From ed448e879285db99d2c1207393822713acb510f2 Mon Sep 17 00:00:00 2001
From: ylwango613 <128395302+ylwango613@users.noreply.github.com>
Date: Tue, 3 Mar 2026 02:41:06 +0800
Subject: [PATCH] fix heap over-read in BilateralBlurImage with even-dimension
 kernels (#8595)

The mirrored pixel mapping (mid.x-u, mid.y-v) accesses buffer position
(2*mid - u). For even width 2k, mid=k, so u=0 accesses column 2k=width
which is one past the buffer end. Reverse the mapping to (u-mid.x,
v-mid.y) and use signed arithmetic at all three call sites.
---
 MagickCore/effect.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

Index: ImageMagick-7.1.1-43/MagickCore/effect.c
===================================================================
--- ImageMagick-7.1.1-43.orig/MagickCore/effect.c
+++ ImageMagick-7.1.1-43/MagickCore/effect.c
@@ -1038,8 +1038,8 @@ MagickExport Image *BilateralBlurImage(c
           double
             intensity;
 
-          r=p+(ssize_t) (GetPixelChannels(image)*MagickMax(width,1)*
-            (size_t) (mid.y-v)+GetPixelChannels(image)*(size_t) (mid.x-u));
+          r=p+(ssize_t) GetPixelChannels(image)*(ssize_t) MagickMax(width,1)*
+            (v-mid.y)+(ssize_t) GetPixelChannels(image)*(u-mid.x);
           intensity=ScaleQuantumToChar(GetPixelIntensity(image,r))-
             (double) ScaleQuantumToChar(GetPixelIntensity(image,p));
           if ((intensity >= -MaxIntensity) && (intensity <= MaxIntensity))
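Review bot: The corrected offset expression is now repeated verbatim here and in the hunks at -1083 and -1105, and those later sites multiply `r[i]` by `weights[id][n]`, so all three must walk the window in the same (u,v) order or a weight is paired with the wrong pixel. Hoisting the row stride into a local declared with the block's other variables, e.g. `stride=(ssize_t) GetPixelChannels(image)*(ssize_t) MagickMax(width,1);`, and writing `r=p+stride*(v-mid.y)+(ssize_t) GetPixelChannels(image)*(u-mid.x);` at each site would keep them from drifting apart again. A short comment should also record the bound the fix relies on, for example `/* (u-mid.x) spans [-mid.x,width-1-mid.x], so r stays inside the width x height window */`. That bound assumes p already points at the window's centre pixel, which is set up outside the visible lines, and the enclosing loops also begin and end outside this hunk.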
@@ -1083,8 +1083,8 @@ MagickExport Image *BilateralBlurImage(c
             {
               for (u=0; u < (ssize_t) MagickMax(width,1); u++)
               {
-                r=p+GetPixelChannels(image)*MagickMax(width,1)*(size_t)
-                  (mid.y-v)+GetPixelChannels(image)*(size_t) (mid.x-u);
+                r=p+(ssize_t) GetPixelChannels(image)*(ssize_t) MagickMax(width,1)*
+                  (v-mid.y)+(ssize_t) GetPixelChannels(image)*(u-mid.x);
                 pixel+=weights[id][n]*(double) r[i];
                 gamma+=weights[id][n];
                 n++;
@@ -1105,8 +1105,8 @@ MagickExport Image *BilateralBlurImage(c
               alpha,
               beta;
 
-            r=p+GetPixelChannels(image)*MagickMax(width,1)*(size_t) (mid.y-v)+
-              GetPixelChannels(image)*(size_t) (mid.x-u);
+            r=p+(ssize_t) GetPixelChannels(image)*(ssize_t) MagickMax(width,1)*
+              (v-mid.y)+(ssize_t) GetPixelChannels(image)*(u-mid.x);
             alpha=(double) (QuantumScale*(double) GetPixelAlpha(image,p));
             beta=(double) (QuantumScale*(double) GetPixelAlpha(image,r));
             pixel+=weights[id][n]*(double) r[i];
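Review bot: Nothing in this patch exercises the even-dimension path that this site and the two above it used to over-read; the diffstat lists only MagickCore/effect.c. A regression case that runs the bilateral blur with an even width and an even height under AddressSanitizer would cover all three call sites and catch a later edit that restores the `(mid.x-u)` form at any one of them. Since the row term is scaled by the full row stride, the even-height case is worth covering separately from the even-width case that the commit message describes.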
