File ImageMagick-CVE-2015-8958,CVE-2016-7518.patch of Package ImageMagick.9293

Overview Repositories Revisions Requests Users Attributes Meta

File ImageMagick-CVE-2015-8958,CVE-2016-7518.patch of Package ImageMagick.9293

From a09637681647e141a130b8a4e24100ebe81646ab Mon Sep 17 00:00:00 2001
From: cristy <urban-warrior@git.imagemagick.org>
Date: Sat, 10 Jan 2015 14:09:41 +0000
Subject: [PATCH] 
 http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26857

---
 coders/sun.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: ImageMagick-6.8.9-8/coders/sun.c
===================================================================
--- ImageMagick-6.8.9-8.orig/coders/sun.c	2016-10-04 11:57:59.758548080 +0200
+++ ImageMagick-6.8.9-8/coders/sun.c	2016-10-04 11:58:56.655560810 +0200
@@ -17,7 +17,7 @@
 %                                 July 1992                                   %
 %                                                                             %
 %                                                                             %
-%  Copyright 1999-2014 ImageMagick Studio LLC, a non-profit organization      %
+%  Copyright 1999-2016 ImageMagick Studio LLC, a non-profit organization      %
 %  dedicated to making software imaging solutions freely available.           %
 %                                                                             %
 %  You may not use this file except in compliance with the License.  You may  %
@@ -47,6 +47,7 @@
 #include "magick/color.h"
 #include "magick/color-private.h"
 #include "magick/colormap.h"
+#include "magick/colormap-private.h"
 #include "magick/colorspace.h"
 #include "magick/colorspace-private.h"
 #include "magick/exception.h"
@@ -56,6 +57,7 @@
 #include "magick/list.h"
 #include "magick/magick.h"
 #include "magick/memory_.h"
+#include "magick/memory-private.h"
 #include "magick/monitor.h"
 #include "magick/monitor-private.h"
 #include "magick/pixel-accessor.h"
@@ -76,6 +78,24 @@ static inline ssize_t MagickMax(const ss
 
 static MagickBooleanType
   WriteSUNImage(const ImageInfo *,Image *);
+
+static MagickBooleanType HeapOverflowSanityCheck(const size_t count,
+  const size_t quantum)
+{
+  size_t
+    size;
+
+  size=count*quantum;
+  if ((count == 0) || (quantum != (size/count)))
+    {
+      errno=ENOMEM;
+      return(MagickTrue);
+    }
+  return(MagickFalse);
+}
+
+static MagickBooleanType
+  WriteSUNImage(const ImageInfo *,Image *);
 
 /*
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
@@ -145,10 +165,9 @@ static MagickBooleanType IsSUN(const uns
 %
 */
 static MagickBooleanType DecodeImage(const unsigned char *compressed_pixels,
-  const size_t length,unsigned char *pixels,size_t maxpixels)
+  const size_t length,unsigned char *pixels,size_t extent)
 {
   register const unsigned char
-    *l,
     *p;
 
   register unsigned char
@@ -165,8 +184,8 @@ static MagickBooleanType DecodeImage(con
   assert(pixels != (unsigned char *) NULL);
   p=compressed_pixels;
   q=pixels;
-  l=q+maxpixels;
-  while (((size_t) (p-compressed_pixels) < length) && (q < l))
+  while (((size_t) (p-compressed_pixels) < length) &&
+         ((size_t) (q-pixels) < extent))
   {
     byte=(*p++);
     if (byte != 128U)
@@ -174,19 +193,25 @@ static MagickBooleanType DecodeImage(con
     else
       {
         /*
-          Runlength-encoded packet: <count><byte>
+          Runlength-encoded packet: <count><byte>.
         */
-        count=(ssize_t) (*p++);
+        if (((size_t) (p-compressed_pixels) >= length))
+          break;
+        count=(*p++);
         if (count > 0)
-          byte=(*p++);
-        while ((count >= 0) && (q < l))
+          {
+            if (((size_t) (p-compressed_pixels) >= length))
+              break;
+            byte=(*p++);
+          }
+        while ((count >= 0) && ((size_t) (q-pixels) < extent))
         {
           *q++=byte;
           count--;
         }
      }
   }
-  return(MagickTrue);
+  return(((size_t) (q-pixels) == extent) ? MagickTrue : MagickFalse);
 }
 
 /*
@@ -263,8 +288,10 @@ static Image *ReadSUNImage(const ImageIn
     *p;
 
   size_t
+    bytes_per_line,
     extent,
-    length;
+    height,
+    pixels_length;
 
   ssize_t
     count,
@@ -277,9 +304,6 @@ static Image *ReadSUNImage(const ImageIn
     *sun_data,
     *sun_pixels;
 
-  unsigned int
-    bytes_per_line;
-
   /*
     Open image file.
   */
@@ -319,13 +343,14 @@ static Image *ReadSUNImage(const ImageIn
     extent=sun_info.height*sun_info.width;
     if ((sun_info.height != 0) && (sun_info.width != extent/sun_info.height))
       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
-    if ((sun_info.depth == 0) || (sun_info.depth > 32))
-      ThrowReaderException(CorruptImageError,"ImproperImageHeader");
     if ((sun_info.type != RT_STANDARD) && (sun_info.type != RT_ENCODED) &&
         (sun_info.type != RT_FORMAT_RGB))
       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
     if ((sun_info.maptype == RMT_NONE) && (sun_info.maplength != 0))
       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+    if ((sun_info.depth != 1) && (sun_info.depth != 8) &&
+        (sun_info.depth != 24) && (sun_info.depth != 32))
+      ThrowReaderException(CorruptImageError,"ImproperImageHeader");
     if ((sun_info.maptype != RMT_NONE) && (sun_info.maptype != RMT_EQUAL_RGB) &&
         (sun_info.maptype != RMT_RAW))
       ThrowReaderException(CoderError,"ColormapTypeNotSupported");
@@ -338,7 +363,6 @@ static Image *ReadSUNImage(const ImageIn
         size_t
           one;
 
