File ImageMagick-CVE-2017-15930.patch of Package ImageMagick
Index: ImageMagick-6.8.8-1/coders/png.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/png.c 2017-11-06 13:21:48.028259385 +0100
+++ ImageMagick-6.8.8-1/coders/png.c 2017-11-06 13:37:50.268858434 +0100
@@ -4236,7 +4236,7 @@ static Image *ReadOneJNGImage(MngInfo *m
type[0]='\0';
(void) ConcatenateMagickString(type,"errr",MaxTextExtent);
- length=ReadBlobMSBLong(image);
+ length=(size_t) ReadBlobMSBLong(image);
count=(unsigned int) ReadBlob(image,4,(unsigned char *) type);
if (logging != MagickFalse)
@@ -4338,6 +4338,21 @@ static Image *ReadOneJNGImage(MngInfo *m
if (length)
chunk=(unsigned char *) RelinquishMagickMemory(chunk);
+ /* Rationalize dimensions with blob size if it is available */
+ if (IsBlobSeekable(image))
+ {
+ MagickSizeType
+ blob_size;
+
+ blob_size = GetBlobSize(image);
+ if ((blob_size == 0) ||
+ ((((double) jng_width*jng_height)/blob_size) > 512.0))
+ {
+ chunk=(unsigned char *) RelinquishMagickMemory(chunk);
+ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
+ }
+ }
+
continue;
}
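Review bot: The dimension check sits inside `if (IsBlobSeekable(image))`, so it is skipped entirely for non-seekable input such as a pipe, where the declared `jng_width*jng_height` is still not bounded against the data actually available; that path has to rely on configured resource limits, and a comment saying so would help. The ratio `512.0` is a bare magic number; I would name it or document it, e.g. `/* reject images claiming more than 512 pixels per byte of input */`. The `RelinquishMagickMemory(chunk)` on the error path looks redundant, because the line just above the block already assigns the result of the same call to `chunk` when `length` is non-zero. The enclosing chunk-handling branch starts outside the hunk, so I cannot confirm whether anything allocated earlier in ReadOneJNGImage needs releasing before `ThrowReaderException`.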
@@ -4694,6 +4709,8 @@ static Image *ReadOneJNGImage(MngInfo *m
{
s=GetVirtualPixels(jng_image,0,y,image->columns,1,&image->exception);
q=GetAuthenticPixels(image,0,y,image->columns,1,exception);
+ if ((s == (const PixelPacket *) NULL) || (q == (PixelPacket *) NULL))
+ break;
(void) CopyMagickMemory(q,s,length);
if (SyncAuthenticPixels(image,exception) == MagickFalse)
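Review bot: The new `break` on a NULL `s` or `q` leaves the row loop silently: the remaining rows are never copied and nothing in the hunk records a failure, so whether the caller sees an error depends on what `GetVirtualPixels` and `GetAuthenticPixels` stored in their exception arguments. The two calls report into different places (`&image->exception` versus `exception`), so a failure of the first may not be visible through `exception`. I would add a comment at the check, e.g. `/* pixel cache failure: stop copying; the error is left in the exception */`, or throw a reader exception explicitly if a partially filled image is not acceptable here. The same check and the same concern apply to the hunk at -4734; the loop body continues outside both hunks.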
@@ -4734,6 +4751,8 @@ static Image *ReadOneJNGImage(MngInfo *m
s=GetVirtualPixels(jng_image,0,y,image->columns,1,
&image->exception);
q=GetAuthenticPixels(image,0,y,image->columns,1,exception);
+ if ((s == (const PixelPacket *) NULL) || (q == (PixelPacket *) NULL))
+ break;
if (image->matte != MagickFalse)
for (x=(ssize_t) image->columns; x != 0; x--,q++,s++)