Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Please login to access the resource
SUSE:SLE-12-SP1:GA
ImageMagick.5137
ImageMagick-CVE-2017-9144.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File ImageMagick-CVE-2017-9144.patch of Package ImageMagick.5137
Index: ImageMagick-6.8.8-1/coders/rle.c =================================================================== --- ImageMagick-6.8.8-1.orig/coders/rle.c 2017-05-31 10:07:55.564947172 +0200 +++ ImageMagick-6.8.8-1/coders/rle.c 2017-05-31 10:41:13.947605528 +0200 @@ -138,6 +138,15 @@ static Image *ReadRLEImage(const ImageIn #define ByteDataOp 0x05 #define RunDataOp 0x06 #define EOFOp 0x07 +#define ThrowRLEException(exception,message) \ +{ \ + if (colormap != (unsigned char *) NULL) \ + colormap=(unsigned char *) RelinquishMagickMemory(colormap); \ + if (pixel_info != (MemoryInfo *) NULL) \ + pixel_info=RelinquishVirtualMemory(pixel_info); \ + ThrowReaderException((exception),(message)); \ +} + char magick[12]; @@ -215,6 +224,8 @@ static Image *ReadRLEImage(const ImageIn /* Determine if this a RLE file. */ + colormap=(unsigned char *) NULL; + pixel_info=(MemoryInfo *) NULL; count=ReadBlob(image,2,(unsigned char *) magick); if ((count == 0) || (memcmp(magick,"\122\314",2) != 0)) ThrowReaderException(CorruptImageError,"ImproperImageHeader"); @@ -235,6 +246,8 @@ static Image *ReadRLEImage(const ImageIn map_length=(unsigned char) ReadBlobByte(image); if (map_length >= 22) ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + if (EOFBlob(image) != MagickFalse) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); one=1; map_length=one << map_length; if ((number_planes == 0) || (number_planes == 2) || (bits_per_pixel != 8) || @@ -258,6 +271,8 @@ static Image *ReadRLEImage(const ImageIn for (i=0; i < (ssize_t) number_planes; i++) *p++=(unsigned char) ReadBlobByte(image); } + if (EOFBlob(image) != MagickFalse) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); if ((number_planes & 0x01) == 0) (void) ReadBlobByte(image); colormap=(unsigned char *) NULL; @@ -273,8 +288,12 @@ static Image *ReadRLEImage(const ImageIn p=colormap; for (i=0; i < (ssize_t) number_colormaps; i++) for (x=0; x < (ssize_t) map_length; x++) + { *p++=(unsigned char) ScaleQuantumToChar(ScaleShortToQuantum( ReadBlobLSBShort(image))); + if (EOFBlob(image) != MagickFalse) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + } } if ((flags & 0x08) != 0) { @@ -301,6 +320,8 @@ static Image *ReadRLEImage(const ImageIn (void) ReadBlobByte(image); } } + if (EOFBlob(image) != MagickFalse) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; @@ -351,6 +372,8 @@ static Image *ReadRLEImage(const ImageIn x=0; y=0; opcode=ReadBlobByte(image); + if (opcode == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); do { switch (opcode & 0x3f) @@ -358,8 +381,14 @@ static Image *ReadRLEImage(const ImageIn case SkipLinesOp: { operand=ReadBlobByte(image); + if (operand == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); if (opcode & 0x40) + { operand=(int) ReadBlobLSBShort(image); + if (operand == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + } x=0; y+=operand; break; @@ -367,6 +396,8 @@ static Image *ReadRLEImage(const ImageIn case SetColorOp: { operand=ReadBlobByte(image); + if (operand == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); plane=(unsigned char) operand; if (plane == 255) plane=(unsigned char) (number_planes-1); @@ -376,16 +407,28 @@ static Image *ReadRLEImage(const ImageIn case SkipPixelsOp: { operand=ReadBlobByte(image); + if (operand == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); if (opcode & 0x40) + { operand=(int) ReadBlobLSBShort(image); + if (operand == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + } x+=operand; break; } case ByteDataOp: { operand=ReadBlobByte(image); + if (operand == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); if (opcode & 0x40) + { operand=(int) ReadBlobLSBShort(image); + if (operand == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + } offset=((image->rows-y-1)*image->columns*number_planes)+x* number_planes+plane; operand++; @@ -414,8 +457,14 @@ static Image *ReadRLEImage(const ImageIn case RunDataOp: { operand=ReadBlobByte(image); + if (operand == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); if (opcode & 0x40) + { operand=(int) ReadBlobLSBShort(image); + if (operand == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + } pixel=(unsigned char) ReadBlobByte(image); (void) ReadBlobByte(image); operand++; @@ -444,6 +493,8 @@ static Image *ReadRLEImage(const ImageIn break; } opcode=ReadBlobByte(image); + if (opcode == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); } while (((opcode & 0x3f) != EOFOp) && (opcode != EOF)); if (number_colormaps != 0) {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
