File ImageMagick-CVE-2017-8344.patch of Package ImageMagick.29977
From 4c6289b2f39a47a430ce27b61d3e3967201e77e8 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Wed, 26 Apr 2017 16:58:26 -0400
Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/446
---
coders/pcx.c | 42 ++++++++++++++++++++++++------------------
1 file changed, 24 insertions(+), 18 deletions(-)
Index: ImageMagick-6.8.8-1/coders/pcx.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/pcx.c 2017-05-02 13:36:05.216882223 +0200
+++ ImageMagick-6.8.8-1/coders/pcx.c 2017-05-02 13:45:48.118528713 +0200
@@ -221,11 +221,15 @@ static inline size_t MagickMin(const siz
static Image *ReadPCXImage(const ImageInfo *image_info,ExceptionInfo *exception)
{
#define ThrowPCXException(severity,tag) \
- { \
+{ \
+ if (scanline != (unsigned char *) NULL) \
scanline=(unsigned char *) RelinquishMagickMemory(scanline); \
+ if (pixel_info != (MemoryInfo *) NULL) \
pixel_info=RelinquishVirtualMemory(pixel_info); \
- ThrowReaderException(severity,tag); \
- }
+ if (page_table != (MagickOffsetType *) NULL) \
+ page_table=(MagickOffsetType *) RelinquishMagickMemory(page_table); \
+ ThrowReaderException(severity,tag); \
+}
Image
*image;
@@ -302,6 +306,8 @@ static Image *ReadPCXImage(const ImageIn
Determine if this a PCX file.
*/
page_table=(MagickOffsetType *) NULL;
+ scanline=(unsigned char *) NULL;
+ pixel_info=(MemoryInfo *) NULL;
if (LocaleCompare(image_info->magick,"DCX") == 0)
{
size_t
@@ -312,11 +318,11 @@ static Image *ReadPCXImage(const ImageIn
*/
magic=ReadBlobLSBLong(image);
if (magic != 987654321)
- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ ThrowPCXException(CorruptImageError,"ImproperImageHeader");
page_table=(MagickOffsetType *) AcquireQuantumMemory(1024UL,
sizeof(*page_table));
if (page_table == (MagickOffsetType *) NULL)
- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ ThrowPCXException(ResourceLimitError,"MemoryAllocationFailed");
for (id=0; id < 1024; id++)
{
page_table[id]=(MagickOffsetType) ReadBlobLSBLong(image);
@@ -328,7 +334,7 @@ static Image *ReadPCXImage(const ImageIn
{
offset=SeekBlob(image,(MagickOffsetType) page_table[0],SEEK_SET);
if (offset < 0)
- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ ThrowPCXException(CorruptImageError,"ImproperImageHeader");
}
file_size=GetBlobSize(image);
count=ReadBlob(image,1,&pcx_info.identifier);
@@ -339,7 +345,7 @@ static Image *ReadPCXImage(const ImageIn
*/
pcx_info.version=(unsigned char) ReadBlobByte(image);
if ((count == 0) || (pcx_info.identifier != 0x0a))
- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ ThrowPCXException(CorruptImageError,"ImproperImageHeader");
pcx_info.encoding=(unsigned char) ReadBlobByte(image);
pcx_info.bits_per_pixel=(unsigned char) ReadBlobByte(image);
pcx_info.left=ReadBlobLSBShort(image);
@@ -357,7 +363,7 @@ static Image *ReadPCXImage(const ImageIn
pcx_info.top)+1UL;
if ((image->columns == 0) || (image->rows == 0) ||
(pcx_info.bits_per_pixel == 0))
- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ ThrowPCXException(CorruptImageError,"ImproperImageHeader");
image->depth=pcx_info.bits_per_pixel <= 8 ? 8U : MAGICKCORE_QUANTUM_DEPTH;
image->units=PixelsPerInchResolution;
image->x_resolution=(double) pcx_info.horizontal_resolution;
@@ -373,7 +379,7 @@ static Image *ReadPCXImage(const ImageIn
image->colors=(size_t) MagickMin(one << (1UL*
(pcx_info.bits_per_pixel*pcx_info.planes)),256UL);
if (AcquireImageColormap(image,image->colors) == MagickFalse)
- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ ThrowPCXException(ResourceLimitError,"MemoryAllocationFailed");
if ((pcx_info.bits_per_pixel >= 8) && (pcx_info.planes != 1))
image->storage_class=DirectClass;
p=pcx_colormap;
@@ -405,14 +411,14 @@ static Image *ReadPCXImage(const ImageIn
{
/* Not compressed */
if (uncompressed_size > file_size)
- ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"
+ ThrowPCXException(CorruptImageError,"InsufficientImageDataInFile"
);
}
else
{
/* RLE compressed */
if (uncompressed_size > file_size*254.0)
- ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"
+ ThrowPCXException(CorruptImageError,"InsufficientImageDataInFile"
);
}
}
@@ -423,7 +429,7 @@ static Image *ReadPCXImage(const ImageIn
pcx_packets=(size_t) image->rows*pcx_info.bytes_per_line*pcx_info.planes;
if ((size_t) (pcx_info.bits_per_pixel*pcx_info.planes*image->columns) >
(pcx_packets*8U))
- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ ThrowPCXException(CorruptImageError,"ImproperImageHeader");
scanline=(unsigned char *) AcquireQuantumMemory(MagickMax(image->columns,
pcx_info.bytes_per_line),MagickMax(8,pcx_info.planes)*sizeof(*scanline));
pixel_info=AcquireVirtualMemory(pcx_packets,2*sizeof(*pixels));
@@ -434,7 +440,7 @@ static Image *ReadPCXImage(const ImageIn
scanline=(unsigned char *) RelinquishMagickMemory(scanline);
if (pixel_info != (MemoryInfo *) NULL)
pixel_info=RelinquishVirtualMemory(pixel_info);
- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ ThrowPCXException(ResourceLimitError,"MemoryAllocationFailed");
}
pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
/*
@@ -688,7 +694,7 @@ static Image *ReadPCXImage(const ImageIn
break;
offset=SeekBlob(image,(MagickOffsetType) page_table[id],SEEK_SET);
if (offset < 0)
- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ ThrowPCXException(CorruptImageError,"ImproperImageHeader");
count=ReadBlob(image,1,&pcx_info.identifier);
if ((count != 0) && (pcx_info.identifier == 0x0a))
{
