ImageMagick: Fix CVE-2025-55298

Backport the fix for CVE-2025-55298 Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5] [https://github.com/ImageMagick/ImageMagick/commit/1f93323df9d8c011c31bc4c6880390071f7fb895] Add below patch to fix 0010-ImageMagick-Fix-CVE-2025-55298-1.patch 0010-ImageMagick-Fix-CVE-2025-55298-2.patch Add below support patch to fix 0010-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch 0010-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch 0010-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in> 2025-12-12 20:29:46 +0530
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2025-12-12 22:06:55 +0100
commit: 3a86962b263bb5ba4a7719854bfde87404e83f34 (patch)
tree: cce86f94c3ffc721e05cf7c741de4121270ecd8d
parent: a137e1075054e9c52b037bad1b5557c7618e3371 (diff)
download: meta-openembedded-3a86962b263bb5ba4a7719854bfde87404e83f34.tar.gz
6 files changed, 706 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch
new file mode 100644
index 0000000000..9e95b294e3
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch
@@ -0,0 +1,48 @@
+From 93bcbd44f4771227a9e637f69ddabb60e0e33b18 Mon Sep 17 00:00:00 2001
+From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+Date: Tue, 11 Nov 2025 14:34:12 +0530
+Subject: [PATCH 10/18] ImageMagick: Add support patch 1 to fix CVE-2025-55298
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/83caf59fce695fea0c5878e9f0d0b65e662cae66]
+Comment: Refreshed hunk to match latest kirkstone
+Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+---
+ MagickCore/image.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 346285165..f64e83645 100644
+--- a/MagickCore/image.c
+++ b/MagickCore/image.c
+@@ -1640,21 +1640,23 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+   char
+     *q;
+ 
+  const char
+    *p;
+
+   int
+     c;
+ 
+   MagickBooleanType
+     canonical;
+ 
+-  const char
+-    *p;
+-
+   ssize_t
+     offset;
+ 
+   canonical=MagickFalse;
+   offset=0;
+   (void) CopyMagickString(filename,format,MagickPathExtent);
+  if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
+    return(strlen(filename));
+   for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
+   {
+     q=(char *) p+1;
+-- 
+2.34.1
diff --git a/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch
new file mode 100644
index 0000000000..a51bc1994b
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch
@@ -0,0 +1,205 @@
+From 18f573cbd4767d9b51b23cde5b58945ae4e57243 Mon Sep 17 00:00:00 2001
+From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+Date: Tue, 11 Nov 2025 21:53:10 +0530
+Subject: [PATCH 11/18] ImageMagick: Add support patch-2 to fix CVE-2025-55298
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/82550750ec8f79393b381c3ed349dd495bbab8a7]
+Comment: Refreshed hunk to match latest kirkstone
+Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+---
+ MagickCore/image.c | 134 +++++++++++++++++++--------------------------
+ 1 file changed, 55 insertions(+), 79 deletions(-)
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index f64e83645..cd4de6df9 100644
+--- a/MagickCore/image.c
+++ b/MagickCore/image.c
+@@ -1638,34 +1638,41 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+   ExceptionInfo *exception)
+ {
+   char
+-    *q;
+    *p = filename,
+    pattern[MagickPathExtent];
+ 
+   const char
+-    *p;
+-
+-  int
+-    c;
+-
+-  MagickBooleanType
+-    canonical;
+-
+-  ssize_t
+-    offset;
+    *cursor = format;
+ 
+-  canonical=MagickFalse;
+-  offset=0;
+  /*
+    Start with a copy of the format string.
+  */
+   (void) CopyMagickString(filename,format,MagickPathExtent);
+   if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
+     return(strlen(filename));
+-  for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
+  while ((cursor=strchr(cursor,'%')) != (const char *) NULL)
+   {
+-    q=(char *) p+1;
+-    if (*q == '%')
+    const char
+      *q = cursor;
+
+    ssize_t
+      offset = (ssize_t) (cursor-format);
+
+    cursor++;  /* move past '%' */
+    if (*cursor == '%')
+       {
+-        p++;
+        /*
+          Escaped %%.
