1 files changed, 205 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch
new file mode 100644
index 0000000000..a51bc1994b
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch
@@ -0,0 +1,205 @@
+From 18f573cbd4767d9b51b23cde5b58945ae4e57243 Mon Sep 17 00:00:00 2001
+From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+Date: Tue, 11 Nov 2025 21:53:10 +0530
+Subject: [PATCH 11/18] ImageMagick: Add support patch-2 to fix CVE-2025-55298
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/82550750ec8f79393b381c3ed349dd495bbab8a7]
+Comment: Refreshed hunk to match latest kirkstone
+Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+---
+ MagickCore/image.c | 134 +++++++++++++++++++--------------------------
+ 1 file changed, 55 insertions(+), 79 deletions(-)
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index f64e83645..cd4de6df9 100644
+--- a/MagickCore/image.c
+++ b/MagickCore/image.c
+@@ -1638,34 +1638,41 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+   ExceptionInfo *exception)
+ {
+   char
+-    *q;
+    *p = filename,
+    pattern[MagickPathExtent];
+ 
+   const char
+-    *p;
+-
+-  int
+-    c;
+-
+-  MagickBooleanType
+-    canonical;
+-
+-  ssize_t
+-    offset;
+    *cursor = format;
+ 
+-  canonical=MagickFalse;
+-  offset=0;
+  /*
+    Start with a copy of the format string.
+  */
+   (void) CopyMagickString(filename,format,MagickPathExtent);
+   if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
+     return(strlen(filename));
+-  for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
+  while ((cursor=strchr(cursor,'%')) != (const char *) NULL)
+   {
+-    q=(char *) p+1;
+-    if (*q == '%')
+    const char
+      *q = cursor;
+
+    ssize_t
+      offset = (ssize_t) (cursor-format);
+
+    cursor++;  /* move past '%' */
+    if (*cursor == '%')
+       {
+-        p++;
+        /*
+          Escaped %%.
+        */
+        cursor++;
+         continue;
+       }
+-    switch (*q)
+    /*
+      Skip padding digits like %03d.
+    */
+    if (*cursor == '0')
+      (void) strtol(cursor,(char **) &cursor,10);
+    switch (*cursor)
+     {
+       case 'd':
+       case 'o':
+@@ -1674,93 +1681,62 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+         ssize_t
+           count;
+ 
+-        q++;
+-        c=(*q);
+-        *q='\0';
+-        count=FormatLocaleString(filename+(p-format-offset),(size_t)
+-          (MagickPathExtent-(p-format-offset)),p,value);
+-        if ((count <= 0) || (count > (MagickPathExtent-(p-format-offset))))
+        count=FormatLocaleString(pattern,sizeof(pattern),q,value);
+        if ((count <= 0) || (count >= MagickPathExtent))
+           return(0);
+-        offset+=(ssize_t) ((q-p)-count);
+-        *q=c;
+-        (void) ConcatenateMagickString(filename,q,MagickPathExtent);
+-        canonical=MagickTrue;
+-        if (*(q-1) != '%')
+-          break;
+-        p++;
+        if ((offset+count) >= MagickPathExtent)
+          return(0);
+        (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent-
+          offset));
+        cursor++;
+         break;
+       }
+       case '[':
+       {
+-        char
+-          pattern[MagickPathExtent];
+-
+         const char
+-          *option;
+          *end = strchr(cursor,']'),
+          *option = (const char *) NULL;
+ 
+-        char
+-          *r;
+-
+-        ssize_t
+-          i;
+-
+-        ssize_t
+-          depth;
+        size_t
+          extent = (size_t) (end-cursor);
+ 
+         /*
+-          Image option.
