Version in base suite: 7.1.1.43+dfsg1-1+deb13u5 Version in overlay suite: 7.1.1.43+dfsg1-1+deb13u7 Base version: imagemagick_7.1.1.43+dfsg1-1+deb13u7 Target version: imagemagick_7.1.1.43+dfsg1-1+deb13u8 Base file: /srv/ftp-master.debian.org/ftp/pool/main/i/imagemagick/imagemagick_7.1.1.43+dfsg1-1+deb13u7.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/i/imagemagick/imagemagick_7.1.1.43+dfsg1-1+deb13u8.dsc changelog | 59 +++++++++++++++++ patches/CVE-2026-32636.patch | 26 +++++++ patches/CVE-2026-33535.patch | 44 +++++++++++++ patches/CVE-2026-33536.patch | 43 +++++++++++++ patches/CVE-2026-33899.patch | 30 +++++++++ patches/CVE-2026-33900.patch | 31 +++++++++ patches/CVE-2026-33901.patch | 39 +++++++++++ patches/CVE-2026-33902.patch | 33 ++++++++++ patches/CVE-2026-33905.patch | 125 ++++++++++++++++++++++++++++++++++++++ patches/CVE-2026-33908.patch | 120 ++++++++++++++++++++++++++++++++++++ patches/CVE-2026-34238.patch | 35 ++++++++++ patches/CVE-2026-40169.patch | 75 ++++++++++++++++++++++ patches/CVE-2026-40169_pre1.patch | 53 ++++++++++++++++ patches/CVE-2026-40183.patch | 53 ++++++++++++++++ patches/CVE-2026-40310.patch | 34 ++++++++++ patches/CVE-2026-40311.patch | 68 ++++++++++++++++++++ patches/CVE-2026-40312.patch | 28 ++++++++ patches/series | 16 ++++ 18 files changed, 912 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpprpz0o1r/imagemagick_7.1.1.43+dfsg1-1+deb13u7.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpprpz0o1r/imagemagick_7.1.1.43+dfsg1-1+deb13u8.dsc: no acceptable signature found diff -Nru imagemagick-7.1.1.43+dfsg1/debian/changelog imagemagick-7.1.1.43+dfsg1/debian/changelog --- imagemagick-7.1.1.43+dfsg1/debian/changelog 2026-03-15 23:43:38.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/changelog 2026-04-22 14:06:47.000000000 +0000 
@@ -1,3 +1,62 @@ +imagemagick (8:7.1.1.43+dfsg1-1+deb13u8) trixie-security; urgency=high + + * Fix CVE-2026-32636: + The NewXMLTree method contains a bug that could result + in a crash due to an out of write bounds of a single zero byte + * Fix CVE-2026-33535: + An out-of-bounds write of a zero byte exists in the X11 `display` + interaction path that could lead to a crash. + * Fix CVE-2026-33536: + Due to an incorrect return value on certain platforms a pointer is + incremented past the end of a buffer that is on the stack and + that could result in an out of bounds write. + * Fix CVE-2026-33899: + When `Magick` parses an XML file it is possible that a single + zero byte is written out of the bounds + * Fix CVE-2026-33900: + The viff encoder contains an integer truncation/wraparound issue + on 32-bit builds that could trigger an out of bounds heap write, + potentially causing a crash + * Fix CVE-2026-33901: + a heap buffer overflow occurs in the MVG decoder that + could result in an out of bounds write when processing a + crafted image. + * Fix CVE-2026-33902: + a stack overflow vulnerability in ImageMagick's FX expression + parser allows an attacker to crash the process by providing a + deeply nested expression. + * Fix CVE-2026-33905: + The -sample operation has an out of bounds read when + an specific offset is set through the `sample:offset` + define that could lead to an out of bounds read. + * Fix CVE-2026-33908: + Magick frees the memory of the XML tree via the `DestroyXMLTree()` + function; however, this process is executed recursively with no + depth limit imposed. When Magick processes an XML file with + deeply nested structures, it will exhaust the stack memory, + resulting in a Denial of Service (DoS) attack + * Fix CVE-2026-34238: + An integer overflow in the despeckle operation causes + a heap buffer overflow on 32-bit builds that will result + in an out of bounds write. 
+ * Fix CVE-2026-40169: + A crafted image could result in an out of bounds heap write + when writing a yaml or json output, resulting in a crash. + * Fix CVE-2026-40183: + The JXL encoder has an heap write overflow when a user specifies + that the image should be encoded as 16 bit floats. + * Fix CVE-2026-40310: + A heap out-of-bounds write was found in the JP2 encoder when a user + specifies an invalid sampling index. + * Fix CVE-2026-40311: + A heap use-after-free vulnerability was found that can cause a + crash when reading and printing values from an invalid XMP profile. + * Fix CVE-2026-40312: + An off by one error in the MSL decoder could result in a crash + when a malicous MSL file is read. + + -- Bastien Roucariès Wed, 22 Apr 2026 16:06:47 +0200 + imagemagick (8:7.1.1.43+dfsg1-1+deb13u7) trixie-security; urgency=high * Fix CVE-2026-28493: diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-32636.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-32636.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-32636.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-32636.patch 2026-04-22 10:38:04.000000000 +0000 
@@ -0,0 +1,26 @@ +From: Dirk Lemstra +Date: Fri, 13 Mar 2026 09:57:46 +0100 +Subject: Corrected out of bounds write of a single zero byte + (GHSA-gc62-2v5p-qpmp) + +(cherry picked from commit 361b42c91d173cfb4bd8f39898c599feef6a1e55) + +origin: https://github.com/ImageMagick/ImageMagick/commit/361b42c91d173cfb4bd8f39898c599feef6a1e55 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gc62-2v5p-qpmp +--- + MagickCore/xml-tree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/MagickCore/xml-tree.c b/MagickCore/xml-tree.c +index 0cdaf6a..279d721 100644 +--- a/MagickCore/xml-tree.c ++++ b/MagickCore/xml-tree.c +@@ -1276,7 +1276,7 @@ static char *ConvertUTF16ToUTF8(const char *content,size_t *length) + } + } + *length=(size_t) j; +- utf8=(char *) ResizeQuantumMemory(utf8,*length,sizeof(*utf8)); ++ utf8=(char *) ResizeQuantumMemory(utf8,(*length+1),sizeof(*utf8)); + if (utf8 != (char *) NULL) + utf8[*length]='\0'; + return(utf8); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33535.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33535.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33535.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33535.patch 2026-04-22 10:38:04.000000000 +0000 
@@ -0,0 +1,44 @@ +From: Cristy +Date: Sat, 21 Mar 2026 12:09:33 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mw3m-pqr2-qv7c + +An out-of-bounds write of a zero byte exists in the X11 `display` interaction path that +could lead to a crash + +(cherry picked from commit d3af057fb9d3666762ca3731c2360f544f607f88) + +origin: https://github.com/ImageMagick/ImageMagick/commit/d3af057fb9d3666762ca3731c2360f544f607f88 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mw3m-pqr2-qv7c +--- + MagickCore/display.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/MagickCore/display.c b/MagickCore/display.c +index ce1fea8..024162d 100644 +--- a/MagickCore/display.c ++++ b/MagickCore/display.c +@@ -6704,14 +6704,21 @@ static DisplayCommand XImageWindowCommand(Display *display, + + if ((key_symbol >= XK_0) && (key_symbol <= XK_9)) + { ++ size_t ++ length; ++ + if (((last_symbol < XK_0) || (last_symbol > XK_9))) + { + *delta='\0'; + resource_info->quantum=1; + } + last_symbol=key_symbol; +- delta[strlen(delta)+1]='\0'; +- delta[strlen(delta)]=Digits[key_symbol-XK_0]; ++ length=strlen(delta); ++ if (length < MagickPathExtent) ++ { ++ delta[length]=Digits[key_symbol-XK_0]; ++ delta[length+1]='\0'; ++ } + resource_info->quantum=StringToLong(delta); + return(NullCommand); + } diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33536.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33536.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33536.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33536.patch 2026-04-22 10:38:04.000000000 +0000 
@@ -0,0 +1,43 @@ +From: Cristy +Date: Fri, 20 Mar 2026 21:53:15 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8793-7xv6-82cf + +(cherry picked from commit ee4468a8ab0635fcaa9c561e583c56ada3b1b721) + +origin: https://github.com/ImageMagick/ImageMagick/commit/ee4468a8ab0635fcaa9c561e583c56ada3b1b721 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8793-7xv6-82cf +--- + MagickCore/image.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/MagickCore/image.c b/MagickCore/image.c +index 34d20d7..ed77122 100644 +--- a/MagickCore/image.c ++++ b/MagickCore/image.c +@@ -1734,7 +1734,8 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + format_specifier[MagickPathExtent]; + + size_t +- length = cursor-specifier_start; ++ length = cursor-specifier_start, ++ pattern_length; + + ssize_t + count; +@@ -1743,10 +1744,13 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + "%%%.*s%c",(int) length,specifier_start,*cursor); + count=FormatLocaleString(pattern,sizeof(pattern),format_specifier, + value); +- if ((count <= 0) || ((p-filename+count) >= MagickPathExtent)) ++ pattern_length=strlen(pattern); ++ if ((count <= 0) || ((size_t) count != pattern_length)) ++ return(0); ++ if ((p-filename+pattern_length) >= MagickPathExtent) + return(0); + (void) CopyMagickString(p,pattern,MagickPathExtent-(p-filename)); +- p+=strlen(pattern); ++ p+=pattern_length; + cursor++; + continue; + } diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33899.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33899.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33899.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33899.patch 2026-04-22 10:38:04.000000000 +0000 
@@ -0,0 +1,30 @@ +From: Cristy +Date: Tue, 24 Mar 2026 11:33:21 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cr67-pvmx-2pp2 + +when `Magick` parses an XML file it is possible that a single zero byte is written out of the bounds. + +(cherry picked from commit ae679e2fd19ec656bfab9f822ae4cf06bf91604d) + +origin: https://github.com/ImageMagick/ImageMagick/commit/ae679e2fd19ec656bfab9f822ae4cf06bf91604d +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cr67-pvmx-2pp2 +--- + MagickCore/xml-tree.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/MagickCore/xml-tree.c b/MagickCore/xml-tree.c +index 279d721..325b9a1 100644 +--- a/MagickCore/xml-tree.c ++++ b/MagickCore/xml-tree.c +@@ -1905,8 +1905,8 @@ MagickExport XMLTreeInfo *NewXMLTree(const char *xml,ExceptionInfo *exception) + "ParseError","UTF16 to UTF8 failed"); + return((XMLTreeInfo *) NULL); + } +- terminal=utf8[length-1]; +- utf8[length-1]='\0'; ++ terminal=utf8[MagickMax(length-1,0)]; ++ utf8[MagickMax(length-1,0)]='\0'; + p=utf8; + while ((*p != '\0') && (*p != '<')) + p++; diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33900.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33900.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33900.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33900.patch 2026-04-22 10:38:04.000000000 +0000 
@@ -0,0 +1,31 @@ +From: Cristy +Date: Tue, 24 Mar 2026 08:02:57 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v67w-737x-v2c9 + +the viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write, potentially causing a crash. + +(cherry picked from commit d27b840a61b322419a66d0d192ff56d52498148d) + +[backport] +- fix a typo in if + +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/d27b840a61b322419a66d0d192ff56d52498148d +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v67w-737x-v2c9 +--- + coders/viff.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/coders/viff.c b/coders/viff.c +index 79e001d..01ed52f 100644 +--- a/coders/viff.c ++++ b/coders/viff.c +@@ -1098,6 +1098,8 @@ static MagickBooleanType WriteVIFFImage(const ImageInfo *image_info, + /* + Convert MIFF to VIFF raster pixels. + */ ++ if (packets != (MagickSizeType) ((size_t) packets)) ++ ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed"); + pixel_info=AcquireVirtualMemory((size_t) packets,sizeof(*pixels)); + if (pixel_info == (MemoryInfo *) NULL) + ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed"); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33901.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33901.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33901.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33901.patch 2026-04-22 10:38:04.000000000 +0000 
@@ -0,0 +1,39 @@ +From: Cristy +Date: Tue, 24 Mar 2026 08:17:13 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-x9h5-r9v2-vcww + +A heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing a crafted image. + +(cherry picked from commit 4c72003e9e54a4ebaa938d239e75f5d285527ebe) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-x9h5-r9v2-vcww +origin: https://github.com/ImageMagick/ImageMagick/commit/4c72003e9e54a4ebaa938d239e75f5d285527ebe +--- + MagickCore/draw.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/MagickCore/draw.c b/MagickCore/draw.c +index 2faa8f0..73d6397 100644 +--- a/MagickCore/draw.c ++++ b/MagickCore/draw.c +@@ -3457,7 +3457,8 @@ static MagickBooleanType RenderMVGContent(Image *image, + break; + } + if ((q == (char *) NULL) || (*q == '\0') || +- (p == (char *) NULL) || ((q-4) < p)) ++ (p == (char *) NULL) || ((q-4) < p) || ++ ((q-p+4+1) > MagickPathExtent)) + { + status=MagickFalse; + break; +@@ -3568,7 +3569,8 @@ static MagickBooleanType RenderMVGContent(Image *image, + continue; + break; + } +- if ((q == (char *) NULL) || (p == (char *) NULL) || ((q-4) < p)) ++ if ((q == (char *) NULL) || (p == (char *) NULL) || ((q-4) < p) || ++ ((q-p+4+1) > MagickPathExtent)) + { + status=MagickFalse; + break; diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33902.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33902.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33902.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33902.patch 2026-04-22 10:38:04.000000000 +0000 
@@ -0,0 +1,33 @@ +From: Cristy +Date: Tue, 24 Mar 2026 08:29:45 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-f4qm-vj5j-9xpw + +a stack overflow vulnerability in ImageMagick's FX expression parser allows an attacker to crash the process by providing a deeply nested expression. + +(cherry picked from commit d3c0a37485314c5ccef72efb18f3847cd53868ba) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-f4qm-vj5j-9xpw +origin: https://github.com/ImageMagick/ImageMagick/commit/d3c0a37485314c5ccef72efb18f3847cd53868ba +--- + MagickCore/fx.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/MagickCore/fx.c b/MagickCore/fx.c +index aab518a..73b2420 100644 +--- a/MagickCore/fx.c ++++ b/MagickCore/fx.c +@@ -2608,6 +2608,13 @@ static MagickBooleanType TranslateExpression ( + ternary.addr_query = NULL_ADDRESS; + ternary.addr_colon = NULL_ADDRESS; + ++ if (pfx->teDepth >= MagickMaxRecursionDepth) { ++ (void) ThrowMagickException(pfx->exception, GetMagickModule(), OptionError, ++ "Expression too deeply nested", "(depth %i exceeds limit %i)", ++ pfx->teDepth, MagickMaxRecursionDepth); ++ return MagickFalse; ++ } ++ + pfx->teDepth++; + + *chLimit = '\0'; diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33905.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33905.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33905.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33905.patch 2026-04-22 10:38:04.000000000 +0000 
@@ -0,0 +1,125 @@ +From: Cristy +Date: Tue, 24 Mar 2026 11:20:39 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pcvx-ph33-r5vv + +The -sample operation has an out of bounds read when an specific offset is set through the `sample:offset` define that could lead to an out of bounds read. + +(cherry picked from commit cca607366fb38c2dde019a9088b8415ffba3a835) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pcvx-ph33-r5vv +origin: https://github.com/ImageMagick/ImageMagick/commit/cca607366fb38c2dde019a9088b8415ffba3a835 +--- + MagickCore/resize.c | 48 +++++++++++++++++++----------------------------- + 1 file changed, 19 insertions(+), 29 deletions(-) + +diff --git a/MagickCore/resize.c b/MagickCore/resize.c +index 99857c6..ba697ef 100644 +--- a/MagickCore/resize.c ++++ b/MagickCore/resize.c +@@ -3927,8 +3927,6 @@ MagickExport Image *SampleImage(const Image *image,const size_t columns, + sample_offset; + + ssize_t +- j, +- *x_offset, + y; + + /* +@@ -3972,19 +3970,6 @@ MagickExport Image *SampleImage(const Image *image,const size_t columns, + sample_offset.y=geometry_info.sigma/100.0-MagickEpsilon; + } + } +- /* +- Allocate scan line buffer and column offset buffers. +- */ +- x_offset=(ssize_t *) AcquireQuantumMemory((size_t) sample_image->columns, +- sizeof(*x_offset)); +- if (x_offset == (ssize_t *) NULL) +- { +- sample_image=DestroyImage(sample_image); +- ThrowImageException(ResourceLimitError,"MemoryAllocationFailed"); +- } +- for (j=0; j < (ssize_t) sample_image->columns; j++) +- x_offset[j]=(ssize_t) ((((double) j+sample_offset.x)*image->columns)/ +- sample_image->columns); + /* + Sample each row. 
+ */ +@@ -3998,25 +3983,17 @@ MagickExport Image *SampleImage(const Image *image,const size_t columns, + #endif + for (y=0; y < (ssize_t) sample_image->rows; y++) + { +- const Quantum +- *magick_restrict p; +- + Quantum + *magick_restrict q; + + ssize_t +- x, +- y_offset; ++ x; + + if (status == MagickFalse) + continue; +- y_offset=(ssize_t) ((((double) y+sample_offset.y)*image->rows)/ +- sample_image->rows); +- p=GetCacheViewVirtualPixels(image_view,0,y_offset,image->columns,1, +- exception); + q=QueueCacheViewAuthenticPixels(sample_view,0,y,sample_image->columns,1, + exception); +- if ((p == (const Quantum *) NULL) || (q == (Quantum *) NULL)) ++ if (q == (Quantum *) NULL) + { + status=MagickFalse; + continue; +@@ -4026,14 +4003,29 @@ MagickExport Image *SampleImage(const Image *image,const size_t columns, + */ + for (x=0; x < (ssize_t) sample_image->columns; x++) + { ++ const Quantum ++ *magick_restrict p; ++ + ssize_t +- i; ++ i, ++ x_offset, ++ y_offset; + + if (GetPixelWriteMask(sample_image,q) <= (QuantumRange/2)) + { + q+=(ptrdiff_t) GetPixelChannels(sample_image); + continue; + } ++ x_offset=(ssize_t) ((((double) x+sample_offset.x)*image->columns)/ ++ sample_image->columns); ++ y_offset=(ssize_t) ((((double) y+sample_offset.y)*image->rows)/ ++ sample_image->rows); ++ p=GetCacheViewVirtualPixels(image_view,x_offset,y_offset,1,1,exception); ++ if (p == (const Quantum *) NULL) ++ { ++ status=MagickFalse; ++ break; ++ } + for (i=0; i < (ssize_t) GetPixelChannels(sample_image); i++) + { + PixelChannel +@@ -4049,8 +4041,7 @@ MagickExport Image *SampleImage(const Image *image,const size_t columns, + if ((traits == UndefinedPixelTrait) || + (image_traits == UndefinedPixelTrait)) + continue; +- SetPixelChannel(sample_image,channel,p[x_offset[x]*(ssize_t) +- GetPixelChannels(image)+i],q); ++ SetPixelChannel(sample_image,channel,p[i],q); + } + q+=(ptrdiff_t) GetPixelChannels(sample_image); + } +@@ -4068,7 +4059,6 @@ MagickExport Image *SampleImage(const Image 
*image,const size_t columns, + } + image_view=DestroyCacheView(image_view); + sample_view=DestroyCacheView(sample_view); +- x_offset=(ssize_t *) RelinquishMagickMemory(x_offset); + sample_image->type=image->type; + if (status == MagickFalse) + sample_image=DestroyImage(sample_image); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33908.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33908.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33908.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33908.patch 2026-04-22 10:38:04.000000000 +0000 
@@ -0,0 +1,120 @@ +From: Cristy +Date: Tue, 24 Mar 2026 11:18:42 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fwvm-ggf6-2p4x + +Magick frees the memory of the XML tree via the `DestroyXMLTree()` function; +however, this process is executed recursively with no depth limit imposed. +When Magick processes an XML file with deeply nested structures, it will exhaust +the stack memory, resulting in a Denial of Service (DoS) attack. + +(cherry picked from commit ccdc01180276aa2cb3d4a32a611aa4f417061cd8) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fwvm-ggf6-2p4x +origin: https://github.com/ImageMagick/ImageMagick/commit/ccdc01180276aa2cb3d4a32a611aa4f417061cd8 +--- + MagickCore/xml-tree.c | 34 ++++++++++++++++++++++++---------- + 1 file changed, 24 insertions(+), 10 deletions(-) + +diff --git a/MagickCore/xml-tree.c b/MagickCore/xml-tree.c +index 325b9a1..d0bc2af 100644 +--- a/MagickCore/xml-tree.c ++++ b/MagickCore/xml-tree.c +@@ -359,6 +359,9 @@ MagickPrivate char *CanonicalXMLContent(const char *content, + % + */ + ++static XMLTreeInfo ++ *DestroyXMLTree_(XMLTreeInfo *,const size_t); ++ + static char **DestroyXMLTreeAttributes(char **attributes) + { + ssize_t +@@ -383,35 +386,37 @@ static char **DestroyXMLTreeAttributes(char **attributes) + return((char **) NULL); + } + +-static void DestroyXMLTreeChild(XMLTreeInfo *xml_info) ++static void DestroyXMLTreeChild(XMLTreeInfo *xml_info, ++ const size_t depth) + { + XMLTreeInfo + *child, + *node; + + child=xml_info->child; +- while(child != (XMLTreeInfo *) NULL) ++ while (child != (XMLTreeInfo *) NULL) + { + node=child; + child=node->child; + node->child=(XMLTreeInfo *) NULL; +- (void) DestroyXMLTree(node); ++ (void) DestroyXMLTree_(node,depth+1); + } + } + +-static void DestroyXMLTreeOrdered(XMLTreeInfo *xml_info) ++static void DestroyXMLTreeOrdered(XMLTreeInfo *xml_info, ++ const size_t depth) + { + XMLTreeInfo + *node, + *ordered; + + 
ordered=xml_info->ordered; +- while(ordered != (XMLTreeInfo *) NULL) ++ while (ordered != (XMLTreeInfo *) NULL) + { + node=ordered; + ordered=node->ordered; + node->ordered=(XMLTreeInfo *) NULL; +- (void) DestroyXMLTree(node); ++ (void) DestroyXMLTree_(node,depth+1); + } + } + +@@ -476,15 +481,19 @@ static void DestroyXMLTreeRoot(XMLTreeInfo *xml_info) + } + } + +-MagickExport XMLTreeInfo *DestroyXMLTree(XMLTreeInfo *xml_info) ++static XMLTreeInfo *DestroyXMLTree_(XMLTreeInfo *xml_info, ++ const size_t depth) + { + assert(xml_info != (XMLTreeInfo *) NULL); + assert((xml_info->signature == MagickCoreSignature) || + (((XMLTreeRoot *) xml_info)->signature == MagickCoreSignature)); + if (IsEventLogging() != MagickFalse) + (void) LogMagickEvent(TraceEvent,GetMagickModule(),"..."); +- DestroyXMLTreeChild(xml_info); +- DestroyXMLTreeOrdered(xml_info); ++ if (depth > MagickMaxRecursionDepth) ++ ThrowFatalException(ResourceLimitFatalError, ++ "MemoryAllocationFailed"); ++ DestroyXMLTreeChild(xml_info,depth+1); ++ DestroyXMLTreeOrdered(xml_info,depth+1); + DestroyXMLTreeRoot(xml_info); + xml_info->attributes=DestroyXMLTreeAttributes(xml_info->attributes); + xml_info->content=DestroyString(xml_info->content); +@@ -492,6 +501,11 @@ MagickExport XMLTreeInfo *DestroyXMLTree(XMLTreeInfo *xml_info) + xml_info=(XMLTreeInfo *) RelinquishMagickMemory(xml_info); + return((XMLTreeInfo *) NULL); + } ++ ++MagickExport XMLTreeInfo *DestroyXMLTree(XMLTreeInfo *xml_info) ++{ ++ return(DestroyXMLTree_(xml_info,0)); ++} + + /* + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +@@ -2024,7 +2038,7 @@ MagickExport XMLTreeInfo *NewXMLTree(const char *xml,ExceptionInfo *exception) + } + else + { +- while((*p != '\0') && (*p != '/') && (*p != '>')) ++ while ((*p != '\0') && (*p != '/') && (*p != '>')) + p++; + } + if (*p == '/') diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-34238.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-34238.patch --- 
imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-34238.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-34238.patch 2026-04-22 10:38:04.000000000 +0000 @@ -0,0 +1,35 @@ +From: Cristy +Date: Wed, 25 Mar 2026 19:54:25 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-26qp-ffjh-2x4v + +an integer overflow in the despeckle operation causes a heap buffer overflow +on 32-bit builds that will result in an out of bounds write + +(cherry picked from commit bcd8519c70ecd9ebbc180920f2cf97b267d1f440) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-26qp-ffjh-2x4v +origin: https://github.com/ImageMagick/ImageMagick/commit/bcd8519c70ecd9ebbc180920f2cf97b267d1f440 +--- + MagickCore/effect.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/MagickCore/effect.c b/MagickCore/effect.c +index 1264fda..6b1d474 100644 +--- a/MagickCore/effect.c ++++ b/MagickCore/effect.c +@@ -1369,7 +1369,13 @@ MagickExport Image *DespeckleImage(const Image *image,ExceptionInfo *exception) + /* + Allocate image buffer. + */ +- length=(size_t) ((image->columns+2)*(image->rows+2)); ++ if ((image->columns > (MAGICK_SIZE_MAX-2)) || ++ (image->rows > (MAGICK_SIZE_MAX-2))) ++ { ++ despeckle_image=DestroyImage(despeckle_image); ++ ThrowImageException(ResourceLimitError,"MemoryAllocationFailed"); ++ } ++ length=(image->columns+2)*(image->rows+2); + pixel_info=AcquireVirtualMemory(length,sizeof(*pixels)); + buffer_info=AcquireVirtualMemory(length,sizeof(*buffer)); + if ((pixel_info == (MemoryInfo *) NULL) || diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40169.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40169.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40169.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40169.patch 2026-04-22 10:38:04.000000000 +0000 
@@ -0,0 +1,75 @@ +From: Cristy +Date: Wed, 8 Apr 2026 22:08:36 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5592-p365-24xh + +A crafted image could result in an out of bounds heap write when writing a yaml or json output, resulting in a crash. + +(cherry picked from commit f86452a8aea37bf2b4bd36127f836dcc5f138b38) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5592-p365-24xh +origin: https://github.com/ImageMagick/ImageMagick/commit/f86452a8aea37bf2b4bd36127f836dcc5f138b38 +--- + coders/json.c | 14 ++++++++------ + coders/yaml.c | 8 ++++---- + 2 files changed, 12 insertions(+), 10 deletions(-) + +diff --git a/coders/json.c b/coders/json.c +index 73c15ae..8cfee92 100644 +--- a/coders/json.c ++++ b/coders/json.c +@@ -1521,15 +1521,16 @@ static MagickBooleanType EncodeImageAttributes(Image *image,FILE *file, + image_info=AcquireImageInfo(); + (void) CloneString(&image_info->size,"64x64"); + (void) FormatLocaleFile(file," \"montageDirectory\": ["); +- p=image->directory; +- while (*p != '\0') ++ for (p=image->directory; *p != '\0'; p++) + { + q=p; +- while ((*q != '\xff') && (*q != '\0')) ++ while ((*q != '\xff') && (*q != '\0') && ++ ((size_t) (q-p) < sizeof(image_info->filename))) + q++; + (void) CopyMagickString(image_info->filename,p,(size_t) (q-p+1)); +- p=q+1; +- JSONFormatLocaleFile(file,"{\n \"name\": %s",image_info->filename); ++ p=q; ++ JSONFormatLocaleFile(file,"{\n \"name\": %s", ++ image_info->filename); + handler=SetWarningHandler((WarningHandler) NULL); + tile=ReadImage(image_info,exception); + (void) SetWarningHandler(handler); +@@ -1539,7 +1540,8 @@ static MagickBooleanType EncodeImageAttributes(Image *image,FILE *file, + continue; + } + (void) FormatLocaleFile(file,",\n \"info\": \"%.20gx%.20g %s\"", +- (double) tile->magick_columns,(double) tile->magick_rows,tile->magick); ++ (double) tile->magick_columns,(double) tile->magick_rows, ++ tile->magick); + (void) 
SignatureImage(tile,exception); + ResetImagePropertyIterator(tile); + property=GetNextImageProperty(tile); +diff --git a/coders/yaml.c b/coders/yaml.c +index 0d587fd..e41529c 100644 +--- a/coders/yaml.c ++++ b/coders/yaml.c +@@ -1511,14 +1511,14 @@ static MagickBooleanType EncodeImageAttributes(Image *image,FILE *file, + image_info=AcquireImageInfo(); + (void) CloneString(&image_info->size,"64x64"); + (void) FormatLocaleFile(file," montageDirectory: "); +- p=image->directory; +- while (*p != '\0') ++ for (p=image->directory; *p != '\0'; p++) + { + q=p; +- while ((*q != '\xff') && (*q != '\0')) ++ while ((*q != '\xff') && (*q != '\0') && ++ ((size_t) (q-p) < sizeof(image_info->filename))) + q++; + (void) CopyMagickString(image_info->filename,p,(size_t) (q-p+1)); +- p=q+1; ++ p=q; + YAMLFormatLocaleFile(file,"\n - name: %s", + image_info->filename); + handler=SetWarningHandler((WarningHandler) NULL); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40169_pre1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40169_pre1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40169_pre1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40169_pre1.patch 2026-04-22 10:38:04.000000000 +0000 
@@ -0,0 +1,53 @@ +From: Jake Lodwick +Date: Mon, 2 Mar 2026 11:44:18 -0700 +Subject: Add overflow check to JXL write path (#8591) + +(cherry picked from commit c6b16f54864a065fa0b7878f3bfe1949cb1380ed) + +origin: https://github.com/ImageMagick/ImageMagick/commit/c6b16f54864a065fa0b7878f3bfe1949cb1380ed +bug: https://github.com/ImageMagick/ImageMagick/pull/8591 +--- + coders/jxl.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/coders/jxl.c b/coders/jxl.c +index 507aec5..b778fe5 100644 +--- a/coders/jxl.c ++++ b/coders/jxl.c +@@ -954,7 +954,8 @@ static MagickBooleanType WriteJXLImage(const ImageInfo *image_info,Image *image, + memory_manager_info; + + size_t +- bytes_per_row; ++ bytes_per_row, ++ channels_size; + + unsigned char + *pixels; +@@ -1118,17 +1119,22 @@ static MagickBooleanType WriteJXLImage(const ImageInfo *image_info,Image *image, + /* + Write image as a JXL stream. + */ +- bytes_per_row=image->columns* +- (((image->alpha_trait & BlendPixelTrait) != 0) ? 4 : 3)* ++ channels_size=(((image->alpha_trait & BlendPixelTrait) != 0) ? 4 : 3)* + ((pixel_format.data_type == JXL_TYPE_FLOAT) ? sizeof(float) : + (pixel_format.data_type == JXL_TYPE_UINT16) ? sizeof(short) : + sizeof(char)); + if (IsGrayColorspace(image->colorspace) != MagickFalse) +- bytes_per_row=image->columns* +- (((image->alpha_trait & BlendPixelTrait) != 0) ? 2 : 1)* ++ channels_size=(((image->alpha_trait & BlendPixelTrait) != 0) ? 2 : 1)* + ((pixel_format.data_type == JXL_TYPE_FLOAT) ? sizeof(float) : + (pixel_format.data_type == JXL_TYPE_UINT16) ? 
sizeof(short) : + sizeof(char)); ++ if (HeapOverflowSanityCheck(image->columns,channels_size) != MagickFalse) ++ { ++ JxlThreadParallelRunnerDestroy(runner); ++ JxlEncoderDestroy(jxl_info); ++ ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed"); ++ } ++ bytes_per_row=image->columns*channels_size; + pixel_info=AcquireVirtualMemory(bytes_per_row,image->rows*sizeof(*pixels)); + if (pixel_info == (MemoryInfo *) NULL) + { diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40183.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40183.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40183.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40183.patch 2026-04-22 10:38:04.000000000 +0000 
@@ -0,0 +1,53 @@ +From: Dirk Lemstra +Date: Thu, 9 Apr 2026 18:41:09 +0200 +Subject: Patch to correct the sample size for 16 bit floats in the JXL + encoder (GHSA-jvgr-9ph5-m8v4) + +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/1c7767fc5f822c6edc104c1220d523e96fa20b5a +bug: https://github.com/advisories/GHSA-jvgr-9ph5-m8v4 +--- + coders/jxl.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/coders/jxl.c b/coders/jxl.c +index b778fe5..0cf0264 100644 +--- a/coders/jxl.c ++++ b/coders/jxl.c +@@ -955,7 +955,8 @@ static MagickBooleanType WriteJXLImage(const ImageInfo *image_info,Image *image, + + size_t + bytes_per_row, +- channels_size; ++ channels_size, ++ sample_size; + + unsigned char + *pixels; +@@ -1119,15 +1120,19 @@ static MagickBooleanType WriteJXLImage(const ImageInfo *image_info,Image *image, + /* + Write image as a JXL stream. + */ +- channels_size=(((image->alpha_trait & BlendPixelTrait) != 0) ? 4 : 3)* +- ((pixel_format.data_type == JXL_TYPE_FLOAT) ? sizeof(float) : +- (pixel_format.data_type == JXL_TYPE_UINT16) ? sizeof(short) : +- sizeof(char)); ++ sample_size=sizeof(char); ++ if ((pixel_format.data_type == JXL_TYPE_FLOAT) || ++ (pixel_format.data_type == JXL_TYPE_FLOAT16)) ++ sample_size=sizeof(float); ++ else ++ if (pixel_format.data_type == JXL_TYPE_UINT16) ++ sample_size=sizeof(short); + if (IsGrayColorspace(image->colorspace) != MagickFalse) +- channels_size=(((image->alpha_trait & BlendPixelTrait) != 0) ? 2 : 1)* +- ((pixel_format.data_type == JXL_TYPE_FLOAT) ? sizeof(float) : +- (pixel_format.data_type == JXL_TYPE_UINT16) ? sizeof(short) : +- sizeof(char)); ++ channels_size=(((image->alpha_trait & BlendPixelTrait) != 0) ? 2U : 1U)* ++ sample_size; ++ else ++ channels_size=(((image->alpha_trait & BlendPixelTrait) != 0) ? 
4U : 3U)* ++ sample_size + if (HeapOverflowSanityCheck(image->columns,channels_size) != MagickFalse) + { + JxlThreadParallelRunnerDestroy(runner); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40310.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40310.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40310.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40310.patch 2026-04-22 10:38:04.000000000 +0000 
@@ -0,0 +1,34 @@ +From: Cristy +Date: Thu, 9 Apr 2026 10:39:06 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pwg5-6jfc-crvh + +Imagemagick contains a heap out-of-bounds write in the JP2 encoder with when a user specifies an invalid sampling index + +(cherry picked from commit 3d653bea2df085c728a1c8f775808e1e9249dff9) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pwg5-6jfc-crvh +origin: https://github.com/ImageMagick/ImageMagick/commit/3d653bea2df085c728a1c8f775808e1e9249dff9 +--- + coders/jp2.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/coders/jp2.c b/coders/jp2.c +index 8fb0692..1a5f575 100644 +--- a/coders/jp2.c ++++ b/coders/jp2.c +@@ -1103,10 +1103,12 @@ static MagickBooleanType WriteJP2Image(const ImageInfo *image_info,Image *image, + + flags=ParseGeometry(image_info->sampling_factor,&geometry_info); + if ((flags & RhoValue) != 0) +- parameters->subsampling_dx=(int) geometry_info.rho; ++ parameters->subsampling_dx=(int) MagickMax( ++ geometry_info.rho,1.0); + parameters->subsampling_dy=parameters->subsampling_dx; + if ((flags & SigmaValue) != 0) +- parameters->subsampling_dy=(int) geometry_info.sigma; ++ parameters->subsampling_dy=(int) MagickMax( ++ geometry_info.sigma,1.0); + } + property=GetImageProperty(image,"comment",exception); + if (property != (const char *) NULL) diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40311.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40311.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40311.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40311.patch 2026-04-22 10:38:04.000000000 +0000 
@@ -0,0 +1,68 @@ +From: Cristy +Date: Thu, 9 Apr 2026 13:22:00 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r83h-crwp-3vm7 + +a heap use-after-free vulnerability was found that can cause a crash when reading and printing values from an invalid XMP profile + +(cherry picked from commit 5facfecf1abb3fed46a08f614dcc43d1e548e20d) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r83h-crwp-3vm7 +origin: https://github.com/ImageMagick/ImageMagick/commit/5facfecf1abb3fed46a08f614dcc43d1e548e20d +--- + MagickCore/property.c | 29 ++++++++++++++++++++--------- + 1 file changed, 20 insertions(+), 9 deletions(-) + +diff --git a/MagickCore/property.c b/MagickCore/property.c +index 1d9e501..3fb1230 100644 +--- a/MagickCore/property.c ++++ b/MagickCore/property.c +@@ -1864,7 +1864,10 @@ static void GetXMPProperty(const Image *image,const char *property) + while (description != (XMLTreeInfo *) NULL) + { + char +- *xmp_namespace; ++ *property; ++ ++ size_t ++ property_length; + + node=GetXMLTreeChild(description,(const char *) NULL); + while (node != (XMLTreeInfo *) NULL) +@@ -1874,20 +1877,28 @@ static void GetXMPProperty(const Image *image,const char *property) + if ((child == (XMLTreeInfo *) NULL) && + (SkipXMPValue(content) == MagickFalse)) + { +- xmp_namespace=ConstantString(GetXMLTreeTag(node)); +- (void) SubstituteString(&xmp_namespace,"exif:","xmp:"); +- (void) AddValueToSplayTree((SplayTreeInfo *) image->properties, +- xmp_namespace,ConstantString(content)); ++ property=ConstantString(GetXMLTreeTag(node)); ++ (void) SubstituteString(&property,"exif:","xmp:"); ++ property_length=strlen(property); ++ if ((property_length <= 2) || (*(property+(property_length-2)) != ':') || ++ (*(property+(property_length-1)) != '*')) ++ (void) AddValueToSplayTree((SplayTreeInfo *) image->properties, ++ ConstantString(property),ConstantString(content)); ++ property=DestroyString(property); + } + while (child != (XMLTreeInfo *) 
NULL) + { + content=GetXMLTreeContent(child); + if (SkipXMPValue(content) == MagickFalse) + { +- xmp_namespace=ConstantString(GetXMLTreeTag(node)); +- (void) SubstituteString(&xmp_namespace,"exif:","xmp:"); +- (void) AddValueToSplayTree((SplayTreeInfo *) image->properties, +- xmp_namespace,ConstantString(content)); ++ property=ConstantString(GetXMLTreeTag(node)); ++ (void) SubstituteString(&property,"exif:","xmp:"); ++ property_length=strlen(property); ++ if ((property_length <= 2) || (*(property+(property_length-2)) != ':') || ++ (*(property+(property_length-1)) != '*')) ++ (void) AddValueToSplayTree((SplayTreeInfo *) image->properties, ++ ConstantString(property),ConstantString(content)); ++ property=DestroyString(property); + } + child=GetXMLTreeSibling(child); + } diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40312.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40312.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40312.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-40312.patch 2026-04-22 10:38:04.000000000 +0000 
@@ -0,0 +1,28 @@ +From: Cristy +Date: Thu, 9 Apr 2026 14:33:04 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5xg3-585r-9jh5 + +an off by one error in the MSL decoder could result in a crash when a malicous MSL file is read. + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5xg3-585r-9jh5 +origin: https://github.com/ImageMagick/ImageMagick/commit/2a06c7be3bba3326caf8b7a8d1fa2e0d4b88998d + +(cherry picked from commit 2a06c7be3bba3326caf8b7a8d1fa2e0d4b88998d) +--- + coders/msl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/coders/msl.c b/coders/msl.c +index 6d5f29c..5bbdf04 100644 +--- a/coders/msl.c ++++ b/coders/msl.c +@@ -272,7 +272,7 @@ static ssize_t MSLPushImage(MSLInfo *msl_info,Image *image) + (msl_info->attributes[n] == (Image *) NULL)) + ThrowFatalException(ResourceLimitFatalError,"MemoryAllocationFailed") + if (msl_info->number_groups != 0) +- msl_info->group_info[msl_info->number_groups].numImages++; ++ msl_info->group_info[msl_info->number_groups-1].numImages++; + return(n); + } + diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/series imagemagick-7.1.1.43+dfsg1/debian/patches/series --- imagemagick-7.1.1.43+dfsg1/debian/patches/series 2026-03-15 23:43:38.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/series 2026-04-22 10:38:04.000000000 +0000 @@ -135,3 +135,19 @@ msl-fix_pre4.patch msl-svg-coder-port-to-7.1.2-16.patch msl-fix-post1.patch +CVE-2026-32636.patch +CVE-2026-33535.patch +CVE-2026-33536.patch +CVE-2026-33899.patch +CVE-2026-33900.patch +CVE-2026-33901.patch +CVE-2026-33902.patch +CVE-2026-33905.patch +CVE-2026-33908.patch +CVE-2026-34238.patch +CVE-2026-40169.patch +CVE-2026-40169_pre1.patch +CVE-2026-40183.patch +CVE-2026-40310.patch +CVE-2026-40311.patch +CVE-2026-40312.patch
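Review bot: In the "Add overflow check to JXL write path (#8591)" patch, second hunk of WriteJXLImage, the new HeapOverflowSanityCheck(image->columns,channels_size) covers only the row-size product. The full buffer size is still formed inside AcquireVirtualMemory(bytes_per_row,image->rows*sizeof(*pixels)), so the fix depends on that call rejecting an overflowing count and quantum. A one-line comment at the check saying the rows multiplication is validated by the allocator would make that dependency explicit. The new error path releases runner and jxl_info by hand, and it should be compared against the cleanup in the `pixel_info == (MemoryInfo *) NULL` branch that follows, so both exits free the same set of resources.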
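Review bot: In CVE-2026-40183.patch, second hunk, the last added statement ends in `sample_size` with no terminating semicolon before the `if (HeapOverflowSanityCheck(...` context line, while the gray branch above it ends in `sample_size;`. As shown, this does not compile, so the backport should be checked against the upstream commit. Separately, JXL_TYPE_FLOAT16 is given sizeof(float) rather than a 2-byte size. If that is deliberate because the row buffer holds 32-bit floats before encoding, a comment next to the `sample_size=sizeof(float);` assignment should say so, since the subject line alone ("correct the sample size for 16 bit floats") reads as if a smaller size were intended.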
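Review bot: In CVE-2026-40310.patch, WriteJP2Image, MagickMax(geometry_info.rho,1.0) and MagickMax(geometry_info.sigma,1.0) add a lower bound only. The result is still cast straight to int, so a very large sampling factor is converted without any upper limit, and a double outside the range of int has no defined result in C. Clamping both values to a sane maximum before the cast would close the other side of the range. The hunk also leaves subsampling_dx untouched when RhoValue is not set and then copies it into subsampling_dy unconditionally, so it is worth confirming that the default set earlier is already at least 1.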
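Review bot: In CVE-2026-40311.patch, first hunk, the new local `char *property;` shadows the function parameter of the same name in `GetXMPProperty(const Image *image,const char *property)`, as the hunk header shows. Any later use of the parameter inside the `while (description != ...)` block would silently pick up the local instead, and builds with -Wshadow will warn. Keeping a distinct name for the local (the removed code used xmp_namespace) avoids this at no cost.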
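Review bot: In CVE-2026-40311.patch, second hunk, the same seven-line block (substitute "exif:" with "xmp:", take strlen, skip names ending in ":*", add to the splay tree, destroy the string) is pasted into both the leaf branch and the child loop. A small static helper called from both places would keep the two copies from drifting apart. The ":*" test has no comment explaining why such names must be kept out of image->properties, and the commit message only mentions a use-after-free on an invalid XMP profile, so a sentence at the condition would help future readers. The key is now duplicated with ConstantString(property) and the original destroyed right after, which costs one extra allocation per property. Passing `property` itself to AddValueToSplayTree and destroying it only on the skip path would avoid that, provided ownership is handled the same way as before.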
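Review bot: In CVE-2026-40312.patch, MSLPushImage, the corrected index `msl_info->number_groups-1` cannot underflow only because of the `if (msl_info->number_groups != 0)` test on the line above it. A short comment stating that number_groups is a count and the current group lives at index number_groups-1 would keep the guard and the index from being separated in a later edit. The diffstat shows a one-line change with no accompanying test, so a regression test for the MSL group path would be a useful addition.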
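Review bot: In the debian/patches/series hunk, CVE-2026-40169.patch is listed before CVE-2026-40169_pre1.patch, and patches apply in listed order. If _pre1 is a prerequisite of CVE-2026-40169.patch, as its name suggests, the two entries need to be swapped. The blob ids point elsewhere, though: the "Add overflow check to JXL write path" patch takes coders/jxl.c from 507aec5 to b778fe5, and b778fe5 is the base of CVE-2026-40183.patch, so it reads as the prerequisite of 40183. In that case the order works, but the file name is misleading and should be changed or explained in the changelog.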