Dev news

Commit ed448e879 for imagemagick.org

commit ed448e879285db99d2c1207393822713acb510f2
Author: ylwango613 <128395302+ylwango613@users.noreply.github.com>
Date:   Tue Mar 3 02:41:06 2026 +0800

    fix heap over-read in BilateralBlurImage with even-dimension kernels (#8595)

    The mirrored pixel mapping (mid.x-u, mid.y-v) accesses buffer position
    (2*mid - u). For even width 2k, mid=k, so u=0 accesses column 2k=width
    which is one past the buffer end. Reverse the mapping to (u-mid.x,
    v-mid.y) and use signed arithmetic at all three call sites.

diff --git a/MagickCore/effect.c b/MagickCore/effect.c
index 7de1b87c0..d5ba39e54 100644
--- a/MagickCore/effect.c
+++ b/MagickCore/effect.c
@@ -1039,8 +1039,8 @@ MagickExport Image *BilateralBlurImage(const Image *image,const size_t width,
           double
             intensity;

-          r=p+(ssize_t) (GetPixelChannels(image)*MagickMax(width,1)*
-            (size_t) (mid.y-v)+GetPixelChannels(image)*(size_t) (mid.x-u));
+          r=p+(ssize_t) GetPixelChannels(image)*(ssize_t) MagickMax(width,1)*
+            (v-mid.y)+(ssize_t) GetPixelChannels(image)*(u-mid.x);
           intensity=ScaleQuantumToChar((const Quantum) GetPixelIntensity(image,r))-
             (double) ScaleQuantumToChar((const Quantum) GetPixelIntensity(image,p));
           if ((intensity >= -MaxIntensity) && (intensity <= MaxIntensity))
@@ -1084,8 +1084,8 @@ MagickExport Image *BilateralBlurImage(const Image *image,const size_t width,
             {
               for (u=0; u < (ssize_t) MagickMax(width,1); u++)
               {
-                r=p+GetPixelChannels(image)*MagickMax(width,1)*(size_t)
-                  (mid.y-v)+GetPixelChannels(image)*(size_t) (mid.x-u);
+                r=p+(ssize_t) GetPixelChannels(image)*(ssize_t) MagickMax(width,1)*
+                  (v-mid.y)+(ssize_t) GetPixelChannels(image)*(u-mid.x);
                 pixel+=weights[id][n]*(double) r[i];
                 gamma+=weights[id][n];
                 n++;
@@ -1106,8 +1106,8 @@ MagickExport Image *BilateralBlurImage(const Image *image,const size_t width,
               alpha,
               beta;

-            r=p+GetPixelChannels(image)*MagickMax(width,1)*(size_t) (mid.y-v)+
-              GetPixelChannels(image)*(size_t) (mid.x-u);
+            r=p+(ssize_t) GetPixelChannels(image)*(ssize_t) MagickMax(width,1)*
+              (v-mid.y)+(ssize_t) GetPixelChannels(image)*(u-mid.x);
             alpha=(double) (QuantumScale*(double) GetPixelAlpha(image,p));
             beta=(double) (QuantumScale*(double) GetPixelAlpha(image,r));
             pixel+=weights[id][n]*(double) r[i];