info,ExceptionInfo *exception) + Image + *image; + ++ MagickBooleanType ++ status; ++ + /* + Open image file. + */ +@@ -7516,7 +7542,9 @@ static Image *ReadMSLImage(const ImageInfo *image_info,ExceptionInfo *exception) + (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s", + image_info->filename); + image=(Image *) NULL; +- (void) ProcessMSLScript(image_info,&image,exception); ++ status=ProcessMSLScript(image_info,&image,exception); ++ if ((status == MagickFalse) && (image != (Image *) NULL)) ++ image=DestroyImage(image); + return(GetFirstImageInList(image)); + } + #endif +@@ -7555,7 +7583,6 @@ ModuleExport size_t RegisterMSLImage(void) + entry=AcquireMagickInfo("MSL","MSL","Magick Scripting Language"); + #if defined(MAGICKCORE_XML_DELEGATE) + entry->decoder=(DecodeImageHandler *) ReadMSLImage; +- entry->encoder=(EncodeImageHandler *) WriteMSLImage; + #endif + entry->format_type=ImplicitFormatType; + (void) RegisterMagickInfo(entry); +@@ -7875,53 +7902,3 @@ ModuleExport void UnregisterMSLImage(void) + if (msl_tree != (SplayTreeInfo *) NULL) + msl_tree=DestroySplayTree(msl_tree); + } +- +-#if defined(MAGICKCORE_XML_DELEGATE) +-/* +-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +-% % +-% % +-% % +-% W r i t e M S L I m a g e % +-% % +-% % +-% % +-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +-% +-% WriteMSLImage() writes an image to a file in MVG image format. +-% +-% The format of the WriteMSLImage method is: +-% +-% MagickBooleanType WriteMSLImage(const ImageInfo *image_info, +-% Image *image,ExceptionInfo *exception) +-% +-% A description of each parameter follows. +-% +-% o image_info: the image info. +-% +-% o image: The image. +-% +-% o exception: return any errors or warnings in this structure. +-% +-*/ +-static MagickBooleanType WriteMSLImage(const ImageInfo *image_info,Image *image, +- ExceptionInfo *exception) +-{ +- Image +- *msl_image; +- +- MagickBooleanType +- status; +- +- assert(image_info != (const ImageInfo *) NULL); +- assert(image_info->signature == MagickCoreSignature); +- assert(image != (Image *) NULL); +- assert(image->signature == MagickCoreSignature); +- if (IsEventLogging() != MagickFalse) +- (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename); +- msl_image=CloneImage(image,0,0,MagickTrue,exception); +- status=ProcessMSLScript(image_info,&msl_image,exception); +- msl_image=DestroyImageList(msl_image); +- return(status); +-} +-#endif +diff --git a/coders/svg.c b/coders/svg.c +index aa6a170..c506461 100644 +--- a/coders/svg.c ++++ b/coders/svg.c +@@ -24,7 +24,7 @@ + % You may not use this file except in compliance with the License. You may % + % obtain a copy of the License at % + % % +-% https://imagemagick.org/script/license.php % ++% https://imagemagick.org/license/ % + % % + % Unless required by applicable law or agreed to in writing, software % + % distributed under the License is distributed on an "AS IS" BASIS, % +@@ -65,6 +65,7 @@ + #include "MagickCore/module.h" + #include "MagickCore/monitor.h" + #include "MagickCore/monitor-private.h" ++#include "MagickCore/nt-base-private.h" + #include "MagickCore/option.h" + #include "MagickCore/pixel-accessor.h" + #include "MagickCore/policy.h" +@@ -74,12 +75,11 @@ + #include "MagickCore/static.h" + #include "MagickCore/string_.h" + #include "MagickCore/string-private.h" ++#include "MagickCore/thread-private.h" + #include "MagickCore/token.h" + #include "MagickCore/utility.h" + #include "coders/coders-private.h" + +-#include "MagickCore/splay-tree.h" +- + #if defined(MAGICKCORE_XML_DELEGATE) + # include + # include +@@ -186,9 +186,14 @@ typedef struct _SVGInfo + svgDepth; + } SVGInfo; + +-/* ++/* + Global declarations. + */ ++#if defined(MAGICKCORE_RSVG_DELEGATE) ++static SemaphoreInfo ++ *rsvg_semaphore = (SemaphoreInfo *) NULL; ++#endif ++ + static SplayTreeInfo + *svg_tree = (SplayTreeInfo *) NULL; + +@@ -499,10 +504,10 @@ static Image *RenderRSVGImage(const ImageInfo *image_info,Image *image, + } + if (apply_density != MagickFalse) + { +- image->columns=image->resolution.x*dimension_info.width/ +- DefaultSVGDensity; +- image->rows=image->resolution.y*dimension_info.height/ +- DefaultSVGDensity; ++ image->columns=(size_t) (image->resolution.x*dimension_info.width/ ++ DefaultSVGDensity); ++ image->rows=(size_t) (image->resolution.y*dimension_info.height/ ++ DefaultSVGDensity); + } + else + { +@@ -602,7 +607,7 @@ static Image *RenderRSVGImage(const ImageInfo *image_info,Image *image, + gamma; + + gamma=QuantumScale*fill_color.alpha; +- gamma=PerceptibleReciprocal(gamma); ++ gamma=MagickSafeReciprocal(gamma); + fill_color.blue*=gamma; + fill_color.green*=gamma; + fill_color.red*=gamma; +@@ -803,7 +808,7 @@ static void SVGStripString(const MagickBooleanType trim,char *message) + Convert newlines to a space. + */ + for (p=message; *p != '\0'; p++) +- if (*p == '\n') ++ if ((*p == '\n') || (*p == '\r')) + *p=' '; + } + +@@ -880,6 +885,19 @@ static char **SVGKeyValuePairs(SVGInfo *svg_info,const int key_sentinel, + return(tokens); + } + ++static inline char *SVGEscapeString(const char* value) ++{ ++ char ++ *escaped_value, ++ *p; ++ ++ escaped_value=EscapeString(value,'\"'); ++ for (p=escaped_value; *p != '\0'; p++) ++ if ((*p == '\n') || (*p == '\r')) ++ *p=' '; ++ return(escaped_value); ++} ++ + static void SVGProcessStyleElement(SVGInfo *svg_info,const xmlChar *name, + const char *style) + { +@@ -888,8 +906,7 @@ static void SVGProcessStyleElement(SVGInfo *svg_info,const xmlChar *name, + *color, + *keyword, + **tokens, +- *units, +- *value; ++ *units; + + size_t + number_tokens; +@@ -901,22 +918,25 @@ static void SVGProcessStyleElement(SVGInfo *svg_info,const xmlChar *name, + tokens=SVGKeyValuePairs(svg_info,':',';',style,&number_tokens); + if (tokens == (char **) NULL) + return; +- for (i=0; i < (ssize_t) (number_tokens-1); i+=2) ++ for (i=0; i < ((ssize_t) number_tokens-1); i+=2) + { + keyword=(char *) tokens[i]; +- value=(char *) tokens[i+1]; + if (LocaleCompare(keyword,"font-size") != 0) + continue; +- svg_info->pointsize=GetUserSpaceCoordinateValue(svg_info,0,value); ++ svg_info->pointsize=GetUserSpaceCoordinateValue(svg_info,0, ++ (char *) tokens[i+1]); + (void) FormatLocaleFile(svg_info->file,"font-size %g\n", + svg_info->pointsize); + } + color=AcquireString("none"); + units=AcquireString("userSpaceOnUse"); +- for (i=0; i < (ssize_t) (number_tokens-1); i+=2) ++ for (i=0; i < ((ssize_t) number_tokens-1); i+=2) + { ++ char ++ *value; ++ + keyword=(char *) tokens[i]; +- value=(char *) tokens[i+1]; ++ value=SVGEscapeString((const char *) tokens[i+1]); + (void) LogMagickEvent(CoderEvent,GetMagickModule()," %s: %s",keyword, + value); + switch (*keyword) +@@ -1000,14 +1020,14 @@ static void SVGProcessStyleElement(SVGInfo *svg_info,const xmlChar *name, + font_size[MagickPathExtent], + font_style[MagickPathExtent]; + +- if (sscanf(value,"%2048s %2048s %2048s",font_style,font_size, ++ if (MagickSscanf(value,"%2048s %2048s %2048s",font_style,font_size, + font_family) != 3) + break; + if (GetUserSpaceCoordinateValue(svg_info,0,font_style) == 0) + (void) FormatLocaleFile(svg_info->file,"font-style \"%s\"\n", + style); + else +- if (sscanf(value,"%2048s %2048s",font_size,font_family) != 2) ++ if (MagickSscanf(value,"%2048s %2048s",font_size,font_family) != 2) + break; + (void) FormatLocaleFile(svg_info->file,"font-size \"%s\"\n", + font_size); +@@ -1201,6 +1221,7 @@ static void SVGProcessStyleElement(SVGInfo *svg_info,const xmlChar *name, + default: + break; + } ++ value=DestroyString(value); + } + if (units != (char *) NULL) + units=DestroyString(units); +@@ -1234,8 +1255,7 @@ static void SVGStartElement(void *context,const xmlChar *name, + + const char + *keyword, +- *p, +- *value; ++ *p; + + size_t + number_tokens; +@@ -1279,7 +1299,6 @@ static void SVGStartElement(void *context,const xmlChar *name, + *id='\0'; + *token='\0'; + *background='\0'; +- value=(const char *) NULL; + if ((LocaleCompare((char *) name,"image") == 0) || + (LocaleCompare((char *) name,"pattern") == 0) || + (LocaleCompare((char *) name,"rect") == 0) || +@@ -1292,8 +1311,11 @@ static void SVGStartElement(void *context,const xmlChar *name, + if (attributes != (const xmlChar **) NULL) + for (i=0; (attributes[i] != (const xmlChar *) NULL); i+=2) + { ++ char ++ *value; ++ + keyword=(const char *) attributes[i]; +- value=(const char *) attributes[i+1]; ++ value=SVGEscapeString((const char *) attributes[i+1]); + switch (*keyword) + { + case 'C': +@@ -1420,6 +1442,7 @@ static void SVGStartElement(void *context,const xmlChar *name, + default: + break; + } ++ value=DestroyString(value); + } + if (strchr((char *) name,':') != (char *) NULL) + { +@@ -1644,8 +1667,11 @@ static void SVGStartElement(void *context,const xmlChar *name, + if (attributes != (const xmlChar **) NULL) + for (i=0; (attributes[i] != (const xmlChar *) NULL); i+=2) + { ++ char ++ *value; ++ + keyword=(const char *) attributes[i]; +- value=(const char *) attributes[i+1]; ++ value=SVGEscapeString((const char *) attributes[i+1]); + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " %s = %s",keyword,value); + switch (*keyword) +@@ -1842,14 +1868,17 @@ static void SVGStartElement(void *context,const xmlChar *name, + tokens=SVGKeyValuePairs(svg_info,'(',')',value,&number_tokens); + if (tokens == (char **) NULL) + break; +- for (j=0; j < (ssize_t) (number_tokens-1); j+=2) ++ for (j=0; j < ((ssize_t) number_tokens-1); j+=2) + { ++ char ++ *token_value; ++ + keyword=(char *) tokens[j]; + if (keyword == (char *) NULL) + continue; +- value=(char *) tokens[j+1]; ++ token_value=(char *) tokens[j+1]; + (void) LogMagickEvent(CoderEvent,GetMagickModule(), +- " %s: %s",keyword,value); ++ " %s: %s",keyword,token_value); + current=transform; + GetAffineMatrix(&affine); + switch (*keyword) +@@ -1859,9 +1888,9 @@ static void SVGStartElement(void *context,const xmlChar *name, + { + if (LocaleCompare(keyword,"matrix") == 0) + { +- p=value; ++ p=token_value; + (void) GetNextToken(p,&p,MagickPathExtent,token); +- affine.sx=StringToDouble(value,(char **) NULL); ++ affine.sx=StringToDouble(token_value,(char **) NULL); + (void) GetNextToken(p,&p,MagickPathExtent,token); + if (*token == ',') + (void) GetNextToken(p,&p,MagickPathExtent,token); +@@ -1894,7 +1923,7 @@ static void SVGStartElement(void *context,const xmlChar *name, + double + angle; + +- angle=GetUserSpaceCoordinateValue(svg_info,0,value); ++ angle=GetUserSpaceCoordinateValue(svg_info,0,token_value); + affine.sx=cos(DegreesToRadians(fmod(angle,360.0))); + affine.rx=sin(DegreesToRadians(fmod(angle,360.0))); + affine.ry=(-sin(DegreesToRadians(fmod(angle,360.0)))); +@@ -1908,11 +1937,11 @@ static void SVGStartElement(void *context,const xmlChar *name, + { + if (LocaleCompare(keyword,"scale") == 0) + { +- for (p=value; *p != '\0'; p++) ++ for (p=token_value; *p != '\0'; p++) + if ((isspace((int) ((unsigned char) *p)) != 0) || + (*p == ',')) + break; +- affine.sx=GetUserSpaceCoordinateValue(svg_info,1,value); ++ affine.sx=GetUserSpaceCoordinateValue(svg_info,1,token_value); + affine.sy=affine.sx; + if (*p != '\0') + affine.sy= +@@ -1924,7 +1953,7 @@ static void SVGStartElement(void *context,const xmlChar *name, + { + affine.sx=svg_info->affine.sx; + affine.ry=tan(DegreesToRadians(fmod( +- GetUserSpaceCoordinateValue(svg_info,1,value), ++ GetUserSpaceCoordinateValue(svg_info,1,token_value), + 360.0))); + affine.sy=svg_info->affine.sy; + break; +@@ -1933,7 +1962,7 @@ static void SVGStartElement(void *context,const xmlChar *name, + { + affine.sx=svg_info->affine.sx; + affine.rx=tan(DegreesToRadians(fmod( +- GetUserSpaceCoordinateValue(svg_info,-1,value), ++ GetUserSpaceCoordinateValue(svg_info,-1,token_value), + 360.0))); + affine.sy=svg_info->affine.sy; + break; +@@ -1945,11 +1974,11 @@ static void SVGStartElement(void *context,const xmlChar *name, + { + if (LocaleCompare(keyword,"translate") == 0) + { +- for (p=value; *p != '\0'; p++) ++ for (p=token_value; *p != '\0'; p++) + if ((isspace((int) ((unsigned char) *p)) != 0) || + (*p == ',')) + break; +- affine.tx=GetUserSpaceCoordinateValue(svg_info,1,value); ++ affine.tx=GetUserSpaceCoordinateValue(svg_info,1,token_value); + affine.ty=affine.tx; + if (*p != '\0') + affine.ty= +@@ -2242,12 +2271,15 @@ static void SVGStartElement(void *context,const xmlChar *name, + tokens=SVGKeyValuePairs(svg_info,'(',')',value,&number_tokens); + if (tokens == (char **) NULL) + break; +- for (j=0; j < (ssize_t) (number_tokens-1); j+=2) ++ for (j=0; j < ((ssize_t) number_tokens-1); j+=2) + { ++ char ++ *token_value; ++ + keyword=(char *) tokens[j]; +- value=(char *) tokens[j+1]; ++ token_value=(char *) tokens[j+1]; + (void) LogMagickEvent(CoderEvent,GetMagickModule(), +- " %s: %s",keyword,value); ++ " %s: %s",keyword,token_value); + current=transform; + GetAffineMatrix(&affine); + switch (*keyword) +@@ -2257,9 +2289,9 @@ static void SVGStartElement(void *context,const xmlChar *name, + { + if (LocaleCompare(keyword,"matrix") == 0) + { +- p=value; ++ p=token_value; + (void) GetNextToken(p,&p,MagickPathExtent,token); +- affine.sx=StringToDouble(value,(char **) NULL); ++ affine.sx=StringToDouble(token_value,(char **) NULL); + (void) GetNextToken(p,&p,MagickPathExtent,token); + if (*token == ',') + (void) GetNextToken(p,&p,MagickPathExtent,token); +@@ -2294,9 +2326,9 @@ static void SVGStartElement(void *context,const xmlChar *name, + x, + y; + +- p=value; ++ p=token_value; + (void) GetNextToken(p,&p,MagickPathExtent,token); +- angle=StringToDouble(value,(char **) NULL); ++ angle=StringToDouble(token_value,(char **) NULL); + affine.sx=cos(DegreesToRadians(fmod(angle,360.0))); + affine.rx=sin(DegreesToRadians(fmod(angle,360.0))); + affine.ry=(-sin(DegreesToRadians(fmod(angle,360.0)))); +@@ -2325,11 +2357,11 @@ static void SVGStartElement(void *context,const xmlChar *name, + { + if (LocaleCompare(keyword,"scale") == 0) + { +- for (p=value; *p != '\0'; p++) ++ for (p=token_value; *p != '\0'; p++) + if ((isspace((int) ((unsigned char) *p)) != 0) || + (*p == ',')) + break; +- affine.sx=GetUserSpaceCoordinateValue(svg_info,1,value); ++ affine.sx=GetUserSpaceCoordinateValue(svg_info,1,token_value); + affine.sy=affine.sx; + if (*p != '\0') + affine.sy=GetUserSpaceCoordinateValue(svg_info,-1, +@@ -2341,7 +2373,7 @@ static void SVGStartElement(void *context,const xmlChar *name, + { + affine.sx=svg_info->affine.sx; + affine.ry=tan(DegreesToRadians(fmod( +- GetUserSpaceCoordinateValue(svg_info,1,value), ++ GetUserSpaceCoordinateValue(svg_info,1,token_value), + 360.0))); + affine.sy=svg_info->affine.sy; + break; +@@ -2350,7 +2382,7 @@ static void SVGStartElement(void *context,const xmlChar *name, + { + affine.sx=svg_info->affine.sx; + affine.rx=tan(DegreesToRadians(fmod( +- GetUserSpaceCoordinateValue(svg_info,-1,value), ++ GetUserSpaceCoordinateValue(svg_info,-1,token_value), + 360.0))); + affine.sy=svg_info->affine.sy; + break; +@@ -2362,11 +2394,11 @@ static void SVGStartElement(void *context,const xmlChar *name, + { + if (LocaleCompare(keyword,"translate") == 0) + { +- for (p=value; *p != '\0'; p++) ++ for (p=token_value; *p != '\0'; p++) + if ((isspace((int) ((unsigned char) *p)) != 0) || + (*p == ',')) + break; +- affine.tx=GetUserSpaceCoordinateValue(svg_info,1,value); ++ affine.tx=GetUserSpaceCoordinateValue(svg_info,1,token_value); + affine.ty=0; + if (*p != '\0') + affine.ty=GetUserSpaceCoordinateValue(svg_info,-1, +@@ -2495,6 +2527,7 @@ static void SVGStartElement(void *context,const xmlChar *name, + default: + break; + } ++ value=DestroyString(value); + } + if (LocaleCompare((const char *) name,"svg") == 0) + { +@@ -2514,14 +2547,14 @@ static void SVGStartElement(void *context,const xmlChar *name, + svg_info->view_box=svg_info->bounds; + svg_info->width=0; + if (svg_info->bounds.width >= MagickEpsilon) +- svg_info->width=CastDoubleToUnsigned(svg_info->bounds.width+0.5); ++ svg_info->width=CastDoubleToSizeT(svg_info->bounds.width+0.5); + svg_info->height=0; + if (svg_info->bounds.height >= MagickEpsilon) +- svg_info->height=CastDoubleToUnsigned(svg_info->bounds.height+0.5); ++ svg_info->height=CastDoubleToSizeT(svg_info->bounds.height+0.5); + (void) FormatLocaleFile(svg_info->file,"viewbox 0 0 %.20g %.20g\n", + (double) svg_info->width,(double) svg_info->height); +- sx=PerceptibleReciprocal(svg_info->view_box.width)*svg_info->width; +- sy=PerceptibleReciprocal(svg_info->view_box.height)*svg_info->height; ++ sx=MagickSafeReciprocal(svg_info->view_box.width)*svg_info->width; ++ sy=MagickSafeReciprocal(svg_info->view_box.height)*svg_info->height; + tx=svg_info->view_box.x != 0.0 ? (double) -sx*svg_info->view_box.x : + 0.0; + ty=svg_info->view_box.y != 0.0 ? (double) -sy*svg_info->view_box.y : +@@ -2599,19 +2632,9 @@ static void SVGEndElement(void *context,const xmlChar *name) + } + if (LocaleCompare((const char *) name,"desc") == 0) + { +- char +- *p; +- + if (*svg_info->text == '\0') + break; +- (void) fputc('#',svg_info->file); +- for (p=svg_info->text; *p != '\0'; p++) +- { +- (void) fputc(*p,svg_info->file); +- if (*p == '\n') +- (void) fputc('#',svg_info->file); +- } +- (void) fputc('\n',svg_info->file); ++ (void) FormatLocaleFile(svg_info->file,"# %s\n",svg_info->text); + *svg_info->text='\0'; + break; + } +@@ -2660,6 +2683,9 @@ static void SVGEndElement(void *context,const xmlChar *name) + { + if (LocaleCompare((const char *) name,"image") == 0) + { ++ char ++ thread_filename[MagickPathExtent]; ++ + Image + *image; + +@@ -2668,23 +2694,27 @@ static void SVGEndElement(void *context,const xmlChar *name) + + if (svg_info->url == (char*) NULL) + { ++ image_info=DestroyImageInfo(image_info); + (void) FormatLocaleFile(svg_info->file,"pop graphic-context\n"); + break; + } +- if (GetValueFromSplayTree(svg_tree,svg_info->url) != (const char *) NULL) ++ GetMagickThreadFilename(svg_info->url,thread_filename); ++ if (GetValueFromSplayTree(svg_tree,thread_filename) != (const char *) NULL) + { ++ image_info=DestroyImageInfo(image_info); + (void) ThrowMagickException(svg_info->exception,GetMagickModule(), + DrawError,"VectorGraphicsNestedTooDeeply","`%s'",svg_info->url); + break; + } +- (void) AddValueToSplayTree(svg_tree,ConstantString(svg_info->url), ++ (void) AddValueToSplayTree(svg_tree,ConstantString(thread_filename), + (void *) 1); + (void) CopyMagickString(image_info->filename,svg_info->url, + MagickPathExtent); + image=ReadImage(image_info,svg_info->exception); ++ image_info=DestroyImageInfo(image_info); + if (image != (Image *) NULL) + image=DestroyImage(image); +- (void) DeleteNodeFromSplayTree(svg_tree,svg_info->url); ++ (void) DeleteNodeFromSplayTree(svg_tree,thread_filename); + (void) FormatLocaleFile(svg_info->file, + "image Over %g,%g %g,%g \"%s\"\n",svg_info->bounds.x, + svg_info->bounds.y,svg_info->bounds.width,svg_info->bounds.height, +@@ -2823,7 +2853,7 @@ static void SVGEndElement(void *context,const xmlChar *name) + &number_tokens); + if (tokens == (char **) NULL) + break; +- for (j=0; j < (ssize_t) (number_tokens-1); j+=2) ++ for (j=0; j < ((ssize_t) number_tokens-1); j+=2) + { + keyword=(char *) tokens[j]; + value=(char *) tokens[j+1]; +@@ -2923,12 +2953,8 @@ static void SVGEndElement(void *context,const xmlChar *name) + static void SVGCharacters(void *context,const xmlChar *c,int length) + { + char +- *p, + *text; + +- ssize_t +- i; +- + SVGInfo + *svg_info; + +@@ -2945,10 +2971,8 @@ static void SVGCharacters(void *context,const xmlChar *c,int length) + text=(char *) AcquireQuantumMemory((size_t) length+1,sizeof(*text)); + if (text == (char *) NULL) + return; +- p=text; +- for (i=0; i < (ssize_t) length; i++) +- *p++=(char) c[i]; +- *p='\0'; ++ memcpy(text,c,length); ++ text[length] = '\0'; + SVGStripString(MagickFalse,text); + if (svg_info->text == (char *) NULL) + svg_info->text=text; +@@ -3121,8 +3145,8 @@ static Image *RenderMSVGImage(const ImageInfo *image_info,Image *image, + svg_info->exception=exception; + svg_info->image=image; + svg_info->image_info=image_info; +- svg_info->bounds.width=image->columns; +- svg_info->bounds.height=image->rows; ++ svg_info->bounds.width=(double) image->columns; ++ svg_info->bounds.height=(double) image->rows; + svg_info->svgDepth=0; + if (image_info->size != (char *) NULL) + (void) CloneString(&svg_info->size,image_info->size); +@@ -3150,8 +3174,8 @@ static Image *RenderMSVGImage(const ImageInfo *image_info,Image *image, + parser=(xmlParserCtxtPtr) NULL; + if (n > 0) + { +- parser=xmlCreatePushParserCtxt(sax_handler,(void *) NULL,(char *) +- message,n,image->filename); ++ parser=xmlCreatePushParserCtxt(sax_handler,(void *) NULL,(const char *) ++ message,(int) n,image->filename); + if (parser != (xmlParserCtxtPtr) NULL) + { + const char *option; +@@ -3298,24 +3322,24 @@ static Image *ReadSVGImage(const ImageInfo *image_info,ExceptionInfo *exception) + } + if (LocaleCompare(image_info->magick,"MSVG") != 0) + { +- Image +- *svg_image; +- +-#if defined(MAGICKCORE_RSVG_DELEGATE) +- if (LocaleCompare(image_info->magick,"RSVG") == 0) +- { +- image=RenderRSVGImage(image_info,image,exception); +- return(image); +- } +-#endif +- svg_image=RenderSVGImage(image_info,image,exception); +- if (svg_image != (Image *) NULL) ++ if (LocaleCompare(image_info->magick,"RSVG") != 0) + { +- image=DestroyImageList(image); +- return(svg_image); ++ Image ++ *svg_image; ++ ++ svg_image=RenderSVGImage(image_info,image,exception); ++ if (svg_image != (Image *) NULL) ++ { ++ image=DestroyImageList(image); ++ return(svg_image); ++ } + } + #if defined(MAGICKCORE_RSVG_DELEGATE) ++ if (rsvg_semaphore == (SemaphoreInfo *) NULL) ++ ActivateSemaphoreInfo(&rsvg_semaphore); ++ LockSemaphoreInfo(rsvg_semaphore); + image=RenderRSVGImage(image_info,image,exception); ++ UnlockSemaphoreInfo(rsvg_semaphore); + return(image); + #endif + } +@@ -3395,6 +3419,7 @@ ModuleExport size_t RegisterSVGImage(void) + entry=AcquireMagickInfo("SVG","RSVG","Librsvg SVG renderer"); + entry->decoder=(DecodeImageHandler *) ReadSVGImage; + entry->encoder=(EncodeImageHandler *) WriteSVGImage; ++ entry->flags^=CoderDecoderThreadSupportFlag; + entry->mime_type=ConstantString("image/svg+xml"); + if (*version != '\0') + entry->version=ConstantString(version); +@@ -3546,7 +3571,7 @@ static MagickBooleanType IsPoint(const char *point) + static MagickBooleanType TraceSVGImage(Image *image,ExceptionInfo *exception) + { + MagickBooleanType +- status = MagickTrue; ++ status = MagickTrue; + + #if defined(MAGICKCORE_AUTOTRACE_DELEGATE) + { +@@ -3787,14 +3812,11 @@ static MagickBooleanType WriteSVGImage(const ImageInfo *image_info,Image *image, + /* + Write SVG header. + */ +- (void) WriteBlobString(image,"\n"); +- (void) WriteBlobString(image, +- "\n"); ++ "\n"); + (void) FormatLocaleString(message,MagickPathExtent, +- "\n",(double) image->columns,(double) +- image->rows); ++ "\n", ++ (double) image->columns,(double) image->rows); + (void) WriteBlobString(image,message); + /* + Allocate primitive info memory. +@@ -4563,7 +4585,7 @@ static MagickBooleanType WriteSVGImage(const ImageInfo *image_info,Image *image, + primitive_info[i].coordinates=0; + primitive_info[i].method=FloodfillMethod; + i++; +- if (i < (ssize_t) (number_points-6*BezierQuantum-360)) ++ if (i < ((ssize_t) number_points-6*BezierQuantum-360)) + continue; + number_points+=6*BezierQuantum+360; + primitive_info=(PrimitiveInfo *) ResizeQuantumMemory(primitive_info, +@@ -4777,7 +4799,7 @@ static MagickBooleanType WriteSVGImage(const ImageInfo *image_info,Image *image, + image->filename); + break; + } +- if (i > (ssize_t) (number_points-quantum-1)) ++ if (i > ((ssize_t) number_points-(ssize_t) quantum-1)) + { + number_points+=(size_t) quantum; + primitive_info=(PrimitiveInfo *) ResizeQuantumMemory(primitive_info, diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/series imagemagick-7.1.1.43+dfsg1/debian/patches/series --- imagemagick-7.1.1.43+dfsg1/debian/patches/series 2026-03-04 21:59:34.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/series 2026-03-15 23:43:38.000000000 +0000 @@ -105,3 +105,33 @@ CVE-2026-26983.patch CVE-2026-27798.patch CVE-2026-27799.patch +CVE-2026-28493_1.patch +CVE-2026-28493_2.patch +CVE-2026-28493_3.patch +CVE-2026-28494.patch +CVE-2026-28686.patch +CVE-2026-28687.patch +CVE-2026-28689_pre1.patch +CVE-2026-28689_1.patch +CVE-2026-28689_2.patch +CVE-2026-28690.patch +CVE-2026-28691.patch +CVE-2026-28692.patch +CVE-2026-28693_pre1.patch +CVE-2026-28693_1.patch +CVE-2026-28693_2.patch +CVE-2026-30883.patch +CVE-2026-30929.patch +CVE-2026-30931_pre1.patch +CVE-2026-30931.patch +CVE-2026-30935.patch +CVE-2026-30936.patch +CVE-2026-30937.patch +CVE-2026-31853.patch +CVE-2026-32259.patch +msl-fix_pre1.patch +msl-fix_pre2.patch +msl-fix_pre3.patch +msl-fix_pre4.patch +msl-svg-coder-port-to-7.1.2-16.patch +msl-fix-post1.patch