File ImageMagick-CVE-2016-10052.patch of Package ImageMagick.29977
From 9e187b73a8a1290bb0e1a1c878f8be1917aa8742 Mon Sep 17 00:00:00 2001
From: dirk <dirk@git.imagemagick.org>
Date: Sat, 13 Aug 2016 09:06:23 +0200
Subject: [PATCH] Changed the JPEG writer to raise a warning when the exif
profile exceeds 65533 bytes and truncate it.
---
coders/jpeg.c | 11 ++++++++---
config/english.xml | 3 +++
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/coders/jpeg.c b/coders/jpeg.c
index ce38317..7ea1c9d 100644
--- a/coders/jpeg.c
+++ b/coders/jpeg.c
@@ -1918,10 +1918,15 @@ static void WriteProfile(j_compress_ptr jpeg_info,Image *image)
profile=GetImageProfile(image,name);
p=GetStringInfoDatum(custom_profile);
if (LocaleCompare(name,"EXIF") == 0)
- for (i=0; i < (ssize_t) GetStringInfoLength(profile); i+=65533L)
{
- length=MagickMin(GetStringInfoLength(profile)-i,65533L);
- jpeg_write_marker(jpeg_info,XML_MARKER,GetStringInfoDatum(profile)+i,
+ length=GetStringInfoLength(profile);
+ if (length > 65533L)
+ {
+ (void) ThrowMagickException(&image->exception,GetMagickModule(),
+ CoderWarning,"ExifProfileSizeExceedsLimit",image->filename);
+ length=65533L;
+ }
+ jpeg_write_marker(jpeg_info,XML_MARKER,GetStringInfoDatum(profile),
(unsigned int) length);
}
if (LocaleCompare(name,"ICC") == 0)
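Review bot: Cutting the EXIF profile at byte 65533 keeps the leading part verbatim, so any offsets stored in that part that refer to data beyond the cut now point past the end of the written marker segment. The warning is the only signal, and a caller that ignores warnings ships that file to parsers that must bounds-check it themselves. If a partial profile has no value, skipping `jpeg_write_marker` in the `length > 65533L` branch would be the more conservative behaviour. Otherwise the branch deserves a comment such as `/* marker payload is capped at 65533 bytes (16-bit length field counts its own 2 bytes); the profile is cut, not re-serialised */`, and the literal `65533L`, used twice, would read better as one named constant. WriteProfile begins and ends outside this hunk, so the declared type of `length` and the handling of the other profile types cannot be checked from here.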