Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12:Update
ImageMagick.6676
ImageMagick-CVE-2017-16669,17682.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File ImageMagick-CVE-2017-16669,17682.patch of Package ImageMagick.6676
+++ a/coders/wpg.c Index: ImageMagick-6.8.8-1/coders/wpg.c =================================================================== --- ImageMagick-6.8.8-1.orig/coders/wpg.c 2017-11-23 14:08:13.828650667 +0100 +++ ImageMagick-6.8.8-1/coders/wpg.c 2017-11-24 11:15:52.766165166 +0100 @@ -264,7 +264,8 @@ static void Rd_WP_DWORD(Image *image,siz return; } -static void InsertRow(unsigned char *p,ssize_t y,Image *image, int bpp) +static MagickBooleanType InsertRow(unsigned char *p,ssize_t y,Image *image, + int bpp) { ExceptionInfo *exception; @@ -285,14 +286,14 @@ static void InsertRow(unsigned char *p,s *indexes; exception=(&image->exception); + q=QueueAuthenticPixels(image,0,y,image->columns,1,exception); + if (q == (PixelPacket *) NULL) + return(MagickFalse); + indexes=GetAuthenticIndexQueue(image); switch (bpp) { case 1: /* Convert bitmap scanline. */ { - q=QueueAuthenticPixels(image,0,y,image->columns,1,exception); - if (q == (PixelPacket *) NULL) - break; - indexes=GetAuthenticIndexQueue(image); for (x=0; x < ((ssize_t) image->columns-7); x+=8) { for (bit=0; bit < 8; bit++) @@ -315,16 +316,13 @@ static void InsertRow(unsigned char *p,s } p++; } - if (!SyncAuthenticPixels(image,exception)) - break; break; } case 2: /* Convert PseudoColor scanline. */ { - q=QueueAuthenticPixels(image,0,y,image->columns,1,exception); - if (q == (PixelPacket *) NULL) - break; - indexes=GetAuthenticIndexQueue(image); + if ((image->storage_class != PseudoClass) || + (indexes == (IndexPacket *) NULL)) + return MagickFalse; for (x=0; x < ((ssize_t) image->columns-3); x+=4) { index=ConstrainColormapIndex(image,(*p >> 6) & 0x3); @@ -342,8 +340,8 @@ static void InsertRow(unsigned char *p,s index=ConstrainColormapIndex(image,(*p) & 0x3); SetPixelIndex(indexes+x+1,index); SetPixelRGBO(q,image->colormap+(ssize_t) index); - p++; q++; + p++; } if ((image->columns % 4) != 0) { @@ -367,17 +365,11 @@ static void InsertRow(unsigned char *p,s } p++; } - if (SyncAuthenticPixels(image,exception) == MagickFalse) - break; break; } case 4: /* Convert PseudoColor scanline. */ { - q=QueueAuthenticPixels(image,0,y,image->columns,1,exception); - if (q == (PixelPacket *) NULL) - break; - indexes=GetAuthenticIndexQueue(image); for (x=0; x < ((ssize_t) image->columns-1); x+=2) { index=ConstrainColormapIndex(image,(*p >> 4) & 0x0f); @@ -398,16 +390,10 @@ static void InsertRow(unsigned char *p,s p++; q++; } - if (SyncAuthenticPixels(image,exception) == MagickFalse) - break; break; } case 8: /* Convert PseudoColor scanline. */ { - q=QueueAuthenticPixels(image,0,y,image->columns,1,exception); - if (q == (PixelPacket *) NULL) break; - indexes=GetAuthenticIndexQueue(image); - for (x=0; x < (ssize_t) image->columns; x++) { index=ConstrainColormapIndex(image,*p); @@ -416,15 +402,10 @@ static void InsertRow(unsigned char *p,s p++; q++; } - if (SyncAuthenticPixels(image,exception) == MagickFalse) - break; } break; case 24: /* Convert DirectColor scanline. */ - q=QueueAuthenticPixels(image,0,y,image->columns,1,exception); - if (q == (PixelPacket *) NULL) - break; for (x=0; x < (ssize_t) image->columns; x++) { SetPixelRed(q,ScaleCharToQuantum(*p++)); @@ -432,10 +413,11 @@ static void InsertRow(unsigned char *p,s SetPixelBlue(q,ScaleCharToQuantum(*p++)); q++; } - if (!SyncAuthenticPixels(image,exception)) - break; break; } + if (!SyncAuthenticPixels(image,exception)) + return(MagickFalse); + return(MagickTrue); } @@ -446,10 +428,10 @@ static void InsertRow(unsigned char *p,s x++; \ if((ssize_t) x>=ldblk) \ { \ - InsertRow(BImgBuff,(ssize_t) y,image,bpp); \ + if (InsertRow(BImgBuff,(ssize_t) y,image,bpp) != MagickFalse) \ + y++; \ x=0; \ - y++; \ - } \ + } \ } /* WPG1 raster reader. */ static int UnpackWPGRaster(Image *image,int bpp) @@ -476,15 +458,14 @@ static int UnpackWPGRaster(Image *image, if(BImgBuff==NULL) return(-2); while(y<(ssize_t) image->rows) - { - i = ReadBlobByte(image); - if(i==EOF) - { - RelinquishMagickMemory(BImgBuff); - return(-5); - } - bbuf = i; + { + int + c; + c=ReadBlobByte(image); + if (c == EOF) + break; + bbuf=(unsigned char) c; RunCount=bbuf & 0x7F; if(bbuf & 0x80) { @@ -494,7 +475,10 @@ static int UnpackWPGRaster(Image *image, for(i=0;i<(int) RunCount;i++) InsertByte(bbuf); } else { /* read next byte as RunCount; repeat 0xFF runcount* */ - RunCount=ReadBlobByte(image); + c=ReadBlobByte(image); + if (c < 0) + break; + RunCount=(unsigned char) c; for(i=0;i<(int) RunCount;i++) InsertByte(0xFF); } } @@ -508,7 +492,10 @@ static int UnpackWPGRaster(Image *image, } } else { /* repeat previous line runcount* */ - RunCount=ReadBlobByte(image); + c=ReadBlobByte(image); + if (c < 0) + break; + RunCount=(unsigned char) c; if(x) { /* attempt to duplicate row from x position: */ /* I do not know what to do here */ BImgBuff=(unsigned char *) RelinquishMagickMemory(BImgBuff); @@ -524,13 +511,19 @@ static int UnpackWPGRaster(Image *image, BImgBuff=(unsigned char *) RelinquishMagickMemory(BImgBuff); return(-4); } - InsertRow(BImgBuff,y-1,image,bpp); + if (InsertRow(BImgBuff,y-1,image,bpp) == MagickFalse) + { + BImgBuff=(unsigned char *) RelinquishMagickMemory(BImgBuff); + return(-5); + } } } } + if (EOFBlob(image) != MagickFalse) + break; } BImgBuff=(unsigned char *) RelinquishMagickMemory(BImgBuff); - return(0); + return(y < (ssize_t) image->rows ? -5 : 0); } @@ -546,34 +539,34 @@ RestoreMSCWarning \ x++; \ if((ssize_t) x >= ldblk) \ { \ - InsertRow(BImgBuff,(ssize_t) y,image,bpp); \ + if (InsertRow(BImgBuff,(ssize_t) y,image,bpp) != MagickFalse) \ + y++; \ x=0; \ - y++; \ - } \ + } \ } /* WPG2 raster reader. */ static int UnpackWPG2Raster(Image *image,int bpp) { + int XorMe = 0; + + int + RunCount; + size_t x, y; ssize_t + i, ldblk; - int XorMe = 0; - unsigned int SampleSize=1; unsigned char bbuf, *BImgBuff, - RunCount, - SampleBuffer[8]; - - unsigned int - i; + SampleBuffer[8] = { 0, 0, 0, 0, 0, 0, 0, 0 }; x=0; y=0; @@ -592,9 +585,15 @@ static int UnpackWPG2Raster(Image *image case 0x7D: SampleSize=ReadBlobByte(image); /* DSZ */ if(SampleSize>8) - return(-2); + { + BImgBuff=(unsigned char *) RelinquishMagickMemory(BImgBuff); + return(-2); + } if(SampleSize<1) - return(-2); + { + BImgBuff=(unsigned