Merge updates from debian/bookworm-security

debian/changelog

+imagemagick (8:6.9.11.60+dfsg-1.6+deb12u1) bookworm-security; urgency=high
+
+  * Acknowledge NMU
+  * Fix CVE-2021-3610 heap buffer overflow vulnerability in TIFF coder
+  * Fix an heap buffer overflow in TIFF coder
+  * Fix uninitialised value passing in TIFFGetField
+  * Fix stack overflow in TIFF coder
+  * Early exit in case of malformed TIFF file
+  * Fix buffer overrun in TIFF coder
+  * Fix unitialised value in TIFF coder
+  * Fix CVE-2022-1115: Heap based overflow in
+    TIFF coder (Closes: #1013282)
+  * Fix uninitialised value in TIFF coders
+  * Use salsa-ci
+  * Fix CVE-2023-1289: A specially created SVG file loaded itself and
+    causes a segmentation fault. This flaw allows a remote attacker
+    to pass a specially crafted SVG file that leads to a segmentation
+    fault, generating many trash files in "/tmp," resulting in
+    a denial of service. When ImageMagick crashes,
+    it generates a lot of trash files. These trash files
+    can be large if the SVG file contains many render actions.
+    In a denial of service attack, if a remote attacker uploads an SVG file
+    of size t, ImageMagick generates files of size 103*t.
+    If an attacker uploads a 100M SVG, the server will generate about 10G.
+  * Fix CVE-2023-1906: A heap-based buffer overflow issue was
+    discovered in ImageMagick's ImportMultiSpectralQuantum() function
+    in MagickCore/quantum-import.c. An attacker could pass specially
+    crafted file to convert, triggering an out-of-bounds read error,
+    allowing an application to crash, resulting in a denial of service.
+  * Fix CVE-2023-34151: Imagemagick was vulnerable due to
+    an undefined behaviors of casting double to size_t in svg, mvg
+    and other coders. (Closes: #1036999)
+  * Fix CVE-2023-3428: A heap-based buffer overflow vulnerability
+    was found in coders/tiff.c in ImageMagick. This issue
+    may allow a local attacker to trick the user into opening
+    a specially crafted file, resulting in an application crash
+    and denial of service.
+  * Fix CVE-2023-5341: A heap use-after-free flaw was found in
+    coders/bmp.c
+
+ -- Bastien Roucariès <rouca@debian.org>  Mon, 12 Feb 2024 20:15:47 +0000
+
 imagemagick (8:6.9.11.60+dfsg-1.6+apertis1) apertis; urgency=medium
 
   * Sync updates from debian/bookworm

debian/patches/0041-1-2-CVE-2021-3610-eliminate-heap-buffer-overflow-vul.patch

+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Thu, 27 May 2021 10:32:51 -0400
+Subject: [1/2] CVE-2021-3610 eliminate heap buffer overflow vulnerability in
+ TIFF coder
+
+thanks to ZhangJiaxing (@r0fm1a) from Codesafe Team of Legendsec at Qi'anxin Group
+
+bug: https://github.com/ImageMagick/ImageMagick6/issues/244
+origin: https://github.com/ImageMagick/ImageMagick6/commit/b307bcadcdf6ea6819951ac1786b7904f27b25c6.patch
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2021-3610
+---
+ coders/tiff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index 8e89ec1..3927224 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1872,7 +1872,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         /*
+           Convert stripped TIFF image.
+         */
+-        extent=2*TIFFStripSize(tiff);
++        extent=4*TIFFStripSize(tiff);
+ #if defined(TIFF_VERSION_BIG)
+         extent+=image->columns*sizeof(uint64);
+ #else

debian/patches/0042-2-2-CVE-2021-3610-eliminate-heap-buffer-overflow-vul.patch

+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Sun, 30 May 2021 20:57:18 -0400
+Subject: [2/2] CVE-2021-3610 eliminate heap buffer overflow vulnerability in
+ TIFF coder
+
+Thanks to ZhangJiaxing (@r0fm1a) from Codesafe Team of Legendsec at Qi'anxin Group
+
+bug: https://github.com/ImageMagick/ImageMagick6/issues/244
+origin: https://github.com/ImageMagick/ImageMagick6/commit/b307bcadcdf6ea6819951ac1786b7904f27b25c6.patch
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2021-3610
+(cherry picked from commit c75ae771a00c38b757c5ef4b424b51e761b02552)
+---
+ coders/tiff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index 3927224..1c84442 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1872,7 +1872,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         /*
+           Convert stripped TIFF image.
+         */
+-        extent=4*TIFFStripSize(tiff);
++        extent=(samples_per_pixel+1)*TIFFStripSize(tiff);
+ #if defined(TIFF_VERSION_BIG)
+         extent+=image->columns*sizeof(uint64);
+ #else

debian/patches/0043-heap-based-buffer-overflow-in-TIFF-coder-alert-from-.patch

+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Mon, 26 Jul 2021 13:08:57 -0400
+Subject: heap-based buffer overflow in TIFF coder (alert from Hunter
+ Mitchell)
+
+origin:  https://github.com/ImageMagick/ImageMagick6/commit/e1fbcdf3aad96d51db65c1601117396eac665a6d
+bug: https://github.com/ImageMagick/ImageMagick6/issues/245
+---
+ coders/tiff.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index 1c84442..8d552fc 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -2020,7 +2020,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+               columns_remaining=image->columns-x;
+               if ((ssize_t) (x+columns) < (ssize_t) image->columns)
+                 columns_remaining=columns;
+-              if (TIFFReadTile(tiff,tile_pixels,(uint32) x,(uint32) y,0,i) == 0)
++              if (TIFFReadTile(tiff,tile_pixels,(uint32) x,(uint32) y,0,i) == -1)
+                 break;
+               p=tile_pixels;
+               for (row=0; row < rows_remaining; row++)
+@@ -2080,8 +2080,13 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         if (generic_info == (MemoryInfo *) NULL)
+           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+         pixels=(uint32 *) GetVirtualMemoryBlob(generic_info);
+-        (void) TIFFReadRGBAImage(tiff,(uint32) image->columns,(uint32)
++        status=TIFFReadRGBAImage(tiff,(uint32) image->columns,(uint32)
+           image->rows,(uint32 *) pixels,0);
++        if (status == -1)
++          {
++            generic_info=RelinquishVirtualMemory(generic_info);
++            break;
++          }
+         p=pixels+(image->columns*image->rows)-1;
+         for (y=0; y < (ssize_t) image->rows; y++)
+         {

debian/patches/0044-heap-based-buffer-overflow-in-TIFF-coder-alert-from-.patch

+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Mon, 26 Jul 2021 13:26:21 -0400
+Subject: heap-based buffer overflow in TIFF coder (alert from Hunter
+ Mitchell)
+
+origin:  https://github.com/ImageMagick/ImageMagick6/commit/35b88c9166bc1b3ce8893f52217bae00d8e2c532
+bug: https://github.com/ImageMagick/ImageMagick6/issues/245
+---
+ coders/tiff.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index 8d552fc..38badad 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1974,9 +1974,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+         extent=TIFFTileSize(tiff);
+ #if defined(TIFF_VERSION_BIG)
+-        extent+=columns*sizeof(uint64);
++        extent=MagickMax(rows*columns*sizeof(uint64),extent);
+ #else
+-        extent+=columns*sizeof(uint32);
++        extent=MagickMax(rows*columns*sizeof(uint32),extent);
+ #endif
+         tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
+           sizeof(*tile_pixels));

debian/patches/0045-heap-based-buffer-overflow-in-TIFF-coder-alert-from-.patch

+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Mon, 26 Jul 2021 13:38:45 -0400
+Subject: heap-based buffer overflow in TIFF coder (alert from Hunter
+ Mitchell)
+
+bug: https://github.com/ImageMagick/ImageMagick6/issues/245
+origin: https://github.com/ImageMagick/ImageMagick6/commit/f90a091c7dd12cc53b0999bf49d1c80651534eea
+---
+ coders/tiff.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index 38badad..c326559 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1972,12 +1972,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         number_pixels=(MagickSizeType) columns*rows;
+         if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
+           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+-        extent=TIFFTileSize(tiff);
+-#if defined(TIFF_VERSION_BIG)
+-        extent=MagickMax(rows*columns*sizeof(uint64),extent);
+-#else
+-        extent=MagickMax(rows*columns*sizeof(uint32),extent);
+-#endif
++        extent=MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
+         tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
+           sizeof(*tile_pixels));
+         if (tile_pixels == (unsigned char *) NULL)

debian/patches/0046-Fix-a-non-initialized-value-passed-to-TIFFGetField.patch

+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Fri, 3 Sep 2021 19:45:32 -0400
+Subject: Fix a non initialized value passed to TIFFGetField()
+
+bug-oss-fuzz: https://oss-fuzz.com/testcase-detail/6502669439598592
+bug: https://github.com/ImageMagick/ImageMagick6/issues/246
+origin: https://github.com/ImageMagick/ImageMagick6/commit/995de330310dd35531165d9471fe4d31e0fa79ae
+---
+ coders/tiff.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index c326559..fd0169f 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1485,6 +1485,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+       }
+     if (TIFFGetFieldDefaulted(tiff,TIFFTAG_ORIENTATION,&orientation,sans) == 1)
+       image->orientation=(OrientationType) orientation;
++    chromaticity=(float *) NULL;
+     if (TIFFGetField(tiff,TIFFTAG_WHITEPOINT,&chromaticity) == 1)
+       {
+         if ((chromaticity != (float *) NULL) && (*chromaticity != 0.0))

