Browse Source
gnu: graphicsmagick: Update to 1.3.27.
gnu: graphicsmagick: Update to 1.3.27.
* gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch, gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch, gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch, gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch, gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch, gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch, gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch, gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch, gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them. * gnu/packages/imagemagick.scm (graphicsmagick): Update to 1.3.27. [source](patches): Remove.python-updates
Marius Bakke
5 years ago
No known key found for this signature in database
GPG Key ID: A2A06DF2A33A54FA
11 changed files with 2 additions and 966 deletions
-
9gnu/local.mk
-
14gnu/packages/imagemagick.scm
-
137gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch
-
28gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch
-
16gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch
-
28gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch
-
195gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch
-
179gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch
-
80gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch
-
72gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch
-
210gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch
@ -1,137 +0,0 @@ |
|||
http://www.openwall.com/lists/oss-security/2017/09/01/6 |
|||
|
|||
CVE-2017-11403: |
|||
http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37 |
|||
|
|||
CVE-2017-14103: |
|||
http://hg.code.sf.net/p/graphicsmagick/code/rev/98721124e51f |
|||
|
|||
some changes were made to make the patch apply |
|||
|
|||
# HG changeset patch |
|||
# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com> |
|||
# Date 1503875721 14400 |
|||
# Node ID 98721124e51fd5ec0c6fba64bce2e218869632d2 |
|||
# Parent f0f2ea85a2930f3b6dcd72352719adb9660f2aad |
|||
Attempt to fix Issue 440. |
|||
|
|||
diff -ru a/coders/png.c b/coders/png.c
|
|||
--- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500
|
|||
+++ b/coders/png.c 2017-09-10 11:31:56.543194173 -0400
|
|||
@@ -3106,7 +3106,9 @@
|
|||
if (length > PNG_MAX_UINT || count == 0) |
|||
{ |
|||
DestroyJNGInfo(color_image_info,alpha_image_info); |
|||
- ThrowReaderException(CorruptImageError,CorruptImage,image);
|
|||
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|||
+ "chunk length (%lu) > PNG_MAX_UINT",length);
|
|||
+ return ((Image*)NULL);
|
|||
} |
|||
|
|||
chunk=(unsigned char *) NULL; |
|||
@@ -3117,13 +3119,16 @@
|
|||
if (chunk == (unsigned char *) NULL) |
|||
{ |
|||
DestroyJNGInfo(color_image_info,alpha_image_info); |
|||
- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
|
|||
- image);
|
|||
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|||
+ " Could not allocate chunk memory");
|
|||
+ return ((Image*)NULL);
|
|||
} |
|||
if (ReadBlob(image,length,chunk) < length) |
|||
{ |
|||
DestroyJNGInfo(color_image_info,alpha_image_info); |
|||
- ThrowReaderException(CorruptImageError,CorruptImage,image);
|
|||
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|||
+ " chunk reading was incomplete");
|
|||
+ return ((Image*)NULL);
|
|||
} |
|||
p=chunk; |
|||
} |
|||
@@ -3198,7 +3203,7 @@
|
|||
jng_width, jng_height); |
|||
MagickFreeMemory(chunk); |
|||
DestroyJNGInfo(color_image_info,alpha_image_info); |
|||
- ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
|
|||
+ return ((Image *)NULL);
|
|||
} |
|||
|
|||
/* Temporarily set width and height resources to match JHDR */ |
|||
@@ -3233,8 +3238,9 @@
|
|||
if (color_image == (Image *) NULL) |
|||
{ |
|||
DestroyJNGInfo(color_image_info,alpha_image_info); |
|||
- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
|
|||
- image);
|
|||
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|||
+ " could not open color_image blob");
|
|||
+ return ((Image *)NULL);
|
|||
} |
|||
if (logging) |
|||
(void) LogMagickEvent(CoderEvent,GetMagickModule(), |
|||
@@ -3245,7 +3251,9 @@
|
|||
if (status == MagickFalse) |
|||
{ |
|||
DestroyJNGInfo(color_image_info,alpha_image_info); |
|||
- ThrowReaderException(CoderError,UnableToOpenBlob,color_image);
|
|||
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|||
+ " could not open color_image blob");
|
|||
+ return ((Image *)NULL);
|
|||
} |
|||
|
|||
if (!image_info->ping && jng_color_type >= 12) |
|||
@@ -3255,17 +3263,18 @@
|
|||
if (alpha_image_info == (ImageInfo *) NULL) |
|||
{ |
|||
DestroyJNGInfo(color_image_info,alpha_image_info); |
|||
- ThrowReaderException(ResourceLimitError,
|
|||
- MemoryAllocationFailed, image);
|
|||
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|||
+ " could not allocate alpha_image_info",length);
|
|||
+ return ((Image *)NULL);
|
|||
} |
|||
GetImageInfo(alpha_image_info); |
|||
alpha_image=AllocateImage(alpha_image_info); |
|||
if (alpha_image == (Image *) NULL) |
|||
{ |
|||
DestroyJNGInfo(color_image_info,alpha_image_info); |
|||
- ThrowReaderException(ResourceLimitError,
|
|||
- MemoryAllocationFailed,
|
|||
- alpha_image);
|
|||
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|||
+ " could not allocate alpha_image");
|
|||
+ return ((Image *)NULL);
|
|||
} |
|||
if (logging) |
|||
(void) LogMagickEvent(CoderEvent,GetMagickModule(), |
|||
@@ -3277,7 +3286,9 @@
|
|||
{ |
|||
DestroyJNGInfo(color_image_info,alpha_image_info); |
|||
DestroyImage(alpha_image); |
|||
- ThrowReaderException(CoderError,UnableToOpenBlob,image);
|
|||
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|||
+ " could not allocate alpha_image blob");
|
|||
+ return ((Image *)NULL);
|
|||
} |
|||
if (jng_alpha_compression_method == 0) |
|||
{ |
|||
@@ -3613,6 +3624,8 @@
|
|||
alpha_image = (Image *)NULL; |
|||
DestroyImageInfo(alpha_image_info); |
|||
alpha_image_info = (ImageInfo *)NULL; |
|||
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|||
+ " Destroy the JNG image");
|
|||
DestroyImage(jng_image); |
|||
jng_image = (Image *)NULL; |
|||
} |
|||
@@ -5146,8 +5159,8 @@
|
|||
|
|||
if (image == (Image *) NULL) |
|||
{ |
|||
- DestroyImageList(previous);
|
|||
CloseBlob(previous); |
|||
+ DestroyImageList(previous);
|
|||
MngInfoFreeStruct(mng_info,&have_mng_structure); |
|||
return((Image *) NULL); |
|||
} |
|||
@ -1,28 +0,0 @@ |
|||
This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/cd699a44f188. |
|||
|
|||
diff -ur a/coders/png.c b/coders/png.c
|
|||
--- a/coders/png.c 2017-07-04 17:32:08.000000000 -0400
|
|||
+++ b/coders/png.c 2017-08-19 11:16:20.933969362 -0400
|
|||
@@ -4101,11 +4101,17 @@
|
|||
mng_info->image=image; |
|||
} |
|||
|
|||
- if ((mng_info->mng_width > 65535L) || (mng_info->mng_height
|
|||
- > 65535L))
|
|||
- (void) ThrowException(&image->exception,ImageError,
|
|||
- WidthOrHeightExceedsLimit,
|
|||
- image->filename);
|
|||
+ if ((mng_info->mng_width > 65535L) ||
|
|||
+ (mng_info->mng_height > 65535L))
|
|||
+ {
|
|||
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|||
+ " MNG width or height is too large: %lu, %lu",
|
|||
+ mng_info->mng_width,mng_info->mng_height);
|
|||
+ MagickFreeMemory(chunk);
|
|||
+ ThrowReaderException(CorruptImageError,
|
|||
+ ImproperImageHeader,image);
|
|||
+ }
|
|||
+
|
|||
FormatString(page_geometry,"%lux%lu+0+0",mng_info->mng_width, |
|||
mng_info->mng_height); |
|||
mng_info->frame.left=0; |
|||
@ -1,16 +0,0 @@ |
|||
This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/be898b7c97bd. |
|||
|
|||
diff -ur a/coders/wmf.c b/coders/wmf.c
|
|||
--- a/coders/wmf.c 2016-09-05 15:20:23.000000000 -0400
|
|||
+++ b/coders/wmf.c 2017-08-19 10:38:08.984187264 -0400
|
|||
@@ -2719,8 +2719,8 @@
|
|||
if(image->exception.severity != UndefinedException) |
|||
ThrowException2(exception, |
|||
CoderWarning, |
|||
- ddata->image->exception.reason,
|
|||
- ddata->image->exception.description);
|
|||
+ image->exception.reason,
|
|||
+ image->exception.description);
|
|||
|
|||
if(logging) |
|||
(void) LogMagickEvent(CoderEvent,GetMagickModule(),"leave ReadWMFImage()"); |
|||
@ -1,28 +0,0 @@ |
|||
This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/95d00d55e978. |
|||
|
|||
diff -ur a/coders/sun.c b/coders/sun.c
|
|||
--- a/coders/sun.c 2016-05-30 13:19:54.000000000 -0400
|
|||
+++ b/coders/sun.c 2017-08-18 18:00:00.191023610 -0400
|
|||
@@ -1,5 +1,5 @@
|
|||
/* |
|||
-% Copyright (C) 2003-2015 GraphicsMagick Group
|
|||
+% Copyright (C) 2003-2017 GraphicsMagick Group
|
|||
% Copyright (C) 2002 ImageMagick Studio |
|||
% Copyright 1991-1999 E. I. du Pont de Nemours and Company |
|||
% |
|||
@@ -577,6 +577,7 @@
|
|||
for (bit=7; bit >= 0; bit--) |
|||
{ |
|||
index=((*p) & (0x01 << bit) ? 0x01 : 0x00); |
|||
+ VerifyColormapIndex(image,index);
|
|||
indexes[x+7-bit]=index; |
|||
q[x+7-bit]=image->colormap[index]; |
|||
} |
|||
@@ -587,6 +588,7 @@
|
|||
for (bit=7; bit >= (long) (8-(image->columns % 8)); bit--) |
|||
{ |
|||
index=((*p) & (0x01 << bit) ? 0x01 : 0x00); |
|||
+ VerifyColormapIndex(image,index);
|
|||
indexes[x+7-bit]=index; |
|||
q[x+7-bit]=image->colormap[index]; |
|||
} |
|||
@ -1,195 +0,0 @@ |
|||
http://openwall.com/lists/oss-security/2017/08/31/3 |
|||
http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/b037d79b6ccd |
|||
|
|||
some changes were made to make the patch apply |
|||
|
|||
# HG changeset patch |
|||
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> |
|||
# Date 1503774853 18000 |
|||
# Node ID b037d79b6ccd0cfba7ba9ce09b454ed46d688036 |
|||
# Parent 198ea602ea7cc767dc3022bbcf887bcd4534158d |
|||
JNX: Fix DOS issues |
|||
|
|||
diff -r 198ea602ea7c -r b037d79b6ccd coders/jnx.c
|
|||
--- a/coders/jnx.c Tue Aug 22 08:08:30 2017 -0500
|
|||
+++ b/coders/jnx.c Sat Aug 26 14:14:13 2017 -0500
|
|||
@@ -1,5 +1,5 @@
|
|||
/* |
|||
-% Copyright (C) 2012-2015 GraphicsMagick Group
|
|||
+% Copyright (C) 2012-2017 GraphicsMagick Group
|
|||
% |
|||
% This program is covered by multiple licenses, which are described in |
|||
% Copyright.txt. You should have received a copy of Copyright.txt with this |
|||
@@ -100,6 +100,7 @@
|
|||
|
|||
char img_label_str[MaxTextExtent]; |
|||
|
|||
+
|
|||
alloc_size = TileInfo->PicSize + 2; |
|||
|
|||
if (image->logging) |
|||
@@ -242,6 +243,9 @@
|
|||
total_tiles, |
|||
current_tile; |
|||
|
|||
+ magick_off_t
|
|||
+ file_size;
|
|||
+
|
|||
/* Open image file. */ |
|||
assert(image_info != (const ImageInfo *) NULL); |
|||
assert(image_info->signature == MagickSignature); |
|||
@@ -254,9 +258,8 @@
|
|||
if (status == False) |
|||
ThrowReaderException(FileOpenError, UnableToOpenFile, image); |
|||
|
|||
- memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo));
|
|||
-
|
|||
/* Read JNX image header. */ |
|||
+ (void) memset(&JNXHeader, 0, sizeof(JNXHeader));
|
|||
JNXHeader.Version = ReadBlobLSBLong(image); |
|||
if (JNXHeader.Version > 4) |
|||
ThrowReaderException(CorruptImageError, ImproperImageHeader, image); |
|||
@@ -266,8 +269,6 @@
|
|||
JNXHeader.MapBounds.SouthWest.lat = ReadBlobLSBLong(image); |
|||
JNXHeader.MapBounds.SouthWest.lon = ReadBlobLSBLong(image); |
|||
JNXHeader.Levels = ReadBlobLSBLong(image); |
|||
- if (JNXHeader.Levels > 20)
|
|||
- ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
|
|||
JNXHeader.Expiration = ReadBlobLSBLong(image); |
|||
JNXHeader.ProductID = ReadBlobLSBLong(image); |
|||
JNXHeader.CRC = ReadBlobLSBLong(image); |
|||
@@ -279,7 +280,41 @@
|
|||
if (EOFBlob(image)) |
|||
ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); |
|||
|
|||
+ file_size = GetBlobSize(image);
|
|||
+
|
|||
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|||
+ "JNX Header:\n"
|
|||
+ " Version: %u\n"
|
|||
+ " DeviceSN: %u\n"
|
|||
+ " MapBounds:\n"
|
|||
+ " NorthEast: lat = %u, lon = %u\n"
|
|||
+ " SouthWest: lat = %u, lon = %u\n"
|
|||
+ " Levels: %u\n"
|
|||
+ " Expiration: %u\n"
|
|||
+ " ProductID: %u\n"
|
|||
+ " CRC: %u\n"
|
|||
+ " SigVersion: %u\n"
|
|||
+ " SigOffset: %u\n"
|
|||
+ " ZOrder: %u",
|
|||
+ JNXHeader.Version,
|
|||
+ JNXHeader.DeviceSN,
|
|||
+ JNXHeader.MapBounds.NorthEast.lat,
|
|||
+ JNXHeader.MapBounds.NorthEast.lon,
|
|||
+ JNXHeader.MapBounds.SouthWest.lat,
|
|||
+ JNXHeader.MapBounds.SouthWest.lon,
|
|||
+ JNXHeader.Levels,
|
|||
+ JNXHeader.Expiration,
|
|||
+ JNXHeader.ProductID,
|
|||
+ JNXHeader.CRC,
|
|||
+ JNXHeader.SigVersion,
|
|||
+ JNXHeader.SigOffset,
|
|||
+ JNXHeader.ZOrder);
|
|||
+
