summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNaman Jain <nmjain23@gmail.com>2026-04-14 09:34:05 +0530
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2026-04-29 10:14:24 +0530
commit098a230565c965933efa4519c6919852098ff5a9 (patch)
treea014739b1a43a781a83f2a8bb720a696691e40b3
parent5124ac4a658899158f4a7a2ddf1d2ca931ec7d0e (diff)
downloadmeta-openembedded-098a230565c965933efa4519c6919852098ff5a9.tar.gz
imagemagick: Fix CVEs
Fix the following CVEs- CVE-2026-24481 CVE-2026-25638 CVE-2026-25794 CVE-2026-25795 CVE-2026-25796 CVE-2026-25797 CVE-2026-25798 CVE-2026-25799 CVE-2026-25897 CVE-2026-25898 CVE-2026-25965 CVE-2026-25966 CVE-2026-25967 CVE-2026-25968 CVE-2026-25969 CVE-2026-25970 CVE-2026-25982 CVE-2026-25985 CVE-2026-25986 CVE-2026-25987 CVE-2026-25988 CVE-2026-26066 CVE-2026-26283 CVE-2026-26284 CVE-2026-26983 Signed-off-by: Naman Jain <namanj1@kpit.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-24481.patch30
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25638.patch29
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25794.patch60
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25795.patch32
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25796.patch46
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25797_1.patch344
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25797_2.patch143
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25798.patch109
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25799.patch42
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25897.patch34
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25898_1.patch39
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25898_2.patch37
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25965.patch322
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25966.patch56
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25967.patch38
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25968.patch39
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25969.patch63
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25970.patch139
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25970_pre1.patch57
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25982.patch77
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25985.patch67
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25986.patch42
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25987.patch44
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25988.patch50
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26066.patch49
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26283.patch33
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26284.patch31
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26983.patch41
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb28
29 files changed, 2121 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-24481.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-24481.patch
new file mode 100644
index 0000000000..abfa1f817c
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-24481.patch
@@ -0,0 +1,30 @@
1From: Dirk Lemstra <dirk@lemstra.org>
2Date: Fri, 23 Jan 2026 13:19:06 +0100
3Subject: Initialize the pixels with empty values to prevent possible heap
4 information disclosure (GHSA-96pc-27rx-pr36)
5
6(cherry picked from commit 51c9d33f4770cdcfa1a029199375d570af801c97)
7
8CVE: CVE-2026-24481
9Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick6/commit/38872ec2a70084813883ea152f18497911823c18]
10
11origin: https://github.com/ImageMagick/ImageMagick/commit/51c9d33f4770cdcfa1a029199375d570af801c97
12bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-96pc-27rx-pr36
13
14Signed-off-by: Naman Jain <namanj1@kpit.com>
15---
16 coders/psd.c | 1 +
17 1 file changed, 1 insertion(+)
18
19diff --git a/coders/psd.c b/coders/psd.c
20index 050abcd..7e2b3eb 100644
21--- a/coders/psd.c
22+++ b/coders/psd.c
23@@ -1331,6 +1331,7 @@ static MagickBooleanType ReadPSDChannelZip(Image *image,
24 ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
25 image->filename);
26 }
27+ memset(pixels,0,count*sizeof(*pixels));
28 if (ReadBlob(image,compact_size,compact_pixels) != (ssize_t) compact_size)
29 {
30 pixels=(unsigned char *) RelinquishMagickMemory(pixels);
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25638.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25638.patch
new file mode 100644
index 0000000000..025ff90c40
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25638.patch
@@ -0,0 +1,29 @@
1From: Dirk Lemstra <dirk@lemstra.org>
2Date: Tue, 3 Feb 2026 22:06:12 +0100
3Subject: Fixed memory leak when writing MSL files (GHSA-gxcx-qjqp-8vjw)
4
5(cherry picked from commit 1e88fca11c7b8517100d518bc99bd8c474f02f88)
6
7CVE: CVE-2026-25638
8Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/1e88fca11c7b8517100d518bc99bd8c474f02f88]
9
10origin: https://github.com/ImageMagick/ImageMagick/commit/1e88fca11c7b8517100d518bc99bd8c474f02f88
11bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gxcx-qjqp-8vjw
12
13Signed-off-by: Naman Jain <namanj1@kpit.com>
14---
15 coders/msl.c | 1 +
16 1 file changed, 1 insertion(+)
17
18diff --git a/coders/msl.c b/coders/msl.c
19index 43c4b73..9facbf2 100644
20--- a/coders/msl.c
21+++ b/coders/msl.c
22@@ -7887,6 +7887,7 @@ static MagickBooleanType WriteMSLImage(const ImageInfo *image_info,Image *image,
23 (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename);
24 msl_image=CloneImage(image,0,0,MagickTrue,exception);
25 status=ProcessMSLScript(image_info,&msl_image,exception);
26+ msl_image=DestroyImageList(msl_image);
27 return(status);
28 }
29 #endif
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25794.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25794.patch
new file mode 100644
index 0000000000..f67ab86ad1
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25794.patch
@@ -0,0 +1,60 @@
1From: Dirk Lemstra <dirk@lemstra.org>
2Date: Fri, 6 Feb 2026 21:03:53 +0100
3Subject: Prevent out of bounds heap write in uhdr encoder
4 (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhqj-f5cj-9x8h)
5
6(cherry picked from commit ffe589df5ff8ce1433daa4ccb0d2a9fadfbe30ed)
7
8Subject: [PATCH] CVE-2026-25794
9CVE: CVE-2026-25794
10Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/ffe589df5ff8ce1433daa4ccb0d2a9fadfbe30ed]
11
12origin: https://github.com/ImageMagick/ImageMagick/commit/ffe589df5ff8ce1433daa4ccb0d2a9fadfbe30ed
13bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhqj-f5cj-9x8h
14
15Signed-off-by: Naman Jain <namanj1@kpit.com>
16---
17 coders/uhdr.c | 24 ++++++++++++++++--------
18 1 file changed, 16 insertions(+), 8 deletions(-)
19
20diff --git a/coders/uhdr.c b/coders/uhdr.c
21index 0a25676..a527465 100644
22--- a/coders/uhdr.c
23+++ b/coders/uhdr.c
24@@ -618,20 +618,28 @@ static MagickBooleanType WriteUHDRImage(const ImageInfo *image_info,
25 {
26 /* Classify image as hdr/sdr intent basing on depth */
27 int
28- bpp = image->depth >= hdrIntentMinDepth ? 2 : 1;
29-
30- int
31- aligned_width = image->columns + (image->columns & 1);
32-
33- int
34- aligned_height = image->rows + (image->rows & 1);
35+ bpp;
36
37 ssize_t
38- picSize = aligned_width * aligned_height * bpp * 1.5 /* 2x2 sub-sampling */;
39+ aligned_height,
40+ aligned_width;
41+
42+ size_t
43+ picSize;
44
45 void
46 *crBuffer = NULL, *cbBuffer = NULL, *yBuffer = NULL;
47
48+ if (((double) image->columns > sqrt(MAGICK_SSIZE_MAX/3.0)) ||
49+ ((double) image->rows > sqrt(MAGICK_SSIZE_MAX/3.0)))
50+ {
51+ (void) ThrowMagickException(exception,GetMagickModule(),ImageError,
52+ "WidthOrHeightExceedsLimit","%s",image->filename);
53+ goto next_image;
54+ }
55+ bpp = image->depth >= hdrIntentMinDepth ? 2 : 1;
56+ aligned_width = image->columns + (image->columns & 1);
57+ picSize = aligned_width * aligned_height * bpp * 1.5 /* 2x2 sub-sampling */;
58 if (IssRGBCompatibleColorspace(image->colorspace) && !IsGrayColorspace(image->colorspace))
59 {
60 if (image->depth >= hdrIntentMinDepth && hdr_ct == UHDR_CT_LINEAR)
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25795.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25795.patch
new file mode 100644
index 0000000000..c969c8d425
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25795.patch
@@ -0,0 +1,32 @@
1From: Dirk Lemstra <dirk@lemstra.org>
2Date: Fri, 6 Feb 2026 21:16:10 +0100
3Subject: Fixed NULL pointer dereference in ReadSFWImage (GHSA-p33r-fqw2-rqmm)
4
5(cherry picked from commit 0c7d0b9671ae2616fca106dcada45536eb4df5dc)
6
7CVE: CVE-2026-25795
8Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/0c7d0b9671ae2616fca106dcada45536eb4df5dc]
9
10bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p33r-fqw2-rqmm
11origin: https://github.com/ImageMagick/ImageMagick/commit/0c7d0b9671ae2616fca106dcada45536eb4df5dc
12
13Signed-off-by: Naman Jain <namanj1@kpit.com>
14---
15 coders/sfw.c | 2 +-
16 1 file changed, 1 insertion(+), 1 deletion(-)
17
18diff --git a/coders/sfw.c b/coders/sfw.c
19index 22ebcd9..46c67b4 100644
20--- a/coders/sfw.c
21+++ b/coders/sfw.c
22@@ -317,9 +317,9 @@ static Image *ReadSFWImage(const ImageInfo *image_info,ExceptionInfo *exception)
23 if ((unique_file == -1) || (file == (FILE *) NULL))
24 {
25 buffer=(unsigned char *) RelinquishMagickMemory(buffer);
26- read_info=DestroyImageInfo(read_info);
27 (void) CopyMagickString(image->filename,read_info->filename,
28 MagickPathExtent);
29+ read_info=DestroyImageInfo(read_info);
30 ThrowFileException(exception,FileOpenError,"UnableToCreateTemporaryFile",
31 image->filename);
32 image=DestroyImageList(image);
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25796.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25796.patch
new file mode 100644
index 0000000000..7bd577b4dd
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25796.patch
@@ -0,0 +1,46 @@
1From: Dirk Lemstra <dirk@lemstra.org>
2Date: Fri, 6 Feb 2026 21:10:47 +0100
3Subject: Prevent memory leak in early exits (GHSA-g2pr-qxjg-7r2w)
4
5(cherry picked from commit 93ad259ce4f6d641eea0bee73f374af90f35efc3)
6
7CVE: CVE-2026-25796
8Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/93ad259ce4f6d641eea0bee73f374af90f35efc3]
9
10origin: https://github.com/ImageMagick/ImageMagick/commit/93ad259ce4f6d641eea0bee73f374af90f35efc3
11bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-g2pr-qxjg-7r2w
12
13Signed-off-by: Naman Jain <namanj1@kpit.com>
14---
15 coders/stegano.c | 11 +++++++++--
16 1 file changed, 9 insertions(+), 2 deletions(-)
17
18diff --git a/coders/stegano.c b/coders/stegano.c
19index 111640a..5f91bd9 100644
20--- a/coders/stegano.c
21+++ b/coders/stegano.c
22@@ -150,15 +150,22 @@ static Image *ReadSTEGANOImage(const ImageInfo *image_info,
23 return(DestroyImage(image));
24 watermark->depth=MAGICKCORE_QUANTUM_DEPTH;
25 if (AcquireImageColormap(image,MaxColormapSize,exception) == MagickFalse)
26- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
27+ {
28+ watermark=DestroyImage(watermark);
29+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
30+ }
31 if (image_info->ping != MagickFalse)
32 {
33+ watermark=DestroyImage(watermark);
34 (void) CloseBlob(image);
35 return(GetFirstImageInList(image));
36 }
37 status=SetImageExtent(image,image->columns,image->rows,exception);
38 if (status == MagickFalse)
39- return(DestroyImageList(image));
40+ {
41+ watermark=DestroyImage(watermark);
42+ return(DestroyImageList(image));
43+ }
44 for (y=0; y < (ssize_t) image->rows; y++)
45 {
46 q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25797_1.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25797_1.patch
new file mode 100644
index 0000000000..295b686a91
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25797_1.patch
@@ -0,0 +1,344 @@
1From: Dirk Lemstra <dirk@lemstra.org>
2Date: Fri, 6 Feb 2026 21:28:50 +0100
3Subject: Prevent code injection via PostScript header
4 (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-rw6c-xp26-225v)
5
6(cherry picked from commit 26088a83d71e9daa203d54a56fe3c31f3f85463d)
7
8CVE: CVE-2026-25797
9Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/26088a83d71e9daa203d54a56fe3c31f3f85463d]
10
11origin: backport, https://github.com/ImageMagick/ImageMagick/commit/26088a83d71e9daa203d54a56fe3c31f3f85463d
12bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-rw6c-xp26-225v
13
14Signed-off-by: Naman Jain <namanj1@kpit.com>
15---
16 coders/ps.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
17 coders/ps2.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
18 coders/ps3.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
19 3 files changed, 243 insertions(+), 3 deletions(-)
20
21diff --git a/coders/ps.c b/coders/ps.c
22index 8af2af7..3999cf9 100644
23--- a/coders/ps.c
24+++ b/coders/ps.c
25@@ -1086,6 +1086,82 @@ static inline unsigned char *PopHexPixel(const char hex_digits[][3],
26 return(pixels);
27 }
28
29+static inline void FilenameToTitle(const char *filename,char *title,
30+ const size_t extent)
31+{
32+ int
33+ depth = 0;
34+
35+ ssize_t
36+ i,
37+ offset = 0;
38+
39+ if (extent == 0)
40+ return;
41+ for (i=0; (filename[i] != '\0') && ((offset+1) < (ssize_t) extent); i++)
42+ {
43+ unsigned char
44+ c = filename[i];
45+
46+ /*
47+ Only allow printable ASCII.
