
package/graphicsmagick: add post-1.3.45 security fixes

Fixes the following security issues:

- CVE-2025-27795: ReadJXLImage in JXL in GraphicsMagick before 1.3.46 lacks
  image dimension resource limits
  https://nvd.nist.gov/vuln/detail/CVE-2025-27795

- CVE-2025-32460: GraphicsMagick before 8e56520 has a heap-based buffer
  over-read in ReadJXLImage in coders/jxl.c, related to an
  ImportViewPixelArea call.
  https://nvd.nist.gov/vuln/detail/CVE-2025-32460

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 1dc1a05d945de53e59dde6dd8e651ca82c0bfc1a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Peter Korsgaard 3 сар өмнө
parent
commit
82b624feca

+ 32 - 0
package/graphicsmagick/0001-ReadJXLImage-Apply-image-dimension-resource-limits.patch

@@ -0,0 +1,32 @@
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
+# Date 1725886903 18000
+#      Mon Sep 09 08:01:43 2024 -0500
+# Node ID 9bbae7314e3c3b19b830591010ed90bb136b9c42
+# Parent  db3ff8d00c28c38895e1600a28706ce251dac570
+ReadJXLImage(): Apply image dimension resource limits. Addresses oss-fuzz Issue 69728
+
+Upstream: https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/9bbae7314e3c3b19b830591010ed90bb136b9c42
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+[Peter: drop ChangeLog/version changes]
+diff --git a/coders/jxl.c b/coders/jxl.c
+--- a/coders/jxl.c
++++ b/coders/jxl.c
+@@ -571,6 +571,7 @@
+                                       basic_info.alpha_bits, basic_info.num_color_channels,
+                                       basic_info.have_animation == JXL_FALSE ? "False" : "True");
+               }
++
+             if (basic_info.num_extra_channels)
+               {
+                 size_t index;
+@@ -637,6 +638,9 @@
+ 
+             image->orientation=convert_orientation(basic_info.orientation);
+ 
++            if (CheckImagePixelLimits(image, exception) != MagickPass)
++              ThrowJXLReaderException(ResourceLimitError,ImagePixelLimitExceeded,image);
++
+             pixel_format.endianness=JXL_NATIVE_ENDIAN;
+             pixel_format.align=0;
+             if (basic_info.num_color_channels == 1)
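Review bot: The added `CheckImagePixelLimits(image, exception)` call in the second hunk of this patch has no comment saying which fields it relies on, and the hunk does not show where `image->columns` and `image->rows` are assigned from `basic_info`. It is worth confirming against upstream that both are set before this line, otherwise the limits are tested against stale dimensions. I would add a comment above the check such as `/* Header dimensions are untrusted: enforce resource limits before any buffer is sized from them */`. The check only bounds what the configured pixel, width and height limits bound, so it presumably does little on a target that leaves those limits at permissive defaults. The enclosing ReadJXLImage() body starts and ends outside the hunk.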

+ 60 - 0
package/graphicsmagick/0002-ReadJXLImage-pixel_format-num_channels-needs-to-be.patch

@@ -0,0 +1,60 @@
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
+# Date 1743004970 18000
+#      Wed Mar 26 11:02:50 2025 -0500
+# Node ID 8e56520435df50f618a03f2721a39a70a515f1cb
+# Parent  036a1376a2a6dc9504c5148249cbd8feaef72de6
+ReadJXLImage(): pixel_format.num_channels needs to be 2 for grayscale matte.
+
+Upstream: https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/8e56520435df50f618a03f2721a39a70a515f1cb
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+[Peter: drop ChangeLog/version changes]
+
+diff --git a/coders/jxl.c b/coders/jxl.c
+--- a/coders/jxl.c
++++ b/coders/jxl.c
+@@ -658,7 +658,7 @@
+                       ThrowJXLReaderException(ResourceLimitError,MemoryAllocationFailed,image);
+                   }
+                 grayscale=MagickTrue;
+-                pixel_format.num_channels=1;
++                pixel_format.num_channels=image->matte ? 2 : 1;
+                 pixel_format.data_type=(basic_info.bits_per_sample <= 8 ? JXL_TYPE_UINT8 :
+                                         (basic_info.bits_per_sample <= 16 ? JXL_TYPE_UINT16 :
+                                          JXL_TYPE_FLOAT));
+@@ -843,6 +843,24 @@
+             size_t
+               out_len;
+ 
++            if (image->logging)
++              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                                    "JxlPixelFormat:\n"
++                                    "    num_channels: %u\n"
++                                    "    data_type: %s\n"
++                                    "    endianness: %s\n"
++                                    "    align: %" MAGICK_SIZE_T_F "u",
++                                    pixel_format.num_channels,
++                                    pixel_format.data_type == JXL_TYPE_FLOAT ? "float" :
++                                    (pixel_format.data_type == JXL_TYPE_UINT8 ? "uint8" :
++                                     (pixel_format.data_type == JXL_TYPE_UINT16 ? "uint16" :
++                                      (pixel_format.data_type == JXL_TYPE_FLOAT16 ? "float16" :
++                                       "unknown"))) ,
++                                    pixel_format.endianness == JXL_NATIVE_ENDIAN ? "native" :
++                                    (pixel_format.endianness == JXL_LITTLE_ENDIAN ? "little" :
++                                     (pixel_format.endianness == JXL_BIG_ENDIAN ? "big" : "unknown")),
++                                    pixel_format.align);
++
+             status=JxlDecoderImageOutBufferSize(jxl_decoder,&pixel_format,&out_len);
+             if (status != JXL_DEC_SUCCESS)
+               {
+@@ -852,6 +870,10 @@
+                 break;
+               }
+ 
++            if (image->logging)
++              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                                    "JxlDecoderImageOutBufferSize() returns %" MAGICK_SIZE_T_F "u",
++                                    (MAGICK_SIZE_T) out_len);
+             out_buf=MagickAllocateResourceLimitedArray(unsigned char *,out_len,sizeof(*out_buf));
+             if (out_buf == (unsigned char *) NULL)
+               ThrowJXLReaderException(ResourceLimitError,MemoryAllocationFailed,image);
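Review bot: In the first logging call, `pixel_format.align` is passed to a `%" MAGICK_SIZE_T_F "u"` conversion without a cast, while the second logging call casts `out_len` with `(MAGICK_SIZE_T)` for the same conversion. If `align` is a `size_t` (as it is in libjxl's JxlPixelFormat) and MAGICK_SIZE_T is wider than `size_t` on some target, the variadic argument no longer matches its conversion, which is undefined behaviour. The last argument should read `(MAGICK_SIZE_T) pixel_format.align);`. The actual over-read fix is the one-line `num_channels` change; nothing visible in these hunks checks `out_len` against what the later import step reads, so that relationship is inferred here rather than enforced. ReadJXLImage() continues outside every hunk shown.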

+ 6 - 0
package/graphicsmagick/graphicsmagick.mk

@@ -11,6 +11,12 @@ GRAPHICSMAGICK_LICENSE = MIT
 GRAPHICSMAGICK_LICENSE_FILES = Copyright.txt
 GRAPHICSMAGICK_CPE_ID_VENDOR = graphicsmagick
 
+# 0001-ReadJXLImage-Apply-image-dimension-resource-limits.patch
+GRAPHICSMAGICK_IGNORE_CVES += CVE-2025-27795
+
+# 0002-ReadJXLImage-pixel_format-num_channels-needs-to-be.patch
+GRAPHICSMAGICK_IGNORE_CVES += CVE-2025-32460
+
 GRAPHICSMAGICK_INSTALL_STAGING = YES
 GRAPHICSMAGICK_CONFIG_SCRIPTS = GraphicsMagick-config GraphicsMagickWand-config