1 files changed, 274 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Fix-CVE-2025-55298-2.patch b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Fix-CVE-2025-55298-2.patch
new file mode 100644
index 0000000000..c9cbf95c4d
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Fix-CVE-2025-55298-2.patch
@@ -0,0 +1,274 @@
+From b7e445241e43e3e919667d7244ccb99573cf951a Mon Sep 17 00:00:00 2001
+From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+Date: Wed, 12 Nov 2025 13:05:40 +0530
+Subject: [PATCH 14/18] ImageMagick: Fix CVE-2025-55298
+CVE: CVE-2025-55298
+This CVE fixed in two parts, this commit includes the second fix.
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5]
+Comment: Refreshed hunk to match latest kirkstone
+Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+---
+ MagickCore/image.c | 183 ++++++++++++++++++++++++---------------------
+ 1 file changed, 96 insertions(+), 87 deletions(-)
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 7a52236d8..3e6fdd114 100644
+--- a/MagickCore/image.c
+++ b/MagickCore/image.c
+@@ -1619,7 +1619,7 @@ MagickExport VirtualPixelMethod GetImageVirtualPixelMethod(const Image *image)
+ %
+ %  A description of each parameter follows.
+ %
+-%    o image_info: the image info..
+%    o image_info: the image info.
+ %
+ %    o image: the image.
+ %
+@@ -1634,28 +1634,38 @@ MagickExport VirtualPixelMethod GetImageVirtualPixelMethod(const Image *image)
+ %
+ */
+ 
+-static inline MagickBooleanType PercentNInvalidOperation(char *filename)
+static inline MagickBooleanType IsValidFormatSpecifier(const char *start,
+  const char *end)
+ {
+-  MagickBooleanType
+-    match = MagickFalse;
+-
+  char
+    specifier = end[-1];
+   size_t
+-    length = strlen(filename);
+    length = end-start;
+ 
+-  ssize_t
+-    i;
+  /*
+    Is this a valid format specifier?
+  */
+  if ((specifier != 'd') && (specifier != 'x') && (specifier != 'o'))
+    return(MagickFalse);
+  if ((length == 1) && (*start == specifier))
+    return(MagickTrue);
+  if (length >= 2)
+    {
+      size_t
+        i = 0;
+ 
+-  for (i=0; i < (ssize_t) length-1; i++)
+-  {
+-    if ((filename[i] == '%') &&
+-        ((filename[i+1] == 'n') || (filename[i+1] == 'N')))
+-      {
+-        filename[i]='?';
+-        filename[i+1]='\?';
+-        match=MagickTrue;
+-      }
+-  }
+-  return(match);
+      if (*start == '0')
+        {
+          if ((length >= 3) && (start[1] == '0'))
+            return(MagickFalse);
+          i=1;
+        }
+      for ( ; i < (length-1); i++)
+        if (isdigit((int) ((unsigned char) start[i])) == 0)
+          return(MagickFalse);
+      return(MagickTrue);
+    }
+  return(MagickFalse);
+ }
+ 
+ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+@@ -1669,82 +1679,89 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+   const char
+     *cursor = format;
+ 
+-  /*
+-    Start with a copy of the format string.
+-  */
+   assert(format != (const char *) NULL);
+   assert(filename != (char *) NULL);
+-  (void) CopyMagickString(filename,format,MagickPathExtent);
+   if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
+-    return(strlen(filename));
+-  if (PercentNInvalidOperation(filename) != MagickFalse)
+     {
+-      errno=EPERM;
+-      (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
+-        "InvalidArgument","`%s'",filename);
+-      return(0);
+      (void) CopyMagickString(filename,format,MagickPathExtent);
+      return(strlen(filename));
+     }
+-  while ((cursor=strchr(cursor,'%')) != (const char *) NULL)
+  while ((*cursor != '\0') && ((p-filename) < ((ssize_t) MagickPathExtent-1)))
+   {
+     const char
+-      *q = cursor;
+      *specifier_start,
+      *start;
+ 
+-    ssize_t
+-      offset = (ssize_t) (cursor-format);
+-
+-    cursor++;  /* move past '%' */
+    if (*cursor != '%')
+      {
+        *p++=(*cursor++);
+        continue;
+      }
+    start=cursor++;  /* Skip '%' */
+     if (*cursor == '%')
+       {
+-        /*
+-          Escaped %%.
+-        */
+        *p++='%';
+         cursor++;
+         continue;
+       }
+-    /*
+-      Skip padding digits like %03d.
