Commit d67eef717 for imagemagick.org
commit d67eef71764cfeca07b4edf8a8ae922180f5f2e4
Author: Dirk Lemstra <dirk@lemstra.org>
Date: Sun May 3 14:08:40 2026 +0200
Set a limit to the kernel order to avoid an overflow resulting in a divide by zero (GHSA-vf33-6r7x-66xx)
diff --git a/MagickCore/morphology.c b/MagickCore/morphology.c
index 3bcd99b38..95589fd93 100644
--- a/MagickCore/morphology.c
+++ b/MagickCore/morphology.c
@@ -92,19 +92,12 @@
#define Maximize(assign,value) assign=MagickMax(assign,value)
/* Integer Factorial Function - for a Binomial kernel */
-#if 1
static inline size_t fact(size_t n)
{
size_t f,l;
for(f=1, l=2; l <= n; f=f*l, l++);
return(f);
}
-#elif 1 /* glibc floating point alternatives */
-#define fact(n) (CastDoubleToSizeT(tgamma((double) n+1)))
-#else
-#define fact(n) (CastDoubleToSizeT(lgamma((double) n+1)))
-#endif
-
/* Currently these are only internal to this module */
static void
@@ -1304,6 +1297,9 @@ MagickExport KernelInfo *AcquireKernelBuiltIn(const KernelInfoType type,
}
case BinomialKernel:
{
+ const size_t
+ max_order = (sizeof(size_t) > 4) ? 20 : 12;
+
size_t
order_f;
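Review bot: The two limits in `max_order = (sizeof(size_t) > 4) ? 20 : 12;` are unexplained magic numbers, and the fact that they depend on `fact()` returning `size_t` is recorded nowhere. A comment above the declaration would keep them tied together, for example `/* 20! is the largest factorial that fits in a 64-bit size_t, 12! in a 32-bit one */`. Without it, a later change to the return type of `fact()` could leave this bound stale and reopen the overflow. The `case BinomialKernel:` block continues past the end of this hunk.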
@@ -1313,6 +1309,10 @@ MagickExport KernelInfo *AcquireKernelBuiltIn(const KernelInfoType type,
kernel->width = kernel->height = CastDoubleToSizeT(args->rho)*2+1;
kernel->x = kernel->y = (ssize_t) (kernel->width-1)/2;
+ /* Check if kernel order (width-1) would overflow fact() */
+ if ((kernel->width-1) > max_order)
+ return(DestroyKernelInfo(kernel));
+
order_f = fact(kernel->width-1);
kernel->values=(MagickRealType *) MagickAssumeAligned(
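Review bot: The new bound tests `kernel->width-1` only after `CastDoubleToSizeT(args->rho)*2+1` has been evaluated in `size_t`, so a very large `args->rho` can wrap that multiplication and produce a small width that passes the check. If the cast can return values above `SIZE_MAX/2`, which is not visible here, the caller gets a silently tiny kernel instead of a rejection. Bounding the input before the arithmetic avoids this, for example `if (args->rho > (double) (max_order/2)) return(DestroyKernelInfo(kernel));` ahead of the width assignment. The statement that selects the width assignment begins above this hunk, so the placement needs checking against the full function.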