Commit ffe589df5 for imagemagick.org

commit ffe589df5ff8ce1433daa4ccb0d2a9fadfbe30ed
Author: Dirk Lemstra <dirk@lemstra.org>
Date:   Fri Feb 6 21:03:53 2026 +0100

    Prevent out of bounds heap write in uhdr encoder (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhqj-f5cj-9x8h)

diff --git a/coders/uhdr.c b/coders/uhdr.c
index fc436595e..101d6a90f 100644
--- a/coders/uhdr.c
+++ b/coders/uhdr.c
@@ -618,20 +618,28 @@ static MagickBooleanType WriteUHDRImage(const ImageInfo *image_info,
   {
     /* Classify image as hdr/sdr intent basing on depth */
     int
-      bpp = image->depth >= hdrIntentMinDepth ? 2 : 1;
-
-    int
-      aligned_width = image->columns + (image->columns & 1);
-
-    int
-      aligned_height = image->rows + (image->rows & 1);
+      bpp;

     ssize_t
-      picSize = aligned_width * aligned_height * bpp * 1.5 /* 2x2 sub-sampling */;
+      aligned_height,
+      aligned_width;
+
+    size_t
+      picSize;

     void
       *crBuffer = NULL, *cbBuffer = NULL, *yBuffer = NULL;

+    if (((double) image->columns > sqrt(MAGICK_SSIZE_MAX/3.0)) ||
+        ((double) image->rows > sqrt(MAGICK_SSIZE_MAX/3.0)))
+      {
+        (void) ThrowMagickException(exception,GetMagickModule(),ImageError,
+          "WidthOrHeightExceedsLimit","%s",image->filename);
+        goto next_image;
+    }
+    bpp = image->depth >= hdrIntentMinDepth ? 2 : 1;
+    aligned_width = image->columns + (image->columns & 1);
+    picSize = aligned_width * aligned_height * bpp * 1.5 /* 2x2 sub-sampling */;
     if (IssRGBCompatibleColorspace(image->colorspace) && !IsGrayColorspace(image->colorspace))
     {
       if (image->depth >= hdrIntentMinDepth && hdr_ct == UHDR_CT_LINEAR)