File ImageMagick-CVE-2018-16644.patch of Package ImageMagick

Index: ImageMagick-6.8.8-1/coders/pict.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/pict.c	2019-02-14 15:19:25.847694428 +0100
+++ ImageMagick-6.8.8-1/coders/pict.c	2019-02-14 15:19:27.099700650 +0100
@@ -802,12 +802,25 @@ static MagickBooleanType ReadRectangle(I
 static Image *ReadPICTImage(const ImageInfo *image_info,
   ExceptionInfo *exception)
 {
+#define ThrowPICTException(exception,message) \
+{ \
+  if (tile_image != (Image *) NULL) \
+    tile_image=DestroyImage(tile_image); \
+  if (read_info != (ImageInfo *) NULL) \
+    read_info=DestroyImageInfo(read_info); \
+  ThrowReaderException((exception),(message)); \
+}
   char
     geometry[MaxTextExtent],
     header_ole[4];
 
   Image
-    *image;
+    *image,
+    *tile_image;
+
+
+  ImageInfo
+    *read_info;
 
   IndexPacket
     index;
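Review bot: The first parameter of `ThrowPICTException` is named `exception`, but every call site in this patch passes a severity (`CorruptImageError`), and the enclosing function already has an `ExceptionInfo *exception` parameter, so the name misleads readers about what is substituted. Renaming it, `#define ThrowPICTException(severity,message) \` with `ThrowReaderException((severity),(message)); \` inside, keeps the expansion identical. A short comment above the macro stating that it releases `tile_image` and `read_info` before handing off to `ThrowReaderException` would also help, since that cleanup is invisible at the call sites. ReadPICTImage's body continues outside the hunk.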
@@ -872,6 +885,8 @@ static Image *ReadPICTImage(const ImageI
   /*
     Read PICT header.
   */
+  read_info=(ImageInfo *) NULL;
+  tile_image=(Image *) NULL;
   pixmap.bits_per_pixel=0;
   pixmap.component_count=0;
   /*
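Review bot: `read_info` and `tile_image` are set to NULL here, roughly eighty lines below their declarations, yet `ThrowPICTException` tests both pointers wherever it is expanded. Nothing visible uses the macro before this point, but an error exit later moved above these two lines would test indeterminate pointers and could pass them to `DestroyImage` or `DestroyImageInfo`. Making the two assignments the first statements of the function body, or recording the ordering requirement with a comment such as `/* must precede any ThrowPICTException */`, would remove that trap. The lines between the declarations and this hunk are not shown.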
@@ -946,6 +961,9 @@ static Image *ReadPICTImage(const ImageI
               Clipping rectangle.
             */
             length=ReadBlobMSBShort(image);
+            if (length > GetBlobSize(image))
+              ThrowPICTException(CorruptImageError,
+                "InsufficientImageDataInFile");
             if (length != 0x000a)
               {
                 for (i=0; i < (ssize_t) (length-2); i++)
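Review bot: The guard `length > GetBlobSize(image)` compares the declared length with the size of the whole blob rather than with the bytes still unread, so a length that overruns the remaining data but is smaller than the file still passes; the same applies to the checks added at -987, -998, -1049, -1182, -1310, -1421, -1464 and -1474. For the 16-bit reads this rejects only inputs shorter than 64 KiB, and at -1474 the length is masked to `0xff`, so the check fires only for blobs under 255 bytes. The skip loops also discard the result of `ReadBlobByte`, so they keep iterating after end of file; `if (ReadBlobByte(image) == EOF) break;` as the loop body would stop them at the real end of data. The surrounding case begins and ends outside the hunk.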
@@ -987,6 +1005,9 @@ static Image *ReadPICTImage(const ImageI
             if (pattern != 1)
               ThrowReaderException(CorruptImageError,"UnknownPatternType");
             length=ReadBlobMSBShort(image);
+            if (length > GetBlobSize(image))
+              ThrowPICTException(CorruptImageError,
+                "InsufficientImageDataInFile");
             if (ReadRectangle(image,&frame) == MagickFalse)
               ThrowReaderException(CorruptImageError,"ImproperImageHeader");
             if (ReadPixmap(image,&pixmap) == MagickFalse)
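Review bot: The new exit uses `ThrowPICTException`, while the neighbouring `UnknownPatternType` and `ImproperImageHeader` exits still use `ThrowReaderException`, which, unlike the new macro, is not shown releasing `tile_image` or `read_info`. Now that both pointers live at function scope, whether they can be non-NULL at this point depends on code outside the hunk. Switching the neighbouring exits to `ThrowPICTException` as well would make the cleanup uniform instead of relying on that.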
@@ -998,6 +1019,9 @@ static Image *ReadPICTImage(const ImageI
             (void) ReadBlobMSBLong(image);
             flags=1L*ReadBlobMSBShort(image);
             length=ReadBlobMSBShort(image);
+            if (length > GetBlobSize(image))
+              ThrowPICTException(CorruptImageError,
+                "InsufficientImageDataInFile");
             for (i=0; i <= (ssize_t) length; i++)
               (void) ReadBlobMSBLong(image);
             width=1UL*(frame.bottom-frame.top);
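Review bot: `length` counts 4-byte entries in this case, because the loop that follows calls `ReadBlobMSBLong` `length+1` times, but the added guard compares that count with a size in bytes. A count just under the blob size therefore still allows about four times more reads than the file can hold. Scaling the comparison, for example `if ((MagickSizeType) 4*(length+1) > GetBlobSize(image))`, would match what the loop consumes. The case body continues outside the hunk.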
@@ -1049,6 +1073,9 @@ static Image *ReadPICTImage(const ImageI
               Skip polygon or region.
             */
             length=ReadBlobMSBShort(image);
+            if (length > GetBlobSize(image))
+              ThrowPICTException(CorruptImageError,
+                "InsufficientImageDataInFile");
             for (i=0; i < (ssize_t) (length-2); i++)
               (void) ReadBlobByte(image);
             break;
@@ -1076,9 +1103,6 @@ static Image *ReadPICTImage(const ImageI
             unsigned char
               *pixels;
 
-            Image
-              *tile_image;
-
             /*
               Pixmap clipped by a rectangle.
             */
@@ -1182,6 +1206,9 @@ static Image *ReadPICTImage(const ImageI
                   Skip region.
                 */
                 length=ReadBlobMSBShort(image);
+                if (length > GetBlobSize(image))
+                  ThrowPICTException(CorruptImageError,
+                    "InsufficientImageDataInFile");
                 for (i=0; i < (ssize_t) (length-2); i++)
                   (void) ReadBlobByte(image);
               }
@@ -1310,6 +1337,9 @@ static Image *ReadPICTImage(const ImageI
             */
             type=ReadBlobMSBShort(image);
             length=ReadBlobMSBShort(image);
+            if (length > GetBlobSize(image))
+              ThrowPICTException(CorruptImageError,
+                "InsufficientImageDataInFile");
             if (length == 0)
               break;
             (void) ReadBlobMSBLong(image);
@@ -1391,12 +1421,6 @@ static Image *ReadPICTImage(const ImageI
         FILE
           *file;
 
-        Image
-          *tile_image;
-
-        ImageInfo
-          *read_info;
-
         int
           unique_file;
 
@@ -1421,6 +1445,9 @@ static Image *ReadPICTImage(const ImageI
             return((Image *) NULL);
           }
         length=ReadBlobMSBLong(image);
+        if (length > GetBlobSize(image))
+          ThrowPICTException(CorruptImageError,
+            "InsufficientImageDataInFile");
         for (i=0; i < 6; i++)
           (void) ReadBlobMSBLong(image);
         if (ReadRectangle(image,&frame) == MagickFalse)
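Review bot: This exit may leave a temporary file behind. The enclosing block declares `FILE *file` and `int unique_file` (context of the -1391 hunk) and an early `return((Image *) NULL)` sits just above, which suggests the temporary file is already open when `length` is read. `ThrowPICTException` releases only `tile_image` and `read_info`, so a truncated input would leave the stream open and the file on disk. If that reading is right, and assuming the temporary path is held in `read_info->filename`, add `(void) fclose(file);` and `(void) RelinquishUniqueFileResource(read_info->filename);` before the throw, with braces around the three statements. The block starts outside the hunk, so confirm where the file is opened.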
@@ -1464,6 +1491,9 @@ static Image *ReadPICTImage(const ImageI
           Skip reserved.
         */
         length=ReadBlobMSBShort(image);
+        if (length > GetBlobSize(image))
+          ThrowPICTException(CorruptImageError,
+            "InsufficientImageDataInFile");
         for (i=0; i < (ssize_t) length; i++)
           (void) ReadBlobByte(image);
         continue;
@@ -1474,6 +1504,9 @@ static Image *ReadPICTImage(const ImageI
           Skip reserved.
         */
         length=(size_t) ((code >> 7) & 0xff);
+        if (length > GetBlobSize(image))
+          ThrowPICTException(CorruptImageError,
+            "InsufficientImageDataInFile");
         for (i=0; i < (ssize_t) length; i++)
           (void) ReadBlobByte(image);
         continue;
Index: ImageMagick-6.8.8-1/coders/dcm.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/dcm.c	2019-02-14 15:19:26.063695502 +0100
+++ ImageMagick-6.8.8-1/coders/dcm.c	2019-02-14 15:21:39.600333230 +0100
@@ -3599,6 +3599,8 @@ static Image *ReadDCMImage(const ImageIn
 
         tag=(ReadBlobLSBShort(image) << 16) | ReadBlobLSBShort(image);
         length=(size_t) ReadBlobLSBLong(image);
+        if (length > (size_t) GetBlobSize(image))
+          ThrowDCMReaderException(CorruptImageError,"InsufficientImageDataInFile");
         if (tag == 0xFFFEE0DD)
           break; /* sequence delimiter tag */
         if (tag != 0xFFFEE000)
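Review bot: The cast in `length > (size_t) GetBlobSize(image)` narrows the blob size to `size_t`, which on a 32-bit build can truncate a large size and reject a valid length; the pict.c checks in this patch compare without a cast. Widening the other operand instead, `if ((MagickSizeType) length > GetBlobSize(image))`, avoids the truncation and keeps the two coders consistent. As in pict.c, the comparison is against the whole blob rather than the bytes still unread. The enclosing loop begins and ends outside the hunk.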