File ImageMagick-CVE-2016-6823.patch of Package ImageMagick.29977

Index: ImageMagick-6.8.9-8/coders/bmp.c
===================================================================
--- ImageMagick-6.8.9-8.orig/coders/bmp.c	2016-10-10 19:22:34.547702545 +0200
+++ ImageMagick-6.8.9-8/coders/bmp.c	2016-10-10 19:22:35.051710382 +0200
@@ -1687,6 +1687,9 @@ static MagickBooleanType WriteBMPImage(c
           bmp_info.file_size+=extra_size;
           bmp_info.offset_bits+=extra_size;
         }
+    if ((image->columns != (signed int) image->columns) ||
+        (image->rows != (signed int) image->rows))
+      ThrowWriterException(ImageError,"WidthOrHeightExceedsLimit");
     bmp_info.width=(ssize_t) image->columns;
     bmp_info.height=(ssize_t) image->rows;
     bmp_info.planes=1;
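Review bot: The added guard `image->columns != (signed int) image->columns` only rejects oversized dimensions when the field is wider than int. If `image->columns` is a size_t, as the neighbouring casts suggest, then on a target where size_t and int are both 32 bits the cast value converts back to the same unsigned number, the comparison is always equal, and a width above INT_MAX still reaches the `bmp_info.width` assignment. The out-of-range conversion to signed int is also implementation-defined. An explicit bound states the intent and behaves the same on every target: `if ((image->columns > (size_t) INT_MAX) || (image->rows > (size_t) INT_MAX))`, assuming `<limits.h>` is already reachable from this coder. The arithmetic that feeds `bmp_info.file_size` happens before this point, outside the hunk, so it is worth confirming that nothing is allocated from those values before the guard runs.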
--- ImageMagick-6.8.8-1/coders/pnm.c	2013-12-01 15:47:50.000000000 +0100
+++ pnm.c	2016-11-18 14:50:20.682247894 +0100
@@ -457,6 +457,8 @@ static Image *ReadPNMImage(const ImageIn
           for (x=0; x < (ssize_t) image->columns; x++)
           {
             SetPixelRed(q,PNMInteger(image,2) == 0 ? QuantumRange : 0);
+            if (EOFBlob(image) != MagickFalse)
+              break;
             SetPixelGreen(q,GetPixelRed(q));
             SetPixelBlue(q,GetPixelRed(q));
             q++;
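Review bot: In the bilevel loop the new EOF test sits after `SetPixelRed(q,PNMInteger(image,2) == 0 ? QuantumRange : 0);`, so the result of the read that hit end-of-file is already stored in the pixel before the loop breaks, whereas the hunks at -497 and -537 test before storing. Keeping the three loops consistent means assigning the `PNMInteger(image,2)` result to a local, testing `EOFBlob(image)`, and only then calling `SetPixelRed`. In the RGB loop (-537) only the first component read is followed by a check, so a file that ends mid-pixel stores one more partly read pixel before the next iteration stops; the rest of that loop body lies outside the hunk. A one-line comment such as `/* stop on truncated input instead of filling the rest of the row */` above each check would record why it is there.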
@@ -470,6 +472,8 @@ static Image *ReadPNMImage(const ImageIn
               if (status == MagickFalse)
                 break;
             }
+          if (EOFBlob(image) != MagickFalse)
+            break;
         }
         image->type=BilevelType;
         break;
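Review bot: The row-level `if (EOFBlob(image) != MagickFalse) break;` here, and the matching ones in the -511 and -553 hunks, leave the row loop without recording any error in the visible lines. Whether a truncated file is reported therefore depends on code after the switch that these hunks do not show. If nothing there raises a CorruptImageError with the `UnexpectedEndOfFile` tag, the reader returns a partly decoded image as if it were complete. The rows that were never reached keep whatever the pixel cache held, so it is also worth confirming that they are initialised before the image is returned to the caller.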
@@ -497,6 +501,8 @@ static Image *ReadPNMImage(const ImageIn
           for (x=0; x < (ssize_t) image->columns; x++)
           {
             intensity=ScaleAnyToQuantum(PNMInteger(image,10),max_value);
+            if (EOFBlob(image) != MagickFalse)
+              break;
             SetPixelRed(q,intensity);
             SetPixelGreen(q,GetPixelRed(q));
             SetPixelBlue(q,GetPixelRed(q));
@@ -511,6 +517,8 @@ static Image *ReadPNMImage(const ImageIn
               if (status == MagickFalse)
                 break;
             }
+          if (EOFBlob(image) != MagickFalse)
+            break;
         }
         image->type=GrayscaleType;
         break;
@@ -537,6 +545,8 @@ static Image *ReadPNMImage(const ImageIn
               pixel;
 
             pixel=ScaleAnyToQuantum(PNMInteger(image,10),max_value);
+            if (EOFBlob(image) != MagickFalse)
+              break;
             SetPixelRed(q,pixel);
             pixel=ScaleAnyToQuantum(PNMInteger(image,10),max_value);
             SetPixelGreen(q,pixel);
@@ -553,6 +563,8 @@ static Image *ReadPNMImage(const ImageIn
               if (status == MagickFalse)
                 break;
             }
+          if (EOFBlob(image) != MagickFalse)
+            break;
         }
         break;
       }