char *) RelinquishMagickMemory(BImgBuff); + return(-2); + } break; case 0x7E: (void) FormatLocaleFile(stderr, @@ -603,6 +602,8 @@ static int UnpackWPG2Raster(Image *image break; case 0x7F: RunCount=ReadBlobByte(image); /* BLK */ + if (RunCount < 0) + break; for(i=0; i < SampleSize*(RunCount+1); i++) { InsertByte6(0); @@ -610,31 +611,37 @@ static int UnpackWPG2Raster(Image *image break; case 0xFD: RunCount=ReadBlobByte(image); /* EXT */ + if (RunCount < 0) + break; for(i=0; i<= RunCount;i++) for(bbuf=0; bbuf < SampleSize; bbuf++) InsertByte6(SampleBuffer[bbuf]); break; case 0xFE: RunCount=ReadBlobByte(image); /* RST */ + if (RunCount < 0) + break; if(x!=0) { (void) FormatLocaleFile(stderr, "\nUnsupported WPG2 unaligned token RST x=%.20g, please report!\n" ,(double) x); + BImgBuff=(unsigned char *) RelinquishMagickMemory(BImgBuff); return(-3); } { /* duplicate the previous row RunCount x */ for(i=0;i<=RunCount;i++) { - InsertRow(BImgBuff,(ssize_t) (image->rows >= y ? y : image->rows-1), - image,bpp); - y++; + if (InsertRow(BImgBuff,(ssize_t) (image->rows > y ? y : image->rows-1),image,bpp) != MagickFalse) + y++; } } break; case 0xFF: RunCount=ReadBlobByte(image); /* WHT */ + if (RunCount < 0) + break; for (i=0; i < SampleSize*(RunCount+1); i++) { InsertByte6(0xFF); @@ -659,6 +666,8 @@ static int UnpackWPG2Raster(Image *image } } } + if (EOFBlob(image) != MagickFalse) + break; } BImgBuff=(unsigned char *) RelinquishMagickMemory(BImgBuff); return(0); @@ -680,13 +689,13 @@ unsigned Flags; (*CTM)[2][2]=1; Flags=ReadBlobLSBShort(image); - if(Flags & LCK) x=ReadBlobLSBLong(image); /*Edit lock*/ + if(Flags & LCK) (void) ReadBlobLSBLong(image); /*Edit lock*/ if(Flags & OID) { if(Precision==0) - {x=ReadBlobLSBShort(image);} /*ObjectID*/ + {(void) ReadBlobLSBShort(image);} /*ObjectID*/ else - {x=ReadBlobLSBLong(image);} /*ObjectID (Double precision)*/ + {(void) ReadBlobLSBLong(image);} /*ObjectID (Double precision)*/ } if(Flags & ROT) { @@ -740,6 +749,9 @@ static Image *ExtractPostscript(Image *i FILE *ps_file; + int + c; + ImageInfo *clone_info; @@ -756,7 +768,7 @@ static Image *ExtractPostscript(Image *i clone_info->length=0; /* Obtain temporary file */ - AcquireUniqueFilename(postscript_file); + (void) AcquireUniqueFilename(postscript_file); ps_file=fopen_utf8(postscript_file,"wb"); if (ps_file == (FILE *) NULL) goto FINISH; @@ -766,10 +778,13 @@ static Image *ExtractPostscript(Image *i (void) ReadBlob(image, 2*MaxTextExtent, magick); (void) SeekBlob(image,PS_Offset,SEEK_SET); - while(PS_Size-- > 0) - { - (void) fputc(ReadBlobByte(image),ps_file); - } + while (PS_Size-- > 0) + { + c=ReadBlobByte(image); + if (c == EOF) + break; + (void) fputc(c,ps_file); + } (void) fclose(ps_file); /* Detect file format - Check magic.mgk configuration file. */ @@ -793,9 +808,9 @@ static Image *ExtractPostscript(Image *i Replace current image with new image while copying base image attributes. */ - (void) CopyMagickMemory(image2->filename,image->filename,MaxTextExtent); - (void) CopyMagickMemory(image2->magick_filename,image->magick_filename,MaxTextExtent); - (void) CopyMagickMemory(image2->magick,image->magick,MaxTextExtent); + (void) CopyMagickString(image2->filename,image->filename,MaxTextExtent); + (void) CopyMagickString(image2->magick_filename,image->magick_filename,MaxTextExtent); + (void) CopyMagickString(image2->magick,image->magick,MaxTextExtent); image2->depth=image->depth; DestroyBlob(image2); image2->blob=ReferenceBlob(image->blob); @@ -881,7 +896,7 @@ static Image *ReadWPGImage(const ImageIn typedef struct { unsigned int Width; - unsigned int Heigth; + unsigned int Height; unsigned int Depth; unsigned int HorzRes; unsigned int VertRes; @@ -890,7 +905,7 @@ static Image *ReadWPGImage(const ImageIn typedef struct { unsigned int Width; - unsigned int Heigth; + unsigned int Height; unsigned char Depth; unsigned char Compression; } WPG2BitmapType1; @@ -903,7 +918,7 @@ static Image *ReadWPGImage(const ImageIn unsigned int UpRightX; unsigned int UpRightY; unsigned int Width; - unsigned int Heigth; + unsigned int Height; unsigned int Depth; unsigned int HorzRes; unsigned int VertRes; @@ -1006,6 +1021,8 @@ static Image *ReadWPGImage(const ImageIn image->colors = 0; bpp=0; BitmapHeader2.RotAngle=0; + Rec2.RecordLength = 0; + Rec.RecordLength = 0; switch(Header.FileType) { @@ -1031,8 +1048,8 @@ static Image *ReadWPGImage(const ImageIn { case 0x0B: /* bitmap type 1 */ BitmapHeader1.Width=ReadBlobLSBShort(image); - BitmapHeader1.Heigth=ReadBlobLSBShort(image); - if ((BitmapHeader1.Width == 0) || (BitmapHeader1.Heigth == 0)) + BitmapHeader1.Height=ReadBlobLSBShort(image); + if ((BitmapHeader1.Width == 0) || (BitmapHeader1.Height == 0)) ThrowReaderException(CorruptImageError,"ImproperImageHeader"); BitmapHeader1.Depth=ReadBlobLSBShort(image); BitmapHeader1.HorzRes=ReadBlobLSBShort(image); @@ -1045,14 +1062,22 @@ static Image *ReadWPGImage(const ImageIn image->y_resolution=BitmapHeader1.VertRes/470.0; } image->columns=BitmapHeader1.Width; - image->rows=BitmapHeader1.Heigth; + image->rows=BitmapHeader1.Height; bpp=BitmapHeader1.Depth; + if (bpp > 24) + ThrowReaderException(CorruptImageError,"InvalidColormapIndex"); goto UnpackRaster; case 0x0E: /*Color palette */ WPG_Palette.StartIndex=ReadBlobLSBShort(image); WPG_Palette.NumOfEntries=ReadBlobLSBShort(image); + if (WPG_Palette.NumOfEntries == 0) + ThrowReaderException(CorruptImageError,"InvalidColormapIndex"); + + if (WPG_Palette.NumOfEntries > MaxMap+1) + ThrowReaderException(CorruptImageError,"InvalidColormapIndex"); + if ((WPG_Palette.NumOfEntries-WPG_Palette.StartIndex) > (Rec2.RecordLength-2-2) / 3) ThrowReaderException(CorruptImageError,"InvalidColormapIndex"); @@ -1087,8 +1112,8 @@ static Image *ReadWPGImage(const ImageIn BitmapHeader2.UpRightX=ReadBlobLSBShort(image); BitmapHeader2.UpRightY=ReadBlobLSBShort(image); BitmapHeader2.Width=ReadBlobLSBShort(image); - BitmapHeader2.Heigth=ReadBlobLSBShort(image); - if ((BitmapHeader2.Width == 0) || (BitmapHeader2.Heigth == 0)) + BitmapHeader2.Height=ReadBlobLSBShort(image); + if ((BitmapHeader2.Width == 0) || (BitmapHeader2.Height == 0)) ThrowReaderException(CorruptImageError,"ImproperImageHeader"); BitmapHeader2.Depth=ReadBlobLSBShort(image); BitmapHeader2.HorzRes=ReadBlobLSBShort(image); @@ -1107,14 +1132,16 @@ static Image *ReadWPGImage(const ImageIn image->y_resolution=BitmapHeader2.VertRes/470.0; } image->columns=BitmapHeader2.Width; - image->rows=BitmapHeader2.Heigth; + image->rows=BitmapHeader2.Height; bpp=BitmapHeader2.Depth; + if (bpp > 24) + ThrowReaderException(CorruptImageError,"InvalidColormapIndex"); UnpackRaster: status=SetImageExtent(image,image->columns,image->rows); if (status == MagickFalse) break; - if ((image->colors == 0) && (bpp <= 16)) + if ((image->storage_class != PseudoClass) && (bpp != 24)) { image->colors=one << bpp; if (!AcquireImageColormap(image,image->colors)) @@ -1188,8 +1215,7 @@ static Image *ReadWPGImage(const ImageIn ReplaceImageInList(&image,flip_image); } } - - /* rotate command */ + /* rotate command */ if(BitmapHeader2.RotAngle & 0x0FFF) { Image @@ -1256,6 +1282,19 @@ static Image *ReadWPGImage(const ImageIn case 0x0C: /* Color palette */ WPG_Palette.StartIndex=ReadBlobLSBShort(image); WPG_Palette.NumOfEntries=ReadBlobLSBShort(image); + /* Sanity check for amount of palette entries. */ + if (WPG_Palette.NumOfEntries == 0) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + + if (WPG_Palette.NumOfEntries > MaxMap+1) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + + if ( (WPG_Palette.StartIndex > WPG_Palette.NumOfEntries) || + (((WPG_Palette.NumOfEntries-WPG_Palette.StartIndex) > + ((Rec2.RecordLength-2-2) / 3))) ) + ThrowReaderException(CorruptImageError,"InvalidColormapIndex"); + + if ((WPG_Palette.NumOfEntries-WPG_Palette.StartIndex) > (Rec2.RecordLength-2-2) / 3) ThrowReaderException(CorruptImageError,"InvalidColormapIndex"); @@ -1277,8 +1316,8 @@ static Image *ReadWPGImage(const ImageIn break; case 0x0E: Bitmap2Header1.Width=ReadBlobLSBShort(image); - Bitmap2Header1.Heigth=ReadBlobLSBShort(image); - if ((Bitmap2Header1.Width == 0) || (Bitmap2Header1.Heigth == 0)) + Bitmap2Header1.Height=ReadBlobLSBShort(image); + if ((Bitmap2Header1.Width == 0) || (Bitmap2Header1.Height == 0)) ThrowReaderException(CorruptImageError,"ImproperImageHeader"); Bitmap2Header1.Depth=ReadBlobByte(image); Bitmap2Header1.Compression=ReadBlobByte(image); @@ -1306,13 +1345,11 @@ static Image *ReadWPGImage(const ImageIn continue; /*Ignore raster with unknown depth*/ } image->columns=Bitmap2Header1.Width; - image->rows=Bitmap2Header1.Heigth; - + image->rows=Bitmap2Header1.Height; status=SetImageExtent(image,image->columns,image->rows); if (status == MagickFalse) break; - - if ((image->storage_class != PseudoClass) && (bpp != 24)) + if ((image->colors == 0) && (bpp != 24)) { size_t one; @@ -1342,14 +1379,19 @@ static Image *ReadWPGImage(const ImageIn if (BImgBuff == (unsigned char *) NULL) goto NoMemory; - for(i=0; i< (ssize_t) image->rows; i++) - { - (void) ReadBlob(image,ldblk,BImgBuff); - InsertRow(BImgBuff,i,image,bpp); - } + for (i=0; i< (ssize_t) image->rows; i++) + { + (void) ReadBlob(image,ldblk,BImgBuff); + if (InsertRow(BImgBuff,i,image,bpp) == MagickFalse) + { + if(BImgBuff) + BImgBuff=(unsigned char *) RelinquishMagickMemory(BImgBuff); + goto DecompressionFailed; + } + } if(BImgBuff) - BImgBuff=(unsigned char *) RelinquishMagickMemory(BImgBuff);; + BImgBuff=(unsigned char *) RelinquishMagickMemory(BImgBuff); break; } case 1: /*RLE for WPG2 */
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor