Mirror of GNU Guix
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 

195 lines
7.2 KiB

http://openwall.com/lists/oss-security/2017/08/31/3
http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/b037d79b6ccd
some changes were made to make the patch apply
# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1503774853 18000
# Node ID b037d79b6ccd0cfba7ba9ce09b454ed46d688036
# Parent 198ea602ea7cc767dc3022bbcf887bcd4534158d
JNX: Fix DOS issues
diff -r 198ea602ea7c -r b037d79b6ccd coders/jnx.c
--- a/coders/jnx.c Tue Aug 22 08:08:30 2017 -0500
+++ b/coders/jnx.c Sat Aug 26 14:14:13 2017 -0500
@@ -1,5 +1,5 @@
/*
-% Copyright (C) 2012-2015 GraphicsMagick Group
+% Copyright (C) 2012-2017 GraphicsMagick Group
%
% This program is covered by multiple licenses, which are described in
% Copyright.txt. You should have received a copy of Copyright.txt with this
@@ -100,6 +100,7 @@
char img_label_str[MaxTextExtent];
+
alloc_size = TileInfo->PicSize + 2;
if (image->logging)
@@ -242,6 +243,9 @@
total_tiles,
current_tile;
+ magick_off_t
+ file_size;
+
/* Open image file. */
assert(image_info != (const ImageInfo *) NULL);
assert(image_info->signature == MagickSignature);
@@ -254,9 +258,8 @@
if (status == False)
ThrowReaderException(FileOpenError, UnableToOpenFile, image);
- memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo));
-
/* Read JNX image header. */
+ (void) memset(&JNXHeader, 0, sizeof(JNXHeader));
JNXHeader.Version = ReadBlobLSBLong(image);
if (JNXHeader.Version > 4)
ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
@@ -266,8 +269,6 @@
JNXHeader.MapBounds.SouthWest.lat = ReadBlobLSBLong(image);
JNXHeader.MapBounds.SouthWest.lon = ReadBlobLSBLong(image);
JNXHeader.Levels = ReadBlobLSBLong(image);
- if (JNXHeader.Levels > 20)
- ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
JNXHeader.Expiration = ReadBlobLSBLong(image);
JNXHeader.ProductID = ReadBlobLSBLong(image);
JNXHeader.CRC = ReadBlobLSBLong(image);
@@ -279,7 +280,41 @@
if (EOFBlob(image))
ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+ file_size = GetBlobSize(image);
+
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "JNX Header:\n"
+ " Version: %u\n"
+ " DeviceSN: %u\n"
+ " MapBounds:\n"
+ " NorthEast: lat = %u, lon = %u\n"
+ " SouthWest: lat = %u, lon = %u\n"
+ " Levels: %u\n"
+ " Expiration: %u\n"
+ " ProductID: %u\n"
+ " CRC: %u\n"
+ " SigVersion: %u\n"
+ " SigOffset: %u\n"
+ " ZOrder: %u",
+ JNXHeader.Version,
+ JNXHeader.DeviceSN,
+ JNXHeader.MapBounds.NorthEast.lat,
+ JNXHeader.MapBounds.NorthEast.lon,
+ JNXHeader.MapBounds.SouthWest.lat,
+ JNXHeader.MapBounds.SouthWest.lon,
+ JNXHeader.Levels,
+ JNXHeader.Expiration,
+ JNXHeader.ProductID,
+ JNXHeader.CRC,
+ JNXHeader.SigVersion,
+ JNXHeader.SigOffset,
+ JNXHeader.ZOrder);
+
+ if (JNXHeader.Levels > 20)
+ ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
+
/* Read JNX image level info. */
+ memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo));
total_tiles = 0;
current_tile = 0;
for (i = 0; i < JNXHeader.Levels; i++)
@@ -302,11 +337,23 @@
{
JNXLevelInfo[i].Copyright = NULL;
}
+
+ if (EOFBlob(image))
+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+
+ if (image->logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "Level[%u] Info:"
+ " TileCount: %4u"
+ " TilesOffset: %6u"
+ " Scale: %04u",
+ i,
+ JNXLevelInfo[i].TileCount,
+ JNXLevelInfo[i].TilesOffset,
+ JNXLevelInfo[i].Scale
+ );
}
- if (EOFBlob(image))
- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
-
/* Get the current limit */
SaveLimit = GetMagickResourceLimit(MapResource);
@@ -316,11 +363,32 @@
/* Read JNX image data. */
for (i = 0; i < JNXHeader.Levels; i++)
{
+ /*
+ Validate TileCount against remaining file data
+ */
+ const magick_off_t current_offset = TellBlob(image);
+ const size_t pos_list_entry_size =
+ sizeof(magick_uint32_t) + sizeof(magick_uint32_t) + sizeof(magick_uint32_t) +
+ sizeof(magick_uint32_t) + sizeof(magick_uint16_t) + sizeof(magick_uint16_t) +
+ sizeof(magick_uint32_t) + sizeof(magick_uint32_t);
+ const magick_off_t remaining = file_size-current_offset;
+ const size_t needed = MagickArraySize(pos_list_entry_size,JNXLevelInfo[i].TileCount);
+
+ if ((needed == 0U) || (remaining <= 0) || (remaining < (magick_off_t) needed))
+ {
+ (void) SetMagickResourceLimit(MapResource, SaveLimit);
+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+ }
+
PositionList = MagickAllocateArray(TJNXTileInfo *,
JNXLevelInfo[i].TileCount,
sizeof(TJNXTileInfo));
if (PositionList == NULL)
- continue;
+ {
+ (void) SetMagickResourceLimit(MapResource, SaveLimit);
+ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+ image);
+ }
(void) SeekBlob(image, JNXLevelInfo[i].TilesOffset, SEEK_SET);
for (j = 0; j < JNXLevelInfo[i].TileCount; j++)
@@ -333,12 +401,15 @@
PositionList[j].PicHeight = ReadBlobLSBShort(image);
PositionList[j].PicSize = ReadBlobLSBLong(image);
PositionList[j].PicOffset = ReadBlobLSBLong(image);
- }
- if (EOFBlob(image))
- {
- MagickFreeMemory(PositionList);
- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+ if (EOFBlob(image) ||
+ ((magick_off_t) PositionList[j].PicOffset +
+ PositionList[j].PicSize > file_size))
+ {
+ (void) SetMagickResourceLimit(MapResource, SaveLimit);
+ MagickFreeMemory(PositionList);
+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+ }
}
for (j = 0; j < JNXLevelInfo[i].TileCount; j++)
@@ -351,6 +422,9 @@
image = ExtractTileJPG(image, image_info, PositionList+j, exception);
(void) SetMonitorHandler(previous_handler);
+ if (exception->severity >= ErrorException)
+ break;
+
current_tile++;
if (QuantumTick(current_tile,total_tiles))
if (!MagickMonitorFormatted(current_tile,total_tiles,exception,