Commit 7fe4dbabe for imagemagick.org
commit 7fe4dbabe5d50057513d5d16eb9cbfa0734b4848
Author: Cristy <urban-warrior@imagemagick.org>
Date: Wed Mar 4 22:07:04 2026 -0500
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-h95r-c8c7-mrwx
diff --git a/coders/uhdr.c b/coders/uhdr.c
index 311d6df4a..a59b08ca2 100644
--- a/coders/uhdr.c
+++ b/coders/uhdr.c
@@ -625,7 +625,8 @@ static MagickBooleanType WriteUHDRImage(const ImageInfo *image_info,
aligned_width;
size_t
- picSize;
+ picSize,
+ sans;
void
*crBuffer = NULL, *cbBuffer = NULL, *yBuffer = NULL;
@@ -676,30 +677,33 @@ static MagickBooleanType WriteUHDRImage(const ImageInfo *image_info,
"ImproperImageHeader","%s",image->filename);
goto next_image;
}
- if ((bpp < 4) && (HeapOverflowSanityCheckGetSize(picSize,1.5,&picSize) != MagickFalse))
+ if ((bpp < 4) && (HeapOverflowSanityCheckGetSize(picSize,3,&sans) != MagickFalse))
{
(void) ThrowMagickException(exception,GetMagickModule(),CorruptImageError,
"ImproperImageHeader","%s",image->filename);
goto next_image;
}
+ picSize=3*picsize/2;
- if (image->depth < hdrIntentMinDepth && image->depth != 8)
+ if ((image->depth < hdrIntentMinDepth) && (image->depth != 8))
{
(void) ThrowMagickException(exception, GetMagickModule(), ConfigureWarning,
"Received image with unexpected bit depth","%s","ignoring ...");
goto next_image;
}
- if (image->depth >= hdrIntentMinDepth && hdrImgDescriptor.planes[UHDR_PLANE_Y] != NULL)
+ if ((image->depth >= hdrIntentMinDepth) &&
+ (hdrImgDescriptor.planes[UHDR_PLANE_Y] != NULL))
{
(void) ThrowMagickException(exception, GetMagickModule(), ConfigureWarning,
"Received multiple hdr intent resources, ","%s","overwriting ...");
RelinquishMagickMemory(hdrImgDescriptor.planes[UHDR_PLANE_Y]);
hdrImgDescriptor.planes[UHDR_PLANE_Y] = NULL;
}
- else if (image->depth == 8 && sdrImgDescriptor.planes[UHDR_PLANE_Y] != NULL)
+ else if ((image->depth == 8) &&
+ (sdrImgDescriptor.planes[UHDR_PLANE_Y] != NULL))
{
- (void) ThrowMagickException(exception, GetMagickModule(), ConfigureWarning,
+ (void) ThrowMagickException(exception,GetMagickModule(),ConfigureWarning,
"Received multiple sdr intent resources, ","%s","overwriting ...");
RelinquishMagickMemory(sdrImgDescriptor.planes[UHDR_PLANE_Y]);
sdrImgDescriptor.planes[UHDR_PLANE_Y] = NULL;