From c54e9b365118972f939b0efcdd5087e106eb8945 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sat, 28 Feb 2026 10:43:30 -0500
Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/pull/8573

---
 coders/bmp.c |  3 +++
 coders/dib.c | 28 +++++++++++++++++++++-------
 2 files changed, 24 insertions(+), 7 deletions(-)

Index: ImageMagick-6.8.8-1/coders/bmp.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/bmp.c
+++ ImageMagick-6.8.8-1/coders/bmp.c
@@ -1687,6 +1687,9 @@ static MagickBooleanType WriteBMPImage(c
         bmp_info.compression=(unsigned int) ((type > 3) &&
           (image->matte != MagickFalse) ?  BI_BITFIELDS : BI_RGB);
       }
+    if (BMPOverflowCheck(image->columns,(size_t) bmp_info.bits_per_pixel) !=
+        MagickFalse)
+      ThrowWriterException(ImageError,"WidthOrHeightExceedsLimit");
     bytes_per_line=4*((image->columns*bmp_info.bits_per_pixel+31)/32);
     bmp_info.ba_offset=0;
     profile=GetImageProfile(image,"icc");
Index: ImageMagick-6.8.8-1/coders/dib.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/dib.c
+++ ImageMagick-6.8.8-1/coders/dib.c
@@ -455,6 +455,25 @@ static inline size_t MagickMax(const siz
   return(y);
 }
 
+static inline MagickBooleanType HeapOverflowSanityCheckGetSize(
+  const size_t count,const size_t quantum,size_t *const extent)
+{
+  size_t
+    length;
+
+  if ((count == 0) || (quantum == 0))
+    return(MagickTrue);
+  length=count*quantum;
+  if (quantum != (length/count))
+    {
+      errno=ENOMEM;
+      return(MagickTrue);
+    }
+  assert(extent != NULL);
+  *extent=length;
+  return(MagickFalse);
+}
+
 static Image *ReadDIBImage(const ImageInfo *image_info,ExceptionInfo *exception)
 {
   DIBInfo
@@ -493,6 +512,7 @@ static Image *ReadDIBImage(const ImageIn
 
   size_t
     bytes_per_line,
+    extent,
     length;
 
   ssize_t
@@ -653,8 +673,16 @@ static Image *ReadDIBImage(const ImageIn
   */
   if (dib_info.compression == BI_RLE4)
     dib_info.bits_per_pixel<<=1;
-  bytes_per_line=4*((image->columns*dib_info.bits_per_pixel+31)/32);
-  length=bytes_per_line*image->rows;
+ if (HeapOverflowSanityCheckGetSize(image->columns,
+      (size_t) dib_info.bits_per_pixel,&extent) != MagickFalse)
+    ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+  if (HeapOverflowSanityCheckGetSize(4,((extent+31)/32),&bytes_per_line) != MagickFalse)
+    ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+  if (HeapOverflowSanityCheckGetSize(bytes_per_line,image->rows,
+      &length) != MagickFalse)
+    ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
+  if ((MagickSizeType) (length/256) > GetBlobSize(image))
+    ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
   pixel_info=AcquireVirtualMemory(image->rows,MagickMax(bytes_per_line,
     image->columns+256UL)*sizeof(*pixels));
   if (pixel_info == (MemoryInfo *) NULL)
@@ -1031,7 +1059,9 @@ static MagickBooleanType WriteDIBImage(c
     *q;
 
   size_t
-    bytes_per_line;
+    bytes_per_line,
+    extent,
+    length;
 
   ssize_t
     y;
@@ -1078,14 +1108,20 @@ static MagickBooleanType WriteDIBImage(c
       dib_info.number_colors=(dib_info.bits_per_pixel == 16) ? 0 :
         (1UL << dib_info.bits_per_pixel);
     }
-  bytes_per_line=4*((image->columns*dib_info.bits_per_pixel+31)/32);
+  if (HeapOverflowSanityCheckGetSize(image->columns,
+      (size_t) dib_info.bits_per_pixel,&extent) != MagickFalse)
+    ThrowWriterException(ImageError,"WidthOrHeightExceedsLimit");
+  bytes_per_line=4*((extent+31)/32);
+  if (HeapOverflowSanityCheckGetSize(bytes_per_line,image->rows,
+      &length) != MagickFalse)
+    ThrowWriterException(ImageError,"WidthOrHeightExceedsLimit");
   dib_info.size=40;
   dib_info.width=(ssize_t) image->columns;
   dib_info.height=(ssize_t) image->rows;
   dib_info.planes=1;
   dib_info.compression=(size_t) (dib_info.bits_per_pixel == 16 ?
     BI_BITFIELDS : BI_RGB);
-  dib_info.image_size=bytes_per_line*image->rows;
+  dib_info.image_size=(unsigned int) length;
   dib_info.x_pixels=75*39;
   dib_info.y_pixels=75*39;
   switch (image->units)
@@ -1112,7 +1148,7 @@ static MagickBooleanType WriteDIBImage(c
     bytes_per_line,image->columns+256UL)*sizeof(*pixels));
   if (pixels == (unsigned char *) NULL)
     ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
-  (void) ResetMagickMemory(pixels,0,dib_info.image_size);
+  (void) ResetMagickMemory(pixels,0,length);
   switch (dib_info.bits_per_pixel)
   {
     case 1:
@@ -1252,9 +1288,6 @@ static MagickBooleanType WriteDIBImage(c
   if (dib_info.bits_per_pixel == 8)
     if (image_info->compression != NoCompression)
       {
-        size_t
-          length;
-
         /*
           Convert run-length encoded raster pixels.
         */