Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP5:Update
ImageMagick.30956
ImageMagick-CVE-2018-16644.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File ImageMagick-CVE-2018-16644.patch of Package ImageMagick.30956
Index: ImageMagick-6.8.8-1/coders/pict.c =================================================================== --- ImageMagick-6.8.8-1.orig/coders/pict.c 2019-02-14 15:19:25.847694428 +0100 +++ ImageMagick-6.8.8-1/coders/pict.c 2019-02-14 15:19:27.099700650 +0100 @@ -802,12 +802,25 @@ static MagickBooleanType ReadRectangle(I static Image *ReadPICTImage(const ImageInfo *image_info, ExceptionInfo *exception) { +#define ThrowPICTException(exception,message) \ +{ \ + if (tile_image != (Image *) NULL) \ + tile_image=DestroyImage(tile_image); \ + if (read_info != (ImageInfo *) NULL) \ + read_info=DestroyImageInfo(read_info); \ + ThrowReaderException((exception),(message)); \ +} char geometry[MaxTextExtent], header_ole[4]; Image - *image; + *image, + *tile_image; + + + ImageInfo + *read_info; IndexPacket index; @@ -872,6 +885,8 @@ static Image *ReadPICTImage(const ImageI /* Read PICT header. */ + read_info=(ImageInfo *) NULL; + tile_image=(Image *) NULL; pixmap.bits_per_pixel=0; pixmap.component_count=0; /* @@ -946,6 +961,9 @@ static Image *ReadPICTImage(const ImageI Clipping rectangle. */ length=ReadBlobMSBShort(image); + if (length > GetBlobSize(image)) + ThrowPICTException(CorruptImageError, + "InsufficientImageDataInFile"); if (length != 0x000a) { for (i=0; i < (ssize_t) (length-2); i++) @@ -987,6 +1005,9 @@ static Image *ReadPICTImage(const ImageI if (pattern != 1) ThrowReaderException(CorruptImageError,"UnknownPatternType"); length=ReadBlobMSBShort(image); + if (length > GetBlobSize(image)) + ThrowPICTException(CorruptImageError, + "InsufficientImageDataInFile"); if (ReadRectangle(image,&frame) == MagickFalse) ThrowReaderException(CorruptImageError,"ImproperImageHeader"); if (ReadPixmap(image,&pixmap) == MagickFalse) @@ -998,6 +1019,9 @@ static Image *ReadPICTImage(const ImageI (void) ReadBlobMSBLong(image); flags=1L*ReadBlobMSBShort(image); length=ReadBlobMSBShort(image); + if (length > GetBlobSize(image)) + ThrowPICTException(CorruptImageError, + "InsufficientImageDataInFile"); for (i=0; i <= (ssize_t) length; i++) (void) ReadBlobMSBLong(image); width=1UL*(frame.bottom-frame.top); @@ -1049,6 +1073,9 @@ static Image *ReadPICTImage(const ImageI Skip polygon or region. */ length=ReadBlobMSBShort(image); + if (length > GetBlobSize(image)) + ThrowPICTException(CorruptImageError, + "InsufficientImageDataInFile"); for (i=0; i < (ssize_t) (length-2); i++) (void) ReadBlobByte(image); break; @@ -1076,9 +1103,6 @@ static Image *ReadPICTImage(const ImageI unsigned char *pixels; - Image - *tile_image; - /* Pixmap clipped by a rectangle. */ @@ -1182,6 +1206,9 @@ static Image *ReadPICTImage(const ImageI Skip region. */ length=ReadBlobMSBShort(image); + if (length > GetBlobSize(image)) + ThrowPICTException(CorruptImageError, + "InsufficientImageDataInFile"); for (i=0; i < (ssize_t) (length-2); i++) (void) ReadBlobByte(image); } @@ -1310,6 +1337,9 @@ static Image *ReadPICTImage(const ImageI */ type=ReadBlobMSBShort(image); length=ReadBlobMSBShort(image); + if (length > GetBlobSize(image)) + ThrowPICTException(CorruptImageError, + "InsufficientImageDataInFile"); if (length == 0) break; (void) ReadBlobMSBLong(image); @@ -1391,12 +1421,6 @@ static Image *ReadPICTImage(const ImageI FILE *file; - Image - *tile_image; - - ImageInfo - *read_info; - int unique_file; @@ -1421,6 +1445,9 @@ static Image *ReadPICTImage(const ImageI return((Image *) NULL); } length=ReadBlobMSBLong(image); + if (length > GetBlobSize(image)) + ThrowPICTException(CorruptImageError, + "InsufficientImageDataInFile"); for (i=0; i < 6; i++) (void) ReadBlobMSBLong(image); if (ReadRectangle(image,&frame) == MagickFalse) @@ -1464,6 +1491,9 @@ static Image *ReadPICTImage(const ImageI Skip reserved. */ length=ReadBlobMSBShort(image); + if (length > GetBlobSize(image)) + ThrowPICTException(CorruptImageError, + "InsufficientImageDataInFile"); for (i=0; i < (ssize_t) length; i++) (void) ReadBlobByte(image); continue; @@ -1474,6 +1504,9 @@ static Image *ReadPICTImage(const ImageI Skip reserved. */ length=(size_t) ((code >> 7) & 0xff); + if (length > GetBlobSize(image)) + ThrowPICTException(CorruptImageError, + "InsufficientImageDataInFile"); for (i=0; i < (ssize_t) length; i++) (void) ReadBlobByte(image); continue; Index: ImageMagick-6.8.8-1/coders/dcm.c =================================================================== --- ImageMagick-6.8.8-1.orig/coders/dcm.c 2019-02-14 15:19:26.063695502 +0100 +++ ImageMagick-6.8.8-1/coders/dcm.c 2019-02-14 15:21:39.600333230 +0100 @@ -3599,6 +3599,8 @@ static Image *ReadDCMImage(const ImageIn tag=(ReadBlobLSBShort(image) << 16) | ReadBlobLSBShort(image); length=(size_t) ReadBlobLSBLong(image); + if (length > (size_t) GetBlobSize(image)) + ThrowDCMReaderException(CorruptImageError,"InsufficientImageDataInFile"); if (tag == 0xFFFEE0DD) break; /* sequence delimiter tag */ if (tag != 0xFFFEE000)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor