Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package GraphicsMagick for openSUSE:Factory 
checked in at 2026-07-10 17:34:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/GraphicsMagick (Old)
 and      /work/SRC/openSUSE:Factory/.GraphicsMagick.new.1991 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "GraphicsMagick"

Fri Jul 10 17:34:13 2026 rev:107 rq:1364710 version:1.3.47

Changes:
--------
--- /work/SRC/openSUSE:Factory/GraphicsMagick/GraphicsMagick.changes    
2026-06-25 10:51:39.265843771 +0200
+++ /work/SRC/openSUSE:Factory/.GraphicsMagick.new.1991/GraphicsMagick.changes  
2026-07-10 17:35:00.732206978 +0200
@@ -1,0 +2,7 @@
+Thu Jul  9 12:07:43 UTC 2026 - Petr Gajdos <[email protected]>
+
+- added patches
+  CVE-2026-13606: memory corruption via crafted Photo CD (PCD) file 
[bsc#1269891]
+  * GraphicsMagick-CVE-2026-13606.patch
+
+-------------------------------------------------------------------

New:
----
  GraphicsMagick-CVE-2026-13606.patch

----------(New B)----------
  New:  CVE-2026-13606: memory corruption via crafted Photo CD (PCD) file 
[bsc#1269891]
  * GraphicsMagick-CVE-2026-13606.patch
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ GraphicsMagick.spec ++++++
--- /var/tmp/diff_new_pack.UFpv0W/_old  2026-07-10 17:35:04.628340292 +0200
+++ /var/tmp/diff_new_pack.UFpv0W/_new  2026-07-10 17:35:04.632340429 +0200
@@ -37,6 +37,8 @@
 Patch7:         GraphicsMagick-CVE-2026-42050.patch
 # CVE-2026-46523: heap-use-after-free via a crafted MSL image [bsc#1268125]
 Patch8:         GraphicsMagick-CVE-2026-46523.patch
+# CVE-2026-13606: memory corruption via crafted Photo CD (PCD) file 
[bsc#1269891]
+Patch9:         GraphicsMagick-CVE-2026-13606.patch
 BuildRequires:  cups-client
 BuildRequires:  dcraw
 BuildRequires:  gcc-c++

++++++ GraphicsMagick-CVE-2026-13606.patch ++++++
# HG changeset patch
# User Bob Friesenhahn <[email protected]>
# Date 1782310094 18000
#      Wed Jun 24 09:08:14 2026 -0500
# Node ID 937cdd9920bd966517c5f7a3595397af96b6ab6f
# Parent  ae36237cba6a12216b5f40ad42930152ce2ff1ac
coders/pcd.c (ReadPCDImage): Over-provision the per-channel Huffman decode 
buffers and detect any attempt to overflow them.
diff --git a/coders/pcd.c b/coders/pcd.c
--- a/coders/pcd.c
+++ b/coders/pcd.c
@@ -87,8 +87,10 @@
 %
 %
 */
-static void Upsample(const unsigned long width,const unsigned long height,
-                     const unsigned long scaled_width,unsigned char *pixels)
+static void Upsample(const unsigned long width,
+                     const unsigned long height,
+                     const unsigned long scaled_width,
+                     unsigned char * restrict pixels)
 {
   register long
     x,
@@ -198,8 +200,11 @@
   if (EOFBlob(image)) \
     break; \
 }
-static MagickPassFail DecodeImage(Image *image,unsigned char *luma,
-  unsigned char *chroma1,unsigned char *chroma2)
+static MagickPassFail DecodeImage(Image *image,
+                                  const size_t channel_alloc_size,
+                                  unsigned char * restrict luma,
+                                  unsigned char * restrict chroma1,
+                                  unsigned char * restrict chroma2)
 {
   typedef struct PCDTable
   {
@@ -236,7 +241,8 @@
     length;
 
   unsigned char
-    *buffer;
+    *buffer,
+    *plane_end;
 