+-    */
+-    if (isdigit((int) ((unsigned char) *cursor)) != 0)
+-      (void) strtol(cursor,(char **) &cursor,10);
+-    switch (*cursor)
+-    {
+-      case 'd':
+-      case 'o':
+-      case 'x':
+    specifier_start=cursor;
+    while (isdigit((int) ((unsigned char) *cursor)) != 0)
+      cursor++;
+    if ((*cursor == 'd') || (*cursor == 'o') || (*cursor == 'x'))
+       {
+-        ssize_t
+-          count;
+        const char
+          *specifier_end = cursor+1;
+ 
+-        count=FormatLocaleString(pattern,sizeof(pattern),q,value);
+-        if ((count <= 0) || (count >= MagickPathExtent) ||
+-            ((offset+count) >= MagickPathExtent))
+-          return(0);
+-        (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent-
+-          offset));
+-        cursor++;
+-        break;
+        if (IsValidFormatSpecifier(specifier_start,specifier_end) != MagickFalse)
+          {
+            char
+              format_specifier[MagickPathExtent];
+
+            size_t
+              length = cursor-specifier_start;
+
+            ssize_t
+              count;
+
+            (void) snprintf(format_specifier,sizeof(format_specifier),
+              "%%%.*s%c",(int) length,specifier_start,*cursor);
+            count=FormatLocaleString(pattern,sizeof(pattern),format_specifier,
+              value);
+            if ((count <= 0) || ((p-filename+count) >= MagickPathExtent))
+              return(0);
+            (void) CopyMagickString(p,pattern,MagickPathExtent-(p-filename));
+            p+=strlen(pattern);
+            cursor++;
+            continue;
+          }
+        else
+          {
+            /*
+              Invalid specifier — treat as literal.
+            */
+            cursor=start;
+            *p++=(*cursor++);
+            continue;
+          }
+       }
+-      case '[':
+    if (*cursor == '[')
+       {
+         const char
+           *end = strchr(cursor,']'),
+           *option = (const char *) NULL;
+ 
+         size_t
+-          extent = (size_t) (end-cursor-1),
+-          option_length,
+-          tail_length;
+          extent,
+          option_length;
+ 
+-        /*
+-          Handle %[key:value];
+-        */
+         if (end == (const char *) NULL)
+-          break;
+          continue;
+        extent=(size_t) (end-cursor-1);
+         if (extent >= sizeof(pattern))
+-          break;
+          continue;
+         (void) CopyMagickString(pattern,cursor+1,extent+1);
+         pattern[extent]='\0';
+-        if (image != (Image *) NULL)
+        if (image != NULL)
+           {
+             option=GetImageProperty(image,pattern,exception);
+             if (option == (const char *) NULL)
+@@ -1754,32 +1771,24 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+             (image_info != (ImageInfo *) NULL))
+           option=GetImageOption(image_info,pattern);
+         if (option == (const char *) NULL)
+-          break;
+          continue;
+         option_length=strlen(option);
+-        tail_length=strlen(end+1);
+-        if ((offset+option_length+tail_length+1) > MagickPathExtent)
+        if ((p-filename+option_length) >= MagickPathExtent)
+           return(0);
+-        (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent-
+-          offset));
+-        (void) ConcatenateMagickString(p+offset+option_length,end+1,(size_t) (
+-          MagickPathExtent-offset-option_length-tail_length-1));
+        (void) CopyMagickString(p,option,MagickPathExtent-(p-filename));
+        p+=option_length;
+         cursor=end+1;
+-        break;
+        continue;
+       }
+-      default:
+-        break;
+-    }
+-  }
+-  for (p=filename; *p != '\0'; )
+-  {
+     /*
+-      Replace "%%" with "%".
+      Invalid or unsupported specifier — treat as literal.
+     */
+-    if ((*p == '%') && (*(p+1) == '%'))
+-      (void) memmove(p,p+1,strlen(p+1)+1);  /* shift left */
+-    else
+-      p++;
+    cursor=start;
+    if ((p-filename+1) >= MagickPathExtent)
+      return(0);
+    *p++=(*cursor++);
+   }
+  *p='\0';
+   return(strlen(filename));
+ }
+ 
+-- 
+2.34.1

diff --git a/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Fix-CVE-2025-55298-2.patch b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Fix-CVE-2025-55298-2.patch new file mode 100644 index 0000000000..c9cbf95c4d --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Fix-CVE-2025-55298-2.patch