debian/patches/0047-initialize-buffer-before-calling-TIFFGetField.patch

+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Sat, 4 Sep 2021 07:45:17 -0400
+Subject: initialize buffer before calling TIFFGetField()
+
+bug-oss-fuzz: https://oss-fuzz.com/testcase-detail/6502669439598592
+bug: https://github.com/ImageMagick/ImageMagick6/issues/246
+origin: https://github.com/ImageMagick/ImageMagick6/commit/995de330310dd35531165d9471fe4d31e0fa79ae
+---
+ coders/tiff.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index fd0169f..ee250d9 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -685,7 +685,7 @@ static MagickBooleanType TIFFGetProperties(TIFF *tiff,Image *image)
+ {
+   char
+     message[MaxTextExtent],
+-    *text;
++    *text = (char *) NULL;
+ 
+   MagickBooleanType
+     status;
+@@ -694,7 +694,6 @@ static MagickBooleanType TIFFGetProperties(TIFF *tiff,Image *image)
+     count,
+     type;
+ 
+-  text=(char *) NULL;
+   status=MagickTrue;
+   if ((TIFFGetField(tiff,TIFFTAG_ARTIST,&text) == 1) &&
+       (text != (char *) NULL))
+@@ -1013,10 +1012,11 @@ static TIFFMethodType GetJPEGMethod(Image* image,TIFF *tiff,uint16 photometric,
+ 
+ #if defined(TIFF_VERSION_BIG)
+   uint64
++    *value = (uint64 *) NULL;
+ #else
+   uint32
++    *value = (uint32 *) NULL;
+ #endif
+-    *value;
+ 
+   unsigned char
+     buffer[BUFFER_SIZE+32];
+@@ -1033,7 +1033,6 @@ static TIFFMethodType GetJPEGMethod(Image* image,TIFF *tiff,uint16 photometric,
+   /*
+     Search for Adobe APP14 JPEG marker.
+   */
+-  value=NULL;
+   if (!TIFFGetField(tiff,TIFFTAG_STRIPOFFSETS,&value) || (value == NULL))
+     return(ReadStripMethod);
+   position=TellBlob(image);
+@@ -1175,7 +1174,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+     *option;
+ 
+   float
+-    *chromaticity,
++    *chromaticity = (float *) NULL,
+     x_position,
+     y_position,
+     x_resolution,
+@@ -1485,7 +1484,6 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+       }
+     if (TIFFGetFieldDefaulted(tiff,TIFFTAG_ORIENTATION,&orientation,sans) == 1)
+       image->orientation=(OrientationType) orientation;
+-    chromaticity=(float *) NULL;
+     if (TIFFGetField(tiff,TIFFTAG_WHITEPOINT,&chromaticity) == 1)
+       {
+         if ((chromaticity != (float *) NULL) && (*chromaticity != 0.0))
+@@ -1589,9 +1587,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+           range;
+ 
+         uint16
+-          *blue_colormap,
+-          *green_colormap,
+-          *red_colormap;
++          *blue_colormap = (uint16 *) NULL,
++          *green_colormap = (uint16 *) NULL,
++          *red_colormap = (uint16 *) NULL;
+ 
+         /*
+           Initialize colormap.

debian/patches/0048-Fix-stack-overflow-when-parsing-malicious-tiff-image.patch

+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Tue, 19 Oct 2021 14:53:41 -0400
+Subject: Fix stack overflow when parsing malicious tiff image
+
+(cherry picked from commit 85a370c79afeb45a97842b0959366af5236e9023)
+origin: https://github.com/ImageMagick/ImageMagick6/commit/85a370c79afeb45a97842b0959366af5236e9023
+---
+ coders/tiff.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index ee250d9..e650f23 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1972,6 +1972,11 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
+           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+         extent=MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
++#if defined(TIFF_VERSION_BIG)
++        extent+=image->columns*sizeof(uint64);
++#else
++        extent+=image->columns*sizeof(uint32);
++#endif
+         tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
+           sizeof(*tile_pixels));
+         if (tile_pixels == (unsigned char *) NULL)

debian/patches/0049-early-exit-on-exception.patch

+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Sat, 6 Nov 2021 09:01:26 -0400
+Subject: early exit on exception
+
+In case of malformed tiff image bail early
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/b272acab91444f2115099fe51ee6c91bb4db5d50
+(cherry picked from commit b272acab91444f2115099fe51ee6c91bb4db5d50)
+---
+ coders/tiff.c | 44 +++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 33 insertions(+), 11 deletions(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index e650f23..fbc6980 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1184,7 +1184,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+     *image;
+ 
+   int
+-    tiff_status;
++    tiff_status = 0;
+ 
+   MagickBooleanType
+     more_frames;
+@@ -2019,7 +2019,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+               columns_remaining=image->columns-x;
+               if ((ssize_t) (x+columns) < (ssize_t) image->columns)
+                 columns_remaining=columns;
+-              if (TIFFReadTile(tiff,tile_pixels,(uint32) x,(uint32) y,0,i) == -1)
++              tiff_status=TIFFReadTile(tiff,tile_pixels,(uint32) x,(uint32) y,
++                0,i);
++              if (tiff_status == -1)
+                 break;
+               p=tile_pixels;
+               for (row=0; row < rows_remaining; row++)
+@@ -2079,9 +2081,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         if (generic_info == (MemoryInfo *) NULL)
+           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+         pixels=(uint32 *) GetVirtualMemoryBlob(generic_info);
+-        status=TIFFReadRGBAImage(tiff,(uint32) image->columns,(uint32)
++        tiff_status=TIFFReadRGBAImage(tiff,(uint32) image->columns,(uint32)
+           image->rows,(uint32 *) pixels,0);
+-        if (status == -1)
++        if (tiff_status == -1)
+           {
+             generic_info=RelinquishVirtualMemory(generic_info);
+             break;
+@@ -2130,6 +2132,11 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+   next_tiff_frame:
+     if (quantum_info != (QuantumInfo *) NULL)
+       quantum_info=DestroyQuantumInfo(quantum_info);
++    if (tiff_status == -1)
++      {
++        status=MagickFalse;
++        break;
++      }
+     if (photometric == PHOTOMETRIC_CIELAB)
+       DecodeLabImage(image,exception);
+     if ((photometric == PHOTOMETRIC_LOGL) ||
+@@ -3191,6 +3198,9 @@ static MagickBooleanType WriteTIFFImage(const ImageInfo *image_info,
+   EndianType
+     endian_type;
+ 
++  int
++    tiff_status = 0;
++
+   MagickBooleanType
+     debug,
+     status;
+@@ -3870,7 +3880,8 @@ RestoreMSCWarning
+                 break;
+               (void) ExportQuantumPixels(image,(const CacheView *) NULL,
+                 quantum_info,quantum_type,pixels,&image->exception);
+-              if (TIFFWritePixels(tiff,&tiff_info,y,0,image) == -1)
++              tiff_status=TIFFWritePixels(tiff,&tiff_info,y,0,image);
++              if (tiff_status == -1)
+                 break;
+               if (image->previous == (Image *) NULL)
+                 {
+@@ -3898,7 +3909,8 @@ RestoreMSCWarning
+                 break;
+               (void) ExportQuantumPixels(image,(const CacheView *) NULL,
+                 quantum_info,RedQuantum,pixels,&image->exception);
+-              if (TIFFWritePixels(tiff,&tiff_info,y,0,image) == -1)
++              tiff_status=TIFFWritePixels(tiff,&tiff_info,y,0,image);
++              if (tiff_status == -1)
+                 break;
+             }
+             if (image->previous == (Image *) NULL)
+@@ -3917,7 +3929,8 @@ RestoreMSCWarning
+                 break;
+               (void) ExportQuantumPixels(image,(const CacheView *) NULL,
+                 quantum_info,GreenQuantum,pixels,&image->exception);
+-              if (TIFFWritePixels(tiff,&tiff_info,y,1,image) == -1)
++              tiff_status=TIFFWritePixels(tiff,&tiff_info,y,1,image);
++              if (tiff_status == -1)
+                 break;
+             }
+             if (image->previous == (Image *) NULL)
+@@ -3936,7 +3949,8 @@ RestoreMSCWarning
+                 break;
+               (void) ExportQuantumPixels(image,(const CacheView *) NULL,
+                 quantum_info,BlueQuantum,pixels,&image->exception);
+-              if (TIFFWritePixels(tiff,&tiff_info,y,2,image) == -1)
++              tiff_status=TIFFWritePixels(tiff,&tiff_info,y,2,image);
++              if (tiff_status == -1)
+                 break;
+             }
+             if (image->previous == (Image *) NULL)
+@@ -3957,7 +3971,8 @@ RestoreMSCWarning
+                   break;
+                 (void) ExportQuantumPixels(image,(const CacheView *) NULL,
+                   quantum_info,AlphaQuantum,pixels,&image->exception);
+-                if (TIFFWritePixels(tiff,&tiff_info,y,3,image) == -1)
++                tiff_status=TIFFWritePixels(tiff,&tiff_info,y,3,image);
++                if (tiff_status == -1)
+                   break;
+               }
+             if (image->previous == (Image *) NULL)
+@@ -3991,7 +4006,8 @@ RestoreMSCWarning
+             break;
+           (void) ExportQuantumPixels(image,(const CacheView *) NULL,
+             quantum_info,quantum_type,pixels,&image->exception);
+-          if (TIFFWritePixels(tiff,&tiff_info,y,0,image) == -1)
++          tiff_status=TIFFWritePixels(tiff,&tiff_info,y,0,image);
++          if (tiff_status == -1)
+             break;
+           if (image->previous == (Image *) NULL)
+             {
+@@ -4070,7 +4086,8 @@ RestoreMSCWarning
+             break;
+           (void) ExportQuantumPixels(image,(const CacheView *) NULL,
+             quantum_info,quantum_type,pixels,&image->exception);
+-          if (TIFFWritePixels(tiff,&tiff_info,y,0,image) == -1)
++          tiff_status=TIFFWritePixels(tiff,&tiff_info,y,0,image);
++          if (tiff_status == -1)
+             break;
+           if (image->previous == (Image *) NULL)
+             {
+@@ -4087,6 +4104,11 @@ RestoreMSCWarning
+     if (image->colorspace == LabColorspace)
+       DecodeLabImage(image,&image->exception);
+     DestroyTIFFInfo(&tiff_info);
++    if (tiff_status == -1)
++      {
++        status=MagickFalse;
++        break;
++      }
+     /* TIFFPrintDirectory(tiff,stdout,MagickFalse); */
+     if (TIFFWriteDirectory(tiff) == 0)
+       {

debian/patches/0050-Fix-buffer-overrun-in-TIFF-coder.patch

+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Sun, 14 Mar 2021 07:44:52 -0400
+Subject: Fix buffer overrun in TIFF coder
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/2204eb57ae00b005b39165a47b8984eac01600a5
+---
+ coders/tiff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index fbc6980..6c68f8a 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1242,7 +1242,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+     *pixels;
+ 
+   void
+-    *sans[2] = { NULL, NULL };
++    *sans[4] = { NULL, NULL, NULL, NULL };
+ 
+   /*
+     Open image.

debian/patches/0051-Fix-buffer-overrun-in-TIFF-coder.patch

+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Fri, 17 Dec 2021 14:05:04 -0500
+Subject: Fix buffer overrun in TIFF coder
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/add9cb14e14eef02806715d97abcf5d04a3e55dd
+---
+ coders/tiff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index 6c68f8a..102b2b8 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1242,7 +1242,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+     *pixels;
+ 
+   void
+-    *sans[4] = { NULL, NULL, NULL, NULL };
++    *sans[5] = { NULL, NULL, NULL, NULL, NULL };
+ 
+   /*
+     Open image.

debian/patches/0052-Fix-buffer-overrun-in-TIFF-coder.patch

+From: Cristy <urban-warrior@imagemagick.org>
+Date: Thu, 17 Mar 2022 15:02:49 -0400
+Subject: Fix buffer overrun in TIFF coder
+
+bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42549
+origin: https://github.com/ImageMagick/ImageMagick6/commit/de6ada9a068b01494bfb848024ed46942da9d238
+---
+ coders/tiff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index 102b2b8..516d4a1 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1242,7 +1242,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+     *pixels;
+ 
+   void
+-    *sans[5] = { NULL, NULL, NULL, NULL, NULL };
++    *sans[8] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL };
+ 
+   /*
+     Open image.

debian/patches/0052-Fix-unintialised-value.patch

+From: Cristy <urban-warrior@imagemagick.org>
+Date: Fri, 11 Feb 2022 10:46:49 -0500
+Subject: Fix unintialised value
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/4830
+origin:  https://github.com/ImageMagick/ImageMagick6/commit/409d42205927c98cbb852ca96e109716f38f04ab
+---
+ coders/tiff.c | 35 ++++++++++++++++-------------------
+ 1 file changed, 16 insertions(+), 19 deletions(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index 102b2b8..2c38463 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -567,10 +567,7 @@ static MagickBooleanType ReadProfile(Image *image,const char *name,
+       image->filename);
+   status=SetImageProfile(image,name,profile);
+   profile=DestroyStringInfo(profile);
+-  if (status == MagickFalse)
+-    ThrowBinaryImageException(ResourceLimitError,"MemoryAllocationFailed",
+-      image->filename);
+-  return(MagickTrue);
++  return(status);
+ }
+ 
+ #if defined(__cplusplus) || defined(c_plusplus)
+@@ -1217,21 +1214,21 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+     method;
+ 
+   uint16
+-    compress_tag,
+-    bits_per_sample,
+-    endian,
+-    extra_samples,
+-    interlace,
+-    max_sample_value,
+-    min_sample_value,
+-    orientation,
+-    pages,
+-    photometric,
+-    *sample_info,
+-    sample_format,
+-    samples_per_pixel,
+-    units,
+-    value;
++    compress_tag = 0,
++    bits_per_sample = 0,
++    endian = 0,
++    extra_samples = 0,
++    interlace = 0,
++    max_sample_value = 0,
++    min_sample_value = 0,
++    orientation = 0,
++    pages = 0,
++    photometric = 0,
++    *sample_info = NULL,
++    sample_format = 0,
++    samples_per_pixel = 0,
++    units = 0,
++    value = 0;
+ 
+   uint32
+     height,

debian/patches/0053-Fix-unintialised-value.patch

+From: Cristy <urban-warrior@imagemagick.org>
+Date: Fri, 11 Feb 2022 10:46:49 -0500
+Subject: Fix unintialised value
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/4830
+origin:  https://github.com/ImageMagick/ImageMagick6/commit/409d42205927c98cbb852ca96e109716f38f04ab
+---
+ coders/tiff.c | 35 ++++++++++++++++-------------------
+ 1 file changed, 16 insertions(+), 19 deletions(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index 516d4a1..aad3063 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -567,10 +567,7 @@ static MagickBooleanType ReadProfile(Image *image,const char *name,
+       image->filename);
+   status=SetImageProfile(image,name,profile);
+   profile=DestroyStringInfo(profile);
+-  if (status == MagickFalse)
+-    ThrowBinaryImageException(ResourceLimitError,"MemoryAllocationFailed",
+-      image->filename);
+-  return(MagickTrue);
++  return(status);
+ }
+ 
+ #if defined(__cplusplus) || defined(c_plusplus)
+@@ -1217,21 +1214,21 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+     method;
+ 
+   uint16
+-    compress_tag,
+-    bits_per_sample,
+-    endian,
+-    extra_samples,
+-    interlace,
+-    max_sample_value,
+-    min_sample_value,
+-    orientation,
+-    pages,
+-    photometric,
+-    *sample_info,
+-    sample_format,
+-    samples_per_pixel,
+-    units,
+-    value;
++    compress_tag = 0,
++    bits_per_sample = 0,
++    endian = 0,
++    extra_samples = 0,
++    interlace = 0,
++    max_sample_value = 0,
++    min_sample_value = 0,
++    orientation = 0,
++    pages = 0,
++    photometric = 0,
++    *sample_info = NULL,
++    sample_format = 0,
++    samples_per_pixel = 0,
++    units = 0,
++    value = 0;
+ 
+   uint32
+     height,

debian/patches/0054-Raise-exception-when-image-could-not-be-read-but-no-.patch

+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Sat, 19 Feb 2022 07:46:46 +0100
+Subject: Raise exception when image could not be read but no exception was
+ raised.
+
+Bail out in case of corrupted image
+
+https://github.com/ImageMagick/ImageMagick6/commit/3e15c68efcb1e6383c93e7dfe38ba6c37e614d1b
+(cherry picked from commit 3e15c68efcb1e6383c93e7dfe38ba6c37e614d1b)
+---
+ coders/tiff.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index aad3063..ac2771a 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1264,6 +1264,8 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+     TIFFUnmapBlob);
+   if (tiff == (TIFF *) NULL)
+     {
++      if (exception->severity == UndefinedException)
++          ThrowReaderException(CorruptImageError,"UnableToReadImageData");
+       image=DestroyImageList(image);
+       return((Image *) NULL);
+     }

debian/patches/0055-CVE-2022-1115-heap-based-overflow-with-a-specially-c.patch

+From: Cristy <urban-warrior@imagemagick.org>
+Date: Tue, 22 Mar 2022 20:11:27 -0400
+Subject: CVE-2022-1115: heap based overflow with a specially crafted TIFF
+ image
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/4974
+origin: https://github.com/ImageMagick/ImageMagick6/commit/1f860f52bd8d58737ad883072203391096b30b51
+---
+ coders/tiff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index ac2771a..f545c4e 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1970,7 +1970,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         number_pixels=(MagickSizeType) columns*rows;
+         if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
+           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+-        extent=MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
++        extent=4*MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
+ #if defined(TIFF_VERSION_BIG)
+         extent+=image->columns*sizeof(uint64);
+ #else

debian/patches/0056-CVE-2023-1289-recursion-detection-framework.patch

+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 6 Mar 2023 14:46:21 -0500
+Subject: CVE-2023-1289: recursion detection framework
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/e8c0090c6d2df7b1553053dca2008e96724204bf
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-1289
+---
+ magick/constitute.c | 12 ++++++++++++
+ magick/draw.c       | 55 +++++++++++++++++++++++++----------------------------
+ magick/draw.h       |  3 +++
+ magick/image.c      |  1 +
+ magick/image.h      |  3 +++
+ 5 files changed, 45 insertions(+), 29 deletions(-)
+
+diff --git a/magick/constitute.c b/magick/constitute.c
+index e05c538..49e8f82 100644
+--- a/magick/constitute.c
++++ b/magick/constitute.c
+@@ -77,6 +77,11 @@
+ #include "magick/transform.h"
+ #include "magick/utility.h"
+ 
++/*  
++  Define declarations.
++*/
++#define MaxReadRecursionDepth  100
++
+ /*
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ %                                                                             %
+@@ -558,9 +563,16 @@ MagickExport Image *ReadImage(const ImageInfo *image_info,
+       if ((thread_support & DecoderThreadSupport) == 0)
+         LockSemaphoreInfo(magick_info->semaphore);
+       status=IsCoderAuthorized(read_info->magick,ReadPolicyRights,exception);
++      if (((ImageInfo *) image_info)->recursion_depth++ > MaxReadRecursionDepth)
++        {
++          (void) ThrowMagickException(exception,GetMagickModule(),CoderError,
++            "NumberOfImagesIsNotSupported","`%s'",read_info->magick);
++          status=MagickFalse;
++        }
+       image=(Image *) NULL;
+       if (status != MagickFalse)
+         image=GetImageDecoder(magick_info)(read_info,exception);
++      ((ImageInfo *) image_info)->recursion_depth--;
+       if ((thread_support & DecoderThreadSupport) == 0)
+         UnlockSemaphoreInfo(magick_info->semaphore);
+     }
+diff --git a/magick/draw.c b/magick/draw.c
+index e0bbc24..962a42f 100644
+--- a/magick/draw.c
++++ b/magick/draw.c
+@@ -381,6 +381,7 @@ MagickExport DrawInfo *CloneDrawInfo(const ImageInfo *image_info,
+     clone_info->composite_mask=CloneImage(draw_info->composite_mask,0,0,
+       MagickTrue,&draw_info->composite_mask->exception);
+   clone_info->render=draw_info->render;
++  clone_info->image_info=CloneImageInfo(draw_info->image_info);
+   clone_info->debug=IsEventLogging();
+   return(clone_info);
+ }
+@@ -5820,21 +5821,18 @@ MagickExport void GetDrawInfo(const ImageInfo *image_info,DrawInfo *draw_info)
+   ExceptionInfo
+     *exception;
+ 
+-  ImageInfo
+-    *clone_info;
+-
+   /*
+     Initialize draw attributes.
+   */
+   (void) LogMagickEvent(TraceEvent,GetMagickModule(),"...");
+   assert(draw_info != (DrawInfo *) NULL);
+   (void) memset(draw_info,0,sizeof(*draw_info));
+-  clone_info=CloneImageInfo(image_info);
++  draw_info->image_info=CloneImageInfo(image_info);
+   GetAffineMatrix(&draw_info->affine);
+   exception=AcquireExceptionInfo();
+   (void) QueryColorDatabase("#000F",&draw_info->fill,exception);
+   (void) QueryColorDatabase("#FFF0",&draw_info->stroke,exception);
+-  draw_info->stroke_antialias=clone_info->antialias;
++  draw_info->stroke_antialias=draw_info->image_info->antialias;
+   draw_info->stroke_width=1.0;
+   draw_info->fill_rule=EvenOddRule;
+   draw_info->opacity=OpaqueOpacity;
+@@ -5844,64 +5842,64 @@ MagickExport void GetDrawInfo(const ImageInfo *image_info,DrawInfo *draw_info)
+   draw_info->linejoin=MiterJoin;
+   draw_info->miterlimit=10;
+   draw_info->decorate=NoDecoration;
+-  if (clone_info->font != (char *) NULL)
+-    draw_info->font=AcquireString(clone_info->font);
+-  if (clone_info->density != (char *) NULL)
+-    draw_info->density=AcquireString(clone_info->density);
+-  draw_info->text_antialias=clone_info->antialias;
++  if (draw_info->image_info->font != (char *) NULL)
++    draw_info->font=AcquireString(draw_info->image_info->font);
++  if (draw_info->image_info->density != (char *) NULL)
++    draw_info->density=AcquireString(draw_info->image_info->density);
++  draw_info->text_antialias=draw_info->image_info->antialias;
+   draw_info->pointsize=12.0;
+-  if (fabs(clone_info->pointsize) >= MagickEpsilon)
+-    draw_info->pointsize=clone_info->pointsize;
++  if (fabs(draw_info->image_info->pointsize) >= MagickEpsilon)
++    draw_info->pointsize=draw_info->image_info->pointsize;
+   draw_info->undercolor.opacity=(Quantum) TransparentOpacity;
+-  draw_info->border_color=clone_info->border_color;
++  draw_info->border_color=draw_info->image_info->border_color;
+   draw_info->compose=OverCompositeOp;
+-  if (clone_info->server_name != (char *) NULL)
+-    draw_info->server_name=AcquireString(clone_info->server_name);
++  if (draw_info->image_info->server_name != (char *) NULL)
++    draw_info->server_name=AcquireString(draw_info->image_info->server_name);
+   draw_info->render=MagickTrue;
+   draw_info->clip_path=MagickFalse;
+   draw_info->debug=IsEventLogging();
+-  option=GetImageOption(clone_info,"direction");
++  option=GetImageOption(draw_info->image_info,"direction");
+   if (option != (const char *) NULL)
+     draw_info->direction=(DirectionType) ParseCommandOption(
+       MagickDirectionOptions,MagickFalse,option);
+   else
+     draw_info->direction=UndefinedDirection;
+-  option=GetImageOption(clone_info,"encoding");
++  option=GetImageOption(draw_info->image_info,"encoding");
+   if (option != (const char *) NULL)
+     (void) CloneString(&draw_info->encoding,option);
+-  option=GetImageOption(clone_info,"family");
++  option=GetImageOption(draw_info->image_info,"family");
+   if (option != (const char *) NULL)
+     (void) CloneString(&draw_info->family,option);
+-  option=GetImageOption(clone_info,"fill");
++  option=GetImageOption(draw_info->image_info,"fill");
+   if (option != (const char *) NULL)
+     (void) QueryColorDatabase(option,&draw_info->fill,exception);
+-  option=GetImageOption(clone_info,"gravity");
++  option=GetImageOption(draw_info->image_info,"gravity");
+   if (option != (const char *) NULL)
+     draw_info->gravity=(GravityType) ParseCommandOption(MagickGravityOptions,
+       MagickFalse,option);
+-  option=GetImageOption(clone_info,"interline-spacing");
++  option=GetImageOption(draw_info->image_info,"interline-spacing");
+   if (option != (const char *) NULL)
+     draw_info->interline_spacing=GetDrawValue(option,&next_token);
+-  option=GetImageOption(clone_info,"interword-spacing");
++  option=GetImageOption(draw_info->image_info,"interword-spacing");
+   if (option != (const char *) NULL)
+     draw_info->interword_spacing=GetDrawValue(option,&next_token);
+-  option=GetImageOption(clone_info,"kerning");
++  option=GetImageOption(draw_info->image_info,"kerning");
+   if (option != (const char *) NULL)
+     draw_info->kerning=GetDrawValue(option,&next_token);
+-  option=GetImageOption(clone_info,"stroke");
++  option=GetImageOption(draw_info->image_info,"stroke");
+   if (option != (const char *) NULL)
+     (void) QueryColorDatabase(option,&draw_info->stroke,exception);
+-  option=GetImageOption(clone_info,"strokewidth");
++  option=GetImageOption(draw_info->image_info,"strokewidth");
+   if (option != (const char *) NULL)
+     draw_info->stroke_width=GetDrawValue(option,&next_token);
+-  option=GetImageOption(clone_info,"style");
++  option=GetImageOption(draw_info->image_info,"style");
+   if (option != (const char *) NULL)
+     draw_info->style=(StyleType) ParseCommandOption(MagickStyleOptions,
+       MagickFalse,option);
+-  option=GetImageOption(clone_info,"undercolor");
++  option=GetImageOption(draw_info->image_info,"undercolor");
+   if (option != (const char *) NULL)
+     (void) QueryColorDatabase(option,&draw_info->undercolor,exception);
+-  option=GetImageOption(clone_info,"weight");
++  option=GetImageOption(draw_info->image_info,"weight");
+   if (option != (const char *) NULL)
+     {
+       ssize_t
+@@ -5914,7 +5912,6 @@ MagickExport void GetDrawInfo(const ImageInfo *image_info,DrawInfo *draw_info)
+     }
+   exception=DestroyExceptionInfo(exception);
+   draw_info->signature=MagickCoreSignature;
+-  clone_info=DestroyImageInfo(clone_info);
+ }
+ 
+ /*
+diff --git a/magick/draw.h b/magick/draw.h
+index a44ef3a..46e622d 100644
+--- a/magick/draw.h
++++ b/magick/draw.h
+@@ -354,6 +354,9 @@ typedef struct _DrawInfo
+ 
+   char
+     *id;
++
++  ImageInfo
++    *image_info;
+ } DrawInfo;
+ 
+ typedef struct _PrimitiveInfo
+diff --git a/magick/image.c b/magick/image.c
+index 1fc3617..9ee22d8 100644
+--- a/magick/image.c
++++ b/magick/image.c
+@@ -1008,6 +1008,7 @@ MagickExport ImageInfo *CloneImageInfo(const ImageInfo *image_info)
+   clone_info->subimage=image_info->scene;  /* deprecated */
+   clone_info->subrange=image_info->number_scenes;  /* deprecated */
+   clone_info->channel=image_info->channel;
++  clone_info->recursion_depth=image_info->recursion_depth;
+   clone_info->debug=IsEventLogging();
+   clone_info->signature=image_info->signature;
+   return(clone_info);
+diff --git a/magick/image.h b/magick/image.h
+index ac69bef..e71df13 100644
+--- a/magick/image.h
++++ b/magick/image.h
+@@ -499,6 +499,9 @@ struct _ImageInfo
+ 
+   MagickBooleanType
+     synchronize;
++
++  size_t
++    recursion_depth;  /* recursion detection */
+ };
+ 
+ extern MagickExport ExceptionType

debian/patches/0057-CVE-2023-1289-recursion-detection.patch

+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 6 Mar 2023 15:26:32 -0500
+Subject: CVE-2023-1289 recursion detection
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/706d381b7eb79927d328c96f7b7faab5dc109368
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-j96m-mjp6-99xr
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-1289
+---
+ magick/draw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/magick/draw.c b/magick/draw.c
+index 962a42f..918d27f 100644
+--- a/magick/draw.c
++++ b/magick/draw.c
+@@ -5444,6 +5444,7 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image,
+       if (primitive_info->text == (char *) NULL)
+         break;
+       clone_info=AcquireImageInfo();
++      clone_info->recursion_depth=draw_info->image_info->recursion_depth;
+       composite_images=(Image *) NULL;
+       if (LocaleNCompare(primitive_info->text,"data:",5) == 0)
+         composite_images=ReadInlineImage(clone_info,primitive_info->text,

debian/patches/0058-CVE-2023-1906.patch

+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sat, 1 Apr 2023 07:32:01 -0400
+Subject: CVE-2023-1906
+
+A heap-based buffer overflow issue was discovered in ImageMagick's
+ImportMultiSpectralQuantum() function in MagickCore/quantum-import.c.
+An attacker could pass specially crafted file to convert, triggering
+an out-of-bounds read error, allowing an application to crash, resulting in a denial of service.
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/e30c693b37c3b41723f1469d1226a2c814ca443d
+---
+ coders/tiff.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index f545c4e..9b06c24 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1870,7 +1870,8 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         /*
+           Convert stripped TIFF image.
+         */
+-        extent=(samples_per_pixel+1)*TIFFStripSize(tiff);
++        extent=MagickMax(sizeof(uint32),(samples_per_pixel+extra_samples)*
++          (image->depth+7)/8)*image->columns*rows_per_strip;
+ #if defined(TIFF_VERSION_BIG)
+         extent+=image->columns*sizeof(uint64);
+ #else
+@@ -1970,7 +1971,8 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         number_pixels=(MagickSizeType) columns*rows;
+         if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
+           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+-        extent=4*MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
++        extent=4*(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
++          TIFFTileSize(tiff));
+ #if defined(TIFF_VERSION_BIG)
+         extent+=image->columns*sizeof(uint64);
+ #else
+@@ -2071,11 +2073,6 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         if (HeapOverflowSanityCheck(image->rows,sizeof(*pixels)) != MagickFalse)
+           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+         number_pixels=(MagickSizeType) image->columns*image->rows;
+-#if defined(TIFF_VERSION_BIG)
+-        number_pixels+=image->columns*sizeof(uint64);
+-#else
+-        number_pixels+=image->columns*sizeof(uint32);
+-#endif
+         generic_info=AcquireVirtualMemory(number_pixels,sizeof(*pixels));
+         if (generic_info == (MemoryInfo *) NULL)
+           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");