imagemagick: Fix CVE vulnerablities

Fix following CVEs for imagemagick:
CVE-2023-5341, CVE-2022-1114, CVE-2023-1289 and CVE-2023-34474

Signed-off-by: Sana Kazi <sanakazi720@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

6 files changed, 247 insertions, 0 deletions

diff --git a/meta-oe/recipes-support/imagemagick/files/CVE-2022-1114.patch b/meta-oe/recipes-support/imagemagick/files/CVE-2022-1114.patch
new file mode 100644
index 0000000000..0bdd67c30b
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/CVE-2022-1114.patch
@@ -0,0 +1,44 @@
+From 8043433ba9ce0c550e09f2b3b6a3f5f62d802e6d Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Tue, 15 Mar 2022 21:59:33 -0400
+Subject: [PATCH] Coders:
+ https://github.com/ImageMagick/ImageMagick/issues/4947
+
+CVE: CVE-2022-1114
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick6/commit/78f03b619d08d7c2e0fcaccab407e3ac93c2ee8f.patch]
+Comments: Refreshed the patch as per codebase
+Signed-off-by: Sana Kazi Sana.Kazi@kpit.com
+---
+ coders/dcm.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/coders/dcm.c b/coders/dcm.c
+index ce6cecbd68d..879d5694d2a 100644
+--- a/coders/dcm.c
++++ b/coders/dcm.c
+@@ -3239,18 +3239,17 @@ static Image *ReadDCMImage(const ImageIn
+           RelinquishMagickMemory(info_copy);
+         }
+ 
+-      /*
+-        If we're entering a sequence, push the current image parameters onto
+-        the stack, so we can restore them at the end of the sequence.
+-      */
+       if (strcmp(explicit_vr,"SQ") == 0)
+         {
+-          info_copy=(DCMInfo *) AcquireMagickMemory(sizeof(info));
+-          memcpy(info_copy,&info,sizeof(info));
+-          AppendValueToLinkedList(stack,info_copy);
++          /*
++            If we're entering a sequence, push the current image parameters
++            onto the stack, so we can restore them at the end of the sequence.
++          */
++          DCMInfo *clone_info = (DCMInfo *) AcquireMagickMemory(sizeof(info));
++          (void) memcpy(clone_info,&info,sizeof(info));
++          AppendValueToLinkedList(stack,clone_info);
+           sequence_depth++;
+         }
+-
+       datum=0;
+       if (quantum == 4)
+         {
diff --git a/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289-1.patch b/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289-1.patch
new file mode 100644
index 0000000000..5f7cd8033f
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289-1.patch
@@ -0,0 +1,114 @@
+From 9d3dd9192f6710ec8e10f5edda9b7bf67caeb232 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 6 Mar 2023 14:14:36 -0500
+Subject: [PATCH] recursion detection framework
+
+CVE: CVE-2023-1289
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/9d3dd9192f6710ec8e10f5edda9b7bf67caeb232.patch]
+Comment: Hunk #2 and #3 for draw.c from orignal patch are excluded from this because
+these hunks remove the piece of code not present in imagemagick 7.0.10.
+Refreshed hunk2 of image.c, draw.h and draw.c
+Signed-off-by: Sana Kazi Sana.Kazi@kpit.com
+---
+ MagickCore/constitute.c | 12 ++++++++++++
+ MagickCore/draw.c       | 18 +++---------------
+ MagickCore/draw.h       |  3 +++
+ MagickCore/image.c      |  2 ++
+ MagickCore/image.h      |  3 +++
+ 5 files changed, 23 insertions(+), 15 deletions(-)
+
+diff --git a/MagickCore/constitute.c b/MagickCore/constitute.c
+index aa1a0c2682b..5c84602da87 100644
+--- a/MagickCore/constitute.c
++++ b/MagickCore/constitute.c
+@@ -130,6 +130,11 @@
+ %    o exception: return any errors or warnings in this structure.
+ %
+ */
++/*
++  Define declarations.
++*/
++#define MaxReadRecursionDepth  100
++
+ MagickExport Image *ConstituteImage(const size_t columns,const size_t rows,
+   const char *map,const StorageType storage,const void *pixels,
+   ExceptionInfo *exception)
+@@ -558,9 +558,16 @@ MagickExport Image *ReadImage(const Imag
+       if (GetMagickDecoderThreadSupport(magick_info) == MagickFalse)
+         LockSemaphoreInfo(magick_info->semaphore);
+       status=IsCoderAuthorized(read_info->magick,ReadPolicyRights,exception);
++      if (((ImageInfo *) image_info)->recursion_depth++ > MaxReadRecursionDepth)
++        {
++          (void) ThrowMagickException(exception,GetMagickModule(),CoderError,
++            "NumberOfImagesIsNotSupported","`%s'",read_info->magick);
++          status=MagickFalse;
++        }
+       image=(Image *) NULL;
+       if (status != MagickFalse)
+         image=decoder(read_info,exception);
++      ((ImageInfo *) image_info)->recursion_depth--;
+       if (GetMagickDecoderThreadSupport(magick_info) == MagickFalse)
+         UnlockSemaphoreInfo(magick_info->semaphore);
+     }
+diff --git a/MagickCore/draw.c b/MagickCore/draw.c
++index ff78d620afd..c875c07acc6 100644
++--- a/MagickCore/draw.c
+++++ b/MagickCore/draw.c
+@@ -5916,7 +5916,8 @@ MagickExport void GetDrawInfo(const Imag
+   (void) LogMagickEvent(TraceEvent,GetMagickModule(),"...");
+   assert(draw_info != (DrawInfo *) NULL);
+   (void) memset(draw_info,0,sizeof(*draw_info));
+-  clone_info=CloneImageInfo(image_info);
++  draw_info->image_info=image_info;
++  clone_info=CloneImageInfo(draw_info->image_info);
+   GetAffineMatrix(&draw_info->affine);
+   exception=AcquireExceptionInfo();
+   (void) QueryColorCompliance("#000F",AllCompliance,&draw_info->fill,
+diff --git a/MagickCore/draw.h b/MagickCore/draw.h
+index 38a52e20361..69257fc02a1 100644
+--- a/MagickCore/draw.h
++++ b/MagickCore/draw.h
+@@ -340,6 +340,9 @@ typedef struct _DrawInfo
+ 
+   char
+     *id;
++
++  const ImageInfo
++    *image_info;  
+ } DrawInfo;
+ 
+ typedef struct _PrimitiveInfo
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 9bf47e6e01d..8289139bf6f 100644
+--- a/MagickCore/image.c
++++ b/MagickCore/image.c
+@@ -995,6 +995,7 @@ MagickExport ImageInfo *CloneImageInfo(c
+     MagickPathExtent);
+   clone_info->channel=image_info->channel;
+   (void) CloneImageOptions(clone_info,image_info);
++  clone_info->recursion_depth=image_info->recursion_depth;
+   clone_info->debug=IsEventLogging();
+   clone_info->signature=image_info->signature;
+   return(clone_info);
+@@ -1350,6 +1350,7 @@ MagickExport void GetImageInfo(ImageInfo
+   image_info->quality=UndefinedCompressionQuality;
+   image_info->antialias=MagickTrue;
+   image_info->dither=MagickTrue;
++  image_info->depth=0;
+   synchronize=GetEnvironmentValue("MAGICK_SYNCHRONIZE");
+   if (synchronize != (const char *) NULL)
+     {
+diff --git a/MagickCore/image.h b/MagickCore/image.h
+index b9d870a9271..df6bf9bd103 100644
+--- a/MagickCore/image.h
++++ b/MagickCore/image.h
+@@ -492,6 +492,9 @@ struct _ImageInfo
+ 
+   PixelInfo
+     matte_color;        /* matte (frame) color */
++
++  size_t
++    recursion_depth;  /* recursion detection */
+ };
+ 
+ extern MagickExport ChannelType
diff --git a/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289.patch b/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289.patch
new file mode 100644
index 0000000000..944754fb3d
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289.patch
@@ -0,0 +1,21 @@
+From c5b23cbf2119540725e6dc81f4deb25798ead6a4 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 6 Mar 2023 15:26:32 -0500
+Subject: [PATCH] erecursion detection
+CVE: CVE-2023-1289
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/c5b23cbf2119540725e6dc81f4deb25798ead6a4]
+Signed-off-by: Sana Kazi Sana.Kazi@kpit.com
+---
+ MagickCore/draw.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/MagickCore/draw.c 2025-05-12 13:34:26.689655000 +0530
++++ b/MagickCore/draw.c 2025-05-12 13:45:30.136300211 +0530
+@@ -5526,6 +5526,7 @@ MagickExport MagickBooleanType DrawPrimi
+       if (primitive_info->text == (char *) NULL)
+         break;
+       clone_info=AcquireImageInfo();
++      clone_info->recursion_depth=draw_info->image_info->recursion_depth;      
+       composite_images=(Image *) NULL;
+       if (LocaleNCompare(primitive_info->text,"data:",5) == 0)
+         composite_images=ReadInlineImage(clone_info,primitive_info->text,
diff --git a/meta-oe/recipes-support/imagemagick/files/CVE-2023-34474.patch b/meta-oe/recipes-support/imagemagick/files/CVE-2023-34474.patch
new file mode 100644
index 0000000000..e7b7783f47
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/CVE-2023-34474.patch
@@ -0,0 +1,35 @@
+From 1061db7f80fdc9ef572ac60b55f408f7bab6e1b0 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 15 May 2023 14:22:11 -0400
+Subject: [PATCH] carefully crafted image files (TIM2, JPEG) no longer overflow
+ buffer nor use heap after free (thanks to Juzhi Lu, Zhen Zhou, Likang Luo of
+ NSFOCUS Security Team)
+
+CVE: CVE-2023-34474
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/1061db7f80fdc9ef572ac60b55f408f7bab6e1b0.patch]
+Comment: Remove hunk from MagickCore/profile.c. as it fixes as the vulnerable function
+ImageMagick's ReplaceXmpValue() that introduces CVE-2023-34475 is not present in 7.0.10 version
+Signed-off-by: Sana Kazi Sana.Kazi@kpit.com
+---
+ MagickCore/profile.c | 5 +++--
+ coders/tim2.c        | 4 +++-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/coders/tim2.c b/coders/tim2.c
+index 0445985dcc0..d30afaf05d6 100644
+--- a/coders/tim2.c
++++ b/coders/tim2.c
+@@ -517,10 +517,12 @@ static MagickBooleanType ReadTIM2ImageData(const ImageInfo *image_info,
+     /*
+       * ### Read CLUT Data ###
+       */
+-    clut_data=(unsigned char *) AcquireQuantumMemory(1,header->clut_size);
++    clut_data=(unsigned char *) AcquireQuantumMemory(2,
++      MagickMax(header->clut_size,image->colors));
+     if (clut_data == (unsigned char *) NULL)
+       ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
+         image_info->filename);
++    (void) memset(clut_data,0,2*MagickMax(header->clut_size,image->colors));
+     count=ReadBlob(image,header->clut_size,clut_data);
+     if (count != (ssize_t) (header->clut_size))
+       {
diff --git a/meta-oe/recipes-support/imagemagick/files/CVE-2023-5341.patch b/meta-oe/recipes-support/imagemagick/files/CVE-2023-5341.patch
new file mode 100644
index 0000000000..e26dd61fba
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/CVE-2023-5341.patch
@@ -0,0 +1,28 @@
+From aa673b2e4defc7cad5bec16c4fc8324f71e531f1 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sun, 24 Sep 2023 07:28:19 -0400
+Subject: [PATCH] check for BMP file size, poc provided by Hardik Shah of
+ Vehere (Dawn Treaders team)
+
+CVE: CVE-2023-5341
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/aa673b2e4defc7cad5bec16c4fc8324f71e531f1.patch]
+Comment: Refresh hunk as per codebase
+Signed-off-by: Sana Kazi Sana.Kazi@kpit.com
+---
+ coders/bmp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/coders/bmp.c b/coders/bmp.c
+index 94ec6628fdf..7e36d4f481b 100644
+--- a/coders/bmp.c
++++ b/coders/bmp.c
+@@ -625,6 +625,9 @@ static Image *ReadBMPImage(const ImageIn
+     if (image->debug != MagickFalse)
+       (void) LogMagickEvent(CoderEvent,GetMagickModule(),"  BMP size: %u",
+         bmp_info.size);
++    if ((bmp_info.file_size != 0) &&
++        ((MagickSizeType) bmp_info.file_size > GetBlobSize(image)))
++      ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+     profile_data=0;
+     profile_size=0;
+     if (bmp_info.size == 12)
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
index 6108dece27..ce5489bb3e 100644
--- a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
+++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
@@ -18,6 +18,11 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
     file://CVE-2022-0284.patch \
     file://fix-cipher-leak.patch \
     file://CVE-2022-2719.patch \
+    file://CVE-2022-1114.patch \
+    file://CVE-2023-1289-1.patch \
+    file://CVE-2023-1289.patch \
+    file://CVE-2023-34474.patch \
+    file://CVE-2023-5341.patch \
 "
 
 SRCREV = "35b4991eb0939a327f3489988c366e21068b0178"