@@ -0,0 +1,274 @@
	1	From b7e445241e43e3e919667d7244ccb99573cf951a Mon Sep 17 00:00:00 2001
	2	From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
	3	Date: Wed, 12 Nov 2025 13:05:40 +0530
	4	Subject: [PATCH 14/18] ImageMagick: Fix CVE-2025-55298
	5
	6	CVE: CVE-2025-55298
	7
	8	This CVE fixed in two parts, this commit includes the second fix.
	9
	10	Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5]
	11
	12	Comment: Refreshed hunk to match latest kirkstone
	13
	14	Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
	15	---
	16	MagickCore/image.c \| 183 ++++++++++++++++++++++++---------------------
	17	1 file changed, 96 insertions(+), 87 deletions(-)
	18
	19	diff --git a/MagickCore/image.c b/MagickCore/image.c
	20	index 7a52236d8..3e6fdd114 100644
	21	--- a/MagickCore/image.c
	22	+++ b/MagickCore/image.c
	23	@@ -1619,7 +1619,7 @@ MagickExport VirtualPixelMethod GetImageVirtualPixelMethod(const Image *image)
	24	%
	25	% A description of each parameter follows.
	26	%
	27	-% o image_info: the image info..
	28	+% o image_info: the image info.
	29	%
	30	% o image: the image.
	31	%
	32	@@ -1634,28 +1634,38 @@ MagickExport VirtualPixelMethod GetImageVirtualPixelMethod(const Image *image)
	33	%
	34	*/
	35
	36	-static inline MagickBooleanType PercentNInvalidOperation(char *filename)
	37	+static inline MagickBooleanType IsValidFormatSpecifier(const char *start,
	38	+ const char *end)
	39	{
	40	- MagickBooleanType
	41	- match = MagickFalse;
	42	-
	43	+ char
	44	+ specifier = end[-1];
	45	size_t
	46	- length = strlen(filename);
	47	+ length = end-start;
	48
	49	- ssize_t
	50	- i;
	51	+ /*
	52	+ Is this a valid format specifier?
	53	+ */
	54	+ if ((specifier != 'd') && (specifier != 'x') && (specifier != 'o'))
	55	+ return(MagickFalse);
	56	+ if ((length == 1) && (*start == specifier))
	57	+ return(MagickTrue);
	58	+ if (length >= 2)
	59	+ {
	60	+ size_t
	61	+ i = 0;
	62
	63	- for (i=0; i < (ssize_t) length-1; i++)
	64	- {
	65	- if ((filename[i] == '%') &&
	66	- ((filename[i+1] == 'n') \|\| (filename[i+1] == 'N')))
	67	- {
	68	- filename[i]='?';
	69	- filename[i+1]='\?';
	70	- match=MagickTrue;
	71	- }
	72	- }
	73	- return(match);
	74	+ if (*start == '0')
	75	+ {
	76	+ if ((length >= 3) && (start[1] == '0'))
	77	+ return(MagickFalse);
	78	+ i=1;
	79	+ }
	80	+ for ( ; i < (length-1); i++)
	81	+ if (isdigit((int) ((unsigned char) start[i])) == 0)
	82	+ return(MagickFalse);
	83	+ return(MagickTrue);
	84	+ }
	85	+ return(MagickFalse);
	86	}
	87
	88	MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
	89	@@ -1669,82 +1679,89 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
	90	const char
	91	*cursor = format;
	92
	93	- /*
	94	- Start with a copy of the format string.
	95	- */
	96	assert(format != (const char *) NULL);
	97	assert(filename != (char *) NULL);
	98	- (void) CopyMagickString(filename,format,MagickPathExtent);
	99	if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
	100	- return(strlen(filename));
	101	- if (PercentNInvalidOperation(filename) != MagickFalse)
	102	{
	103	- errno=EPERM;
	104	- (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
	105	- "InvalidArgument","`%s'",filename);
	106	- return(0);
	107	+ (void) CopyMagickString(filename,format,MagickPathExtent);
	108	+ return(strlen(filename));
	109	}
	110	- while ((cursor=strchr(cursor,'%')) != (const char *) NULL)
	111	+ while ((*cursor != '\0') && ((p-filename) < ((ssize_t) MagickPathExtent-1)))
	112	{
	113	const char
	114	- *q = cursor;
	115	+ *specifier_start,
	116	+ *start;
	117
	118	- ssize_t
	119	- offset = (ssize_t) (cursor-format);
	120	-
	121	- cursor++; /* move past '%' */
	122	+ if (*cursor != '%')
	123	+ {
	124	+ p++=(cursor++);
	125	+ continue;
	126	+ }
	127	+ start=cursor++; /* Skip '%' */
	128	if (*cursor == '%')
	129	{
	130	- /*
	131	- Escaped %%.
	132	- */
	133	+ *p++='%';
	134	cursor++;
	135	continue;
	136	}
	137	- /*
	138	- Skip padding digits like %03d.
	139	- */
	140	- if (isdigit((int) ((unsigned char) *cursor)) != 0)
	141	- (void) strtol(cursor,(char **) &cursor,10);
	142	- switch (*cursor)
	143	- {
	144	- case 'd':
	145	- case 'o':
	146	- case 'x':
	147	+ specifier_start=cursor;
	148	+ while (isdigit((int) ((unsigned char) *cursor)) != 0)
	149	+ cursor++;
	150	+ if ((cursor == 'd') \|\| (cursor == 'o') \|\| (*cursor == 'x'))
	151	{
	152	- ssize_t
	153	- count;
	154	+ const char
	155	+ *specifier_end = cursor+1;
	156
	157	- count=FormatLocaleString(pattern,sizeof(pattern),q,value);
	158	- if ((count <= 0) \|\| (count >= MagickPathExtent) \|\|
	159	- ((offset+count) >= MagickPathExtent))
	160	- return(0);
	161	- (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent-
	162	- offset));
	163	- cursor++;
	164	- break;
	165	+ if (IsValidFormatSpecifier(specifier_start,specifier_end) != MagickFalse)
	166	+ {
	167	+ char
	168	+ format_specifier[MagickPathExtent];
	169	+
	170	+ size_t
	171	+ length = cursor-specifier_start;
	172	+
	173	+ ssize_t
	174	+ count;
	175	+
	176	+ (void) snprintf(format_specifier,sizeof(format_specifier),
	177	+ "%%%.s%c",(int) length,specifier_start,cursor);
	178	+ count=FormatLocaleString(pattern,sizeof(pattern),format_specifier,
	179	+ value);
	180	+ if ((count <= 0) \|\| ((p-filename+count) >= MagickPathExtent))
	181	+ return(0);
	182	+ (void) CopyMagickString(p,pattern,MagickPathExtent-(p-filename));
	183	+ p+=strlen(pattern);
	184	+ cursor++;
	185	+ continue;
	186	+ }
	187	+ else
	188	+ {
	189	+ /*
	190	+ Invalid specifier — treat as literal.
	191	+ */
	192	+ cursor=start;
	193	+ p++=(cursor++);
	194	+ continue;
	195	+ }
	196	}
	197	- case '[':
	198	+ if (*cursor == '[')
	199	{
	200	const char
	201	*end = strchr(cursor,']'),
	202	option = (const char ) NULL;
	203
	204	size_t
	205	- extent = (size_t) (end-cursor-1),
	206	- option_length,
	207	- tail_length;
	208	+ extent,
	209	+ option_length;
	210
	211	- /*
	212	- Handle %[key:value];
	213	- */
	214	if (end == (const char *) NULL)
	215	- break;
	216	+ continue;
	217	+ extent=(size_t) (end-cursor-1);
	218	if (extent >= sizeof(pattern))
	219	- break;
	220	+ continue;
	221	(void) CopyMagickString(pattern,cursor+1,extent+1);
	222	pattern[extent]='\0';
	223	- if (image != (Image *) NULL)
	224	+ if (image != NULL)
	225	{
	226	option=GetImageProperty(image,pattern,exception);
	227	if (option == (const char *) NULL)
	228	@@ -1754,32 +1771,24 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
	229	(image_info != (ImageInfo *) NULL))
	230	option=GetImageOption(image_info,pattern);
	231	if (option == (const char *) NULL)
	232	- break;
	233	+ continue;
	234	option_length=strlen(option);
	235	- tail_length=strlen(end+1);
	236	- if ((offset+option_length+tail_length+1) > MagickPathExtent)
	237	+ if ((p-filename+option_length) >= MagickPathExtent)
	238	return(0);
	239	- (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent-
	240	- offset));
	241	- (void) ConcatenateMagickString(p+offset+option_length,end+1,(size_t) (
	242	- MagickPathExtent-offset-option_length-tail_length-1));
	243	+ (void) CopyMagickString(p,option,MagickPathExtent-(p-filename));
	244	+ p+=option_length;
	245	cursor=end+1;
	246	- break;
	247	+ continue;
	248	}
	249	- default:
	250	- break;
	251	- }
	252	- }
	253	- for (p=filename; *p != '\0'; )
	254	- {
	255	/*
	256	- Replace "%%" with "%".
	257	+ Invalid or unsupported specifier — treat as literal.
	258	*/
	259	- if ((p == '%') && ((p+1) == '%'))
	260	- (void) memmove(p,p+1,strlen(p+1)+1); /* shift left */
	261	- else
	262	- p++;
	263	+ cursor=start;
	264	+ if ((p-filename+1) >= MagickPathExtent)
	265	+ return(0);
	266	+ p++=(cursor++);
	267	}
	268	+ *p='\0';
	269	return(strlen(filename));
	270	}
	271
	272	--
	273	2.34.1
	274