From 5897fb65d173a57729026321d5067c9ddca5c56f Mon Sep 17 00:00:00 2001 From: Dirk Lemstra Date: Fri, 6 Mar 2026 13:15:04 +0100 Subject: [PATCH] Added extra check to prevent overflow that could result in a heap over-write (GHSA-qmw5-2p58-xvrc) --- coders/png.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) Index: ImageMagick-7.1.1-43/coders/png.c =================================================================== --- ImageMagick-7.1.1-43.orig/coders/png.c +++ ImageMagick-7.1.1-43/coders/png.c @@ -7655,11 +7655,10 @@ ModuleExport void UnregisterPNGImage(voi % transparent region at the top and/or left. */ -static void -Magick_png_write_raw_profile(const ImageInfo *image_info,png_struct *ping, - png_info *ping_info, unsigned char *profile_type, unsigned char - *profile_description, unsigned char *profile_data, png_uint_32 length, - ExceptionInfo *exception) +static void Magick_png_write_raw_profile(const ImageInfo *image_info, + png_struct *ping,png_info *ping_info,unsigned char *profile_type, + unsigned char *profile_description,unsigned char *profile_data, + png_uint_32 length,ExceptionInfo *exception) { png_charp dp; @@ -7692,7 +7691,7 @@ Magick_png_write_raw_profile(const Image description_length=(png_uint_32) strlen((const char *) profile_description); allocated_length=(png_uint_32) (2*length+(length >> 5)+description_length+ 20); - if (allocated_length < length) + if ((allocated_length < length) || (length >= (PNG_UINT_31_MAX / 2))) { (void) ThrowMagickException(exception,GetMagickModule(),CoderError, "maximum profile length exceeded","`%s'",image_info->filename);