File ImageMagick-CVE-2017-12654.patch of Package ImageMagick
Index: ImageMagick-6.8.8-1/coders/pict.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/pict.c 2018-01-30 14:18:17.854378699 +0100
+++ ImageMagick-6.8.8-1/coders/pict.c 2018-01-30 14:20:27.288577400 +0100
@@ -73,27 +73,6 @@
/*
ImageMagick Macintosh PICT Methods.
*/
-#define ReadPixmap(pixmap) \
-{ \
- pixmap.version=(short) ReadBlobMSBShort(image); \
- pixmap.pack_type=(short) ReadBlobMSBShort(image); \
- pixmap.pack_size=ReadBlobMSBLong(image); \
- pixmap.horizontal_resolution=1UL*ReadBlobMSBShort(image); \
- (void) ReadBlobMSBShort(image); \
- pixmap.vertical_resolution=1UL*ReadBlobMSBShort(image); \
- (void) ReadBlobMSBShort(image); \
- pixmap.pixel_type=(short) ReadBlobMSBShort(image); \
- pixmap.bits_per_pixel=(short) ReadBlobMSBShort(image); \
- pixmap.component_count=(short) ReadBlobMSBShort(image); \
- pixmap.component_size=(short) ReadBlobMSBShort(image); \
- pixmap.plane_bytes=ReadBlobMSBLong(image); \
- pixmap.table=ReadBlobMSBLong(image); \
- pixmap.reserved=ReadBlobMSBLong(image); \
- if ((pixmap.bits_per_pixel <= 0) || (pixmap.bits_per_pixel > 32) || \
- (pixmap.component_count <= 0) || (pixmap.component_count > 4) || \
- (pixmap.component_size <= 0)) \
- ThrowReaderException(CorruptImageError,"ImproperImageHeader"); \
-}
typedef struct _PICTCode
{
@@ -785,6 +764,29 @@ static inline size_t MagickMax(const siz
return(y);
}
+static MagickBooleanType ReadPixmap(Image *image,PICTPixmap *pixmap)
+{
+ pixmap->version=(short) ReadBlobMSBShort(image);
+ pixmap->pack_type=(short) ReadBlobMSBShort(image);
+ pixmap->pack_size=ReadBlobMSBLong(image);
+ pixmap->horizontal_resolution=1UL*ReadBlobMSBShort(image);
+ (void) ReadBlobMSBShort(image);
+ pixmap->vertical_resolution=1UL*ReadBlobMSBShort(image);
+ (void) ReadBlobMSBShort(image);
+ pixmap->pixel_type=(short) ReadBlobMSBShort(image);
+ pixmap->bits_per_pixel=(short) ReadBlobMSBShort(image);
+ pixmap->component_count=(short) ReadBlobMSBShort(image);
+ pixmap->component_size=(short) ReadBlobMSBShort(image);
+ pixmap->plane_bytes=ReadBlobMSBLong(image);
+ pixmap->table=ReadBlobMSBLong(image);
+ pixmap->reserved=ReadBlobMSBLong(image);
+ if ((EOFBlob(image) != MagickFalse) || (pixmap->bits_per_pixel <= 0) ||
+ (pixmap->bits_per_pixel > 32) || (pixmap->component_count <= 0) ||
+ (pixmap->component_count > 4) || (pixmap->component_size <= 0))
+ return(MagickFalse);
+ return(MagickTrue);
+}
+
static MagickBooleanType ReadRectangle(Image *image,PICTRectangle *rectangle)
{
rectangle->top=(short) ReadBlobMSBShort(image);
@@ -987,7 +989,8 @@ static Image *ReadPICTImage(const ImageI
length=ReadBlobMSBShort(image);
if (ReadRectangle(image,&frame) == MagickFalse)
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
- ReadPixmap(pixmap);
+ if (ReadPixmap(image,&pixmap) == MagickFalse)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
image->depth=1UL*pixmap.component_size;
image->x_resolution=1.0*pixmap.horizontal_resolution;
image->y_resolution=1.0*pixmap.vertical_resolution;
@@ -1100,7 +1103,12 @@ static Image *ReadPICTImage(const ImageI
if ((code == 0x9a) || (code == 0x9b) ||
((bytes_per_line & 0x8000) != 0))
{
- ReadPixmap(pixmap);
+ if (ReadPixmap(image,&pixmap) == MagickFalse)
+ {
+ tile_image=DestroyImage(tile_image);
+ ThrowReaderException(CorruptImageError,
+ "ImproperImageHeader");
+ }
tile_image->depth=1UL*pixmap.component_size;
tile_image->matte=pixmap.component_count == 4 ?
MagickTrue : MagickFalse;
