File ImageMagick-CVE-2018-16644.patch of Package ImageMagick

Overview Repositories Revisions Requests Users Attributes Meta

File ImageMagick-CVE-2018-16644.patch of Package ImageMagick

Index: ImageMagick-7.0.7-34/coders/pict.c
===================================================================
--- ImageMagick-7.0.7-34.orig/coders/pict.c	2018-05-20 17:55:43.000000000 +0200
+++ ImageMagick-7.0.7-34/coders/pict.c	2018-09-10 14:06:04.953317800 +0200
@@ -982,6 +982,9 @@ static Image *ReadPICTImage(const ImageI
               Clipping rectangle.
             */
             length=ReadBlobMSBShort(image);
+            if (length > GetBlobSize(image))
+              ThrowPICTException(CorruptImageError,
+                "InsufficientImageDataInFile");
             if (length != 0x000a)
               {
                 for (i=0; i < (ssize_t) (length-2); i++)
@@ -1030,6 +1033,9 @@ static Image *ReadPICTImage(const ImageI
             if (pattern != 1)
               ThrowPICTException(CorruptImageError,"UnknownPatternType");
             length=ReadBlobMSBShort(image);
+            if (length > GetBlobSize(image))
+              ThrowPICTException(CorruptImageError,
+                "InsufficientImageDataInFile");
             if (ReadRectangle(image,&frame) == MagickFalse)
               ThrowPICTException(CorruptImageError,"ImproperImageHeader");
             if (ReadPixmap(image,&pixmap) == MagickFalse)
@@ -1041,6 +1047,9 @@ static Image *ReadPICTImage(const ImageI
             (void) ReadBlobMSBLong(image);
             flags=(ssize_t) ReadBlobMSBShort(image);
             length=ReadBlobMSBShort(image);
+            if (length > GetBlobSize(image))
+              ThrowPICTException(CorruptImageError,
+                "InsufficientImageDataInFile");
             for (i=0; i <= (ssize_t) length; i++)
               (void) ReadBlobMSBLong(image);
             width=(size_t) (frame.bottom-frame.top);
@@ -1101,6 +1110,9 @@ static Image *ReadPICTImage(const ImageI
               Skip polygon or region.
             */
             length=ReadBlobMSBShort(image);
+            if (length > GetBlobSize(image))
+              ThrowPICTException(CorruptImageError,
+                "InsufficientImageDataInFile");
             for (i=0; i < (ssize_t) (length-2); i++)
               if (ReadBlobByte(image) == EOF)
                 break;
@@ -1223,6 +1235,9 @@ static Image *ReadPICTImage(const ImageI
                   Skip region.
                 */
                 length=ReadBlobMSBShort(image);
+                if (length > GetBlobSize(image))
+                  ThrowPICTException(CorruptImageError,
+                    "InsufficientImageDataInFile");
                 for (i=0; i < (ssize_t) (length-2); i++)
                   if (ReadBlobByte(image) == EOF)
                     break;
@@ -1345,6 +1360,9 @@ static Image *ReadPICTImage(const ImageI
             */
             type=ReadBlobMSBShort(image);
             length=ReadBlobMSBShort(image);
+            if (length > GetBlobSize(image))
+              ThrowPICTException(CorruptImageError,
+                "InsufficientImageDataInFile");
             if (length == 0)
               break;
             (void) ReadBlobMSBLong(image);
@@ -1454,6 +1472,9 @@ static Image *ReadPICTImage(const ImageI
             ThrowPICTException(FileOpenError,"UnableToCreateTemporaryFile");
           }
         length=ReadBlobMSBLong(image);
+        if (length > GetBlobSize(image))
+          ThrowPICTException(CorruptImageError,
+            "InsufficientImageDataInFile");
         if (length > 154)
           {
             for (i=0; i < 6; i++)
@@ -1504,6 +1525,9 @@ static Image *ReadPICTImage(const ImageI
           Skip reserved.
         */
         length=ReadBlobMSBShort(image);
+        if (length > GetBlobSize(image))
+          ThrowPICTException(CorruptImageError,
+            "InsufficientImageDataInFile");
         for (i=0; i < (ssize_t) length; i++)
           if (ReadBlobByte(image) == EOF)
             break;
@@ -1515,6 +1539,9 @@ static Image *ReadPICTImage(const ImageI
           Skip reserved.
         */
         length=(size_t) ((code >> 7) & 0xff);
+        if (length > GetBlobSize(image))
+          ThrowPICTException(CorruptImageError,
+            "InsufficientImageDataInFile");
         for (i=0; i < (ssize_t) length; i++)
           if (ReadBlobByte(image) == EOF)
             break;
Index: ImageMagick-7.0.7-34/coders/dcm.c
===================================================================
--- ImageMagick-7.0.7-34.orig/coders/dcm.c	2018-09-10 14:06:04.953317800 +0200
+++ ImageMagick-7.0.7-34/coders/dcm.c	2018-09-10 14:07:33.981774672 +0200
@@ -3834,6 +3834,8 @@ static Image *ReadDCMImage(const ImageIn
         tag=((unsigned int) ReadBlobLSBShort(image) << 16) |
           ReadBlobLSBShort(image);
         length=(size_t) ReadBlobLSBLong(image);
+        if (length > (size_t) GetBlobSize(image))
+          ThrowDCMException(CorruptImageError,"InsufficientImageDataInFile");
         if (tag == 0xFFFEE0DD)
           break; /* sequence delimiter tag */
         if (tag != 0xFFFEE000)

Places

File ImageMagick-CVE-2018-16644.patch of Package ImageMagick

Places