|
|||
+ if (JNXHeader.Levels > 20)
|
|||
+ ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
|
|||
+
|
|||
/* Read JNX image level info. */ |
|||
+ memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo));
|
|||
total_tiles = 0; |
|||
current_tile = 0; |
|||
for (i = 0; i < JNXHeader.Levels; i++) |
|||
@@ -302,11 +337,23 @@
|
|||
{ |
|||
JNXLevelInfo[i].Copyright = NULL; |
|||
} |
|||
+
|
|||
+ if (EOFBlob(image))
|
|||
+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
|
|||
+
|
|||
+ if (image->logging)
|
|||
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|||
+ "Level[%u] Info:"
|
|||
+ " TileCount: %4u"
|
|||
+ " TilesOffset: %6u"
|
|||
+ " Scale: %04u",
|
|||
+ i,
|
|||
+ JNXLevelInfo[i].TileCount,
|
|||
+ JNXLevelInfo[i].TilesOffset,
|
|||
+ JNXLevelInfo[i].Scale
|
|||
+ );
|
|||
} |
|||
|
|||
- if (EOFBlob(image))
|
|||
- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
|
|||
-
|
|||
/* Get the current limit */ |
|||
SaveLimit = GetMagickResourceLimit(MapResource); |
|||
|
|||
@@ -316,11 +363,32 @@
|
|||
/* Read JNX image data. */ |
|||
for (i = 0; i < JNXHeader.Levels; i++) |
|||
{ |
|||
+ /*
|
|||
+ Validate TileCount against remaining file data
|
|||
+ */
|
|||
+ const magick_off_t current_offset = TellBlob(image);
|
|||
+ const size_t pos_list_entry_size =
|
|||
+ sizeof(magick_uint32_t) + sizeof(magick_uint32_t) + sizeof(magick_uint32_t) +
|
|||
+ sizeof(magick_uint32_t) + sizeof(magick_uint16_t) + sizeof(magick_uint16_t) +
|
|||
+ sizeof(magick_uint32_t) + sizeof(magick_uint32_t);
|
|||
+ const magick_off_t remaining = file_size-current_offset;
|
|||
+ const size_t needed = MagickArraySize(pos_list_entry_size,JNXLevelInfo[i].TileCount);
|
|||
+
|
|||
+ if ((needed == 0U) || (remaining <= 0) || (remaining < (magick_off_t) needed))
|
|||
+ {
|
|||
+ (void) SetMagickResourceLimit(MapResource, SaveLimit);
|
|||
+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
|
|||
+ }
|
|||
+
|
|||
PositionList = MagickAllocateArray(TJNXTileInfo *, |
|||
JNXLevelInfo[i].TileCount, |
|||
sizeof(TJNXTileInfo)); |
|||
if (PositionList == NULL) |
|||
- continue;
|
|||
+ {
|
|||
+ (void) SetMagickResourceLimit(MapResource, SaveLimit);
|
|||
+ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
|
|||
+ image);
|
|||
+ }
|
|||
|
|||
(void) SeekBlob(image, JNXLevelInfo[i].TilesOffset, SEEK_SET); |
|||
for (j = 0; j < JNXLevelInfo[i].TileCount; j++) |
|||
@@ -333,12 +401,15 @@
|
|||
PositionList[j].PicHeight = ReadBlobLSBShort(image); |
|||
PositionList[j].PicSize = ReadBlobLSBLong(image); |
|||
PositionList[j].PicOffset = ReadBlobLSBLong(image); |
|||
- }
|
|||
|
|||
- if (EOFBlob(image))
|
|||
- {
|
|||
- MagickFreeMemory(PositionList);
|
|||
- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
|
|||
+ if (EOFBlob(image) ||
|
|||
+ ((magick_off_t) PositionList[j].PicOffset +
|
|||
+ PositionList[j].PicSize > file_size))
|
|||
+ {
|
|||
+ (void) SetMagickResourceLimit(MapResource, SaveLimit);
|
|||
+ MagickFreeMemory(PositionList);
|
|||
+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
|
|||
+ }
|
|||
} |
|||
|
|||
for (j = 0; j < JNXLevelInfo[i].TileCount; j++) |
|||
@@ -351,6 +422,9 @@
|
|||
image = ExtractTileJPG(image, image_info, PositionList+j, exception); |
|||
(void) SetMonitorHandler(previous_handler); |
|||
|
|||
+ if (exception->severity >= ErrorException)
|
|||
+ break;
|
|||
+
|
|||
current_tile++; |
|||
if (QuantumTick(current_tile,total_tiles)) |
|||
if (!MagickMonitorFormatted(current_tile,total_tiles,exception, |
|||
|
|||
@ -1,179 +0,0 @@ |
|||
http://openwall.com/lists/oss-security/2017/08/31/1 |
|||
http://openwall.com/lists/oss-security/2017/08/31/2 |
|||
http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/233a720bfd5e |
|||
|
|||
some changes were made to make the patch apply |
|||
|
|||
# HG changeset patch |
|||
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> |
|||
# Date 1503779175 18000 |
|||
# Node ID 233a720bfd5efd378f133a776507ed41230da617 |
|||
# Parent b037d79b6ccd0cfba7ba9ce09b454ed46d688036 |
|||
XBM: Fix DOS issues. |
|||
|
|||
diff -r b037d79b6ccd -r 233a720bfd5e coders/xbm.c
|
|||
--- a/coders/xbm.c Sat Aug 26 14:14:13 2017 -0500
|
|||
+++ b/coders/xbm.c Sat Aug 26 15:26:15 2017 -0500
|
|||
@@ -1,5 +1,5 @@
|
|||
/* |
|||
-% Copyright (C) 2003 -2012 GraphicsMagick Group
|
|||
+% Copyright (C) 2003-2017 GraphicsMagick Group
|
|||
% Copyright (C) 2002 ImageMagick Studio |
|||
% Copyright 1991-1999 E. I. du Pont de Nemours and Company |
|||
% |
|||
@@ -121,13 +121,15 @@
|
|||
|
|||
static int XBMInteger(Image *image,short int *hex_digits) |
|||
{ |
|||
+ unsigned int
|
|||
+ flag;
|
|||
+
|
|||
int |
|||
c, |
|||
- flag,
|
|||
value; |
|||
|
|||
value=0; |
|||
- flag=0;
|
|||
+ flag=0U;
|
|||
for ( ; ; ) |
|||
{ |
|||
c=ReadBlobByte(image); |
|||
@@ -158,18 +160,14 @@
|
|||
Image |
|||
*image; |
|||
|
|||
- int
|
|||
- bit;
|
|||
-
|
|||
- long
|
|||
- y;
|
|||
-
|
|||
register IndexPacket |
|||
*indexes; |
|||
|
|||
- register long
|
|||
+ register size_t
|
|||
+ bytes_per_line,
|
|||
i, |
|||
- x;
|
|||
+ x,
|
|||
+ y;
|
|||
|
|||
register PixelPacket |
|||
*q; |
|||
@@ -177,22 +175,24 @@
|
|||
register unsigned char |
|||
*p; |
|||
|
|||
- short int
|
|||
- hex_digits[256];
|
|||
-
|
|||
unsigned char |
|||
*data; |
|||
|
|||
unsigned int |
|||
+ bit,
|
|||
+ byte,
|
|||
+ padding,
|
|||
+ version;
|
|||
+
|
|||
+ int
|
|||
+ value;
|
|||
+
|
|||
+ short int
|
|||
+ hex_digits[256];
|
|||
+
|
|||
+ MagickPassFail
|
|||
status; |
|||
|
|||
- unsigned long
|
|||
- byte,
|
|||
- bytes_per_line,
|
|||
- padding,
|
|||
- value,
|
|||
- version;
|
|||
-
|
|||
/* |
|||
Open image file. |
|||
*/ |
|||
@@ -207,6 +207,8 @@
|
|||
/* |
|||
Read X bitmap header. |
|||
*/ |
|||
+ (void) memset(buffer,0,sizeof(buffer));
|
|||
+ name[0]='\0';
|
|||
while (ReadBlobString(image,buffer) != (char *) NULL) |
|||
if (sscanf(buffer,"#define %s %lu",name,&image->columns) == 2) |
|||
if ((strlen(name) >= 6) && |
|||
@@ -278,6 +280,8 @@
|
|||
/* |
|||
Initialize hex values. |
|||
*/ |
|||
+ for (i = 0; i < sizeof(hex_digits)/sizeof(hex_digits[0]); i++)
|
|||
+ hex_digits[i]=(-1);
|
|||
hex_digits['0']=0; |
|||
hex_digits['1']=1; |
|||
hex_digits['2']=2; |
|||
@@ -311,40 +315,50 @@
|
|||
*/ |
|||
p=data; |
|||
if (version == 10) |
|||
- for (i=0; i < (long) (bytes_per_line*image->rows); (i+=2))
|
|||
+ for (i=0; i < (bytes_per_line*image->rows); (i+=2))
|
|||
{ |
|||
value=XBMInteger(image,hex_digits); |
|||
+ if (value < 0)
|
|||
+ {
|
|||
+ MagickFreeMemory(data);
|
|||
+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
|
|||
+ }
|
|||
*p++=(unsigned char) value; |
|||
if (!padding || ((i+2) % bytes_per_line)) |
|||
*p++=(unsigned char) (value >> 8); |
|||
} |
|||
else |
|||
- for (i=0; i < (long) (bytes_per_line*image->rows); i++)
|
|||
+ for (i=0; i < (bytes_per_line*image->rows); i++)
|
|||
{ |
|||
value=XBMInteger(image,hex_digits); |
|||
+ if (value < 0)
|
|||
+ {
|
|||
+ MagickFreeMemory(data);
|
|||
+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
|
|||
+ }
|
|||
*p++=(unsigned char) value; |
|||
} |
|||
/* |
|||
Convert X bitmap image to pixel packets. |
|||
*/ |
|||
p=data; |
|||
- for (y=0; y < (long) image->rows; y++)
|
|||
+ for (y=0; y < image->rows; y++)
|
|||
{ |
|||
q=SetImagePixels(image,0,y,image->columns,1); |
|||
if (q == (PixelPacket *) NULL) |
|||
break; |
|||
indexes=AccessMutableIndexes(image); |
|||
- bit=0;
|
|||
- byte=0;
|
|||
- for (x=0; x < (long) image->columns; x++)
|
|||
+ bit=0U;
|
|||
+ byte=0U;
|
|||
+ for (x=0; x < image->columns; x++)
|
|||
{ |
|||
- if (bit == 0)
|
|||
+ if (bit == 0U)
|
|||
byte=(*p++); |
|||
indexes[x]=byte & 0x01 ? 0x01 : 0x00; |
|||
bit++; |
|||
- byte>>=1;
|
|||
- if (bit == 8)
|
|||
- bit=0;
|
|||
+ byte>>=1U;
|
|||
+ if (bit == 8U)
|
|||
+ bit=0U;
|
|||
} |
|||
if (!SyncImagePixels(image)) |
|||
break; |
|||
|
|||
@ -1,80 +0,0 @@ |
|||
http://openwall.com/lists/oss-security/2017/08/28/5 |
|||
http://hg.code.sf.net/p/graphicsmagick/code/rev/3bbf7a13643d |
|||
|
|||
some changes were made to make the patch apply |
|||
|
|||
# HG changeset patch |
|||
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> |
|||
# Date 1503268616 18000 |
|||
# Node ID 3bbf7a13643df3be76b0e19088a6cc632eea2072 |
|||
# Parent 83a5b946180835f260bcb91e3d06327a8e2577e3 |
|||
PNM: For binary formats, verify sufficient backing file data before memory request. |
|||
|
|||
diff -r 83a5b9461808 -r 3bbf7a13643d coders/pnm.c
|
|||
--- a/coders/pnm.c Sun Aug 20 17:31:35 2017 -0500
|
|||
+++ b/coders/pnm.c Sun Aug 20 17:36:56 2017 -0500
|
|||
@@ -569,7 +569,7 @@
|
|||
(void) LogMagickEvent(CoderEvent,GetMagickModule(),"Colors: %u", |
|||
image->colors); |
|||
} |
|||
- number_pixels=image->columns*image->rows;
|
|||
+ number_pixels=MagickArraySize(image->columns,image->rows);
|
|||
if (number_pixels == 0) |
|||
ThrowReaderException(CorruptImageError,NegativeOrZeroImageSize,image); |
|||
if (image->storage_class == PseudoClass) |
|||
@@ -858,14 +858,14 @@
|
|||
if (1 == bits_per_sample) |
|||
{ |
|||
/* PBM */ |
|||
- bytes_per_row=((image->columns+7) >> 3);
|
|||
+ bytes_per_row=((image->columns+7U) >> 3);
|
|||
import_options.grayscale_miniswhite=MagickTrue; |
|||
quantum_type=GrayQuantum; |
|||
} |
|||
else |
|||
{ |
|||
/* PGM & XV_332 */ |
|||
- bytes_per_row=((bits_per_sample+7)/8)*image->columns;
|
|||
+ bytes_per_row=MagickArraySize(((bits_per_sample+7U)/8U),image->columns);
|
|||
if (XV_332_Format == format) |
|||
{ |
|||
quantum_type=IndexQuantum; |
|||
@@ -878,7 +878,8 @@
|
|||
} |
|||
else |
|||
{ |
|||
- bytes_per_row=(((bits_per_sample+7)/8)*samples_per_pixel)*image->columns;
|
|||
+ bytes_per_row=MagickArraySize((((bits_per_sample+7)/8)*samples_per_pixel),
|
|||
+ image->columns);
|
|||
if (3 == samples_per_pixel) |
|||
{ |
|||
/* PPM */ |
|||
@@ -915,6 +916,28 @@
|
|||
is_monochrome=MagickFalse; |
|||
} |
|||
} |
|||
+
|
|||
+ /* Validate file size before allocating memory */
|
|||
+ if (BlobIsSeekable(image))
|
|||
+ {
|
|||
+ const magick_off_t file_size = GetBlobSize(image);
|
|||
+ const magick_off_t current_offset = TellBlob(image);
|
|||
+ if ((file_size > 0) &&
|
|||
+ (current_offset > 0) &&
|
|||
+ (file_size > current_offset))
|
|||
+ {
|
|||
+ const magick_off_t remaining = file_size-current_offset;
|
|||
+ const magick_off_t needed = (magick_off_t) image->rows *
|
|||
+ (magick_off_t) bytes_per_row;
|
|||
+ if ((remaining < (magick_off_t) bytes_per_row) ||
|
|||
+ (remaining < needed))
|
|||
+ {
|
|||
+ ThrowException(exception,CorruptImageError,UnexpectedEndOfFile,
|
|||
+ image->filename);
|
|||
+ break;
|
|||
+ }
|
|||
+ }
|
|||
+ }
|
|||
|
|||
scanline_set=AllocateThreadViewDataArray(image,exception,bytes_per_row,1); |
|||
if (scanline_set == (ThreadViewDataSet *) NULL) |
|||
@ -1,72 +0,0 @@ |
|||
http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/493da54370aa |
|||
http://openwall.com/lists/oss-security/2017/09/06/4 |
|||
|
|||
some changes were made to make the patch apply |
|||
|
|||
# HG changeset patch |
|||
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> |
|||
# Date 1503257388 18000 |
|||
# Node ID 493da54370aa42cb430c52a69eb75db0001a5589 |
|||
# Parent f8724674907902b7bc37c04f252fe30fbdd88e6f |
|||
SUN: Verify that file header data length, and file length are sufficient for claimed image dimensions. |
|||
|
|||
diff -r f87246749079 -r 493da54370aa coders/sun.c
|
|||
--- a/coders/sun.c Sun Aug 20 12:21:03 2017 +0200
|
|||
+++ b/coders/sun.c Sun Aug 20 14:29:48 2017 -0500
|
|||
@@ -498,6 +498,12 @@
|
|||
if (sun_info.depth < 8) |
|||
image->depth=sun_info.depth; |
|||
|
|||
+ if (image_info->ping)
|
|||
+ {
|
|||
+ CloseBlob(image);
|
|||
+ return(image);
|
|||
+ }
|
|||
+
|
|||
/* |
|||
Compute bytes per line and bytes per image for an unencoded |
|||
image. |
|||
@@ -522,15 +528,37 @@
|
|||
if (bytes_per_image > sun_info.length) |
|||
ThrowReaderException(CorruptImageError,ImproperImageHeader,image); |
|||
|
|||
- if (image_info->ping)
|
|||
- {
|
|||
- CloseBlob(image);
|
|||
- return(image);
|
|||
- }
|
|||
if (sun_info.type == RT_ENCODED) |
|||
sun_data_length=(size_t) sun_info.length; |
|||
else |
|||
sun_data_length=bytes_per_image; |
|||
+
|
|||
+ /*
|
|||
+ Verify that data length claimed by header is supported by file size
|
|||
+ */
|
|||
+ if (sun_info.type == RT_ENCODED)
|
|||
+ {
|
|||
+ if (sun_data_length < bytes_per_image/255U)
|
|||
+ {
|
|||
+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
|
|||
+ }
|
|||
+ }
|
|||
+ if (BlobIsSeekable(image))
|
|||
+ {
|
|||
+ const magick_off_t file_size = GetBlobSize(image);
|
|||
+ const magick_off_t current_offset = TellBlob(image);
|
|||
+ if ((file_size > 0) &&
|
|||
+ (current_offset > 0) &&
|
|||
+ (file_size > current_offset))
|
|||
+ {
|
|||
+ const magick_off_t remaining = file_size-current_offset;
|
|||
+ if (remaining < (magick_off_t) sun_data_length)
|
|||
+ {
|
|||
+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
|
|||
+ }
|
|||
+ }
|
|||
+ }
|
|||
+
|
|||
sun_data=MagickAllocateMemory(unsigned char *,sun_data_length); |
|||
if (sun_data == (unsigned char *) NULL) |
|||
ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image); |
|||
|
|||
@ -1,210 +0,0 @@ |
|||
http://hg.code.sf.net/p/graphicsmagick/code/rev/358608a46f0a |
|||
http://www.openwall.com/lists/oss-security/2017/09/22/2 |
|||
|
|||
Some changes were made to make the patch apply. |
|||
|
|||
Notably, the DestroyJNG() function in the upstream diff has been replaced by |
|||
its equivalent, a series of calls to MagickFreeMemory(), DestroyImageInfo(), |
|||
and DestroyImage(). See |
|||
http://hg.code.sf.net/p/graphicsmagick/code/rev/d445af60a8d5. |
|||
|
|||
# HG changeset patch |
|||
# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com> |
|||
# Date 1504014487 14400 |
|||
# Node ID 358608a46f0a9c55e9bb8b37d09bf1ac9bc87f06 |
|||
# Parent 38c362f0ae5e7a914c3fe822284c6953f8e6eee2 |
|||
Fix Issue 439 |
|||
|
|||
diff -ru a/coders/png.c b/coders/png.c
|
|||
--- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500
|
|||
+++ b/coders/png.c 2017-09-30 08:20:16.218944991 -0400
|
|||
@@ -1176,15 +1176,15 @@
|
|||
/* allocate space */ |
|||
if (length == 0) |
|||
{ |
|||
- (void) ThrowException2(&image->exception,CoderWarning,
|
|||
- "invalid profile length",(char *) NULL);
|
|||
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|||
+ "invalid profile length");
|
|||
return (MagickFail); |
|||
} |
|||
info=MagickAllocateMemory(unsigned char *,length); |
|||
if (info == (unsigned char *) NULL) |
|||
{ |
|||
- (void) ThrowException2(&image->exception,CoderWarning,
|
|||
- "unable to copy profile",(char *) NULL);
|
|||
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|||
+ "Unable to copy profile");
|
|||
return (MagickFail); |
|||
} |
|||
/* copy profile, skipping white space and column 1 "=" signs */ |
|||
@@ -1197,8 +1197,8 @@
|
|||
if (*sp == '\0') |
|||
{ |
|||
MagickFreeMemory(info); |
|||
- (void) ThrowException2(&image->exception,CoderWarning,
|
|||
- "ran out of profile data",(char *) NULL);
|
|||
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|||
+ "ran out of profile data");
|
|||
return (MagickFail); |
|||
} |
|||
sp++; |
|||
@@ -1234,8 +1234,9 @@
|
|||
if(SetImageProfile(image,profile_name,info,length) == MagickFail) |
|||
{ |
|||
MagickFreeMemory(info); |
|||
- (void) ThrowException(&image->exception,ResourceLimitError,
|
|||
- MemoryAllocationFailed,"unable to copy profile");
|
|||
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|||
+ "unable to copy profile");
|
|||
+ return MagickFail;
|
|||
} |
|||
MagickFreeMemory(info); |
|||
return MagickTrue; |
|||
@@ -3285,7 +3286,6 @@
|
|||
if (status == MagickFalse) |
|||
{ |
|||
DestroyJNGInfo(color_image_info,alpha_image_info); |
|||
- DestroyImage(alpha_image);
|
|||
(void) LogMagickEvent(CoderEvent,GetMagickModule(), |
|||
" could not allocate alpha_image blob"); |
|||
return ((Image *)NULL); |
|||
@@ -3534,7 +3534,7 @@
|
|||
CloseBlob(color_image); |
|||
if (logging) |
|||
(void) LogMagickEvent(CoderEvent,GetMagickModule(), |
|||
- " Reading jng_image from color_blob.");
|
|||
+ " Reading jng_image from color_blob.");
|
|||
|
|||
FormatString(color_image_info->filename,"%.1024s",color_image->filename); |
|||
|
|||
@@ -3558,13 +3558,18 @@
|
|||
|
|||
if (logging) |
|||
(void) LogMagickEvent(CoderEvent,GetMagickModule(), |
|||
- " Copying jng_image pixels to main image.");
|
|||
+ " Copying jng_image pixels to main image.");
|
|||
image->rows=jng_height; |
|||
image->columns=jng_width; |
|||
length=image->columns*sizeof(PixelPacket); |
|||
+ if ((jng_height == 0 || jng_width == 0) && logging)