48+ */
49+ if ((c < 32) || (c > 126))
50+ {
51+ title[offset++]='_';
52+ continue;
53+ }
54+ /*
55+ Percent signs break DSC parsing.
56+ */
57+ if (c == '%')
58+ {
59+ title[offset++]='_';
60+ continue;
61+ }
62+ /*
63+ Parentheses must remain balanced.
64+ */
65+ if (c == '(')
66+ {
67+ depth++;
68+ title[offset++] = '(';
69+ continue;
70+ }
71+ if (c == ')')
72+ {
73+ if (depth <= 0)
74+ title[offset++]='_';
75+ else
76+ {
77+ depth--;
78+ title[offset++]=')';
79+ }
80+ continue;
81+ }
82+ /*
83+ Everything else is allowed.
84+ */
85+ title[offset++]=c;
86+ }
87+ /*
88+ If parentheses remain unbalanced, close them.
89+ */
90+ while ((depth > 0) && ((offset+1) < (ssize_t) extent)) {
91+ title[offset++]=')';
92+ depth--;
93+ }
94+ title[offset]='\0';
95+ /*
96+ Ensure non-empty result.
97+ */
98+ if (offset == 0)
99+ {
100+ (void) CopyMagickString(title,"Untitled",extent-1);
101+ title[extent-1]='\0';
102+ }
103+}
104+
105 static MagickBooleanType WritePSImage(const ImageInfo *image_info,Image *image,
106 ExceptionInfo *exception)
107 {
108@@ -1554,6 +1630,9 @@ static MagickBooleanType WritePSImage(const ImageInfo *image_info,Image *image,
109 text_size=(size_t) (MultilineCensus(value)*pointsize+12);
110 if (page == 1)
111 {
112+ char
113+ title[MagickPathExtent];
114+
115 /*
116 Output Postscript header.
117 */
118@@ -1564,8 +1643,9 @@ static MagickBooleanType WritePSImage(const ImageInfo *image_info,Image *image,
119 MagickPathExtent);
120 (void) WriteBlobString(image,buffer);
121 (void) WriteBlobString(image,"%%Creator: (ImageMagick)\n");
122+ FilenameToTitle(image->filename,title,MagickPathExtent);
123 (void) FormatLocaleString(buffer,MagickPathExtent,"%%%%Title: (%s)\n",
124- image->filename);
125+ title);
126 (void) WriteBlobString(image,buffer);
127 timer=GetMagickTime();
128 (void) FormatMagickTime(timer,sizeof(date),date);
129diff --git a/coders/ps2.c b/coders/ps2.c
130index f840782..10670a7 100644
131--- a/coders/ps2.c
132+++ b/coders/ps2.c
133@@ -225,6 +225,82 @@ static MagickBooleanType Huffman2DEncodeImage(const ImageInfo *image_info,
134 return(status);
135 }
136
137+static inline void FilenameToTitle(const char *filename,char *title,
138+ const size_t extent)
139+{
140+ int
141+ depth = 0;
142+
143+ ssize_t
144+ i,
145+ offset = 0;
146+
147+ if (extent == 0)
148+ return;
149+ for (i=0; (filename[i] != '\0') && ((offset+1) < (ssize_t) extent); i++)
150+ {
151+ unsigned char
152+ c = filename[i];
153+
154+ /*
155+ Only allow printable ASCII.
156+ */
157+ if ((c < 32) || (c > 126))
158+ {
159+ title[offset++]='_';
160+ continue;
161+ }
162+ /*
163+ Percent signs break DSC parsing.
164+ */
165+ if (c == '%')
166+ {
167+ title[offset++]='_';
168+ continue;
169+ }
170+ /*
171+ Parentheses must remain balanced.
172+ */
173+ if (c == '(')
174+ {
175+ depth++;
176+ title[offset++] = '(';
177+ continue;
178+ }
179+ if (c == ')')
180+ {
181+ if (depth <= 0)
182+ title[offset++]='_';
183+ else
184+ {
185+ depth--;
186+ title[offset++]=')';
187+ }
188+ continue;
189+ }
190+ /*
191+ Everything else is allowed.
192+ */
193+ title[offset++]=c;
194+ }
195+ /*
196+ If parentheses remain unbalanced, close them.
197+ */
198+ while ((depth > 0) && ((offset+1) < (ssize_t) extent)) {
199+ title[offset++]=')';
200+ depth--;
201+ }
202+ title[offset]='\0';
203+ /*
204+ Ensure non-empty result.
205+ */
206+ if (offset == 0)
207+ {
208+ (void) CopyMagickString(title,"Untitled",extent-1);
209+ title[extent-1]='\0';
210+ }
211+}
212+
213 static MagickBooleanType WritePS2Image(const ImageInfo *image_info,Image *image,
214 ExceptionInfo *exception)
215 {
216@@ -547,6 +623,9 @@ static MagickBooleanType WritePS2Image(const ImageInfo *image_info,Image *image,
217 text_size=(size_t) (MultilineCensus(value)*pointsize+12);
218 if (page == 1)
219 {
220+ char
221+ title[MagickPathExtent];
222+
223 /*
224 Output Postscript header.
225 */
226@@ -557,8 +636,9 @@ static MagickBooleanType WritePS2Image(const ImageInfo *image_info,Image *image,
227 MagickPathExtent);
228 (void) WriteBlobString(image,buffer);
229 (void) WriteBlobString(image,"%%Creator: (ImageMagick)\n");
230+ FilenameToTitle(image->filename,title,MagickPathExtent);
231 (void) FormatLocaleString(buffer,MagickPathExtent,"%%%%Title: (%s)\n",
232- image->filename);
233+ title);
234 (void) WriteBlobString(image,buffer);
235 timer=GetMagickTime();
236 (void) FormatMagickTime(timer,sizeof(date),date);
237diff --git a/coders/ps3.c b/coders/ps3.c
238index d3e870c..b135b46 100644
239--- a/coders/ps3.c
240+++ b/coders/ps3.c
241@@ -203,6 +203,82 @@ ModuleExport void UnregisterPS3Image(void)
242 %
243 */
244
245+static inline void FilenameToTitle(const char *filename,char *title,
246+ const size_t extent)
247+{
248+ int
249+ depth = 0;
250+
251+ ssize_t
252+ i,
253+ offset = 0;
254+
255+ if (extent == 0)
256+ return;
257+ for (i=0; (filename[i] != '\0') && ((offset+1) < (ssize_t) extent); i++)
258+ {
259+ unsigned char
260+ c = filename[i];
261+
262+ /*
263+ Only allow printable ASCII.
264+ */
265+ if ((c < 32) || (c > 126))
266+ {
267+ title[offset++]='_';
268+ continue;
269+ }
270+ /*
271+ Percent signs break DSC parsing.
272+ */
273+ if (c == '%')
274+ {
275+ title[offset++]='_';
276+ continue;
277+ }
278+ /*
279+ Parentheses must remain balanced.
280+ */
281+ if (c == '(')
282+ {
283+ depth++;
284+ title[offset++] = '(';
285+ continue;
286+ }
287+ if (c == ')')
288+ {
289+ if (depth <= 0)
290+ title[offset++]='_';
291+ else
292+ {
293+ depth--;
294+ title[offset++]=')';
295+ }
296+ continue;
297+ }
298+ /*
299+ Everything else is allowed.
300+ */
301+ title[offset++]=c;
302+ }
303+ /*
304+ If parentheses remain unbalanced, close them.
305+ */
306+ while ((depth > 0) && ((offset+1) < (ssize_t) extent)) {
307+ title[offset++]=')';
308+ depth--;
309+ }
310+ title[offset]='\0';
311+ /*
312+ Ensure non-empty result.
313+ */
314+ if (offset == 0)
315+ {
316+ (void) CopyMagickString(title,"Untitled",extent-1);
317+ title[extent-1]='\0';
318+ }
319+}
320+
321 static MagickBooleanType Huffman2DEncodeImage(const ImageInfo *image_info,
322 Image *image,Image *inject_image,ExceptionInfo *exception)
323 {
324@@ -1007,6 +1083,9 @@ static MagickBooleanType WritePS3Image(const ImageInfo *image_info,Image *image,
325 is_gray=IdentifyImageCoderGray(image,exception);
326 if (page == 1)
327 {
328+ char
329+ title[MagickPathExtent];
