[Buildroot] [git commit branch/2025.02.x] package/graphicsmagick: add patch for CVE-2025-27796
Thomas Perale
thomas.perale at mind.be
Fri Mar 6 13:16:27 UTC 2026
commit: https://gitlab.com/buildroot.org/buildroot/-/commit/80fff34d7b5e579042f32349e3180b8070214c2c
branch: https://gitlab.com/buildroot.org/buildroot/-/tree/2025.02.x
Fixes the following vulnerability:
- CVE-2025-27796:
ReadWPGImage in WPG in GraphicsMagick before 1.3.46 mishandles palette
buffer allocation, resulting in out-of-bounds access to heap memory in
ReadBlob.
For more information, see
- https://www.cve.org/CVERecord?id=CVE-2025-27796
- https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/883ebf8cae6dfa5873d975fe3476b1a188ef3
Signed-off-by: Thomas Perale <thomas.perale at mind.be>
Signed-off-by: Julien Olivain <ju.o at free.fr>
(cherry picked from commit 6f9f9caa4516be5ca291c8da834710fe7cd0dc23)
Signed-off-by: Thomas Perale <thomas.perale at mind.be>
---
...-buffer-is-allocated-and-the-current-size.patch | 55 ++++++++++++++++++++++
package/graphicsmagick/graphicsmagick.mk | 3 ++
2 files changed, 58 insertions(+)
diff --git a/package/graphicsmagick/0003-Assure-that-palette-buffer-is-allocated-and-the-current-size.patch b/package/graphicsmagick/0003-Assure-that-palette-buffer-is-allocated-and-the-current-size.patch
new file mode 100644
index 0000000000..8a98034833
--- /dev/null
+++ b/package/graphicsmagick/0003-Assure-that-palette-buffer-is-allocated-and-the-current-size.patch
@@ -0,0 +1,55 @@
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen at GraphicsMagick.org>
+# Date 1734634653 21600
+# Thu Dec 19 12:57:33 2024 -0600
+# Node ID 883ebf8cae6dfa5873d975fe3476b1a188ef3f9f
+# Parent cf7cd5ebabb0ca40204de7539f4fb9ae02121958
+ReadWPGImage(): Assure that palette buffer is allocated and the current size.
+
+CVE: CVE-2025-27796
+Upstream: https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/883ebf8cae6dfa5873d975fe3476b1a188ef3f9f
+[thomas: remove changelog and binary]
+Signed-off-by: Thomas Perale <thomas.perale at mind.be>
+
+diff --git a/coders/wpg.c b/coders/wpg.c
+--- a/coders/wpg.c
++++ b/coders/wpg.c
+@@ -1704,28 +1704,23 @@
+ ThrowReaderException(CorruptImageError,InvalidColormapIndex,image);
+ }
+
+- if(pPalette!=NULL &&
+- PaletteAllocBytes < 4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries))
+- {
+- MagickFreeResourceLimitedMemory(pPalette);
+- PaletteAllocBytes = 0;
+- }
++ /* Assure that buffer is allocated and the current size */
++ if (PaletteAllocBytes != Max(4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries),4*256))
++ {
++ PaletteAllocBytes = Max(4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries),4*256);
++ MagickReallocateResourceLimitedMemory(unsigned char *,pPalette,PaletteAllocBytes);
++ }
+ if(pPalette==NULL)
+- {
+- PaletteItems = WPG_Palette.NumOfEntries;
+- PaletteAllocBytes = 4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries);
+- if(PaletteAllocBytes < 4*256) PaletteAllocBytes = 4*256;
+- pPalette = MagickAllocateResourceLimitedMemory(unsigned char *,(size_t)PaletteAllocBytes);
+- if(pPalette==NULL)
+- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
+- for(i=0; i<=255; i++)
++ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
++
++ PaletteItems = WPG_Palette.NumOfEntries;
++ for(i=0; i<=255; i++)
+ {
+ pPalette[4*i] = WPG1_Palette[i].Red;
+ pPalette[4*i+1] = WPG1_Palette[i].Green;
+ pPalette[4*i+2] = WPG1_Palette[i].Blue;
+ pPalette[4*i+3] = OpaqueOpacity;
+ }
+- }
+ if(ReadBlob(image,(size_t) PaletteItems*4,pPalette+((size_t)4*WPG_Palette.StartIndex)) != (size_t) PaletteItems*4)
+ {
+ MagickFreeResourceLimitedMemory(pPalette);
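Review bot: After the reallocation in the new `if (PaletteAllocBytes != Max(...))` branch, only the first 256 entries (the defaults loop) and the `ReadBlob` window starting at `4*WPG_Palette.StartIndex` are written, so any entries between index 256 and `StartIndex` would keep whatever the allocator returned. Whether `StartIndex` can exceed 256 depends on the colormap-index check above the hunk, which is only partly visible; if it can, clear the buffer right after the NULL check with `memset(pPalette, 0, (size_t) PaletteAllocBytes);`. The size expression is also written out twice, so computing it once into a local before the comparison would keep the test and the assignment from drifting apart. It is worth confirming that `4*(StartIndex+NumOfEntries)` cannot wrap for the field types, which are declared outside this hunk. The enclosing ReadWPGImage body starts and ends outside the hunk.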
diff --git a/package/graphicsmagick/graphicsmagick.mk b/package/graphicsmagick/graphicsmagick.mk
index 6c2885b7d8..e329e51b70 100644
--- a/package/graphicsmagick/graphicsmagick.mk
+++ b/package/graphicsmagick/graphicsmagick.mk
@@ -26,6 +26,9 @@ GRAPHICSMAGICK_IGNORE_CVES += CVE-2025-27795
# 0002-ReadJXLImage-pixel_format-num_channels-needs-to-be.patch
GRAPHICSMAGICK_IGNORE_CVES += CVE-2025-32460
+# 0003-Assure-that-palette-buffer-is-allocated-and-the-current-size.patch
+GRAPHICSMAGICK_IGNORE_CVES += CVE-2025-27796
+
GRAPHICSMAGICK_INSTALL_STAGING = YES
GRAPHICSMAGICK_CONFIG_SCRIPTS = GraphicsMagick-config GraphicsMagickWand-config