|
|||
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|||
+ " jng_width=%lu jng_height=%lu",
|
|||
+ (unsigned long)jng_width,(unsigned long)jng_height);
|
|||
for (y=0; y < (long) image->rows; y++) |
|||
{ |
|||
- s=AcquireImagePixels(jng_image,0,y,image->columns,1,&image->exception);
|
|||
+ s=AcquireImagePixels(jng_image,0,y,image->columns,1,
|
|||
+ &image->exception);
|
|||
q=SetImagePixels(image,0,y,image->columns,1); |
|||
(void) memcpy(q,s,length); |
|||
if (!SyncImagePixels(image)) |
|||
@@ -3589,45 +3594,79 @@
|
|||
CloseBlob(alpha_image); |
|||
if (logging) |
|||
(void) LogMagickEvent(CoderEvent,GetMagickModule(), |
|||
- " Reading opacity from alpha_blob.");
|
|||
+ " Reading opacity from alpha_blob.");
|
|||
|
|||
FormatString(alpha_image_info->filename,"%.1024s", |
|||
alpha_image->filename); |
|||
|
|||
jng_image=ReadImage(alpha_image_info,exception); |
|||
|
|||
- for (y=0; y < (long) image->rows; y++)
|
|||
+ if (jng_image == (Image *)NULL)
|
|||
{ |
|||
- s=AcquireImagePixels(jng_image,0,y,image->columns,1,
|
|||
- &image->exception);
|
|||
- if (image->matte)
|
|||
- {
|
|||
- q=SetImagePixels(image,0,y,image->columns,1);
|
|||
- for (x=(long) image->columns; x > 0; x--,q++,s++)
|
|||
- q->opacity=(Quantum) MaxRGB-s->red;
|
|||
- }
|
|||
- else
|
|||
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|||
+ " jng_image is NULL.");
|
|||
+ if (color_image_info)
|
|||
+ DestroyImageInfo(color_image_info);
|
|||
+ if (alpha_image_info)
|
|||
+ DestroyImageInfo(alpha_image_info);
|
|||
+ if (color_image)
|
|||
+ DestroyImage(color_image);
|
|||
+ if (alpha_image)
|
|||
+ DestroyImage(alpha_image);
|
|||
+ }
|
|||
+ else
|
|||
+ {
|
|||
+
|
|||
+ if (logging)
|
|||
{ |
|||
- q=SetImagePixels(image,0,y,image->columns,1);
|
|||
- for (x=(long) image->columns; x > 0; x--,q++,s++)
|
|||
- {
|
|||
- q->opacity=(Quantum) MaxRGB-s->red;
|
|||
- if (q->opacity != OpaqueOpacity)
|
|||
- image->matte=MagickTrue;
|
|||
- }
|
|||
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|||
+ " Read jng_image.");
|
|||
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|||
+ " jng_image->width=%lu, jng_image->height=%lu",
|
|||
+ (unsigned long)jng_width,(unsigned long)jng_height);
|
|||
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|||
+ " image->rows=%lu, image->columns=%lu",
|
|||
+ (unsigned long)image->rows,
|
|||
+ (unsigned long)image->columns);
|
|||
} |
|||
- if (!SyncImagePixels(image))
|
|||
- break;
|
|||
- }
|
|||
- (void) LiberateUniqueFileResource(alpha_image->filename);
|
|||
- DestroyImage(alpha_image);
|
|||
- alpha_image = (Image *)NULL;
|
|||
- DestroyImageInfo(alpha_image_info);
|
|||
- alpha_image_info = (ImageInfo *)NULL;
|
|||
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|||
- " Destroy the JNG image");
|
|||
- DestroyImage(jng_image);
|
|||
- jng_image = (Image *)NULL;
|
|||
+
|
|||
+ for (y=0; y < (long) image->rows; y++)
|
|||
+ {
|
|||
+ s=AcquireImagePixels(jng_image,0,y,image->columns,1,
|
|||
+ &image->exception);
|
|||
+ if (image->matte)
|
|||
+ {
|
|||
+ q=SetImagePixels(image,0,y,image->columns,1);
|
|||
+ for (x=(long) image->columns; x > 0; x--,q++,s++)
|
|||
+ q->opacity=(Quantum) MaxRGB-s->red;
|
|||
+ }
|
|||
+ else
|
|||
+ {
|
|||
+ q=SetImagePixels(image,0,y,image->columns,1);
|
|||
+ for (x=(long) image->columns; x > 0; x--,q++,s++)
|
|||
+ {
|
|||
+ q->opacity=(Quantum) MaxRGB-s->red;
|
|||
+ if (q->opacity != OpaqueOpacity)
|
|||
+ image->matte=MagickTrue;
|
|||
+ }
|
|||
+ }
|
|||
+ if (!SyncImagePixels(image))
|
|||
+ break;
|
|||
+ }
|
|||
+ (void) LiberateUniqueFileResource(alpha_image->filename);
|
|||
+ if (color_image_info)
|
|||
+ DestroyImageInfo(color_image_info);
|
|||
+ if (alpha_image_info)
|
|||
+ DestroyImageInfo(alpha_image_info);
|
|||
+ if (color_image)
|
|||
+ DestroyImage(color_image);
|
|||
+ if (alpha_image)
|
|||
+ DestroyImage(alpha_image);
|
|||
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|||
+ " Destroy the JNG image");
|
|||
+ DestroyImage(jng_image);
|
|||
+ jng_image = (Image *)NULL;
|
|||
+ }
|
|||
} |
|||
} |
|||
Write
Preview
Loading…
Cancel
Save
Reference in new issue