330+
331 /*
332 Postscript header on the first page.
333 */
334@@ -1019,8 +1098,9 @@ static MagickBooleanType WritePS3Image(const ImageInfo *image_info,Image *image,
335 (void) FormatLocaleString(buffer,MagickPathExtent,
336 "%%%%Creator: ImageMagick %s\n",MagickLibVersionText);
337 (void) WriteBlobString(image,buffer);
338+ FilenameToTitle(image->filename,title,MagickPathExtent);
339 (void) FormatLocaleString(buffer,MagickPathExtent,"%%%%Title: %s\n",
340- image->filename);
341+ title);
342 (void) WriteBlobString(image,buffer);
343 timer=GetMagickTime();
344 (void) FormatMagickTime(timer,sizeof(date),date);
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25797_2.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25797_2.patch
new file mode 100644
index 0000000000..a1872b7ee9
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25797_2.patch
@@ -0,0 +1,143 @@
1From: Dirk Lemstra <dirk@lemstra.org>
2Date: Fri, 20 Feb 2026 14:08:15 +0100
3Subject: Properly escape the strings that are written as raw html
4 (GHSA-rw6c-xp26-225v)
5
6(cherry picked from commit 81129f79ad622ff4c1d729828a34ab0f49ec89f6)
7
8CVE: CVE-2026-25797
9Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/81129f79ad622ff4c1d729828a34ab0f49ec89f6]
10
11origin: https://github.com/ImageMagick/ImageMagick/commit/81129f79ad622ff4c1d729828a34ab0f49ec89f6
12bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-rw6c-xp26-225v
13
14Signed-off-by: Naman Jain <namanj1@kpit.com>
15---
16 coders/html.c | 65 +++++++++++++++++++++++++++++++++++------------------------
17 1 file changed, 39 insertions(+), 26 deletions(-)
18
19diff --git a/coders/html.c b/coders/html.c
20index 739cb12..1e171cb 100644
21--- a/coders/html.c
22+++ b/coders/html.c
23@@ -204,6 +204,21 @@ ModuleExport void UnregisterHTMLImage(void)
24 %
25 */
26
27+static void WriteHtmlEncodedString(Image *image,const char* value)
28+{
29+ char
30+ *encoded_value;
31+
32+ encoded_value=AcquireString(value);
33+ (void) SubstituteString(&encoded_value,"<","&lt;");
34+ (void) SubstituteString(&encoded_value,">","&gt;");
35+ (void) SubstituteString(&encoded_value,"&","&amp;");
36+ (void) SubstituteString(&encoded_value,"\"","&quot;");
37+ (void) SubstituteString(&encoded_value,"'","&apos;");
38+ WriteBlobString(image,encoded_value);
39+ encoded_value=DestroyString(encoded_value);
40+}
41+
42 static ssize_t WriteURLComponent(Image *image,const int c)
43 {
44 char
45@@ -318,29 +333,29 @@ static MagickBooleanType WriteHTMLImage(const ImageInfo *image_info,
46 "\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n");
47 (void) WriteBlobString(image,"<html>\n");
48 (void) WriteBlobString(image,"<head>\n");
49+ (void) WriteBlobString(image,"<title>");
50 value=GetImageProperty(image,"label",exception);
51 if (value != (const char *) NULL)
52- (void) FormatLocaleString(buffer,MagickPathExtent,"<title>%s</title>\n",
53- value);
54+ WriteHtmlEncodedString(image,value);
55 else
56 {
57 GetPathComponent(filename,BasePath,basename);
58- (void) FormatLocaleString(buffer,MagickPathExtent,
59- "<title>%s</title>\n",basename);
60+ WriteHtmlEncodedString(image,basename);
61 }
62- (void) WriteBlobString(image,buffer);
63+ (void) WriteBlobString(image,"</title>\n");
64 (void) WriteBlobString(image,"</head>\n");
65 (void) WriteBlobString(image,"<body style=\"text-align: center;\">\n");
66- (void) FormatLocaleString(buffer,MagickPathExtent,"<h1>%s</h1>\n",
67- image->filename);
68- (void) WriteBlobString(image,buffer);
69+ (void) WriteBlobString(image,"<h1>");
70+ WriteHtmlEncodedString(image,image->filename);
71+ (void) WriteBlobString(image,"</h1>");
72 (void) WriteBlobString(image,"<div>\n");
73 (void) CopyMagickString(filename,image->filename,MagickPathExtent);
74 AppendImageFormat("png",filename);
75- (void) FormatLocaleString(buffer,MagickPathExtent,"<img usemap=\"#%s\" "
76- "src=\"%s\" style=\"border: 0;\" alt=\"Image map\" />\n",mapname,
77- filename);
78- (void) WriteBlobString(image,buffer);
79+ (void) WriteBlobString(image,"<img usemap=\"#");
80+ WriteHtmlEncodedString(image,mapname);
81+ (void) WriteBlobString(image,"\" src=\"");
82+ WriteHtmlEncodedString(image,filename);
83+ (void) WriteBlobString(image,"\" style=\"border: 0;\" alt=\"Image map\" />\n");
84 /*
85 Determine the size and location of each image tile.
86 */
87@@ -350,18 +365,18 @@ static MagickBooleanType WriteHTMLImage(const ImageInfo *image_info,
88 /*
89 Write an image map.
90 */
91- (void) FormatLocaleString(buffer,MagickPathExtent,
92- "<map id=\"%s\" name=\"%s\">\n",mapname,mapname);
93- (void) WriteBlobString(image,buffer);
94- (void) FormatLocaleString(buffer,MagickPathExtent," <area href=\"%s",
95- url);
96- (void) WriteBlobString(image,buffer);
97+ (void) WriteBlobString(image,"<map id=\"");
98+ WriteHtmlEncodedString(image,mapname);
99+ (void) WriteBlobString(image,"\" name=\"");
100+ WriteHtmlEncodedString(image,mapname);
101+ (void) WriteBlobString(image,"\">\n<area href=\"");
102+ WriteHtmlEncodedString(image,url);
103 if (image->directory == (char *) NULL)
104 {
105+ WriteHtmlEncodedString(image,image->filename);
106 (void) FormatLocaleString(buffer,MagickPathExtent,
107- "%s\" shape=\"rect\" coords=\"0,0,%.20g,%.20g\" alt=\"\" />\n",
108- image->filename,(double) geometry.width-1,(double) geometry.height-
109- 1);
110+ "\" shape=\"rect\" coords=\"0,0,%.20g,%.20g\" alt=\"\" />\n",
111+ (double) geometry.width-1,(double) geometry.height-1);
112 (void) WriteBlobString(image,buffer);
113 }
114 else
115@@ -378,9 +393,9 @@ static MagickBooleanType WriteHTMLImage(const ImageInfo *image_info,
116 (void) WriteBlobString(image,buffer);
117 if (*(p+1) != '\0')
118 {
119- (void) FormatLocaleString(buffer,MagickPathExtent,
120- " <area href=%s\"",url);
121- (void) WriteBlobString(image,buffer);
122+ (void) WriteBlobString(image," <area href=\"");
123+ WriteHtmlEncodedString(image,url);
124+ (void) WriteBlobString(image,"\"");
125 }
126 geometry.x+=(ssize_t) geometry.width;
127 if ((geometry.x+4) >= (ssize_t) image->columns)
128@@ -390,7 +405,6 @@ static MagickBooleanType WriteHTMLImage(const ImageInfo *image_info,
129 }
130 }
131 (void) WriteBlobString(image,"</map>\n");
132- (void) CopyMagickString(filename,image->filename,MagickPathExtent);
133 (void) WriteBlobString(image,"</div>\n");
134 (void) WriteBlobString(image,"</body>\n");
135 (void) WriteBlobString(image,"</html>\n");
136@@ -398,7 +412,6 @@ static MagickBooleanType WriteHTMLImage(const ImageInfo *image_info,
137 /*
138 Write the image as PNG.
139 */
140- (void) CopyMagickString(image->filename,filename,MagickPathExtent);
141 AppendImageFormat("png",image->filename);
142 next=GetNextImageInList(image);
143 image->next=NewImageList();
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25798.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25798.patch
new file mode 100644
index 0000000000..18758b625b
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25798.patch
@@ -0,0 +1,109 @@
1From: Cristy <urban-warrior@imagemagick.org>
2From: Naman Jain <namanj1@kpit.com>
3Date: Sun, 1 Feb 2026 14:56:14 -0500
4Subject: [PATCH] CVE-2026-25798
5https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p863-5fgm-rgq4
6
7a NULL pointer dereference in ClonePixelCacheRepository allows a remote attacker to crash any application linked against ImageMagick by supplying a crafted image file, resulting in denial of service.
8
9(cherry picked from commit 16dd3158ce197c6f65e7798a7a5cc4538bb0303e)
10
11CVE: CVE-2026-25798
12Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/16dd3158ce197c6f65e7798a7a5cc4538bb0303e]
13
14bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p863-5fgm-rgq4
15origin: https://github.com/ImageMagick/ImageMagick/commit/16dd3158ce197c6f65e7798a7a5cc4538bb0303e
16
17Signed-off-by: Naman Jain <namanj1@kpit.com>
18---
19 MagickCore/cache.c | 37 +++++++++++++++++++++++++++++++++----
20 coders/sixel.c | 4 ++--
21 2 files changed, 35 insertions(+), 6 deletions(-)
22
23diff --git a/MagickCore/cache.c b/MagickCore/cache.c
24index 8df6945..5a36189 100644
25--- a/MagickCore/cache.c
26+++ b/MagickCore/cache.c
27@@ -3500,6 +3500,25 @@ static MagickBooleanType MaskPixelCacheNexus(Image *image,NexusInfo *nexus_info,
28 %
29 */
30
31+static inline MagickBooleanType CacheOverflowSanityCheckGetSize(
32+ const MagickSizeType count,const size_t quantum,MagickSizeType *const extent)
33+{
34+ MagickSizeType
35+ length;
36+
37+ if ((count == 0) || (quantum == 0))
38+ return(MagickTrue);
39+ length=count*quantum;
40+ if (quantum != (length/count))
41+ {
42+ errno=ENOMEM;
43+ return(MagickTrue);
44+ }
45+ if (extent != NULL)
46+ *extent=length;
47+ return(MagickFalse);
48+}
49+
50 static MagickBooleanType OpenPixelCacheOnDisk(CacheInfo *cache_info,
51 const MapMode mode)
52 {
53@@ -3650,7 +3669,7 @@ static MagickBooleanType OpenPixelCache(Image *image,const MapMode mode,
54 status;
55
56 MagickSizeType
57- length,
58+ length = 0,
59 number_pixels;
60
61 size_t
62@@ -3723,12 +3742,22 @@ static MagickBooleanType OpenPixelCache(Image *image,const MapMode mode,
63 packet_size=MagickMax(cache_info->number_channels,1)*sizeof(Quantum);
64 if (image->metacontent_extent != 0)
65 packet_size+=cache_info->metacontent_extent;
66- length=number_pixels*packet_size;
67+ if (CacheOverflowSanityCheckGetSize(number_pixels,packet_size,&length) != MagickFalse)
68+ {
69+ cache_info->storage_class=UndefinedClass;
70+ cache_info->length=0;
71+ ThrowBinaryException(ResourceLimitError,"PixelCacheAllocationFailed",
72+ image->filename);
73+ }
74 columns=(size_t) (length/cache_info->rows/packet_size);
75 if ((cache_info->columns != columns) || ((ssize_t) cache_info->columns < 0) ||
76 ((ssize_t) cache_info->rows < 0))
77- ThrowBinaryException(ResourceLimitError,"PixelCacheAllocationFailed",
78- image->filename);
79+ {
80+ cache_info->storage_class=UndefinedClass;
81+ cache_info->length=0;
82+ ThrowBinaryException(ResourceLimitError,"PixelCacheAllocationFailed",
83+ image->filename);
84+ }
85 cache_info->length=length;
86 if (image->ping != MagickFalse)
87 {
88diff --git a/coders/sixel.c b/coders/sixel.c
89index 08ca474..11d857d 100644
90--- a/coders/sixel.c
91+++ b/coders/sixel.c
92@@ -544,7 +544,7 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p,
93 if (max_x < position_x)
94 max_x = position_x;
95 if (max_y < (position_y + i))
96- max_y = position_y + i;
97+ max_y = (int) (position_y + i);
98 }
99 sixel_vertical_mask <<= 1;
100 }
101@@ -577,7 +577,7 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p,
102 if (max_x < (position_x+repeat_count-1))
103 max_x = position_x+repeat_count-1;
104 if (max_y < (position_y+i+n-1))
105- max_y = position_y+i+n-1;
106+ max_y = (int) (position_y+i+n-1);
107 i+=(n-1);
108 sixel_vertical_mask <<= (n-1);
109 }
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25799.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25799.patch
new file mode 100644
index 0000000000..8dc511d2a4
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25799.patch
@@ -0,0 +1,42 @@
1From: Cristy <urban-warrior@imagemagick.org>
2Date: Sat, 31 Jan 2026 12:56:17 -0500
3Subject: [PATCH] CVE-2026-25798
4https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-543g-8grm-9cw6
5
6a logic error in YUV sampling factor validation allows an invalid sampling factor to bypass checks and trigger a division-by-zero during image loading, resulting in a reliable denial-of-service.
