File ImageMagick-CVE-2017-14175.patch of Package ImageMagick

From b8c63b156bf26b52e710b1a0643c846a6cd01e56 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Thu, 31 Aug 2017 09:10:37 -0400
Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/712

---
 coders/xbm.c | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)

Index: ImageMagick-6.8.8-1/coders/xbm.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/xbm.c	2013-12-01 15:47:50.000000000 +0100
+++ ImageMagick-6.8.8-1/coders/xbm.c	2017-11-07 13:27:03.634917954 +0100
@@ -132,33 +132,39 @@ static MagickBooleanType IsXBM(const uns
 */
 
 static int XBMInteger(Image *image,short int *hex_digits)
-{
+{ 
   int
-    c,
-    flag,
+    c;
+  
+  unsigned int
     value;
-
-  value=0;
-  flag=0;
-  for ( ; ; )
-  {
+  
+  /*
+    Skip any leading whitespace.
+  */
+  do
+  { 
     c=ReadBlobByte(image);
     if (c == EOF)
-      {
-        value=(-1);
-        break;
-      }
+      return(-1);
+  } while ((c == ' ') || (c == '\t') || (c == '\n') || (c == '\r'));
+  /*
+    Evaluate number.
+  */
+  value=0;
+  while (hex_digits[c] >= 0) { 
+    if (value > (unsigned int) (INT_MAX/10))
+      break;
+    value*=16;
     c&=0xff;
-    if (isxdigit(c) != MagickFalse)
-      {
-        value=(int) ((size_t) value << 4)+hex_digits[c];
-        flag++;
-        continue;
-      }
-    if ((hex_digits[c]) < 0 && (flag != 0))
+    if (value > (unsigned int) (INT_MAX-hex_digits[c]))
       break;
+    value+=hex_digits[c];
+    c=ReadBlobByte(image);
+    if (c == EOF)
+      return(-1);
   }
-  return(value);
+  return((int) value);
 }
 
 static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
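Review bot: The overflow guard in the `while (hex_digits[c] >= 0)` loop of XBMInteger tests `value > (unsigned int) (INT_MAX/10)` although the next statement multiplies by 16, so `value` can pass the guard and still exceed INT_MAX after `value*=16`. The second guard then breaks out and `return((int) value)` converts an out-of-range unsigned value, which is implementation-defined and usually negative; the callers added later in this patch treat any negative result as a failed read. Bounding by the actual radix, `if (value > (unsigned int) (INT_MAX/16))`, keeps the accumulator within int range. Separately, `c&=0xff;` runs after `hex_digits[c]` has already been evaluated as the loop condition, so it protects nothing; either mask before the test or drop it and add a comment stating the range ReadBlobByte is expected to return.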
@@ -170,6 +176,9 @@ static Image *ReadXBMImage(const ImageIn
   Image
     *image;
 
+  int
+    c;
+
   MagickBooleanType
     status;
 
@@ -195,7 +204,6 @@ static Image *ReadXBMImage(const ImageIn
     bytes_per_line,
     length,
     padding,
-    value,
     version;
 
   ssize_t
@@ -230,6 +238,7 @@ static Image *ReadXBMImage(const ImageIn
   */
   width=0;
   height=0;
+  *name='\0';
   while (ReadBlobString(image,buffer) != (char *) NULL)
     if (sscanf(buffer,"#define %s %lu",name,&width) == 2)
       if ((strlen(name) >= 6) &&
@@ -294,6 +303,8 @@ static Image *ReadXBMImage(const ImageIn
   /*
     Initialize hex values.
   */
+  for (i=0; i < (ssize_t)sizeof(hex_digits)/sizeof(*hex_digits); i++)
+    hex_digits[i]=(-1);
   hex_digits[(int) '0']=0;
   hex_digits[(int) '1']=1;
   hex_digits[(int) '2']=2;
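Review bot: In the new initialisation loop the cast binds only to the first operand, `(ssize_t)sizeof(hex_digits)/sizeof(*hex_digits)`, so the bound is still an unsigned size_t and `i` is converted to unsigned for the comparison. It works because `i` starts at 0, but the intent reads more clearly as `i < (ssize_t) (sizeof(hex_digits)/sizeof(*hex_digits))`. A one-line comment such as `/* default every entry to -1 so XBMInteger stops on any byte that is not a listed digit */` would record why the fill is needed, since XBMInteger now relies on `hex_digits[c] >= 0` alone. The declaration of hex_digits is outside the hunk, so it is worth confirming that the array has an entry for every byte value XBMInteger can index; ReadXBMImage itself starts and ends outside this hunk.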
@@ -339,17 +350,28 @@ static Image *ReadXBMImage(const ImageIn
   if (version == 10)
     for (i=0; i < (ssize_t) (bytes_per_line*image->rows); (i+=2))
     {
-      value=(size_t) XBMInteger(image,hex_digits);
-      *p++=(unsigned char) value;
+      c=XBMInteger(image,hex_digits);
+      if (c < 0)
+        break;
+      *p++=(unsigned char) c;
       if ((padding == 0) || (((i+2) % bytes_per_line) != 0))
-        *p++=(unsigned char) (value >> 8);
+        *p++=(unsigned char) (c >> 8);
     }
   else
     for (i=0; i < (ssize_t) (bytes_per_line*image->rows); i++)
     {
-      value=(size_t) XBMInteger(image,hex_digits);
-      *p++=(unsigned char) value;
+      c=XBMInteger(image,hex_digits);
+      if (c < 0)
+        break;
+      *p++=(unsigned char) c;
     }
+
+  if (EOFBlob(image) != MagickFalse)
+    {
+      data=(unsigned char *) RelinquishMagickMemory(data);
+      ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+    }
+
   /*
     Convert X bitmap image to pixel packets.
   */
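Review bot: Both read loops now `break` on any negative result from XBMInteger, but the check added after them only tests `EOFBlob(image)`. A negative return that is not an end-of-file (for example an over-long hex literal, if the conversion in XBMInteger wraps) would leave the rest of `data` unwritten and still proceed to pixel conversion. Recording the failure in a flag and testing it after the loops, or checking that `p` reached the end of the buffer, would close that gap; whether `data` is zero-filled at allocation is not visible here. The exception raised for a truncated file is `ResourceLimitError,"MemoryAllocationFailed"`, which misreports corrupt input as an out-of-memory condition; `ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");` would describe it accurately. ReadXBMImage begins and ends outside this hunk.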
