File ImageMagick-CVE-2016-8707.patch of Package ImageMagick
From e5dc6d628a1c6049dc95adcea5e49aaa7ef2c778 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Fri, 2 Dec 2016 11:07:56 -0500
Subject: [PATCH] Fix possible buffer overflow when writing compressed TIFFS
---
coders/tiff.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Index: ImageMagick-6.8.9-8/coders/tiff.c
===================================================================
--- ImageMagick-6.8.9-8.orig/coders/tiff.c 2016-12-13 11:20:21.303182880 +0100
+++ ImageMagick-6.8.9-8/coders/tiff.c 2016-12-13 11:29:56.260977266 +0100
@@ -1340,9 +1340,9 @@ RestoreMSCWarning
rows_per_strip);
(void) SetImageProperty(image,"tiff:rows-per-strip",value);
}
- if ((samples_per_pixel >= 2) && (interlace == PLANARCONFIG_CONTIG))
+ if ((samples_per_pixel >= 3) && (interlace == PLANARCONFIG_CONTIG))
method=ReadRGBAMethod;
- if ((samples_per_pixel >= 2) && (interlace == PLANARCONFIG_SEPARATE))
+ if ((samples_per_pixel >= 4) && (interlace == PLANARCONFIG_SEPARATE))
method=ReadCMYKAMethod;
if ((photometric != PHOTOMETRIC_RGB) &&
(photometric != PHOTOMETRIC_CIELAB) &&
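Review bot: The new thresholds `>= 3` and `>= 4` are bare numbers with no comment tying them to the readers they guard, so a later edit to this selection logic can easily loosen them again. Presumably ReadRGBAMethod needs at least three samples per pixel and ReadCMYKAMethod at least four, and the old `>= 2` let files with fewer samples reach those paths; a comment such as `/* RGBA path consumes >= 3 samples per pixel, CMYKA path >= 4; samples_per_pixel comes from the file */` above the two tests would record that. The subject line and diffstat (writing, 2 insertions and 2 deletions) also describe less than this patch file contains, since the later hunks change buffer handling in the reader. The condition on the last two lines continues outside the hunk.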
@@ -1362,7 +1362,12 @@ RestoreMSCWarning
method=ReadTileMethod;
quantum_info->endian=LSBEndian;
quantum_type=RGBQuantum;
- pixels=GetQuantumPixels(quantum_info);
+ pixels=(unsigned char *) AcquireMagickMemory(TIFFScanlineSize(tiff)+sizeof(uint32));
+ if (pixels == (unsigned char *) NULL)
+ {
+ TIFFClose(tiff);
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ }
switch (method)
{
case ReadSingleSampleMethod:
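Review bot: The allocation size `TIFFScanlineSize(tiff)+sizeof(uint32)` is derived from the file's header fields and used unchecked, and nothing says what the extra `sizeof(uint32)` bytes are for. If TIFFScanlineSize reports zero or an error value, the result is still a small non-NULL buffer, so the NULL test alone does not reject it; a guard such as `if (TIFFScanlineSize(tiff) <= 0)` before the allocation, taking the same TIFFClose/ThrowReaderException exit, would. Because `pixels` previously pointed at the quantum_info buffer, each case of the switch, which continues outside the hunk, should be checked to write no more than one scanline into the new buffer.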
@@ -1445,7 +1450,6 @@ RestoreMSCWarning
TIFFClose(tiff);
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
}
- pixels=GetQuantumPixels(quantum_info);
for (y=0; y < (ssize_t) image->rows; y++)
{
int
@@ -1503,7 +1507,6 @@ RestoreMSCWarning
TIFFClose(tiff);
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
}
- pixels=GetQuantumPixels(quantum_info);
for (y=0; y < (ssize_t) image->rows; y++)
{
int
@@ -1827,6 +1830,7 @@ RestoreMSCWarning
break;
}
}
+ pixels=(unsigned char *) RelinquishMagickMemory(pixels);
SetQuantumImageType(image,quantum_type);
next_tiff_frame:
if (quantum_info != (QuantumInfo *) NULL)
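Review bot: The added release runs only when control falls out of the switch, so the buffer allocated before the switch leaks on every other exit. The `TIFFClose(tiff); ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");` exits visible in the hunks at old lines 1445 and 1503 appear to sit between the allocation and this line and do not release `pixels`, and any jump to `next_tiff_frame:` from inside the switch would skip the release because the label follows it. Adding `pixels=(unsigned char *) RelinquishMagickMemory(pixels);` ahead of those exits, or moving the release below the label with `pixels` initialised to NULL, would close this. The cleanup under the label continues outside the hunk.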
@@ -3408,7 +3412,6 @@ RestoreMSCWarning
if (GetTIFFInfo(image_info,tiff,&tiff_info) == MagickFalse)
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
quantum_info->endian=LSBEndian;
- pixels=GetQuantumPixels(quantum_info);
tiff_info.scanline=GetQuantumPixels(quantum_info);
switch (photometric)
{