Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:Alexander_Naumov:SLE-12:Update
ImageMagick.29424
ImageMagick-CVE-2015-8958,CVE-2016-7518.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File ImageMagick-CVE-2015-8958,CVE-2016-7518.patch of Package ImageMagick.29424
From a09637681647e141a130b8a4e24100ebe81646ab Mon Sep 17 00:00:00 2001 From: cristy <urban-warrior@git.imagemagick.org> Date: Sat, 10 Jan 2015 14:09:41 +0000 Subject: [PATCH] http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26857 --- coders/sun.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: ImageMagick-6.8.9-8/coders/sun.c =================================================================== --- ImageMagick-6.8.9-8.orig/coders/sun.c 2016-10-04 11:57:59.758548080 +0200 +++ ImageMagick-6.8.9-8/coders/sun.c 2016-10-04 11:58:56.655560810 +0200 @@ -17,7 +17,7 @@ % July 1992 % % % % % -% Copyright 1999-2014 ImageMagick Studio LLC, a non-profit organization % +% Copyright 1999-2016 ImageMagick Studio LLC, a non-profit organization % % dedicated to making software imaging solutions freely available. % % % % You may not use this file except in compliance with the License. You may % @@ -47,6 +47,7 @@ #include "magick/color.h" #include "magick/color-private.h" #include "magick/colormap.h" +#include "magick/colormap-private.h" #include "magick/colorspace.h" #include "magick/colorspace-private.h" #include "magick/exception.h" @@ -56,6 +57,7 @@ #include "magick/list.h" #include "magick/magick.h" #include "magick/memory_.h" +#include "magick/memory-private.h" #include "magick/monitor.h" #include "magick/monitor-private.h" #include "magick/pixel-accessor.h" @@ -76,6 +78,24 @@ static inline ssize_t MagickMax(const ss static MagickBooleanType WriteSUNImage(const ImageInfo *,Image *); + +static MagickBooleanType HeapOverflowSanityCheck(const size_t count, + const size_t quantum) +{ + size_t + size; + + size=count*quantum; + if ((count == 0) || (quantum != (size/count))) + { + errno=ENOMEM; + return(MagickTrue); + } + return(MagickFalse); +} + +static MagickBooleanType + WriteSUNImage(const ImageInfo *,Image *); /* %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% @@ -145,10 +165,9 @@ static MagickBooleanType IsSUN(const uns % */ static MagickBooleanType DecodeImage(const unsigned char *compressed_pixels, - const size_t length,unsigned char *pixels,size_t maxpixels) + const size_t length,unsigned char *pixels,size_t extent) { register const unsigned char - *l, *p; register unsigned char @@ -165,8 +184,8 @@ static MagickBooleanType DecodeImage(con assert(pixels != (unsigned char *) NULL); p=compressed_pixels; q=pixels; - l=q+maxpixels; - while (((size_t) (p-compressed_pixels) < length) && (q < l)) + while (((size_t) (p-compressed_pixels) < length) && + ((size_t) (q-pixels) < extent)) { byte=(*p++); if (byte != 128U) @@ -174,19 +193,25 @@ static MagickBooleanType DecodeImage(con else { /* - Runlength-encoded packet: <count><byte> + Runlength-encoded packet: <count><byte>. */ - count=(ssize_t) (*p++); + if (((size_t) (p-compressed_pixels) >= length)) + break; + count=(*p++); if (count > 0) - byte=(*p++); - while ((count >= 0) && (q < l)) + { + if (((size_t) (p-compressed_pixels) >= length)) + break; + byte=(*p++); + } + while ((count >= 0) && ((size_t) (q-pixels) < extent)) { *q++=byte; count--; } } } - return(MagickTrue); + return(((size_t) (q-pixels) == extent) ? MagickTrue : MagickFalse); } /* @@ -263,8 +288,10 @@ static Image *ReadSUNImage(const ImageIn *p; size_t + bytes_per_line, extent, - length; + height, + pixels_length; ssize_t count, @@ -277,9 +304,6 @@ static Image *ReadSUNImage(const ImageIn *sun_data, *sun_pixels; - unsigned int - bytes_per_line; - /* Open image file. */ @@ -319,13 +343,14 @@ static Image *ReadSUNImage(const ImageIn extent=sun_info.height*sun_info.width; if ((sun_info.height != 0) && (sun_info.width != extent/sun_info.height)) ThrowReaderException(CorruptImageError,"ImproperImageHeader"); - if ((sun_info.depth == 0) || (sun_info.depth > 32)) - ThrowReaderException(CorruptImageError,"ImproperImageHeader"); if ((sun_info.type != RT_STANDARD) && (sun_info.type != RT_ENCODED) && (sun_info.type != RT_FORMAT_RGB)) ThrowReaderException(CorruptImageError,"ImproperImageHeader"); if ((sun_info.maptype == RMT_NONE) && (sun_info.maplength != 0)) ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + if ((sun_info.depth != 1) && (sun_info.depth != 8) && + (sun_info.depth != 24) && (sun_info.depth != 32)) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); if ((sun_info.maptype != RMT_NONE) && (sun_info.maptype != RMT_EQUAL_RGB) && (sun_info.maptype != RMT_RAW)) ThrowReaderException(CoderError,"ColormapTypeNotSupported"); @@ -338,7 +363,6 @@ static Image *ReadSUNImage(const ImageIn size_t one; - image->storage_class=PseudoClass; image->colors=sun_info.maplength; one=1; if (sun_info.maptype == RMT_NONE) @@ -411,48 +435,77 @@ static Image *ReadSUNImage(const ImageIn (void) CloseBlob(image); return(GetFirstImageInList(image)); } - if ((sun_info.length*sizeof(*sun_data))/sizeof(*sun_data) != - sun_info.length || !sun_info.length) - ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); - number_pixels=(MagickSizeType) image->columns*image->rows; - if ((sun_info.type != RT_ENCODED) && (sun_info.depth >= 8) && - ((number_pixels*((sun_info.depth+7)/8)) > sun_info.length)) + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } + if (sun_info.length == 0) + ThrowReaderException(ResourceLimitError,"ImproperImageHeader"); + number_pixels=(MagickSizeType) (image->columns*image->rows); + if ((sun_info.type != RT_ENCODED) && + ((number_pixels*sun_info.depth) > (8UL*sun_info.length))) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + if (HeapOverflowSanityCheck(sun_info.width,sun_info.depth) != MagickFalse) ThrowReaderException(CorruptImageError,"ImproperImageHeader"); bytes_per_line=sun_info.width*sun_info.depth; - sun_data=(unsigned char *) AcquireQuantumMemory((size_t) MagickMax( - sun_info.length,bytes_per_line*sun_info.width),sizeof(*sun_data)); + sun_data=(unsigned char *) AcquireQuantumMemory(sun_info.length, + sizeof(*sun_data)); if (sun_data == (unsigned char *) NULL) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); count=(ssize_t) ReadBlob(image,sun_info.length,sun_data); if (count != (ssize_t) sun_info.length) - ThrowReaderException(CorruptImageError,"UnableToReadImageData"); - sun_pixels=sun_data; - bytes_per_line=0; - if (sun_info.type == RT_ENCODED) { - size_t - height; - - /* - Read run-length encoded raster pixels. - */ - height=sun_info.height; - if ((height == 0) || (sun_info.width == 0) || (sun_info.depth == 0) || - ((bytes_per_line/sun_info.depth) != sun_info.width)) - ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); - bytes_per_line+=15; - bytes_per_line<<=1; - if ((bytes_per_line >> 1) != (sun_info.width*sun_info.depth+15)) - ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); - bytes_per_line>>=4; - sun_pixels=(unsigned char *) AcquireQuantumMemory(height, - bytes_per_line*sizeof(*sun_pixels)); - if (sun_pixels == (unsigned char *) NULL) - ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); - (void) DecodeImage(sun_data,sun_info.length,sun_pixels,bytes_per_line* - height); sun_data=(unsigned char *) RelinquishMagickMemory(sun_data); + ThrowReaderException(CorruptImageError,"UnableToReadImageData"); + } + height=sun_info.height; + if ((height == 0) || (sun_info.width == 0) || (sun_info.depth == 0) || + ((bytes_per_line/sun_info.depth) != sun_info.width)) + { + sun_data=(unsigned char *) RelinquishMagickMemory(sun_data); + ThrowReaderException(ResourceLimitError,"ImproperImageHeader"); + } + bytes_per_line+=15; + bytes_per_line<<=1; + if ((bytes_per_line >> 1) != (sun_info.width*sun_info.depth+15)) + { + sun_data=(unsigned char *) RelinquishMagickMemory(sun_data); + ThrowReaderException(ResourceLimitError,"ImproperImageHeader"); + } + bytes_per_line>>=4; + if (HeapOverflowSanityCheck(height,bytes_per_line) != MagickFalse) + { + sun_data=(unsigned char *) RelinquishMagickMemory(sun_data); + ThrowReaderException(ResourceLimitError,"ImproperImageHeader"); } + pixels_length=height*(MagickMax(image->columns,bytes_per_line)+1); + sun_pixels=(unsigned char *) AcquireQuantumMemory(pixels_length, + sizeof(*sun_pixels)); + if (sun_pixels == (unsigned char *) NULL) + { + sun_data=(unsigned char *) RelinquishMagickMemory(sun_data); + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + } + ResetMagickMemory(sun_pixels,0,pixels_length*sizeof(*sun_pixels)); + if (sun_info.type == RT_ENCODED) + { + status=DecodeImage(sun_data,sun_info.length,sun_pixels,pixels_length); + if (status == MagickFalse) + ThrowReaderException(CorruptImageError,"UnableToReadImageData"); + } + else + { + if (sun_info.length > pixels_length) + { + sun_data=(unsigned char *) RelinquishMagickMemory(sun_data); + sun_pixels=(unsigned char *) RelinquishMagickMemory(sun_pixels); + ThrowReaderException(ResourceLimitError,"ImproperImageHeader"); + } + (void) CopyMagickMemory(sun_pixels,sun_data,sun_info.length); + } + sun_data=(unsigned char *) RelinquishMagickMemory(sun_data); /* Convert SUN raster image to pixel packets. */ @@ -491,11 +544,6 @@ static Image *ReadSUNImage(const ImageIn else if (image->storage_class == PseudoClass) { - length=image->rows*(image->columns+image->columns % 2); - if (((sun_info.type == RT_ENCODED) && - (length > (bytes_per_line*image->rows))) || - ((sun_info.type != RT_ENCODED) && (length > sun_info.length))) - ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); for (y=0; y < (ssize_t) image->rows; y++) { q=QueueAuthenticPixels(image,0,y,image->columns,1,exception); @@ -503,7 +551,10 @@ static Image *ReadSUNImage(const ImageIn break; indexes=GetAuthenticIndexQueue(image); for (x=0; x < (ssize_t) image->columns; x++) - SetPixelIndex(indexes+x,*p++); + { + SetPixelIndex(indexes+x,ConstrainColormapIndex(image,*p)); + p++; + } if ((image->columns % 2) != 0) p++; if (SyncAuthenticPixels(image,exception) == MagickFalse) @@ -525,12 +576,6 @@ static Image *ReadSUNImage(const ImageIn bytes_per_pixel=3; if (image->matte != MagickFalse) bytes_per_pixel++; - length=image->rows*((bytes_per_line*image->columns)+ - image->columns % 2); - if (((sun_info.type == RT_ENCODED) && - (length > (bytes_per_line*image->rows))) || - ((sun_info.type != RT_ENCODED) && (length > sun_info.length))) - ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); for (y=0; y < (ssize_t) image->rows; y++) { q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor