Commit 16dd3158c for imagemagick.org
commit 16dd3158ce197c6f65e7798a7a5cc4538bb0303e
Author: Cristy <urban-warrior@imagemagick.org>
Date: Sun Feb 1 14:56:14 2026 -0500
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p863-5fgm-rgq4
diff --git a/MagickCore/cache.c b/MagickCore/cache.c
index 5f44791bd..d0c63cebe 100644
--- a/MagickCore/cache.c
+++ b/MagickCore/cache.c
@@ -3561,6 +3561,25 @@ static MagickBooleanType MaskPixelCacheNexus(Image *image,NexusInfo *nexus_info,
%
*/
+static inline MagickBooleanType CacheOverflowSanityCheckGetSize(
+ const MagickSizeType count,const size_t quantum,MagickSizeType *const extent)
+{
+ MagickSizeType
+ length;
+
+ if ((count == 0) || (quantum == 0))
+ return(MagickTrue);
+ length=count*quantum;
+ if (quantum != (length/count))
+ {
+ errno=ENOMEM;
+ return(MagickTrue);
+ }
+ if (extent != NULL)
+ *extent=length;
+ return(MagickFalse);
+}
+
static MagickBooleanType OpenPixelCacheOnDisk(CacheInfo *cache_info,
const MapMode mode)
{
@@ -3711,7 +3730,7 @@ static MagickBooleanType OpenPixelCache(Image *image,const MapMode mode,
status;
MagickSizeType
- length,
+ length = 0,
number_pixels;
size_t
@@ -3789,12 +3808,22 @@ static MagickBooleanType OpenPixelCache(Image *image,const MapMode mode,
packet_size=MagickMax(cache_info->number_channels,1)*sizeof(Quantum);
if (image->metacontent_extent != 0)
packet_size+=cache_info->metacontent_extent;
- length=number_pixels*packet_size;
+ if (CacheOverflowSanityCheckGetSize(number_pixels,packet_size,&length) != MagickFalse)
+ {
+ cache_info->storage_class=UndefinedClass;
+ cache_info->length=0;
+ ThrowBinaryException(ResourceLimitError,"PixelCacheAllocationFailed",
+ image->filename);
+ }
columns=(size_t) (length/cache_info->rows/packet_size);
if ((cache_info->columns != columns) || ((ssize_t) cache_info->columns < 0) ||
((ssize_t) cache_info->rows < 0))
- ThrowBinaryException(ResourceLimitError,"PixelCacheAllocationFailed",
- image->filename);
+ {
+ cache_info->storage_class=UndefinedClass;
+ cache_info->length=0;
+ ThrowBinaryException(ResourceLimitError,"PixelCacheAllocationFailed",
+ image->filename);
+ }
cache_info->length=length;
if (image->ping != MagickFalse)
{
diff --git a/coders/sixel.c b/coders/sixel.c
index 6d8bae399..697da0fe5 100644
--- a/coders/sixel.c
+++ b/coders/sixel.c
@@ -549,7 +549,7 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p,
if (max_x < position_x)
max_x = position_x;
if (max_y < (position_y + i))
- max_y = position_y + i;
+ max_y = (int) (position_y + i);
}
sixel_vertical_mask <<= 1;
}
@@ -583,7 +583,7 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p,
if (max_x < (position_x+repeat_count-1))
max_x = position_x+repeat_count-1;
if (max_y < (position_y+i+n-1))
- max_y = position_y+i+n-1;
+ max_y = (int) (position_y+i+n-1);
i+=(n-1);
sixel_vertical_mask <<= (n-1);
}