   unsigned int
     bits,
@@ -332,6 +338,7 @@
   plane=0;
   row=0;
   q=luma;
+  plane_end=luma+channel_alloc_size;
   for ( ; ; )
   {
     if (IsSync)
@@ -351,12 +358,14 @@
           case 0:
           {
             q=luma+row*(size_t)image->columns;
+            plane_end=luma+channel_alloc_size;
             /* count=(long) image->columns; */
             break;
           }
           case 2:
           {
             q=chroma1+(row >> 1)*(size_t)image->columns;
+            plane_end=chroma1+channel_alloc_size;
             /* count=(long) (image->columns >> 1); */
             plane--;
             break;
@@ -364,6 +373,7 @@
           case 3:
           {
             q=chroma2+(row >> 1)*(size_t)image->columns;
+            plane_end=chroma2+channel_alloc_size;
             /* count=(long) (image->columns >> 1); */
             plane--;
             break;
@@ -405,6 +415,17 @@
           PCDGetBits(1);
         continue;
       }
+    /* Detect overflow */
+    if (q >= plane_end)
+      {
+        if (image->logging)
+          (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                                "Plane buffer overflow detected!");
+        ThrowException(&image->exception,CorruptImageError,
+                         UnableToUncompressImage,image->filename);
+        status=MagickFail;
+        goto decode_image_error;
+      }
     if (r->key < 128U)
       quantum=(long) (*q)+r->key;
     else
@@ -564,7 +585,8 @@
 
   size_t
     number_pixels,
-    count;
+    count,
+    channel_alloc_size;
 
   unsigned char
     *chroma1 = NULL,
@@ -661,9 +683,13 @@
   number_pixels=MagickArraySize(image->columns,image->rows);
   if (number_pixels == 0 || number_pixels+1 < number_pixels)
     ThrowPCDReaderException(ResourceLimitError,MemoryAllocationFailed,image);
-  chroma1=MagickAllocateResourceLimitedMemory(unsigned char *,number_pixels+1);
-  chroma2=MagickAllocateResourceLimitedMemory(unsigned char *,number_pixels+1);
-  luma=MagickAllocateResourceLimitedMemory(unsigned char *,number_pixels+1);
+  channel_alloc_size=MagickArraySize(number_pixels,10);
+  if (channel_alloc_size == 0 || channel_alloc_size+1 < channel_alloc_size)
+    ThrowPCDReaderException(ResourceLimitError,MemoryAllocationFailed,image);
+  channel_alloc_size++;
+  chroma1=MagickAllocateResourceLimitedClearedMemory(unsigned char 
*,channel_alloc_size);
+  chroma2=MagickAllocateResourceLimitedClearedMemory(unsigned char 
*,channel_alloc_size);
+  luma=MagickAllocateResourceLimitedClearedMemory(unsigned char 
*,channel_alloc_size);
   if ((chroma1 == (unsigned char *) NULL) ||
       (chroma2 == (unsigned char *) NULL) ||
       (luma == (unsigned char *) NULL))
@@ -741,6 +767,12 @@
             q->red=ScaleCharToQuantum(*yy++);
             q->green=ScaleCharToQuantum(*c1++);
             q->blue=ScaleCharToQuantum(*c2++);
+            if (((size_t) (yy-luma) >= channel_alloc_size) ||
+                ((size_t) (c1-chroma1) >= channel_alloc_size) ||
+                ((size_t) (c2-chroma2) >= channel_alloc_size))
+              {
+                
ThrowPCDReaderException(CorruptImageError,UnableToUncompressImage,image);
+              }
             q++;
           }
           if (!SyncImagePixels(image))
@@ -812,7 +844,7 @@
       image->rows=1024;
       for (i=0; i < (4*0x800); i++)
         (void) ReadBlobByte(image);
-      status=DecodeImage(image,luma,chroma1,chroma2);
+      status=DecodeImage(image,channel_alloc_size,luma,chroma1,chroma2);
       if ((subimage >= 5) && status)
         {
           /*
@@ -824,7 +856,7 @@
           image->rows=2048;
           offset=TellBlob(image)/0x800+12;
           (void) SeekBlob(image,offset*0x800,SEEK_SET);
-          status=DecodeImage(image,luma,chroma1,chroma2);
+          status=DecodeImage(image,channel_alloc_size,luma,chroma1,chroma2);
           if ((subimage >= 6) && status)
             {
               /*
@@ -860,6 +892,12 @@
       q->red=ScaleCharToQuantum(*yy++);
       q->green=ScaleCharToQuantum(*c1++);
       q->blue=ScaleCharToQuantum(*c2++);
+      if (((size_t) (yy-luma) >= channel_alloc_size) ||
+          ((size_t) (c1-chroma1) >= channel_alloc_size) ||
+          ((size_t) (c2-chroma2) >= channel_alloc_size))
+        {
+          
ThrowPCDReaderException(CorruptImageError,UnableToUncompressImage,image);
+        }
       q++;
     }
     if (!SyncImagePixels(image))

Reply via email to