+        */
+        cursor++;
+         continue;
+       }
+-    switch (*q)
+    /*
+      Skip padding digits like %03d.
+    */
+    if (*cursor == '0')
+      (void) strtol(cursor,(char **) &cursor,10);
+    switch (*cursor)
+     {
+       case 'd':
+       case 'o':
+@@ -1674,93 +1681,62 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+         ssize_t
+           count;
+ 
+-        q++;
+-        c=(*q);
+-        *q='\0';
+-        count=FormatLocaleString(filename+(p-format-offset),(size_t)
+-          (MagickPathExtent-(p-format-offset)),p,value);
+-        if ((count <= 0) || (count > (MagickPathExtent-(p-format-offset))))
+        count=FormatLocaleString(pattern,sizeof(pattern),q,value);
+        if ((count <= 0) || (count >= MagickPathExtent))
+           return(0);
+-        offset+=(ssize_t) ((q-p)-count);
+-        *q=c;
+-        (void) ConcatenateMagickString(filename,q,MagickPathExtent);
+-        canonical=MagickTrue;
+-        if (*(q-1) != '%')
+-          break;
+-        p++;
+        if ((offset+count) >= MagickPathExtent)
+          return(0);
+        (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent-
+          offset));
+        cursor++;
+         break;
+       }
+       case '[':
+       {
+-        char
+-          pattern[MagickPathExtent];
+-
+         const char
+-          *option;
+          *end = strchr(cursor,']'),
+          *option = (const char *) NULL;
+ 
+-        char
+-          *r;
+-
+-        ssize_t
+-          i;
+-
+-        ssize_t
+-          depth;
+        size_t
+          extent = (size_t) (end-cursor);
+ 
+         /*
+-          Image option.
+          Handle %[key:value];
+         */
+-        if (strchr(p,']') == (char *) NULL)
+        if (end == (const char *) NULL)
+           break;
+-        depth=1;
+-        r=q+1;
+-        for (i=0; (i < (MagickPathExtent-1L)) && (*r != '\0'); i++)
+-        {
+-          if (*r == '[')
+-            depth++;
+-          if (*r == ']')
+-            depth--;
+-          if (depth <= 0)
+-            break;
+-          pattern[i]=(*r++);
+-        }
+-        pattern[i]='\0';
+-        if (LocaleNCompare(pattern,"filename:",9) != 0)
+        if (extent >= sizeof(pattern))
+           break;
+-        option=(const char *) NULL;
+        (void) CopyMagickString(pattern,cursor,extent);
+        pattern[extent]='\0';
+         if (image != (Image *) NULL)
+           option=GetImageProperty(image,pattern,exception);
+-        if ((option == (const char *) NULL) && (image != (Image *) NULL))
+        if ((option == (const char *) NULL) && (image != (Image *)NULL))
+           option=GetImageArtifact(image,pattern);
+         if ((option == (const char *) NULL) &&
+             (image_info != (ImageInfo *) NULL))
+           option=GetImageOption(image_info,pattern);
+         if (option == (const char *) NULL)
+           break;
+-        q--;
+-        c=(*q);
+-        *q='\0';
+-        (void) CopyMagickString(filename+(p-format-offset),option,(size_t)
+-          (MagickPathExtent-(p-format-offset)));
+-        offset+=strlen(pattern)-strlen(option)+3;
+-        *q=c;
+-        (void) ConcatenateMagickString(filename,r+1,MagickPathExtent);
+-        canonical=MagickTrue;
+-        if (*(q-1) != '%')
+-          break;
+-        p++;
+        (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent-
+          offset));
+        cursor=end+1;
+         break;
+       }
+       default:
+         break;
+     }
+   }
+-  if (canonical == MagickFalse)
+-    (void) CopyMagickString(filename,format,MagickPathExtent);
+-  else
+-    for (q=filename; *q != '\0'; q++)
+-      if ((*q == '%') && (*(q+1) == '%'))
+-        (void) CopyMagickString(q,q+1,(size_t) (MagickPathExtent-(q-filename)));
+  for (p=filename; *p != '\0'; )
+  {
+    /*
+      Replace "%%" with "%".
+    */
+    if ((*p == '%') && (*(p+1) == '%'))
+      (void) memmove(p,p+1,strlen(p));  /* shift left */
+    else
+      p++;
+  }
+   return(strlen(filename));
+ }
+ 
+-- 
+2.34.1
diff --git a/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch
new file mode 100644
index 0000000000..2f4e019132
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch
@@ -0,0 +1,103 @@
+From abc0b89e166c993ff766d3ff62b6d2be82f478f3 Mon Sep 17 00:00:00 2001
+From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+Date: Wed, 12 Nov 2025 11:35:37 +0530
+Subject: [PATCH 12/18] ImageMagick: Add support patch-3 to fix CVE-2025-55298
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/6c7c8d5866b9c0ce6cc76a741e05b9482716101e]
+Comment: Refreshed hunk to match latest kirkstone
+Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+---
+ MagickCore/image.c | 31 +++++++++++++++++++++----------
+ 1 file changed, 21 insertions(+), 10 deletions(-)
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index cd4de6df9..1acf8edbd 100644
+--- a/MagickCore/image.c
+++ b/MagickCore/image.c
+@@ -1647,6 +1647,8 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+   /*
+     Start with a copy of the format string.
+   */
+  assert(format != (const char *) NULL);
+  assert(filename != (char *) NULL);
+   (void) CopyMagickString(filename,format,MagickPathExtent);
+   if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
+     return(strlen(filename));
+@@ -1670,7 +1672,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+     /*
+       Skip padding digits like %03d.
+     */
+-    if (*cursor == '0')
+    if (isdigit((int) ((unsigned char) *cursor)) != 0)
+       (void) strtol(cursor,(char **) &cursor,10);
+     switch (*cursor)
+     {
+@@ -1682,9 +1684,8 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+           count;
+ 
+         count=FormatLocaleString(pattern,sizeof(pattern),q,value);
+-        if ((count <= 0) || (count >= MagickPathExtent))
+-          return(0);
+-        if ((offset+count) >= MagickPathExtent)
+        if ((count <= 0) || (count >= MagickPathExtent) ||
+            ((offset+count) >= MagickPathExtent))
+           return(0);
+         (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent-
+           offset));
+@@ -1698,7 +1699,9 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+           *option = (const char *) NULL;
+ 
+         size_t
+-          extent = (size_t) (end-cursor);
+          extent = (size_t) (end-cursor-1),
+          option_length,
+          tail_length;
+ 
+         /*
+           Handle %[key:value];
+@@ -1707,19 +1710,27 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+           break;
+         if (extent >= sizeof(pattern))
+           break;
+-        (void) CopyMagickString(pattern,cursor,extent);
+        (void) CopyMagickString(pattern,cursor+1,extent+1);
+         pattern[extent]='\0';
+         if (image != (Image *) NULL)
+-          option=GetImageProperty(image,pattern,exception);
+-        if ((option == (const char *) NULL) && (image != (Image *)NULL))
+-          option=GetImageArtifact(image,pattern);
+          {
+            option=GetImageProperty(image,pattern,exception);
+            if (option == (const char *) NULL)
+              option=GetImageArtifact(image,pattern);
+          }
+         if ((option == (const char *) NULL) &&
+             (image_info != (ImageInfo *) NULL))
+           option=GetImageOption(image_info,pattern);
+         if (option == (const char *) NULL)
+           break;
+        option_length=strlen(option);
+        tail_length=strlen(end+1);
+        if ((offset+option_length+tail_length+1) > MagickPathExtent)
+          return(0);
+         (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent-
+           offset));
+        (void) ConcatenateMagickString(p+offset+option_length,end+1,(size_t) (
+          MagickPathExtent-offset-option_length-tail_length-1));
+         cursor=end+1;
+         break;
+       }
+@@ -1733,7 +1744,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+       Replace "%%" with "%".
+     */
+     if ((*p == '%') && (*(p+1) == '%'))
+-      (void) memmove(p,p+1,strlen(p));  /* shift left */
+      (void) memmove(p,p+1,strlen(p+1)+1);  /* shift left */
+     else
+       p++;
+   }
+-- 
+2.34.1
diff --git a/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Fix-CVE-2025-55298-1.patch b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Fix-CVE-2025-55298-1.patch
new file mode 100644
index 0000000000..95dda55623
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Fix-CVE-2025-55298-1.patch
@@ -0,0 +1,71 @@
+From 62f97a69edb936544604e669de25e4bf2a9e2f06 Mon Sep 17 00:00:00 2001
+From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+Date: Wed, 12 Nov 2025 11:52:00 +0530
+Subject: [PATCH 13/18] ImageMagick: Fix CVE-2025-55298
+CVE: CVE-2025-55298
+This CVE fixed in two parts, this commit includes the first fix.
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/1f93323df9d8c011c31bc4c6880390071f7fb895]
+Comment: Refreshed hunk to match latest kirkstone
+Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+---
+ MagickCore/image.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 1acf8edbd..7a52236d8 100644
+--- a/MagickCore/image.c
+++ b/MagickCore/image.c
+@@ -1633,6 +1633,31 @@ MagickExport VirtualPixelMethod GetImageVirtualPixelMethod(const Image *image)
+ %    o exception: return any errors or warnings in this structure.
+ %
+ */
+
+static inline MagickBooleanType PercentNInvalidOperation(char *filename)
+{
+  MagickBooleanType
+    match = MagickFalse;
+
+  size_t
+    length = strlen(filename);
+
+  ssize_t
+    i;
+
+  for (i=0; i < (ssize_t) length-1; i++)
+  {
+    if ((filename[i] == '%') &&
+        ((filename[i+1] == 'n') || (filename[i+1] == 'N')))
+      {
+        filename[i]='?';
+        filename[i+1]='\?';
+        match=MagickTrue;
+      }
+  }
+  return(match);
+}
+
+ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+   Image *image,const char *format,int value,char *filename,
+   ExceptionInfo *exception)
+@@ -1652,6 +1677,13 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+   (void) CopyMagickString(filename,format,MagickPathExtent);
+   if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
+     return(strlen(filename));
+  if (PercentNInvalidOperation(filename) != MagickFalse)
+    {
+      errno=EPERM;
+      (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
+        "InvalidArgument","`%s'",filename);
+      return(0);
+    }
+   while ((cursor=strchr(cursor,'%')) != (const char *) NULL)
+   {
+     const char
+-- 
+2.34.1
diff --git a/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Fix-CVE-2025-55298-2.patch b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Fix-CVE-2025-55298-2.patch
new file mode 100644
index 0000000000..c9cbf95c4d
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Fix-CVE-2025-55298-2.patch
@@ -0,0 +1,274 @@
+From b7e445241e43e3e919667d7244ccb99573cf951a Mon Sep 17 00:00:00 2001
+From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+Date: Wed, 12 Nov 2025 13:05:40 +0530
+Subject: [PATCH 14/18] ImageMagick: Fix CVE-2025-55298
+CVE: CVE-2025-55298
+This CVE fixed in two parts, this commit includes the second fix.
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5]
+Comment: Refreshed hunk to match latest kirkstone
+Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+---
+ MagickCore/image.c | 183 ++++++++++++++++++++++++---------------------
+ 1 file changed, 96 insertions(+), 87 deletions(-)
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 7a52236d8..3e6fdd114 100644
+--- a/MagickCore/image.c
+++ b/MagickCore/image.c
+@@ -1619,7 +1619,7 @@ MagickExport VirtualPixelMethod GetImageVirtualPixelMethod(const Image *image)
+ %
+ %  A description of each parameter follows.
+ %
+-%    o image_info: the image info..
+%    o image_info: the image info.
+ %
+ %    o image: the image.
+ %
+@@ -1634,28 +1634,38 @@ MagickExport VirtualPixelMethod GetImageVirtualPixelMethod(const Image *image)
+ %
+ */
+ 
+-static inline MagickBooleanType PercentNInvalidOperation(char *filename)
+static inline MagickBooleanType IsValidFormatSpecifier(const char *start,
+  const char *end)
+ {
+-  MagickBooleanType
+-    match = MagickFalse;
+-
+  char
+    specifier = end[-1];
+   size_t
+-    length = strlen(filename);
+    length = end-start;
+ 
+-  ssize_t
+-    i;
+  /*
+    Is this a valid format specifier?
+  */
+  if ((specifier != 'd') && (specifier != 'x') && (specifier != 'o'))
+    return(MagickFalse);
+  if ((length == 1) && (*start == specifier))
+    return(MagickTrue);
+  if (length >= 2)
+    {
+      size_t
+        i = 0;
+ 
+-  for (i=0; i < (ssize_t) length-1; i++)
+-  {
+-    if ((filename[i] == '%') &&
+-        ((filename[i+1] == 'n') || (filename[i+1] == 'N')))
+-      {
+-        filename[i]='?';
+-        filename[i+1]='\?';
+-        match=MagickTrue;
+-      }
+-  }
+-  return(match);
+      if (*start == '0')
+        {
+          if ((length >= 3) && (start[1] == '0'))
+            return(MagickFalse);
+          i=1;
+        }
+      for ( ; i < (length-1); i++)
+        if (isdigit((int) ((unsigned char) start[i])) == 0)
+          return(MagickFalse);
+      return(MagickTrue);
+    }
+  return(MagickFalse);
+ }
+ 
+ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+@@ -1669,82 +1679,89 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+   const char
+     *cursor = format;
+ 
+-  /*
+-    Start with a copy of the format string.
+-  */
+   assert(format != (const char *) NULL);
+   assert(filename != (char *) NULL);
+-  (void) CopyMagickString(filename,format,MagickPathExtent);
+   if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
+-    return(strlen(filename));
+-  if (PercentNInvalidOperation(filename) != MagickFalse)
+     {
+-      errno=EPERM;
+-      (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
+-        "InvalidArgument","`%s'",filename);
+-      return(0);
+      (void) CopyMagickString(filename,format,MagickPathExtent);
+      return(strlen(filename));
+     }
+-  while ((cursor=strchr(cursor,'%')) != (const char *) NULL)
+  while ((*cursor != '\0') && ((p-filename) < ((ssize_t) MagickPathExtent-1)))
+   {
+     const char
+-      *q = cursor;
+      *specifier_start,
+      *start;
+ 
+-    ssize_t
+-      offset = (ssize_t) (cursor-format);
+-
+-    cursor++;  /* move past '%' */
+    if (*cursor != '%')
+      {
+        *p++=(*cursor++);
+        continue;
+      }
+    start=cursor++;  /* Skip '%' */
+     if (*cursor == '%')
+       {
+-        /*
+-          Escaped %%.
+-        */
+        *p++='%';
+         cursor++;
+         continue;
+       }
+-    /*
+-      Skip padding digits like %03d.
+-    */
+-    if (isdigit((int) ((unsigned char) *cursor)) != 0)
+-      (void) strtol(cursor,(char **) &cursor,10);
+-    switch (*cursor)
+-    {
+-      case 'd':
+-      case 'o':
+-      case 'x':
+    specifier_start=cursor;
+    while (isdigit((int) ((unsigned char) *cursor)) != 0)
+      cursor++;
+    if ((*cursor == 'd') || (*cursor == 'o') || (*cursor == 'x'))
+       {
+-        ssize_t
+-          count;
+        const char
+          *specifier_end = cursor+1;
+ 
+-        count=FormatLocaleString(pattern,sizeof(pattern),q,value);
+-        if ((count <= 0) || (count >= MagickPathExtent) ||
+-            ((offset+count) >= MagickPathExtent))
+-          return(0);
+-        (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent-
+-          offset));
+-        cursor++;
+-        break;
+        if (IsValidFormatSpecifier(specifier_start,specifier_end) != MagickFalse)
+          {
+            char
+              format_specifier[MagickPathExtent];
+
+            size_t
+              length = cursor-specifier_start;
+
+            ssize_t
+              count;
+
+            (void) snprintf(format_specifier,sizeof(format_specifier),
+              "%%%.*s%c",(int) length,specifier_start,*cursor);
+            count=FormatLocaleString(pattern,sizeof(pattern),format_specifier,
+              value);
+            if ((count <= 0) || ((p-filename+count) >= MagickPathExtent))
+              return(0);
+            (void) CopyMagickString(p,pattern,MagickPathExtent-(p-filename));
+            p+=strlen(pattern);
+            cursor++;
+            continue;
+          }
+        else
+          {
+            /*
+              Invalid specifier — treat as literal.
