Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:Alexander_Naumov:SLE-12:Update
ImageMagick.29424
ImageMagick-CVE-2014-9811.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File ImageMagick-CVE-2014-9811.patch of Package ImageMagick.29424
Index: ImageMagick-6.8.8-1/coders/xwd.c =================================================================== --- ImageMagick-6.8.8-1.orig/coders/xwd.c 2016-06-14 12:37:01.544787045 +0200 +++ ImageMagick-6.8.8-1/coders/xwd.c 2016-06-14 12:37:01.576787569 +0200 @@ -223,11 +223,8 @@ static Image *ReadXWDImage(const ImageIn Read in header information. */ count=ReadBlob(image,sz_XWDheader,(unsigned char *) &header); - if (count == 0) + if (count != sz_XWDheader) ThrowReaderException(CorruptImageError,"UnableToReadImageHeader"); - image->columns=header.pixmap_width; - image->rows=header.pixmap_height; - image->depth=8; /* Ensure the header byte-order is most-significant byte first. */ @@ -241,6 +238,25 @@ static Image *ReadXWDImage(const ImageIn ThrowReaderException(CorruptImageError,"FileFormatVersionMismatch"); if (header.header_size < sz_XWDheader) ThrowReaderException(CorruptImageError,"CorruptImage"); + switch (header.visual_class) { + case StaticGray: + case GrayScale: + case StaticColor: + case PseudoColor: + case TrueColor: + case DirectColor: + break; + default: + ThrowReaderException(CorruptImageError,"CorruptImage"); + } + switch (header.pixmap_format) { + case XYBitmap: + case XYPixmap: + case ZPixmap: + break; + default: + ThrowReaderException(CorruptImageError,"CorruptImage"); + } length=(size_t) header.header_size-sz_XWDheader; comment=(char *) AcquireQuantumMemory(length+1,sizeof(*comment)); if (comment == (char *) NULL) @@ -272,16 +288,30 @@ static Image *ReadXWDImage(const ImageIn ximage->red_mask=header.red_mask; ximage->green_mask=header.green_mask; ximage->blue_mask=header.blue_mask; - if ((ximage->depth < 0) || (ximage->width < 0) || (ximage->height < 0) || - (ximage->bitmap_pad < 0) || (ximage->bytes_per_line < 0)) - ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + if ((ximage->width < 0) || (ximage->height < 0) || (ximage->depth < 0) || + (ximage->format < 0) || (ximage->byte_order < 0) || + (ximage->bitmap_bit_order < 0) || (ximage->bitmap_pad < 0) || + (ximage->bytes_per_line < 0)) + { + ximage=(XImage *) RelinquishMagickMemory(ximage); + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + } if ((ximage->width > 65535) || (ximage->height > 65535)) - ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + { + ximage=(XImage *) RelinquishMagickMemory(ximage); + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + } if ((ximage->bits_per_pixel > 32) || (ximage->bitmap_unit > 32)) - ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + { + ximage=(XImage *) RelinquishMagickMemory(ximage); + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + } x_status=XInitImage(ximage); if (x_status == 0) - ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile"); + { + ximage=(XImage *) RelinquishMagickMemory(ximage); + ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile"); + } /* Read colormap. */ @@ -295,12 +325,18 @@ static Image *ReadXWDImage(const ImageIn length=(size_t) header.ncolors; colors=(XColor *) AcquireQuantumMemory(length,sizeof(*colors)); if (colors == (XColor *) NULL) - ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + { + ximage=(XImage *) RelinquishMagickMemory(ximage); + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + } for (i=0; i < (ssize_t) header.ncolors; i++) { count=ReadBlob(image,sz_XWDColor,(unsigned char *) &color); if (count == 0) - ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile"); + { + ximage=(XImage *) RelinquishMagickMemory(ximage); + ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile"); + } colors[i].pixel=color.pixel; colors[i].red=color.red; colors[i].green=color.green; @@ -327,7 +363,10 @@ static Image *ReadXWDImage(const ImageIn */ length=(size_t) ximage->bytes_per_line*ximage->height; if (CheckOverflowException(length,ximage->bytes_per_line,ximage->height)) - ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + { + ximage=(XImage *) RelinquishMagickMemory(ximage); + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + } if (ximage->format != ZPixmap) { size_t @@ -336,20 +375,31 @@ static Image *ReadXWDImage(const ImageIn extent=length; length*=ximage->depth; if (CheckOverflowException(length,extent,ximage->depth)) - ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + { + ximage=(XImage *) RelinquishMagickMemory(ximage); + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + } } ximage->data=(char *) AcquireQuantumMemory(length,sizeof(*ximage->data)); if (ximage->data == (char *) NULL) - ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + { + ximage=(XImage *) RelinquishMagickMemory(ximage); + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + } count=ReadBlob(image,length,(unsigned char *) ximage->data); if (count == 0) - ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile"); + { + ximage->data=DestroyString(ximage->data); + ximage=(XImage *) RelinquishMagickMemory(ximage); + ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile"); + } /* Convert image to MIFF format. */ image->columns=(size_t) ximage->width; image->rows=(size_t) ximage->height; - if ((colors == (XColor *) NULL) || (ximage->red_mask != 0) || + image->depth=8; + if ((header.ncolors == 0U) || (ximage->red_mask != 0) || (ximage->green_mask != 0) || (ximage->blue_mask != 0)) image->storage_class=DirectClass; else @@ -464,7 +514,11 @@ static Image *ReadXWDImage(const ImageIn Convert X image to PseudoClass packets. */ if (AcquireImageColormap(image,image->colors) == MagickFalse) - ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + { + ximage->data=DestroyString(ximage->data); + ximage=(XImage *) RelinquishMagickMemory(ximage); + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + } for (i=0; i < (ssize_t) image->colors; i++) { image->colormap[i].red=ScaleShortToQuantum(colors[i].red); @@ -705,7 +759,7 @@ static MagickBooleanType WriteXWDImage(c (void) WriteBlob(image,1,(const unsigned char *) "\0"); if (image->storage_class == PseudoClass) { - register unsigned int + register ssize_t i; XColor @@ -724,7 +778,7 @@ static MagickBooleanType WriteXWDImage(c ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed"); for (i=0; i < (ssize_t) image->colors; i++) { - colors[i].pixel=i; + colors[i].pixel=(unsigned long) i; colors[i].red=ScaleQuantumToShort(image->colormap[i].red); colors[i].green=ScaleQuantumToShort(image->colormap[i].green); colors[i].blue=ScaleQuantumToShort(image->colormap[i].blue);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor