File ImageMagick-CVE-2017-14175.patch of Package ImageMagick
From b8c63b156bf26b52e710b1a0643c846a6cd01e56 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Thu, 31 Aug 2017 09:10:37 -0400
Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/712
---
coders/xbm.c | 31 +++++++++++++++++++++----------
1 file changed, 21 insertions(+), 10 deletions(-)
Index: ImageMagick-6.8.8-1/coders/xbm.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/xbm.c 2013-12-01 15:47:50.000000000 +0100
+++ ImageMagick-6.8.8-1/coders/xbm.c 2017-11-07 13:27:03.634917954 +0100
@@ -132,33 +132,39 @@ static MagickBooleanType IsXBM(const uns
*/
static int XBMInteger(Image *image,short int *hex_digits)
-{
+{
int
- c,
- flag,
+ c;
+
+ unsigned int
value;
-
- value=0;
- flag=0;
- for ( ; ; )
- {
+
+ /*
+ Skip any leading whitespace.
+ */
+ do
+ {
c=ReadBlobByte(image);
if (c == EOF)
- {
- value=(-1);
- break;
- }
+ return(-1);
+ } while ((c == ' ') || (c == '\t') || (c == '\n') || (c == '\r'));
+ /*
+ Evaluate number.
+ */
+ value=0;
+ while (hex_digits[c] >= 0) {
+ if (value > (unsigned int) (INT_MAX/10))
+ break;
+ value*=16;
c&=0xff;
- if (isxdigit(c) != MagickFalse)
- {
- value=(int) ((size_t) value << 4)+hex_digits[c];
- flag++;
- continue;
- }
- if ((hex_digits[c]) < 0 && (flag != 0))
+ if (value > (unsigned int) (INT_MAX-hex_digits[c]))
break;
+ value+=hex_digits[c];
+ c=ReadBlobByte(image);
+ if (c == EOF)
+ return(-1);
}
- return(value);
+ return((int) value);
}
static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
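Review bot: The first overflow guard inside `while (hex_digits[c] >= 0)` compares against `INT_MAX/10`, but the next statement is `value*=16`, so the bound does not match the radix. With a 32-bit `int`, a value just under `INT_MAX/10` passes the guard and exceeds `INT_MAX` after the multiply; the second guard then breaks, and `return((int) value)` converts an out-of-range value, which is implementation-defined and usually negative. The callers changed later in this patch treat any negative return as a failed read, so an over-long hex literal looks the same as end of file. Writing the guard as `if (value > (unsigned int) (INT_MAX/16))` keeps every returned value within `int` range. The loop condition also indexes `hex_digits[c]` before `c&=0xff` runs, so the mask either belongs before the first lookup or is redundant.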
@@ -170,6 +176,9 @@ static Image *ReadXBMImage(const ImageIn
Image
*image;
+ int
+ c;
+
MagickBooleanType
status;
@@ -195,7 +204,6 @@ static Image *ReadXBMImage(const ImageIn
bytes_per_line,
length,
padding,
- value,
version;
ssize_t
@@ -230,6 +238,7 @@ static Image *ReadXBMImage(const ImageIn
*/
width=0;
height=0;
+ *name='\0';
while (ReadBlobString(image,buffer) != (char *) NULL)
if (sscanf(buffer,"#define %s %lu",name,&width) == 2)
if ((strlen(name) >= 6) &&
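Review bot: The `sscanf(buffer,"#define %s %lu",name,&width)` call that the new `*name='\0';` precedes still uses an unbounded `%s`, so its safety rests on `name` being at least as large as `buffer`. Both declarations are outside this hunk, so that cannot be confirmed from here. Putting a field width of one less than the declared size of `name` in the format string would make the bound explicit at the call site. The `while` loop body continues past the end of the hunk.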
@@ -294,6 +303,8 @@ static Image *ReadXBMImage(const ImageIn
/*
Initialize hex values.
*/
+ for (i=0; i < (ssize_t)sizeof(hex_digits)/sizeof(*hex_digits); i++)
+ hex_digits[i]=(-1);
hex_digits[(int) '0']=0;
hex_digits[(int) '1']=1;
hex_digits[(int) '2']=2;
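Review bot: In the new initialisation loop the cast in `(ssize_t)sizeof(hex_digits)/sizeof(*hex_digits)` binds only to the numerator, so the quotient is still an unsigned `size_t` and `i` is compared as unsigned; `i < (ssize_t) (sizeof(hex_digits)/sizeof(*hex_digits))` says what is meant. The expression yields the element count only if `hex_digits` is a true array in this function, and its declaration is outside the hunk. A comment such as `/* -1 marks a byte that ends a number in XBMInteger() */` would record why the table is pre-filled, since the rewritten parser stops on `hex_digits[c] < 0`.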
@@ -339,17 +350,28 @@ static Image *ReadXBMImage(const ImageIn
if (version == 10)
for (i=0; i < (ssize_t) (bytes_per_line*image->rows); (i+=2))
{
- value=(size_t) XBMInteger(image,hex_digits);
- *p++=(unsigned char) value;
+ c=XBMInteger(image,hex_digits);
+ if (c < 0)
+ break;
+ *p++=(unsigned char) c;
if ((padding == 0) || (((i+2) % bytes_per_line) != 0))
- *p++=(unsigned char) (value >> 8);
+ *p++=(unsigned char) (c >> 8);
}
else
for (i=0; i < (ssize_t) (bytes_per_line*image->rows); i++)
{
- value=(size_t) XBMInteger(image,hex_digits);
- *p++=(unsigned char) value;
+ c=XBMInteger(image,hex_digits);
+ if (c < 0)
+ break;
+ *p++=(unsigned char) c;
}
+
+ if (EOFBlob(image) != MagickFalse)
+ {
+ data=(unsigned char *) RelinquishMagickMemory(data);
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ }
+
/*
Convert X bitmap image to pixel packets.
*/
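Review bot: The new `EOFBlob(image)` branch reports a truncated file as `ResourceLimitError,"MemoryAllocationFailed"`, which misleads anyone triaging a malformed XBM, because the condition is a blob that ended before `bytes_per_line*image->rows` values were read. `ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");` would describe it accurately. Separately, both loops `break` on any negative return from `XBMInteger`, but only end of file is checked afterwards. A break that was not caused by EOF therefore falls through to the pixel conversion with `data` only partly written, and whether `data` is zeroed at allocation is outside this hunk. Rejecting the image whenever a loop exits early would close that gap.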