+            */
+            cursor=start;
+            *p++=(*cursor++);
+            continue;
+          }
+       }
+-      case '[':
+    if (*cursor == '[')
+       {
+         const char
+           *end = strchr(cursor,']'),
+           *option = (const char *) NULL;
+ 
+         size_t
+-          extent = (size_t) (end-cursor-1),
+-          option_length,
+-          tail_length;
+          extent,
+          option_length;
+ 
+-        /*
+-          Handle %[key:value];
+-        */
+         if (end == (const char *) NULL)
+-          break;
+          continue;
+        extent=(size_t) (end-cursor-1);
+         if (extent >= sizeof(pattern))
+-          break;
+          continue;
+         (void) CopyMagickString(pattern,cursor+1,extent+1);
+         pattern[extent]='\0';
+-        if (image != (Image *) NULL)
+        if (image != NULL)
+           {
+             option=GetImageProperty(image,pattern,exception);
+             if (option == (const char *) NULL)
+@@ -1754,32 +1771,24 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+             (image_info != (ImageInfo *) NULL))
+           option=GetImageOption(image_info,pattern);
+         if (option == (const char *) NULL)
+-          break;
+          continue;
+         option_length=strlen(option);
+-        tail_length=strlen(end+1);
+-        if ((offset+option_length+tail_length+1) > MagickPathExtent)
+        if ((p-filename+option_length) >= MagickPathExtent)
+           return(0);
+-        (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent-
+-          offset));
+-        (void) ConcatenateMagickString(p+offset+option_length,end+1,(size_t) (
+-          MagickPathExtent-offset-option_length-tail_length-1));
+        (void) CopyMagickString(p,option,MagickPathExtent-(p-filename));
+        p+=option_length;
+         cursor=end+1;
+-        break;
+        continue;
+       }
+-      default:
+-        break;
+-    }
+-  }
+-  for (p=filename; *p != '\0'; )
+-  {
+     /*
+-      Replace "%%" with "%".
+      Invalid or unsupported specifier — treat as literal.
+     */
+-    if ((*p == '%') && (*(p+1) == '%'))
+-      (void) memmove(p,p+1,strlen(p+1)+1);  /* shift left */
+-    else
+-      p++;
+    cursor=start;
+    if ((p-filename+1) >= MagickPathExtent)
+      return(0);
+    *p++=(*cursor++);
+   }
+  *p='\0';
+   return(strlen(filename));
+ }
+ 
+-- 
+2.34.1
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
index 2cc67bd51b..586f4418af 100644
--- a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
+++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
@@ -36,6 +36,11 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
    file://0007-ImageMagick-Fix-CVE-2025-57803.patch \
    file://0008-ImageMagick-Fix-CVE-2025-57807.patch \
    file://0009-ImageMagick-Fix-CVE-2025-55154.patch \
+    file://0010-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch \
+    file://0010-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch \
+    file://0010-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch \
+    file://0010-ImageMagick-Fix-CVE-2025-55298-1.patch \
+    file://0010-ImageMagick-Fix-CVE-2025-55298-2.patch \
 "
 SRCREV = "35b4991eb0939a327f3489988c366e21068b0178"
author	Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>	2025-12-12 20:29:46 +0530
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2025-12-12 22:06:55 +0100
commit	3a86962b263bb5ba4a7719854bfde87404e83f34 (patch)
tree	cce86f94c3ffc721e05cf7c741de4121270ecd8d
parent	a137e1075054e9c52b037bad1b5557c7618e3371 (diff)
download	meta-openembedded-3a86962b263bb5ba4a7719854bfde87404e83f34.tar.gz