7
8(cherry picked from commit 412f3c8bc1d3b6890aad72376cd992c9b5177037)
9
10CVE: CVE-2026-25799
11Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/412f3c8bc1d3b6890aad72376cd992c9b5177037]
12
13origin: https://github.com/ImageMagick/ImageMagick/commit/412f3c8bc1d3b6890aad72376cd992c9b5177037
14bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-543g-8grm-9cw6
15
16Signed-off-by: Naman Jain <namanj1@kpit.com>
17---
18 coders/yuv.c | 4 ++--
19 1 file changed, 2 insertions(+), 2 deletions(-)
20
21diff --git a/coders/yuv.c b/coders/yuv.c
22index a1d5bf1..1817c43 100644
23--- a/coders/yuv.c
24+++ b/coders/yuv.c
25@@ -165,7 +165,7 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception)
26 vertical_factor=horizontal_factor;
27 if ((flags & SigmaValue) != 0)
28 vertical_factor=(ssize_t) geometry_info.sigma;
29- if ((horizontal_factor != 1) && (horizontal_factor != 2) &&
30+ if ((horizontal_factor != 1) && (horizontal_factor != 2) ||
31 (vertical_factor != 1) && (vertical_factor != 2))
32 ThrowReaderException(CorruptImageError,"UnexpectedSamplingFactor");
33 }
34@@ -670,7 +670,7 @@ static MagickBooleanType WriteYUVImage(const ImageInfo *image_info,Image *image,
35 vertical_factor=horizontal_factor;
36 if ((flags & SigmaValue) != 0)
37 vertical_factor=(ssize_t) geometry_info.sigma;
38- if ((horizontal_factor != 1) && (horizontal_factor != 2) &&
39+ if ((horizontal_factor != 1) && (horizontal_factor != 2) ||
40 (vertical_factor != 1) && (vertical_factor != 2))
41 ThrowWriterException(CorruptImageError,"UnexpectedSamplingFactor");
42 }
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25897.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25897.patch
new file mode 100644
index 0000000000..f1db20a6ad
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25897.patch
@@ -0,0 +1,34 @@
1From: Dirk Lemstra <dirk@lemstra.org>
2Date: Fri, 6 Feb 2026 22:21:19 +0100
3Subject: Added extra check to prevent out of bounds heap write on 32-bit
4 systems (GHSA-6j5f-24fw-pqp4)
5
6(cherry picked from commit 23fde73188ea32c15b607571775d4f92bdb75e60)
7
8CVE: CVE-2026-25897
9Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/23fde73188ea32c15b607571775d4f92bdb75e60]
10
11origin: https://github.com/ImageMagick/ImageMagick/commit/23fde73188ea32c15b607571775d4f92bdb75e60
12bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6j5f-24fw-pqp4
13
14Signed-off-by: Naman Jain <namanj1@kpit.com>
15---
16 coders/sun.c | 5 +++++
17 1 file changed, 5 insertions(+)
18
19diff --git a/coders/sun.c b/coders/sun.c
20index f1452c5..76d7607 100644
21--- a/coders/sun.c
22+++ b/coders/sun.c
23@@ -470,6 +470,11 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
24 sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
25 ThrowReaderException(ResourceLimitError,"ImproperImageHeader");
26 }
27+ if (image->rows > (MAGICK_SIZE_MAX - pixels_length))
28+ {
29+ sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
30+ ThrowReaderException(ResourceLimitError,"ImproperImageHeader");
31+ }
32 sun_pixels=(unsigned char *) AcquireQuantumMemory(pixels_length+image->rows,
33 sizeof(*sun_pixels));
34 if (sun_pixels == (unsigned char *) NULL)
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25898_1.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25898_1.patch
new file mode 100644
index 0000000000..8e68732131
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25898_1.patch
@@ -0,0 +1,39 @@
1From: Dirk Lemstra <dirk@lemstra.org>
2Date: Fri, 6 Feb 2026 20:55:43 +0100
3Subject: Fixed out of bound read with negative pixel index
4 (GHSA-vpxv-r9pg-7gpr)
5
6(cherry picked from commit c9c87dbaba56bf82aebd3392e11f0ffd93709b12)
7
8CVE: CVE-2026-25898
9Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/c9c87dbaba56bf82aebd3392e11f0ffd93709b12]
10
11origin: https://github.com/ImageMagick/ImageMagick/commit/c9c87dbaba56bf82aebd3392e11f0ffd93709b12
12bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vpxv-r9pg-7gpr
13
14Signed-off-by: Naman Jain <namanj1@kpit.com>
15---
16 coders/uil.c | 7 +++++--
17 1 file changed, 5 insertions(+), 2 deletions(-)
18
19diff --git a/coders/uil.c b/coders/uil.c
20index 74c45c7..ffcab49 100644
21--- a/coders/uil.c
22+++ b/coders/uil.c
23@@ -352,11 +352,14 @@ static MagickBooleanType WriteUILImage(const ImageInfo *image_info,Image *image,
24 for (x=0; x < (ssize_t) image->columns; x++)
25 {
26 k=((ssize_t) GetPixelIndex(image,p) % MaxCixels);
27+ if (k < 0)
28+ k=0;
29 symbol[0]=Cixel[k];
30 for (j=1; j < (int) characters_per_pixel; j++)
31 {
32- k=(((int) GetPixelIndex(image,p)-k)/MaxCixels) %
33- MaxCixels;
34+ k=(((int) GetPixelIndex(image,p)-k)/MaxCixels) % MaxCixels;
35+ if (k < 0)
36+ k=0;
37 symbol[j]=Cixel[k];
38 }
39 symbol[j]='\0';
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25898_2.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25898_2.patch
new file mode 100644
index 0000000000..563d5612b0
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25898_2.patch
@@ -0,0 +1,37 @@
1From: Dirk Lemstra <dirk@lemstra.org>
2Date: Sun, 8 Feb 2026 14:15:46 +0100
3Subject: Fixed out of bound read with negative pixel index
4 (GHSA-vpxv-r9pg-7gpr)
5
6(cherry picked from commit 21525d8f27b86e8063fe359616086fd6b71eb05b)
7
8CVE: CVE-2026-25898
9Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/21525d8f27b86e8063fe359616086fd6b71eb05b]
10
11origin: https://github.com/ImageMagick/ImageMagick/commit/21525d8f27b86e8063fe359616086fd6b71eb05b
12bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vpxv-r9pg-7gpr
13
14Signed-off-by: Naman Jain <namanj1@kpit.com>
15---
16 coders/xpm.c | 4 ++++
17 1 file changed, 4 insertions(+)
18
19diff --git a/coders/xpm.c b/coders/xpm.c
20index 1dda89f..4a77b48 100644
21--- a/coders/xpm.c
22+++ b/coders/xpm.c
23@@ -1131,10 +1131,14 @@ static MagickBooleanType WriteXPMImage(const ImageInfo *image_info,Image *image,
24 for (x=0; x < (ssize_t) image->columns; x++)
25 {
26 k=((ssize_t) GetPixelIndex(image,p) % MaxCixels);
27+ if (k < 0)
28+ k=0;
29 symbol[0]=Cixel[k];
30 for (j=1; j < (ssize_t) characters_per_pixel; j++)
31 {
32 k=(((int) GetPixelIndex(image,p)-k)/MaxCixels) % MaxCixels;
33+ if (k < 0)
34+ k=0;
35 symbol[j]=Cixel[k];
36 }
37 symbol[j]='\0';
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25965.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25965.patch
new file mode 100644
index 0000000000..d57b62e83a
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25965.patch
@@ -0,0 +1,322 @@
1From: Dirk Lemstra <dirk@lemstra.org>
2Date: Tue, 3 Feb 2026 21:09:59 +0100
3Subject: Prevent path traversal of paths that are blocked in the security
4 policy (GHSA-8jvj-p28h-9gm7)
5
6(cherry picked from commit 4a9dc1075dcad3ab0579e1b37dbe854c882699a5)
7
8CVE: CVE-2026-25965
9Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/4a9dc1075dcad3ab0579e1b37dbe854c882699a5]
10
11origin: backport, https://github.com/ImageMagick/ImageMagick/commit/4a9dc1075dcad3ab0579e1b37dbe854c882699a5
12bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8jvj-p28h-9gm7
13
14Signed-off-by: Naman Jain <namanj1@kpit.com>
15---
16 MagickCore/module.c | 11 +++--
17 MagickCore/policy.c | 39 ++++++++++-----
18 MagickCore/token.c | 2 +
19 MagickCore/utility-private.h | 115 +++++++++++++++++++++++++++++++++++++++++++
20 MagickCore/utility.c | 28 +++++++----
21 5 files changed, 169 insertions(+), 26 deletions(-)
22
23diff --git a/MagickCore/module.c b/MagickCore/module.c
24index e36214d..5332a71 100644
25--- a/MagickCore/module.c
26+++ b/MagickCore/module.c
27@@ -584,15 +584,16 @@ static MagickBooleanType GetMagickModulePath(const char *filename,
28 (void) ConcatenateMagickString(path,DirectorySeparator,
29 MagickPathExtent);
30 (void) ConcatenateMagickString(path,filename,MagickPathExtent);
31-#if defined(MAGICKCORE_HAVE_REALPATH)
32 {
33 char
34- resolved_path[PATH_MAX+1];
35+ *real_path = realpath_utf8(path);
36
37- if (realpath(path,resolved_path) != (char *) NULL)
38- (void) CopyMagickString(path,resolved_path,MagickPathExtent);
39+ if (real_path != (char *) NULL)
40+ {
41+ (void) CopyMagickString(path,real_path,MagickPathExtent);
42+ real_path=DestroyString(real_path);
43+ }
44 }
45-#endif
46 if (IsPathAccessible(path) != MagickFalse)
47 {
48 module_path=DestroyString(module_path);
49diff --git a/MagickCore/policy.c b/MagickCore/policy.c
50index 8cfcee0..0e036c0 100644
51--- a/MagickCore/policy.c
52+++ b/MagickCore/policy.c
53@@ -640,6 +640,9 @@ static MagickBooleanType IsPolicyCacheInstantiated(ExceptionInfo *exception)
54 MagickExport MagickBooleanType IsRightsAuthorized(const PolicyDomain domain,
55 const PolicyRights rights,const char *pattern)
56 {
57+ char
58+ *real_pattern = (char *) NULL;
59+
60 const PolicyInfo
61 *policy_info;
62
63@@ -647,7 +650,8 @@ MagickExport MagickBooleanType IsRightsAuthorized(const PolicyDomain domain,
64 *exception;
65
66 MagickBooleanType
67- authorized;
68+ authorized,
69+ match;
70
71 ElementInfo
72 *p;
73@@ -671,22 +675,33 @@ MagickExport MagickBooleanType IsRightsAuthorized(const PolicyDomain domain,
74 *policy;
75
76 policy=(const PolicyInfo *) p->value;
77- if ((policy->domain == domain) &&
78- (GlobExpression(pattern,policy->pattern,MagickFalse) != MagickFalse))
79+ if (policy->domain == domain)
80 {
81- if ((rights & ReadPolicyRights) != 0)
82- authorized=(policy->rights & ReadPolicyRights) != 0 ? MagickTrue :
83- MagickFalse;
84- if ((rights & WritePolicyRights) != 0)
85- authorized=(policy->rights & WritePolicyRights) != 0 ? MagickTrue :
86- MagickFalse;
87- if ((rights & ExecutePolicyRights) != 0)
88- authorized=(policy->rights & ExecutePolicyRights) != 0 ? MagickTrue :
89- MagickFalse;
90+ if ((policy->domain == PathPolicyDomain) &&
91+ (real_pattern == (const char *) NULL))
92+ real_pattern=realpath_utf8(pattern);
93+ if (real_pattern != (char*) NULL)
94+ match=GlobExpression(real_pattern,policy->pattern,MagickFalse);
95+ else
96+ match=GlobExpression(pattern,policy->pattern,MagickFalse);
97+ if (match != MagickFalse)
98+ {
99+ if ((rights & ReadPolicyRights) != 0)
100+ authorized=(policy->rights & ReadPolicyRights) != 0 ? MagickTrue :
101+ MagickFalse;
102+ if ((rights & WritePolicyRights) != 0)
103+ authorized=(policy->rights & WritePolicyRights) != 0 ?
104+ MagickTrue : MagickFalse;
105+ if ((rights & ExecutePolicyRights) != 0)
106+ authorized=(policy->rights & ExecutePolicyRights) != 0 ?
