[Buildroot] [PATCH 3/4] package/graphicsmagick: add patch for CVE-2025-27796

From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: buildroot@buildroot.org
Cc: Grzegorz Blach <grzegorz@blach.pl>
Subject: [Buildroot] [PATCH 3/4] package/graphicsmagick: add patch for CVE-2025-27796
Date: Tue,  3 Mar 2026 09:13:22 +0100	[thread overview]
Message-ID: <20260303081323.53405-3-thomas.perale@mind.be> (raw)
In-Reply-To: <20260303081323.53405-1-thomas.perale@mind.be>

Fixes the following vulnerability:

- CVE-2025-27796:
    ReadWPGImage in WPG in GraphicsMagick before 1.3.46 mishandles palette
    buffer allocation, resulting in out-of-bounds access to heap memory in
    ReadBlob.

For more information, see
  - https://www.cve.org/CVERecord?id=CVE-2025-27796
  - https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/883ebf8cae6dfa5873d975fe3476b1a188ef3

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
 ...er-is-allocated-and-the-current-size.patch | 55 +++++++++++++++++++
 package/graphicsmagick/graphicsmagick.mk      |  3 +
 2 files changed, 58 insertions(+)
 create mode 100644 package/graphicsmagick/0003-Assure-that-palette-buffer-is-allocated-and-the-current-size.patch

diff --git a/package/graphicsmagick/0003-Assure-that-palette-buffer-is-allocated-and-the-current-size.patch b/package/graphicsmagick/0003-Assure-that-palette-buffer-is-allocated-and-the-current-size.patch
new file mode 100644
index 0000000000..8a98034833
--- /dev/null
+++ b/package/graphicsmagick/0003-Assure-that-palette-buffer-is-allocated-and-the-current-size.patch
@@ -0,0 +1,55 @@
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
+# Date 1734634653 21600
+#      Thu Dec 19 12:57:33 2024 -0600
+# Node ID 883ebf8cae6dfa5873d975fe3476b1a188ef3f9f
+# Parent  cf7cd5ebabb0ca40204de7539f4fb9ae02121958
+ReadWPGImage(): Assure that palette buffer is allocated and the current size.
+
+CVE: CVE-2025-27796
+Upstream: https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/883ebf8cae6dfa5873d975fe3476b1a188ef3f9f
+[thomas: remove changelog and binary]
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+
+diff --git a/coders/wpg.c b/coders/wpg.c
+--- a/coders/wpg.c
++++ b/coders/wpg.c
+@@ -1704,28 +1704,23 @@
+                 ThrowReaderException(CorruptImageError,InvalidColormapIndex,image);
+               }
+ 
+-              if(pPalette!=NULL &&
+-                 PaletteAllocBytes < 4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries))
+-              {
+-                MagickFreeResourceLimitedMemory(pPalette);
+-                PaletteAllocBytes = 0;
+-              }
++              /* Assure that buffer is allocated and the current size */
++              if (PaletteAllocBytes != Max(4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries),4*256))
++                {
++                  PaletteAllocBytes = Max(4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries),4*256);
++                  MagickReallocateResourceLimitedMemory(unsigned char *,pPalette,PaletteAllocBytes);
++                }
+               if(pPalette==NULL)
+-              {
+-                PaletteItems = WPG_Palette.NumOfEntries;
+-                PaletteAllocBytes = 4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries);
+-                if(PaletteAllocBytes < 4*256) PaletteAllocBytes = 4*256;
+-                pPalette = MagickAllocateResourceLimitedMemory(unsigned char *,(size_t)PaletteAllocBytes);
+-                if(pPalette==NULL)
+-                    ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
+-                for(i=0; i<=255; i++)
++                ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
++
++              PaletteItems = WPG_Palette.NumOfEntries;
++              for(i=0; i<=255; i++)
+                 {
+                   pPalette[4*i] = WPG1_Palette[i].Red;
+                   pPalette[4*i+1] = WPG1_Palette[i].Green;
+                   pPalette[4*i+2] = WPG1_Palette[i].Blue;
+                   pPalette[4*i+3] = OpaqueOpacity;
+                 }
+-              }
+               if(ReadBlob(image,(size_t) PaletteItems*4,pPalette+((size_t)4*WPG_Palette.StartIndex)) != (size_t) PaletteItems*4)
+               {
+                 MagickFreeResourceLimitedMemory(pPalette);
diff --git a/package/graphicsmagick/graphicsmagick.mk b/package/graphicsmagick/graphicsmagick.mk
index 6c2885b7d8..e329e51b70 100644
--- a/package/graphicsmagick/graphicsmagick.mk
+++ b/package/graphicsmagick/graphicsmagick.mk
@@ -26,6 +26,9 @@ GRAPHICSMAGICK_IGNORE_CVES += CVE-2025-27795
 # 0002-ReadJXLImage-pixel_format-num_channels-needs-to-be.patch
 GRAPHICSMAGICK_IGNORE_CVES += CVE-2025-32460
 
+# 0003-Assure-that-palette-buffer-is-allocated-and-the-current-size.patch
+GRAPHICSMAGICK_IGNORE_CVES += CVE-2025-27796
+
 GRAPHICSMAGICK_INSTALL_STAGING = YES
 GRAPHICSMAGICK_CONFIG_SCRIPTS = GraphicsMagick-config GraphicsMagickWand-config
 
-- 
2.53.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
