File ImageMagick-CVE-2017-12654.patch of Package ImageMagick.9182

Overview Repositories Revisions Requests Users Attributes Meta

File ImageMagick-CVE-2017-12654.patch of Package ImageMagick.9182

Index: ImageMagick-6.8.8-1/coders/pict.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/pict.c	2018-01-30 14:18:17.854378699 +0100
+++ ImageMagick-6.8.8-1/coders/pict.c	2018-01-30 14:20:27.288577400 +0100
@@ -73,27 +73,6 @@
 /*
   ImageMagick Macintosh PICT Methods.
 */
-#define ReadPixmap(pixmap) \
-{ \
-  pixmap.version=(short) ReadBlobMSBShort(image); \
-  pixmap.pack_type=(short) ReadBlobMSBShort(image); \
-  pixmap.pack_size=ReadBlobMSBLong(image); \
-  pixmap.horizontal_resolution=1UL*ReadBlobMSBShort(image); \
-  (void) ReadBlobMSBShort(image); \
-  pixmap.vertical_resolution=1UL*ReadBlobMSBShort(image); \
-  (void) ReadBlobMSBShort(image); \
-  pixmap.pixel_type=(short) ReadBlobMSBShort(image); \
-  pixmap.bits_per_pixel=(short) ReadBlobMSBShort(image); \
-  pixmap.component_count=(short) ReadBlobMSBShort(image); \
-  pixmap.component_size=(short) ReadBlobMSBShort(image); \
-  pixmap.plane_bytes=ReadBlobMSBLong(image); \
-  pixmap.table=ReadBlobMSBLong(image); \
-  pixmap.reserved=ReadBlobMSBLong(image); \
-  if ((pixmap.bits_per_pixel <= 0) || (pixmap.bits_per_pixel > 32) || \
-      (pixmap.component_count <= 0) || (pixmap.component_count > 4) || \
-      (pixmap.component_size <= 0)) \
-    ThrowReaderException(CorruptImageError,"ImproperImageHeader"); \
-}
 
 typedef struct _PICTCode
 {
@@ -785,6 +764,29 @@ static inline size_t MagickMax(const siz
   return(y);
 }
 
+static MagickBooleanType ReadPixmap(Image *image,PICTPixmap *pixmap)
+{
+  pixmap->version=(short) ReadBlobMSBShort(image);
+  pixmap->pack_type=(short) ReadBlobMSBShort(image);
+  pixmap->pack_size=ReadBlobMSBLong(image);
+  pixmap->horizontal_resolution=1UL*ReadBlobMSBShort(image);
+  (void) ReadBlobMSBShort(image);
+  pixmap->vertical_resolution=1UL*ReadBlobMSBShort(image);
+  (void) ReadBlobMSBShort(image);
+  pixmap->pixel_type=(short) ReadBlobMSBShort(image);
+  pixmap->bits_per_pixel=(short) ReadBlobMSBShort(image);
+  pixmap->component_count=(short) ReadBlobMSBShort(image);
+  pixmap->component_size=(short) ReadBlobMSBShort(image);
+  pixmap->plane_bytes=ReadBlobMSBLong(image);
+  pixmap->table=ReadBlobMSBLong(image);
+  pixmap->reserved=ReadBlobMSBLong(image);
+  if ((EOFBlob(image) != MagickFalse) || (pixmap->bits_per_pixel <= 0) ||
+      (pixmap->bits_per_pixel > 32) || (pixmap->component_count <= 0) ||
+      (pixmap->component_count > 4) || (pixmap->component_size <= 0))
+    return(MagickFalse);
+  return(MagickTrue);
+}
+
 static MagickBooleanType ReadRectangle(Image *image,PICTRectangle *rectangle)
 {
   rectangle->top=(short) ReadBlobMSBShort(image);
@@ -987,7 +989,8 @@ static Image *ReadPICTImage(const ImageI
             length=ReadBlobMSBShort(image);
             if (ReadRectangle(image,&frame) == MagickFalse)
               ThrowReaderException(CorruptImageError,"ImproperImageHeader");
-            ReadPixmap(pixmap);
+            if (ReadPixmap(image,&pixmap) == MagickFalse)
+              ThrowReaderException(CorruptImageError,"ImproperImageHeader");
             image->depth=1UL*pixmap.component_size;
             image->x_resolution=1.0*pixmap.horizontal_resolution;
             image->y_resolution=1.0*pixmap.vertical_resolution;
@@ -1100,7 +1103,12 @@ static Image *ReadPICTImage(const ImageI
             if ((code == 0x9a) || (code == 0x9b) ||
                 ((bytes_per_line & 0x8000) != 0))
               {
-                ReadPixmap(pixmap);
+                if (ReadPixmap(image,&pixmap) == MagickFalse)
+                  {
+                    tile_image=DestroyImage(tile_image);
+                    ThrowReaderException(CorruptImageError,
+                      "ImproperImageHeader");
+                  }
                 tile_image->depth=1UL*pixmap.component_size;
                 tile_image->matte=pixmap.component_count == 4 ?
                   MagickTrue : MagickFalse;

Places

File ImageMagick-CVE-2017-12654.patch of Package ImageMagick.9182

Places