+          Handle %[key:value];
+         */
+-        if (strchr(p,']') == (char *) NULL)
+        if (end == (const char *) NULL)
+           break;
+-        depth=1;
+-        r=q+1;
+-        for (i=0; (i < (MagickPathExtent-1L)) && (*r != '\0'); i++)
+-        {
+-          if (*r == '[')
+-            depth++;
+-          if (*r == ']')
+-            depth--;
+-          if (depth <= 0)
+-            break;
+-          pattern[i]=(*r++);
+-        }
+-        pattern[i]='\0';
+-        if (LocaleNCompare(pattern,"filename:",9) != 0)
+        if (extent >= sizeof(pattern))
+           break;
+-        option=(const char *) NULL;
+        (void) CopyMagickString(pattern,cursor,extent);
+        pattern[extent]='\0';
+         if (image != (Image *) NULL)
+           option=GetImageProperty(image,pattern,exception);
+-        if ((option == (const char *) NULL) && (image != (Image *) NULL))
+        if ((option == (const char *) NULL) && (image != (Image *)NULL))
+           option=GetImageArtifact(image,pattern);
+         if ((option == (const char *) NULL) &&
+             (image_info != (ImageInfo *) NULL))
+           option=GetImageOption(image_info,pattern);
+         if (option == (const char *) NULL)
+           break;
+-        q--;
+-        c=(*q);
+-        *q='\0';
+-        (void) CopyMagickString(filename+(p-format-offset),option,(size_t)
+-          (MagickPathExtent-(p-format-offset)));
+-        offset+=strlen(pattern)-strlen(option)+3;
+-        *q=c;
+-        (void) ConcatenateMagickString(filename,r+1,MagickPathExtent);
+-        canonical=MagickTrue;
+-        if (*(q-1) != '%')
+-          break;
+-        p++;
+        (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent-
+          offset));
+        cursor=end+1;
+         break;
+       }
+       default:
+         break;
+     }
+   }
+-  if (canonical == MagickFalse)
+-    (void) CopyMagickString(filename,format,MagickPathExtent);
+-  else
+-    for (q=filename; *q != '\0'; q++)
+-      if ((*q == '%') && (*(q+1) == '%'))
+-        (void) CopyMagickString(q,q+1,(size_t) (MagickPathExtent-(q-filename)));
+  for (p=filename; *p != '\0'; )
+  {
+    /*
+      Replace "%%" with "%".
+    */
+    if ((*p == '%') && (*(p+1) == '%'))
+      (void) memmove(p,p+1,strlen(p));  /* shift left */
+    else
+      p++;
+  }
+   return(strlen(filename));
+ }
+ 
+-- 
+2.34.1

diff --git a/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch new file mode 100644 index 0000000000..a51bc1994b --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch
@@ -0,0 +1,205 @@
	1	From 18f573cbd4767d9b51b23cde5b58945ae4e57243 Mon Sep 17 00:00:00 2001
	2	From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
	3	Date: Tue, 11 Nov 2025 21:53:10 +0530
	4	Subject: [PATCH 11/18] ImageMagick: Add support patch-2 to fix CVE-2025-55298
	5
	6	Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/82550750ec8f79393b381c3ed349dd495bbab8a7]
	7
	8	Comment: Refreshed hunk to match latest kirkstone
	9
	10	Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
	11	---
	12	MagickCore/image.c \| 134 +++++++++++++++++++--------------------------
	13	1 file changed, 55 insertions(+), 79 deletions(-)
	14
	15	diff --git a/MagickCore/image.c b/MagickCore/image.c
	16	index f64e83645..cd4de6df9 100644
	17	--- a/MagickCore/image.c
	18	+++ b/MagickCore/image.c
	19	@@ -1638,34 +1638,41 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
	20	ExceptionInfo *exception)
	21	{
	22	char
	23	- *q;
	24	+ *p = filename,
	25	+ pattern[MagickPathExtent];
	26
	27	const char
	28	- *p;
	29	-
	30	- int
	31	- c;
	32	-
	33	- MagickBooleanType
	34	- canonical;
	35	-
	36	- ssize_t
	37	- offset;
	38	+ *cursor = format;
	39
	40	- canonical=MagickFalse;
	41	- offset=0;
	42	+ /*
	43	+ Start with a copy of the format string.
	44	+ */
	45	(void) CopyMagickString(filename,format,MagickPathExtent);
	46	if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
	47	return(strlen(filename));
	48	- for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
	49	+ while ((cursor=strchr(cursor,'%')) != (const char *) NULL)
	50	{
	51	- q=(char *) p+1;
	52	- if (*q == '%')
	53	+ const char
	54	+ *q = cursor;
	55	+
	56	+ ssize_t
	57	+ offset = (ssize_t) (cursor-format);
	58	+
	59	+ cursor++; /* move past '%' */
	60	+ if (*cursor == '%')
	61	{
	62	- p++;
	63	+ /*
	64	+ Escaped %%.
	65	+ */
	66	+ cursor++;
	67	continue;
	68	}
	69	- switch (*q)
	70	+ /*
	71	+ Skip padding digits like %03d.