-        image->storage_class=PseudoClass;
         image->colors=sun_info.maplength;
         one=1;
         if (sun_info.maptype == RMT_NONE)
@@ -411,48 +435,77 @@ static Image *ReadSUNImage(const ImageIn
         (void) CloseBlob(image);
         return(GetFirstImageInList(image));
       }
-    if ((sun_info.length*sizeof(*sun_data))/sizeof(*sun_data) !=
-        sun_info.length || !sun_info.length)
-      ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-    number_pixels=(MagickSizeType) image->columns*image->rows;
-    if ((sun_info.type != RT_ENCODED) && (sun_info.depth >= 8) &&
-        ((number_pixels*((sun_info.depth+7)/8)) > sun_info.length))
+    status=SetImageExtent(image,image->columns,image->rows);
+    if (status == MagickFalse)
+      {
+        InheritException(exception,&image->exception);
+        return(DestroyImageList(image));
+      }
+    if (sun_info.length == 0)
+      ThrowReaderException(ResourceLimitError,"ImproperImageHeader");
+    number_pixels=(MagickSizeType) (image->columns*image->rows);
+    if ((sun_info.type != RT_ENCODED) &&
+        ((number_pixels*sun_info.depth) > (8UL*sun_info.length)))
+      ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+    if (HeapOverflowSanityCheck(sun_info.width,sun_info.depth) != MagickFalse)
       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
     bytes_per_line=sun_info.width*sun_info.depth;
-    sun_data=(unsigned char *) AcquireQuantumMemory((size_t) MagickMax(
-      sun_info.length,bytes_per_line*sun_info.width),sizeof(*sun_data));
+    sun_data=(unsigned char *) AcquireQuantumMemory(sun_info.length,
+      sizeof(*sun_data));
     if (sun_data == (unsigned char *) NULL)
       ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
     count=(ssize_t) ReadBlob(image,sun_info.length,sun_data);
     if (count != (ssize_t) sun_info.length)
-      ThrowReaderException(CorruptImageError,"UnableToReadImageData");
-    sun_pixels=sun_data;
-    bytes_per_line=0;
-    if (sun_info.type == RT_ENCODED)
       {
-        size_t
-          height;
-
-        /*
-          Read run-length encoded raster pixels.
-        */
-        height=sun_info.height;
-        if ((height == 0) || (sun_info.width == 0) || (sun_info.depth == 0) ||
-            ((bytes_per_line/sun_info.depth) != sun_info.width))
-          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-        bytes_per_line+=15;
-        bytes_per_line<<=1;
-        if ((bytes_per_line >> 1) != (sun_info.width*sun_info.depth+15))
-          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-        bytes_per_line>>=4;
-        sun_pixels=(unsigned char *) AcquireQuantumMemory(height,
-          bytes_per_line*sizeof(*sun_pixels));
-        if (sun_pixels == (unsigned char *) NULL)
-          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-        (void) DecodeImage(sun_data,sun_info.length,sun_pixels,bytes_per_line*
-          height);
         sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
+        ThrowReaderException(CorruptImageError,"UnableToReadImageData");
+      }
+    height=sun_info.height;
+    if ((height == 0) || (sun_info.width == 0) || (sun_info.depth == 0) ||
+        ((bytes_per_line/sun_info.depth) != sun_info.width))
+      {
+        sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
+        ThrowReaderException(ResourceLimitError,"ImproperImageHeader");
+      }
+    bytes_per_line+=15;
+    bytes_per_line<<=1;
+    if ((bytes_per_line >> 1) != (sun_info.width*sun_info.depth+15))
+      {
+        sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
+        ThrowReaderException(ResourceLimitError,"ImproperImageHeader");
+      }
+    bytes_per_line>>=4;
+    if (HeapOverflowSanityCheck(height,bytes_per_line) != MagickFalse)
+      {
+        sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
+        ThrowReaderException(ResourceLimitError,"ImproperImageHeader");
       }
+    pixels_length=height*(MagickMax(image->columns,bytes_per_line)+1);
+    sun_pixels=(unsigned char *) AcquireQuantumMemory(pixels_length,
+      sizeof(*sun_pixels));
+    if (sun_pixels == (unsigned char *) NULL)
+      {
+        sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
+        ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+      }
+    ResetMagickMemory(sun_pixels,0,pixels_length*sizeof(*sun_pixels));
+    if (sun_info.type == RT_ENCODED)
+      {
+        status=DecodeImage(sun_data,sun_info.length,sun_pixels,pixels_length);
+        if (status == MagickFalse)
+          ThrowReaderException(CorruptImageError,"UnableToReadImageData");
+      }
+    else
+      {
+        if (sun_info.length > pixels_length)
+          {
+            sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
+            sun_pixels=(unsigned char *) RelinquishMagickMemory(sun_pixels);
+            ThrowReaderException(ResourceLimitError,"ImproperImageHeader");
+          }
+        (void) CopyMagickMemory(sun_pixels,sun_data,sun_info.length);
+      }
+    sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
     /*
       Convert SUN raster image to pixel packets.
     */
@@ -491,11 +544,6 @@ static Image *ReadSUNImage(const ImageIn
     else
       if (image->storage_class == PseudoClass)
         {
-          length=image->rows*(image->columns+image->columns % 2);
-          if (((sun_info.type == RT_ENCODED) &&
-               (length > (bytes_per_line*image->rows))) ||
-              ((sun_info.type != RT_ENCODED) && (length > sun_info.length)))
-            ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
           for (y=0; y < (ssize_t) image->rows; y++)
           {
             q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
@@ -503,7 +551,10 @@ static Image *ReadSUNImage(const ImageIn
               break;
             indexes=GetAuthenticIndexQueue(image);
             for (x=0; x < (ssize_t) image->columns; x++)
-              SetPixelIndex(indexes+x,*p++);
+            {
+              SetPixelIndex(indexes+x,ConstrainColormapIndex(image,*p));
+              p++;
+            }
             if ((image->columns % 2) != 0)
               p++;
             if (SyncAuthenticPixels(image,exception) == MagickFalse)
@@ -525,12 +576,6 @@ static Image *ReadSUNImage(const ImageIn
           bytes_per_pixel=3;
           if (image->matte != MagickFalse)
             bytes_per_pixel++;
-          length=image->rows*((bytes_per_line*image->columns)+
-            image->columns % 2);
-          if (((sun_info.type == RT_ENCODED) &&
-               (length > (bytes_per_line*image->rows))) ||
-              ((sun_info.type != RT_ENCODED) && (length > sun_info.length)))
-            ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
           for (y=0; y < (ssize_t) image->rows; y++)
           {
             q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);

Places

File ImageMagick-CVE-2015-8958,CVE-2016-7518.patch of Package ImageMagick.9293

Places