107+ MagickTrue : MagickFalse;
108+ }
109 }
110 p=p->next;
111 }
112 UnlockSemaphoreInfo(policy_semaphore);
113+ if (real_pattern != (char *) NULL)
114+ real_pattern=DestroyString(real_pattern);
115 return(authorized);
116 }
117
118diff --git a/MagickCore/token.c b/MagickCore/token.c
119index 9763069..70085b4 100644
120--- a/MagickCore/token.c
121+++ b/MagickCore/token.c
122@@ -518,6 +518,7 @@ MagickExport MagickBooleanType GlobExpression(
123 target=DestroyString(target);
124 break;
125 }
126+#if !defined(MAGICKCORE_WINDOWS_SUPPORT) || defined(__CYGWIN__)
127 case '\\':
128 {
129 pattern+=GetUTFOctets(pattern);
130@@ -525,6 +526,7 @@ MagickExport MagickBooleanType GlobExpression(
131 break;
132 magick_fallthrough;
133 }
134+#endif
135 default:
136 {
137 if (case_insensitive != MagickFalse)
138diff --git a/MagickCore/utility-private.h b/MagickCore/utility-private.h
139index b3d951c..c28d4c5 100644
140--- a/MagickCore/utility-private.h
141+++ b/MagickCore/utility-private.h
142@@ -252,6 +252,121 @@ static inline FILE *popen_utf8(const char *command,const char *type)
143 #endif
144 }
145
146+static inline char *realpath_utf8(const char *path)
147+{
148+#if !defined(MAGICKCORE_WINDOWS_SUPPORT) || defined(__CYGWIN__)
149+#if defined(MAGICKCORE_HAVE_REALPATH)
150+ return(realpath(path,(char *) NULL));
151+#else
152+ return(AcquireString(path));
153+#endif
154+#else
155+ char
156+ *real_path;
157+
158+ DWORD
159+ final_path_length,
160+ full_path_length;
161+
162+ HANDLE
163+ file_handle;
164+
165+ int
166+ length,
167+ utf8_length;
168+
169+ wchar_t
170+ *clean_path,
171+ *full_path,
172+ *wide_path;
173+
174+ /*
175+ Convert UTF-8 to UTF-16.
176+ */
177+ if (path == (const char *) NULL)
178+ return((char *) NULL);
179+ length=MultiByteToWideChar(CP_UTF8,0,path,-1,NULL,0);
180+ if (length <= 0)
181+ return((char *) NULL);
182+ wide_path=(wchar_t *) AcquireQuantumMemory(length,sizeof(wchar_t));
183+ if (wide_path == (wchar_t *) NULL)
184+ return((char *) NULL);
185+ MultiByteToWideChar(CP_UTF8,0,path,-1,wide_path,length);
186+ /*
187+ Normalize syntactically.
188+ */
189+ full_path_length=GetFullPathNameW(wide_path,0,NULL,NULL);
190+ if (full_path_length == 0)
191+ {
192+ wide_path=(wchar_t *) RelinquishMagickMemory(wide_path);
193+ return((char *) NULL);
194+ }
195+ full_path=(wchar_t *) AcquireQuantumMemory(full_path_length,sizeof(wchar_t));
196+ if (full_path == (wchar_t *) NULL)
197+ {
198+ wide_path=(wchar_t *) RelinquishMagickMemory(wide_path);
199+ return((char *) NULL);
200+ }
201+ GetFullPathNameW(wide_path,full_path_length,full_path,NULL);
202+ wide_path=(wchar_t *) RelinquishMagickMemory(wide_path);
203+ /*
204+ Open the file/directory to resolve symlinks.
205+ */
206+ file_handle=CreateFileW(full_path,GENERIC_READ,FILE_SHARE_READ |
207+ FILE_SHARE_WRITE | FILE_SHARE_DELETE,NULL,OPEN_EXISTING,
208+ FILE_FLAG_BACKUP_SEMANTICS,NULL);
209+ if (file_handle != INVALID_HANDLE_VALUE)
210+ {
211+ /*
212+ Resolve final canonical path.
213+ */
214+ final_path_length=GetFinalPathNameByHandleW(file_handle,NULL,0,
215+ FILE_NAME_NORMALIZED);
216+ if (final_path_length == 0)
217+ {
218+ CloseHandle(file_handle);
219+ full_path=(wchar_t *) RelinquishMagickMemory(full_path);
220+ return((char *) NULL);
221+ }
222+ full_path=(wchar_t *) RelinquishMagickMemory(full_path);
223+ full_path=(wchar_t *) AcquireQuantumMemory(final_path_length,
224+ sizeof(wchar_t));
225+ if (full_path == (wchar_t *) NULL)
226+ {
227+ CloseHandle(file_handle);
228+ return((char *) NULL);
229+ }
230+ GetFinalPathNameByHandleW(file_handle,full_path,final_path_length,
231+ FILE_NAME_NORMALIZED);
232+ CloseHandle(file_handle);
233+ }
234+ /*
235+ Remove \\?\ prefix for POSIX-like behavior.
236+ */
237+ clean_path=full_path;
238+ if (wcsncmp(full_path,L"\\\\?\\",4) == 0)
239+ clean_path=full_path+4;
240+ /*
241+ Convert UTF-16 to UTF-8.
242+ */
243+ utf8_length=WideCharToMultiByte(CP_UTF8,0,clean_path,-1,NULL,0,NULL,NULL);
244+ if (utf8_length <= 0)
245+ {
246+ full_path=(wchar_t *) RelinquishMagickMemory(full_path);
247+ return NULL;
248+ }
249+ real_path=(char *) AcquireQuantumMemory(utf8_length,sizeof(char));
250+ if (real_path == (char *) NULL)
251+ {
252+ full_path=(wchar_t *) RelinquishMagickMemory(full_path);
253+ return NULL;
254+ }
255+ WideCharToMultiByte(CP_UTF8,0,clean_path,-1,real_path,utf8_length,NULL,NULL);
256+ full_path=(wchar_t *) RelinquishMagickMemory(full_path);
257+ return(real_path);
258+#endif
259+}
260+
261 static inline int remove_utf8(const char *path)
262 {
263 #if !defined(MAGICKCORE_WINDOWS_SUPPORT) || defined(__CYGWIN__)
264diff --git a/MagickCore/utility.c b/MagickCore/utility.c
265index bbeef37..4fd6e9c 100644
266--- a/MagickCore/utility.c
267+++ b/MagickCore/utility.c
268@@ -1042,16 +1042,23 @@ MagickPrivate MagickBooleanType GetExecutionPath(char *path,const size_t extent)
269 #if defined(MAGICKCORE_HAVE__NSGETEXECUTABLEPATH)
270 {
271 char
272- executable_path[PATH_MAX << 1],
273- execution_path[PATH_MAX+1];
274+ executable_path[PATH_MAX << 1];
275
276 uint32_t
277 length;
278
279 length=sizeof(executable_path);
280- if ((_NSGetExecutablePath(executable_path,&length) == 0) &&
281- (realpath(executable_path,execution_path) != (char *) NULL))
282- (void) CopyMagickString(path,execution_path,extent);
283+ if (_NSGetExecutablePath(executable_path,&length) == 0)
284+ {
285+ char
286+ *real_path = realpath_utf8(executable_path);
287+
288+ if (real_path != (char *) NULL)
289+ {
290+ (void) CopyMagickString(path,real_path,extent);
291+ real_path=DestroyString(real_path);
292+ }
293+ }
294 }
295 #endif
296 #if defined(MAGICKCORE_HAVE_GETEXECNAME)
297@@ -1097,10 +1104,13 @@ MagickPrivate MagickBooleanType GetExecutionPath(char *path,const size_t extent)
298 if (count != -1)
299 {
300 char
301- execution_path[PATH_MAX+1];
302+ *real_path = realpath_utf8(program_name);
303
304- if (realpath(program_name,execution_path) != (char *) NULL)
305- (void) CopyMagickString(path,execution_path,extent);
306+ if (real_path != (char *) NULL)
307+ {
308+ (void) CopyMagickString(path,real_path,extent);
309+ real_path=DestroyString(real_path);
310+ }
311 }
312 if (program_name != program_invocation_name)
313 program_name=(char *) RelinquishMagickMemory(program_name);
314@@ -1882,7 +1892,7 @@ MagickPrivate MagickBooleanType ShredFile(const char *path)
315 {
316 char
317 *property;
318-
319+
320 passes=0;
321 property=GetEnvironmentValue("MAGICK_SHRED_PASSES");
322 if (property != (char *) NULL)
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25966.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25966.patch
new file mode 100644
index 0000000000..324443e5f0
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25966.patch
@@ -0,0 +1,56 @@
1From: Dirk Lemstra <dirk@lemstra.org>
2Date: Tue, 3 Feb 2026 20:00:28 +0100
3Subject: Block reading from fd: in our more secure policies by default
4 (GHSA-xwc6-v6g8-pw2h)
5
6(cherry picked from commit 8d4c67a90ae458fb36393a05c0069e9123ac174c)
7
8CVE: CVE-2026-25966
9Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/8d4c67a90ae458fb36393a05c0069e9123ac174c]
10
11origin: backport, https://github.com/ImageMagick/ImageMagick/commit/8d4c67a90ae458fb36393a05c0069e9123ac174c
12bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xwc6-v6g8-pw2h
13
14Signed-off-by: Naman Jain <namanj1@kpit.com>
15---
16 config/policy-secure.xml | 1 +
17 config/policy-websafe.xml | 1 +
18 www/security-policy.html | 1 +
19 3 files changed, 3 insertions(+)
20
21diff --git a/config/policy-secure.xml b/config/policy-secure.xml
22index 0d312d2..4239822 100644
23--- a/config/policy-secure.xml
24+++ b/config/policy-secure.xml
25@@ -88,6 +88,7 @@
26 <policy domain="filter" rights="none" pattern="*"/>
27 <!-- Don't read/write from/to stdin/stdout. -->
28 <policy domain="path" rights="none" pattern="-"/>
29+ <policy domain="path" rights="none" pattern="fd:*"/>
30 <!-- don't read sensitive paths. -->
31 <policy domain="path" rights="none" pattern="/etc/*"/>
32 <!-- Indirect reads are not permitted. -->
33diff --git a/config/policy-websafe.xml b/config/policy-websafe.xml
34index 05327e3..544bf74 100644
35--- a/config/policy-websafe.xml
36+++ b/config/policy-websafe.xml
37@@ -84,6 +84,7 @@
38 <policy domain="filter" rights="none" pattern="*"/>
39 <!-- Don't read/write from/to stdin/stdout. -->
40 <policy domain="path" rights="none" pattern="-"/>
41+ <policy domain="path" rights="none" pattern="fd:*"/>
42 <!-- don't read sensitive paths. -->
43 <policy domain="path" rights="none" pattern="/etc/*"/>
44 <!-- Indirect reads are not permitted. -->
45diff --git a/www/security-policy.html b/www/security-policy.html
46index af8c206..b254962 100644
47--- a/www/security-policy.html
48+++ b/www/security-policy.html
49@@ -250,6 +250,7 @@
50 &lt;policy domain="filter" rights="none" pattern="*"/>
51 &lt;!-- Don't read/write from/to stdin/stdout. -->
52 &lt;policy domain="path" rights="none" pattern="-"/>
53+ &lt;policy domain="path" rights="none" pattern="fd:*"/>
54 &lt;!-- don't read sensitive paths. -->
55 &lt;policy domain="path" rights="none" pattern="/etc/*"/>
56 &lt;!-- Indirect reads are not permitted. -->
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25967.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25967.patch
new file mode 100644
index 0000000000..d9b7efc9c1
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25967.patch
@@ -0,0 +1,38 @@
1From: Cristy <urban-warrior@imagemagick.org>
2Date: Sat, 31 Jan 2026 12:59:33 -0500
3Subject: [PATCH] CVE-2026-25967
4 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-72hf-fj62-w6j4
5
6a stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash.
7
8(cherry picked from commit 9afe96cc325da1e4349fbd7418675af2f8708c10)
9
10CVE: CVE-2026-25967
11Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/9afe96cc325da1e4349fbd7418675af2f8708c10]
12
13origin: https://github.com/ImageMagick/ImageMagick/commit/9afe96cc325da1e4349fbd7418675af2f8708c10
14bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-72hf-fj62-w6j4
15
16Signed-off-by: Naman Jain <namanj1@kpit.com>
17---
18 coders/ftxt.c | 4 ++--
19 1 file changed, 2 insertions(+), 2 deletions(-)
20
21diff --git a/coders/ftxt.c b/coders/ftxt.c
22index d665bec..e9bb47f 100644
23--- a/coders/ftxt.c
24+++ b/coders/ftxt.c
25@@ -197,11 +197,11 @@ static int ReadInt(Image * image,MagickBooleanType *eofInp,int *chPushed,
26 if (p-buffer >= MaxTextExtent)
27 {
28 *eofInp=MagickTrue;
29- continue;
30+ break;
31 }
32 chIn=ReadChar(image,chPushed);
33 }
34- if (p==buffer)
35+ if (p == buffer)
36 {
37 *eofInp=MagickTrue;
38 return(0);
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25968.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25968.patch
new file mode 100644
index 0000000000..548c7e82f1
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25968.patch
@@ -0,0 +1,39 @@
1From: Dirk Lemstra <dirk@lemstra.org>
2Date: Tue, 3 Feb 2026 22:40:04 +0100
3Subject: Patch to resolve possible out of bounds write in the msl decoder
4 (GHSA-3mwp-xqp2-q6ph).
5
6(cherry picked from commit 56f02958890b820cf2d0a6ecb04eb6f58ea75628)
7
8CVE: CVE-2026-25968
9Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/56f02958890b820cf2d0a6ecb04eb6f58ea75628]
10
11origin: https://github.com/ImageMagick/ImageMagick/commit/56f02958890b820cf2d0a6ecb04eb6f58ea75628
12bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-3mwp-xqp2-q6ph
13
14Signed-off-by: Naman Jain <namanj1@kpit.com>
15---
16 coders/msl.c | 9 +++++----
17 1 file changed, 5 insertions(+), 4 deletions(-)
18
19diff --git a/coders/msl.c b/coders/msl.c
20index 9facbf2..4af3a71 100644
21--- a/coders/msl.c
22+++ b/coders/msl.c
23@@ -5827,11 +5827,12 @@ static void MSLStartElement(void *context,const xmlChar *tag,
24 Quantum opac = OpaqueAlpha;
25 ssize_t len = (ssize_t) strlen( value );
26
27- if (value[len-1] == '%') {
28- char tmp[100];
29+ if ((len > 0) && (value[len-1] == '%')) {
30+ char *tmp = AcquireString(value);
31 (void) CopyMagickString(tmp,value,(size_t) len);
32- opac = StringToLong( tmp );
33- opac = (int)(QuantumRange * ((float)opac/100));
34+ opac = (Quantum) StringToLong( tmp );
35+ tmp=DestroyString(tmp);
36+ opac = (Quantum)(QuantumRange * ((float)opac/100));
37 } else
38 opac = StringToLong( value );
39 (void) SetImageAlpha( msl_info->image[n], (Quantum) opac,
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25969.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25969.patch
new file mode 100644
index 0000000000..4432a5c9d8
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25969.patch
@@ -0,0 +1,63 @@
1From: Cristy <urban-warrior@imagemagick.org>
2Date: Wed, 28 Jan 2026 20:33:56 -0500
3Subject: [PATCH] CVE-2026-25969
4https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xgm3-v4r9-wfgm
5
6a memory leak exists in `coders/ashlar.c`. The `WriteASHLARImage` allocates a structure. However, when an exception is thrown, the allocated memory is not properly released, resulting in a potential memory leak.
7
8(cherry picked from commit a253d1b124ebdcc2832daac6f9a35c362635b40e)
9
10CVE: CVE-2026-25969
11Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/a253d1b124ebdcc2832daac6f9a35c362635b40e]
12
13[backport]
14- do not change border parameters, keep old parameter in patch context
15
16origin: backport, https://github.com/ImageMagick/ImageMagick/commit/a253d1b124ebdcc2832daac6f9a35c362635b40e
17bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xgm3-v4r9-wfgm
18
19Signed-off-by: Naman Jain <namanj1@kpit.com>
20---
21 coders/ashlar.c | 7 +++++--
22 1 file changed, 5 insertions(+), 2 deletions(-)
23
24diff --git a/coders/ashlar.c b/coders/ashlar.c
25index a44976f..1984215 100644
26--- a/coders/ashlar.c
27+++ b/coders/ashlar.c
28@@ -543,7 +543,8 @@ static Image *ASHLARImage(ImageInfo *image_info,Image *image,
29 geometry.height=(size_t) geometry.height/7;
30 geometry.x=(ssize_t) pow((double) geometry.width,0.25);
31 geometry.y=(ssize_t) pow((double) geometry.height,0.25);
32- image_info->extract=AcquireString("");
33+ if (image_info->extract == (char *) NULL)
34+ image_info->extract=AcquireString("");
35 if (image_info->extract != (char *) NULL)
36 (void) FormatLocaleString(image_info->extract,MagickPathExtent,
37 "%gx%g%+g%+g",(double) geometry.width,(double) geometry.height,
38@@ -707,7 +708,6 @@ static MagickBooleanType WriteASHLARImage(const ImageInfo *image_info,
39 if (value != (const char *) NULL)
40 tiles_per_page=(size_t) MagickMax(StringToInteger(value),1);
41 ashlar_images=NewImageList();
42- write_info=CloneImageInfo(image_info);
43 for (i=0; i < (ssize_t) GetImageListLength(image); i+=(ssize_t) tiles_per_page)
44 {
45 char
46@@ -726,7 +726,9 @@ static MagickBooleanType WriteASHLARImage(const ImageInfo *image_info,
47 ashlar_images=DestroyImageList(ashlar_images);
48 break;
49 }
50+ write_info=CloneImageInfo(image_info);
51 ashlar_image=ASHLARImage(write_info,clone_images,exception);
52+ write_info=DestroyImageInfo(write_info);
53 clone_images=DestroyImageList(clone_images);
54 if (ashlar_image == (Image *) NULL)
55 {
56@@ -741,6 +743,7 @@ static MagickBooleanType WriteASHLARImage(const ImageInfo *image_info,
57 ashlar_images=GetFirstImageInList(ashlar_images);
58 (void) CopyMagickString(ashlar_images->filename,image_info->filename,
59 MagickPathExtent);
60+ write_info=CloneImageInfo(image_info);
61 *write_info->magick='\0';
62 (void) SetImageInfo(write_info,(unsigned int)
63 GetImageListLength(ashlar_images),exception);
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25970.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25970.patch
new file mode 100644
index 0000000000..0483050a2b
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25970.patch
@@ -0,0 +1,139 @@
1From: Cristy <urban-warrior@imagemagick.org>
2Date: Sun, 1 Feb 2026 13:55:34 -0500
3Subject:
4 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xg29-8ghv-v4xr
5
6(cherry picked from commit 729253dc16e1a1ec4cac891a12d597e3fa9336b3)
7
8CVE: CVE-2026-25970
9Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/729253dc16e1a1ec4cac891a12d597e3fa9336b3]
10
11a signed integer overflow vulnerability in ImageMagick's SIXEL decoder allows an attacker to trigger memory corruption and denial of service when processing a maliciously crafted SIXEL image file. The vulnerability occurs during buffer reallocation operations where pointer arithmetic using signed 32-bit integers overflows
12
13origin: backport, https://github.com/ImageMagick/ImageMagick/commit/729253dc16e1a1ec4cac891a12d597e3fa9336b3
14bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xg29-8ghv-v4xr
15
16Signed-off-by: Naman Jain <namanj1@kpit.com>
17---
18 coders/sixel.c | 39 +++++++++++++++++++++------------------
19 1 file changed, 21 insertions(+), 18 deletions(-)
20
21diff --git a/coders/sixel.c b/coders/sixel.c
22index aa9ce70..a75ee32 100644
23--- a/coders/sixel.c
24+++ b/coders/sixel.c
25@@ -250,7 +250,6 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p,
26 c,
27 color_index,
28 g,
29- i,
30 n,
31 max_color_index,
32 max_x,
33@@ -261,23 +260,24 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p,
34 r,
35 repeat_count,
36 sixel_palet[SIXEL_PALETTE_MAX],
37- sixel_vertical_mask,
38- x,
39- y;
40+ sixel_vertical_mask;
41
42 sixel_pixel_t
43 *dmbuf,
44 *imbuf;
45
46 size_t
47- extent,
48- offset;
49+ extent;
50
51 ssize_t
52 dmsx,
53 dmsy,
54+ i,
55 imsx,
56- imsy;
57+ imsy,
58+ offset,
59+ x,
60+ y;
61
62 extent=strlen((char *) p);
63 position_x=position_y=0;
64@@ -294,7 +294,8 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p,
65 imsy=2048;
66 if (SetImageExtent(image,(size_t) imsx,(size_t) imsy,exception) == MagickFalse)
67 return(MagickFalse);
68- imbuf=(sixel_pixel_t *) AcquireQuantumMemory((size_t) imsx,(size_t) imsy*sizeof(sixel_pixel_t));
69+ imbuf=(sixel_pixel_t *) AcquireQuantumMemory((size_t) imsx,
70+ (size_t) imsy*sizeof(sixel_pixel_t));
71 if (imbuf == (sixel_pixel_t *) NULL)
72 return(MagickFalse);
73 for (n = 0; n < 16; n++)
74@@ -315,8 +316,8 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p,
75 sixel_palet[n++]=SIXEL_RGB(i*11,i*11,i*11);
76 for (; n < SIXEL_PALETTE_MAX; n++)
77 sixel_palet[n]=SIXEL_RGB(255,255,255);
78- for (i = 0; i < imsx * imsy; i++)
79- imbuf[i]=background_color_index;
80+ for (i = 0; i < (imsx*imsy); i++)
81+ imbuf[i]=(sixel_pixel_t) background_color_index;
82 while (*p != '\0')
83 {
84 if ((p[0] == '\033' && p[1] == 'P') || (*p == 0x90))
85@@ -409,7 +410,7 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p,
86 }
87 (void) memset(dmbuf,background_color_index,(size_t) dmsx*(size_t)
88 dmsy*sizeof(sixel_pixel_t));
89- for (y = 0; y < imsy; ++y)
90+ for (y=0; y < imsy; ++y)
91 (void) memcpy(dmbuf+dmsx*y,imbuf+imsx*y,(size_t) imsx*
92 sizeof(sixel_pixel_t));
93 imbuf=(sixel_pixel_t *) RelinquishMagickMemory(imbuf);
94@@ -486,7 +487,8 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p,
95 }
96 else if ((*p >= '?') && (*p <= '\177'))
97 {
98- if ((imsx < (position_x + repeat_count)) || (imsy < (position_y + 6)))
99+ if ((imsx < ((ssize_t) position_x+repeat_count)) ||
100+ (imsy < ((ssize_t) position_y+6)))
101 {
102 ssize_t
103 nx,
104@@ -495,7 +497,7 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p,
105 nx=imsx*2;
106 ny=imsy*2;
107
108- while ((nx < (position_x + repeat_count)) || (ny < (position_y + 6)))
109+ while ((nx < ((ssize_t) position_x+repeat_count)) || (ny < ((ssize_t) position_y+6)))
110 {
111 nx *= 2;
112 ny *= 2;
113@@ -535,9 +537,9 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p,
114 {
115 if ((b & sixel_vertical_mask) != 0)
116 {
117- offset=(size_t) (imsx*((ssize_t) position_y+i)+
118+ offset=(ssize_t) (imsx*((ssize_t) position_y+i)+
119 (ssize_t) position_x);
120- if (offset >= (size_t) (imsx*imsy))
121+ if (offset >= (imsx*imsy))
122 {
123 imbuf=(sixel_pixel_t *) RelinquishMagickMemory(imbuf);
124 return(MagickFalse);
125@@ -567,10 +569,11 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p,
126 }
127 for (y = position_y + i; y < position_y + i + n; ++y)
128 {
129- offset=(size_t) ((ssize_t) imsx*y+(ssize_t) position_x);
130- if ((offset+(size_t) repeat_count) >= (size_t) (imsx*imsy))
131+ offset=(imsx*y+position_x);
132+ if ((offset+repeat_count) >= (imsx*imsy))
133 {
134- imbuf=(sixel_pixel_t *) RelinquishMagickMemory(imbuf);
135+ imbuf=(sixel_pixel_t *)
136+ RelinquishMagickMemory(imbuf);
137 return(MagickFalse);
138 }
139 for (x = 0; x < repeat_count; x++)
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25970_pre1.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25970_pre1.patch
new file mode 100644
index 0000000000..15488934f4
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25970_pre1.patch
@@ -0,0 +1,57 @@
1From: Cristy <urban-warrior@imagemagick.org>
2Date: Wed, 28 Jan 2026 19:50:14 -0500
3Subject:
4 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xg29-8ghv-v4x
5
6This fix int to size_t and is needed for fully fix CVE-2026-25970
7
8CVE: CVE-2026-25970
9Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/266e59ed8d886a76355c863bd38ff5ac34537673]
10
11origin: backport, https://github.com/ImageMagick/ImageMagick/commit/266e59ed8d886a76355c863bd38ff5ac34537673
12(cherry picked from commit 266e59ed8d886a76355c863bd38ff5ac34537673)
13
14Signed-off-by: Naman Jain <namanj1@kpit.com>
15---
16 coders/sixel.c | 12 +++++++-----
17 1 file changed, 7 insertions(+), 5 deletions(-)
18
19diff --git a/coders/sixel.c b/coders/sixel.c
20index 11d857d..aa9ce70 100644
21--- a/coders/sixel.c
22+++ b/coders/sixel.c
23@@ -249,12 +249,8 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p,
24 background_color_index,
25 c,
26 color_index,
27- dmsx,
28- dmsy,
29 g,
30 i,
31- imsx,
32- imsy,
33 n,
34 max_color_index,
35 max_x,
36@@ -277,6 +273,12 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p,
37 extent,
38 offset;
39
40+ ssize_t
41+ dmsx,
42+ dmsy,
43+ imsx,
44+ imsy;
45+
46 extent=strlen((char *) p);
47 position_x=position_y=0;
48 max_x=max_y=0;
49@@ -486,7 +488,7 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p,
50 {
51 if ((imsx < (position_x + repeat_count)) || (imsy < (position_y + 6)))
52 {
53- int
54+ ssize_t
55 nx,
56 ny;
57
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25982.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25982.patch
new file mode 100644
index 0000000000..cd6074db97
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25982.patch
@@ -0,0 +1,77 @@
1From: Dirk Lemstra <dirk@lemstra.org>
2Date: Tue, 3 Feb 2026 21:53:39 +0100
3Subject: Added checks to prevent an out of bounds read (GHSA-pmq6-8289-hx3v)
4
5(cherry picked from commit 4e1f5381d4ccbb6b71927e94c5d257fa883b3af7)
6
7CVE: CVE-2026-25982
8Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/4e1f5381d4ccbb6b71927e94c5d257fa883b3af7]
9
10origin: https://github.com/ImageMagick/ImageMagick/commit/4e1f5381d4ccbb6b71927e94c5d257fa883b3af7
11bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pmq6-8289-hx3v
12
13Signed-off-by: Naman Jain <namanj1@kpit.com>
14---
15 coders/dcm.c | 18 +++++++++++++++---
16 1 file changed, 15 insertions(+), 3 deletions(-)
17
18diff --git a/coders/dcm.c b/coders/dcm.c
19index df45d71..fdd3b93 100644
20--- a/coders/dcm.c
21+++ b/coders/dcm.c
22@@ -2704,6 +2704,7 @@ typedef struct _DCMInfo
23
24 size_t
25 bits_allocated,
26+ bits_per_entry,
27 bytes_per_pixel,
28 depth,
29 mask,
30@@ -3158,6 +3159,7 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception)
31 */
32 (void) CopyMagickString(photometric,"MONOCHROME1 ",MagickPathExtent);
33 info.bits_allocated=8;
34+ info.bits_per_entry=1;
35 info.bytes_per_pixel=1;
36 info.depth=8;
37 info.mask=0xffff;
38@@ -3695,7 +3697,7 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception)
39 else
40 index=(unsigned short) (*p | (*(p+1) << 8));
41 map.red[i]=(int) index;
42- p+=(ptrdiff_t) 2;
43+ p+=(ptrdiff_t) info.bits_per_entry;
44 }
45 break;
46 }
47@@ -3727,7 +3729,7 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception)
48 else
49 index=(unsigned short) (*p | (*(p+1) << 8));
50 map.green[i]=(int) index;
51- p+=(ptrdiff_t) 2;
52+ p+=(ptrdiff_t) info.bits_per_entry;
53 }
54 break;
55 }
56@@ -3759,10 +3761,20 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception)
57 else
58 index=(unsigned short) (*p | (*(p+1) << 8));
59 map.blue[i]=(int) index;
60- p+=(ptrdiff_t) 2;
61+ p+=(ptrdiff_t) info.bits_per_entry;
62 }
63 break;
64 }
65+ case 0x3002:
66+ {
67+ /*
68+ Bytes per entry.
69+ */
70+ info.bits_per_entry=(size_t) datum;
71+ if ((info.bits_per_entry == 0) || (info.bits_per_entry > 2))
72+ ThrowDCMException(CorruptImageError,"ImproperImageHeader")
73+ break;
74+ }
75 default:
76 break;
77 }
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25985.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25985.patch
new file mode 100644
index 0000000000..e2f2093ad1
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25985.patch
@@ -0,0 +1,67 @@
1From: Cristy <urban-warrior@imagemagick.org>
2Date: Sat, 7 Feb 2026 22:30:57 -0500
3Subject:
4 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v7g2-m8c5-mf84
5
6a crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort.
7
8(cherry picked from commit 1a51eb9af00c36724660e294520878fd1f13e312)
9
10CVE: CVE-2026-25985
11Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/1a51eb9af00c36724660e294520878fd1f13e312]
12
13origin: https://github.com/ImageMagick/ImageMagick/commit/1a51eb9af00c36724660e294520878fd1f13e312
14bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v7g2-m8c5-mf84
15
16Signed-off-by: Naman Jain <namanj1@kpit.com>
17---
18 MagickCore/draw.c | 16 ++++++++--------
19 1 file changed, 8 insertions(+), 8 deletions(-)
20
21diff --git a/MagickCore/draw.c b/MagickCore/draw.c
22index d1c0651..2faa8f0 100644
23--- a/MagickCore/draw.c
24+++ b/MagickCore/draw.c
25@@ -2297,7 +2297,7 @@ static MagickBooleanType CheckPrimitiveExtent(MVGInfo *mvg_info,
26 extent=(double) mvg_info->offset+pad+(PrimitiveExtentPad+1)*(double) quantum;
27 if (extent <= (double) *mvg_info->extent)
28 return(MagickTrue);
29- if ((extent >= (double) MAGICK_SSIZE_MAX) || (IsNaN(extent) != 0))
30+ if ((extent >= (double) GetMaxMemoryRequest()) || (IsNaN(extent) != 0))
31 return(MagickFalse);
32 if (mvg_info->offset > 0)
33 {
34@@ -6401,7 +6401,7 @@ static MagickBooleanType TraceBezier(MVGInfo *mvg_info,
35 for (j=i+1; j < (ssize_t) number_coordinates; j++)
36 {
37 alpha=fabs(primitive_info[j].point.x-primitive_info[i].point.x);
38- if (alpha > (double) MAGICK_SSIZE_MAX)
39+ if (alpha > (double) GetMaxMemoryRequest())
40 {
41 (void) ThrowMagickException(mvg_info->exception,GetMagickModule(),
42 ResourceLimitError,"MemoryAllocationFailed","`%s'","");
43@@ -6410,18 +6410,18 @@ static MagickBooleanType TraceBezier(MVGInfo *mvg_info,
44 if (alpha > (double) quantum)
45 quantum=(size_t) alpha;
46 alpha=fabs(primitive_info[j].point.y-primitive_info[i].point.y);
47- if (alpha > (double) MAGICK_SSIZE_MAX)
48- {
49- (void) ThrowMagickException(mvg_info->exception,GetMagickModule(),
50- ResourceLimitError,"MemoryAllocationFailed","`%s'","");
51- return(MagickFalse);
52- }
53 if (alpha > (double) quantum)
54 quantum=(size_t) alpha;
55 }
56 }
57 primitive_info=(*mvg_info->primitive_info)+mvg_info->offset;
58 quantum=MagickMin(quantum/number_coordinates,BezierQuantum);
59+ if (quantum > (double) GetMaxMemoryRequest())
60+ {
61+ (void) ThrowMagickException(mvg_info->exception,GetMagickModule(),
62+ ResourceLimitError,"MemoryAllocationFailed","`%s'","");
63+ return(MagickFalse);
64+ }
65 coefficients=(double *) AcquireQuantumMemory(number_coordinates,
66 sizeof(*coefficients));
67 points=(PointInfo *) AcquireQuantumMemory(quantum,number_coordinates*
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25986.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25986.patch
new file mode 100644
index 0000000000..10be76cb90
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25986.patch
@@ -0,0 +1,42 @@
1From: Cristy <urban-warrior@imagemagick.org>
2Date: Sat, 7 Feb 2026 17:42:01 -0500
3Subject:
4 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mqfc-82jx-3mr2
5
6A heap buffer overflow write vulnerability exists in ReadYUVImage() (coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace) images.
7
8(cherry picked from commit b9c80ad3ca802b6883da25f153c4fdf72c017eba)
9
10CVE: CVE-2026-25986
11Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/b9c80ad3ca802b6883da25f153c4fdf72c017eba]
12
13origin: https://github.com/ImageMagick/ImageMagick/commit/b9c80ad3ca802b6883da25f153c4fdf72c017eba
14bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mqfc-82jx-3mr2
15
16Signed-off-by: Naman Jain <namanj1@kpit.com>
17---
18 coders/yuv.c | 4 ++--
19 1 file changed, 2 insertions(+), 2 deletions(-)
20
21diff --git a/coders/yuv.c b/coders/yuv.c
22index 1817c43..21486fc 100644
23--- a/coders/yuv.c
24+++ b/coders/yuv.c
25@@ -261,7 +261,7 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception)
26 chroma_image->columns,1,exception);
27 if (chroma_pixels == (Quantum *) NULL)
28 break;
29- for (x=0; x < (ssize_t) image->columns; x+=2)
30+ for (x=0; x < (ssize_t) (image->columns-1); x+=2)
31 {
32 SetPixelRed(chroma_image,0,chroma_pixels);
33 if (quantum == 1)
34@@ -740,7 +740,7 @@ static MagickBooleanType WriteYUVImage(const ImageInfo *image_info,Image *image,
35 exception);
36 if (s == (const Quantum *) NULL)
37 break;
38- for (x=0; x < (ssize_t) yuv_image->columns; x+=2)
39+ for (x=0; x < (ssize_t) (yuv_image->columns-1); x+=2)
40 {
41 if (quantum == 1)
42 {
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25987.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25987.patch
new file mode 100644
index 0000000000..b34f598761
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25987.patch
@@ -0,0 +1,44 @@
1From: Cristy <urban-warrior@imagemagick.org>
2Date: Sat, 7 Feb 2026 18:03:19 -0500
3Subject:
4 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-42p5-62qq-mmh7
5
6a heap buffer over-read vulnerability exists in the MAP image decoder when processing crafted MAP files, potentially leading to crashes or unintended memory disclosure during image decoding
7
8(cherry picked from commit bbae0215e1b76830509fd20e6d37c0dd7e3e4c3a)
9
10CVE: CVE-2026-25987
11Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/bbae0215e1b76830509fd20e6d37c0dd7e3e4c3a]
12
13origin: backport, https://github.com/ImageMagick/ImageMagick/commit/bbae0215e1b76830509fd20e6d37c0dd7e3e4c3a
14bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-42p5-62qq-mmh7
15
16Signed-off-by: Naman Jain <namanj1@kpit.com>
17---
18 coders/map.c | 6 ++++--
19 1 file changed, 4 insertions(+), 2 deletions(-)
20
21diff --git a/coders/map.c b/coders/map.c
22index 6b0f992..f5dbcdb 100644
23--- a/coders/map.c
24+++ b/coders/map.c
25@@ -160,6 +160,8 @@ static Image *ReadMAPImage(const ImageInfo *image_info,ExceptionInfo *exception)
26 if (status == MagickFalse)
27 ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
28 depth=GetImageQuantumDepth(image,MagickTrue);
29+ if ((depth <= 8) && (image->colors > 256))
30+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
31 packet_size=(size_t) (depth/8);
32 pixels=(unsigned char *) AcquireQuantumMemory(image->columns,packet_size*
33 sizeof(*pixels));
34@@ -236,8 +238,8 @@ static Image *ReadMAPImage(const ImageInfo *image_info,ExceptionInfo *exception)
35 p++;
36 if (image->colors > 256)
37 {
38- index=ConstrainColormapIndex(image,(ssize_t) (((size_t) index << 8)+
39- (size_t) (*p)),exception);
40+ index=(Quantum) ConstrainColormapIndex(image,(ssize_t)
41+ (((size_t) index << 8)+(size_t) (*p)),exception);
42 p++;
43 }
44 SetPixelIndex(image,index,q);
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25988.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25988.patch
new file mode 100644
index 0000000000..f371140c3c
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25988.patch
@@ -0,0 +1,50 @@
1From: Cristy <urban-warrior@imagemagick.org>
2Date: Sat, 7 Feb 2026 17:53:18 -0500
3Subject:
4 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-782x-jh29-9mf7
5
6sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks
7
8(cherry picked from commit 4354fc1d554ec2e6314aed13536efa7bde9593d2)
9
10CVE: CVE-2026-25988
11Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/4354fc1d554ec2e6314aed13536efa7bde9593d2]
12
13origin: https://github.com/ImageMagick/ImageMagick/commit/4354fc1d554ec2e6314aed13536efa7bde9593d2
14bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-782x-jh29-9mf7
15
16Signed-off-by: Naman Jain <namanj1@kpit.com>
17---
18 coders/msl.c | 5 +++--
19 1 file changed, 3 insertions(+), 2 deletions(-)
20
21diff --git a/coders/msl.c b/coders/msl.c
22index e2ad95a..be45dbf 100644
23--- a/coders/msl.c
24+++ b/coders/msl.c
25@@ -240,7 +240,7 @@ static int IsPathDirectory(const char *path)
26 return(1);
27 }
28
29-static void MSLPushImage(MSLInfo *msl_info,Image *image)
30+static ssize_t MSLPushImage(MSLInfo *msl_info,Image *image)
31 {
32 ssize_t
33 n;
34@@ -274,6 +274,7 @@ static void MSLPushImage(MSLInfo *msl_info,Image *image)
35 ThrowFatalException(ResourceLimitFatalError,"MemoryAllocationFailed")
36 if (msl_info->number_groups != 0)
37 msl_info->group_info[msl_info->number_groups-1].numImages++;
38+ return(n);
39 }
40
41 static void MSLPopImage(MSLInfo *msl_info)
42@@ -3071,7 +3072,7 @@ static void MSLStartElement(void *context,const xmlChar *tag,
43 {
44 if (LocaleCompare((const char *) tag,"image") == 0)
45 {
46- MSLPushImage(msl_info,(Image *) NULL);
47+ n=MSLPushImage(msl_info,(Image *) NULL);
48 if (attributes == (const xmlChar **) NULL)
49 break;
50 for (i=0; (attributes[i] != (const xmlChar *) NULL); i++)
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26066.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26066.patch
new file mode 100644
index 0000000000..72cb4944bf
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26066.patch
@@ -0,0 +1,49 @@
1From: Dirk Lemstra <dirk@lemstra.org>
2Date: Thu, 12 Feb 2026 07:49:05 +0100
3Subject: Fixed possible infinite loop (GHSA-v994-63cg-9wj3)
4
5CVE: CVE-2026-26066
6Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/880057ce34f6da9dff2fe3b290bbbc45b743e613]
7
8origin: https://github.com/ImageMagick/ImageMagick/commit/880057ce34f6da9dff2fe3b290bbbc45b743e613
9bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v994-63cg-9wj3
10
11Signed-off-by: Naman Jain <namanj1@kpit.com>
12---
13 coders/meta.c | 8 ++++----
14 1 file changed, 4 insertions(+), 4 deletions(-)
15
16diff --git a/coders/meta.c b/coders/meta.c
17index c76bbd5..55a5888 100644
18--- a/coders/meta.c
19+++ b/coders/meta.c
20@@ -1904,7 +1904,7 @@ static int formatIPTC(Image *ifile, Image *ofile)
21 foundiptc = 0; /* found the IPTC-Header */
22 tagsfound = 0; /* number of tags found */
23
24- c = ReadBlobByte(ifile);
25+ c=ReadBlobByte(ifile);
26 while (c != EOF)
27 {
28 if (c == 0x1c)
29@@ -1915,17 +1915,17 @@ static int formatIPTC(Image *ifile, Image *ofile)
30 return(-1);
31 else
32 {
33- c=0;
34+ c=ReadBlobByte(ifile);
35 continue;
36 }
37 }
38
39 /* we found the 0x1c tag and now grab the dataset and record number tags */
40- c = ReadBlobByte(ifile);
41+ c=ReadBlobByte(ifile);
42 if (c == EOF)
43 return(-1);
44 dataset = (unsigned char) c;
45- c = ReadBlobByte(ifile);
46+ c=ReadBlobByte(ifile);
47 if (c == EOF)
48 return(-1);
49 recnum = (unsigned char) c;
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26283.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26283.patch
new file mode 100644
index 0000000000..7888fc2c9b
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26283.patch
@@ -0,0 +1,33 @@
1From: Cristy <urban-warrior@imagemagick.org>
2Date: Fri, 13 Feb 2026 18:57:09 -0500
3Subject:
4 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gwr3-x37h-h84v
5
6a `continue` statement in the JPEG extent binary search loop in the jpeg encoder causes an infinite loop when writing persistently fails
7
8(cherry picked from commit c448c6920a985872072fc7be6034f678c087de9b)
9
10CVE: CVE-2026-26283
11Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/c448c6920a985872072fc7be6034f678c087de9b]
12
13origin: https://github.com/ImageMagick/ImageMagick/commit/c448c6920a985872072fc7be6034f678c087de9b
14bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gwr3-x37h-h84v
15
16Signed-off-by: Naman Jain <namanj1@kpit.com>
17---
18 coders/jpeg.c | 2 +-
19 1 file changed, 1 insertion(+), 1 deletion(-)
20
21diff --git a/coders/jpeg.c b/coders/jpeg.c
22index 8cbfa27..7ead4e5 100644
23--- a/coders/jpeg.c
24+++ b/coders/jpeg.c
25@@ -2707,7 +2707,7 @@ static MagickBooleanType WriteJPEGImage_(const ImageInfo *image_info,
26 status=WriteJPEGImage(extent_info,jpeg_image,exception);
27 (void) RelinquishUniqueFileResource(jpeg_image->filename);
28 if (status == MagickFalse)
29- continue;
30+ break;
31 if (GetBlobSize(jpeg_image) <= extent)
32 minimum=jpeg_image->quality+1;
33 else
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26284.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26284.patch
new file mode 100644
index 0000000000..7d25bfa2f2
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26284.patch
@@ -0,0 +1,31 @@
1From: Dirk Lemstra <dirk@lemstra.org>
2Date: Tue, 27 Jan 2026 21:45:02 +0100
3Subject: Corrected loop initialization to prevent out of bounds read
4 (GHSA-wrhr-rf8j-r842)
5
6(cherry picked from commit 0c9ffcf55763e5daf1b61dfed0deed1aa43e217f)
7
8CVE: CVE-2026-26284
9Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/0c9ffcf55763e5daf1b61dfed0deed1aa43e217f]
10
11Bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wrhr-rf8j-r842
12origin: backport, https://github.com/ImageMagick/ImageMagick/commit/0c9ffcf55763e5daf1b61dfed0deed1aa43e217f
13
14Signed-off-by: Naman Jain <namanj1@kpit.com>
15---
16 coders/pcd.c | 2 +-
17 1 file changed, 1 insertion(+), 1 deletion(-)
18
19diff --git a/coders/pcd.c b/coders/pcd.c
20index e6a361c..279c85f 100644
21--- a/coders/pcd.c
22+++ b/coders/pcd.c
23@@ -313,7 +313,7 @@ static MagickBooleanType DecodeImage(Image *image,unsigned char *luma,
24 Decode luminance or chrominance deltas.
25 */
26 r=pcd_table[plane];
27- for (i=0; ((i < (ssize_t) length) && ((sum & r->mask) != r->sequence)); i++)
28+ for (i=1; ((i < pcd_length[plane]) && ((sum & r->mask) != r->sequence)); i++)
29 r++;
30 if ((row > image->rows) || (r == (PCDTable *) NULL))
31 {
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26983.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26983.patch
new file mode 100644
index 0000000000..72b5779a22
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26983.patch
@@ -0,0 +1,41 @@
1From: Cristy <urban-warrior@imagemagick.org>
2Date: Mon, 16 Feb 2026 10:00:58 -0500
3Subject:
4 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-w8mw-frc6-r7m8
5
6the MSL interpreter crashes when processing a invalid `<map>` element that causes it to use an image after it has been freed
7
8(cherry picked from commit 7cfae4da24a995fb05386d77364ff404a7cca7bc)
9
10CVE: CVE-2026-26983
11Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/7cfae4da24a995fb05386d77364ff404a7cca7bc]
12
13origin: backport, https://github.com/ImageMagick/ImageMagick/commit/7cfae4da24a995fb05386d77364ff404a7cca7bc
14bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-w8mw-frc6-r7m8
15
16Signed-off-by: Naman Jain <namanj1@kpit.com>
17---
18 coders/msl.c | 9 ++++++---
19 1 file changed, 6 insertions(+), 3 deletions(-)
20
21diff --git a/coders/msl.c b/coders/msl.c
22index be45dbf..bee781e 100644
23--- a/coders/msl.c
24+++ b/coders/msl.c
25@@ -3390,10 +3390,13 @@ static void MSLStartElement(void *context,const xmlChar *tag,
26 quantize_info=AcquireQuantizeInfo(msl_info->image_info[n]);
27 quantize_info->dither_method=dither != MagickFalse ?
28 RiemersmaDitherMethod : NoDitherMethod;
29- (void) RemapImages(quantize_info,msl_info->image[n],
30- affinity_image,exception);
31+ if (affinity_image != (Image *) NULL)
32+ {
33+ (void) RemapImages(quantize_info,msl_info->image[n],
34+ affinity_image,exception);
35+ affinity_image=DestroyImage(affinity_image);
36+ }
37 quantize_info=DestroyQuantizeInfo(quantize_info);
38- affinity_image=DestroyImage(affinity_image);
39 break;
40 }
41 if (LocaleCompare((const char *) tag,"matte-floodfill") == 0)
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb
index ffc26e7169..acb6a16b1a 100644
--- a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb
+++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb
@@ -29,6 +29,34 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
29 file://CVE-2025-68618.patch \ 29 file://CVE-2025-68618.patch \
30 file://CVE-2025-68950.patch \ 30 file://CVE-2025-68950.patch \
31 file://CVE-2025-69204.patch \ 31 file://CVE-2025-69204.patch \
32 file://CVE-2026-24481.patch \
33 file://CVE-2026-25638.patch \
34 file://CVE-2026-25794.patch \
35 file://CVE-2026-25795.patch \
36 file://CVE-2026-25796.patch \
37 file://CVE-2026-25797_1.patch \
38 file://CVE-2026-25797_2.patch \
39 file://CVE-2026-25798.patch \
40 file://CVE-2026-25799.patch \
41 file://CVE-2026-25897.patch \
42 file://CVE-2026-25898_1.patch \
43 file://CVE-2026-25898_2.patch \
44 file://CVE-2026-25965.patch \
45 file://CVE-2026-25966.patch \
46 file://CVE-2026-25967.patch \
47 file://CVE-2026-25968.patch \
48 file://CVE-2026-25969.patch \
49 file://CVE-2026-25970_pre1.patch \
50 file://CVE-2026-25970.patch \
51 file://CVE-2026-25982.patch \
52 file://CVE-2026-25985.patch \
53 file://CVE-2026-25986.patch \
54 file://CVE-2026-25987.patch \
55 file://CVE-2026-25988.patch \
56 file://CVE-2026-26066.patch \
57 file://CVE-2026-26283.patch \
58 file://CVE-2026-26284.patch \
59 file://CVE-2026-26983.patch \
32 " 60 "
33SRCREV = "82572afc879b439cbf8c9c6f3a9ac7626adf98fb" 61SRCREV = "82572afc879b439cbf8c9c6f3a9ac7626adf98fb"
34 62