	72	+ */
	73	+ if (*cursor == '0')
	74	+ (void) strtol(cursor,(char **) &cursor,10);
	75	+ switch (*cursor)
	76	{
	77	case 'd':
	78	case 'o':
	79	@@ -1674,93 +1681,62 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
	80	ssize_t
	81	count;
	82
	83	- q++;
	84	- c=(*q);
	85	- *q='\0';
	86	- count=FormatLocaleString(filename+(p-format-offset),(size_t)
	87	- (MagickPathExtent-(p-format-offset)),p,value);
	88	- if ((count <= 0) \|\| (count > (MagickPathExtent-(p-format-offset))))
	89	+ count=FormatLocaleString(pattern,sizeof(pattern),q,value);
	90	+ if ((count <= 0) \|\| (count >= MagickPathExtent))
	91	return(0);
	92	- offset+=(ssize_t) ((q-p)-count);
	93	- *q=c;
	94	- (void) ConcatenateMagickString(filename,q,MagickPathExtent);
	95	- canonical=MagickTrue;
	96	- if (*(q-1) != '%')
	97	- break;
	98	- p++;
	99	+ if ((offset+count) >= MagickPathExtent)
	100	+ return(0);
	101	+ (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent-
	102	+ offset));
	103	+ cursor++;
	104	break;
	105	}
	106	case '[':
	107	{
	108	- char
	109	- pattern[MagickPathExtent];
	110	-
	111	const char
	112	- *option;
	113	+ *end = strchr(cursor,']'),
	114	+ option = (const char ) NULL;
	115
	116	- char
	117	- *r;
	118	-
	119	- ssize_t
	120	- i;
	121	-
	122	- ssize_t
	123	- depth;
	124	+ size_t
	125	+ extent = (size_t) (end-cursor);
	126
	127	/*
	128	- Image option.
	129	+ Handle %[key:value];
	130	*/
	131	- if (strchr(p,']') == (char *) NULL)
	132	+ if (end == (const char *) NULL)
	133	break;
	134	- depth=1;
	135	- r=q+1;
	136	- for (i=0; (i < (MagickPathExtent-1L)) && (*r != '\0'); i++)
	137	- {
	138	- if (*r == '[')
	139	- depth++;
	140	- if (*r == ']')
	141	- depth--;
	142	- if (depth <= 0)
	143	- break;
	144	- pattern[i]=(*r++);
	145	- }
	146	- pattern[i]='\0';
	147	- if (LocaleNCompare(pattern,"filename:",9) != 0)
	148	+ if (extent >= sizeof(pattern))
	149	break;
	150	- option=(const char *) NULL;
	151	+ (void) CopyMagickString(pattern,cursor,extent);
	152	+ pattern[extent]='\0';
	153	if (image != (Image *) NULL)
	154	option=GetImageProperty(image,pattern,exception);
	155	- if ((option == (const char ) NULL) && (image != (Image ) NULL))
	156	+ if ((option == (const char ) NULL) && (image != (Image )NULL))
	157	option=GetImageArtifact(image,pattern);
	158	if ((option == (const char *) NULL) &&
	159	(image_info != (ImageInfo *) NULL))
	160	option=GetImageOption(image_info,pattern);
	161	if (option == (const char *) NULL)
	162	break;
	163	- q--;
	164	- c=(*q);
	165	- *q='\0';
	166	- (void) CopyMagickString(filename+(p-format-offset),option,(size_t)
	167	- (MagickPathExtent-(p-format-offset)));
	168	- offset+=strlen(pattern)-strlen(option)+3;
	169	- *q=c;
	170	- (void) ConcatenateMagickString(filename,r+1,MagickPathExtent);
	171	- canonical=MagickTrue;
	172	- if (*(q-1) != '%')
	173	- break;
	174	- p++;
	175	+ (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent-
	176	+ offset));
	177	+ cursor=end+1;
	178	break;
	179	}
	180	default:
	181	break;
	182	}
	183	}
	184	- if (canonical == MagickFalse)
	185	- (void) CopyMagickString(filename,format,MagickPathExtent);
	186	- else
	187	- for (q=filename; *q != '\0'; q++)
	188	- if ((q == '%') && ((q+1) == '%'))
	189	- (void) CopyMagickString(q,q+1,(size_t) (MagickPathExtent-(q-filename)));
	190	+ for (p=filename; *p != '\0'; )
	191	+ {
	192	+ /*
	193	+ Replace "%%" with "%".
	194	+ */
	195	+ if ((p == '%') && ((p+1) == '%'))
	196	+ (void) memmove(p,p+1,strlen(p)); /* shift left */
	197	+ else
	198	+ p++;
	199	+ }
	200	return(strlen(filename));
	201	}
	202
	203	--
	204	2.34.1
	205