Overview

File ImageMagick-CVE-2017-18028.patch of Package ImageMagick.11106

Index: ImageMagick-6.8.8-1/coders/tiff.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/tiff.c	2018-01-29 16:25:15.880169937 +0100
+++ ImageMagick-6.8.8-1/coders/tiff.c	2018-01-29 17:02:06.365847864 +0100
@@ -901,6 +901,16 @@ static tsize_t TIFFWriteBlob(thandle_t i
 static Image *ReadTIFFImage(const ImageInfo *image_info,
   ExceptionInfo *exception)
 {
+#define ThrowTIFFException(severity,message) \
+{ \
+  if (pixels != (unsigned char *) NULL) \
+    pixels=(unsigned char *) RelinquishMagickMemory(pixels); \
+  if (quantum_info != (QuantumInfo *) NULL) \
+    quantum_info=DestroyQuantumInfo(quantum_info); \
+  TIFFClose(tiff); \
+  ThrowReaderException(severity,message); \
+}
+
   typedef enum
   {
     ReadSingleSampleMethod,
@@ -1253,12 +1263,10 @@ RestoreMSCWarning
      /*
        Allocate memory for the image and pixel buffer.
      */
+     pixels=(unsigned char *) NULL;
      quantum_info=AcquireQuantumInfo(image_info,image);
      if (quantum_info == (QuantumInfo *) NULL)
-       {
-         TIFFClose(tiff);
-         ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-       }
+       ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
      if (sample_format == SAMPLEFORMAT_UINT)
        status=SetQuantumFormat(image,quantum_info,UnsignedQuantumFormat);
      if (sample_format == SAMPLEFORMAT_INT)
@@ -1266,11 +1274,7 @@ RestoreMSCWarning
      if (sample_format == SAMPLEFORMAT_IEEEFP)
        status=SetQuantumFormat(image,quantum_info,FloatingPointQuantumFormat);
      if (status == MagickFalse)
-       {
-         TIFFClose(tiff);
-         quantum_info=DestroyQuantumInfo(quantum_info);
-         ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-       }
+       ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
      status=MagickTrue;
      switch (photometric)
      {
@@ -1347,10 +1351,7 @@ RestoreMSCWarning
       TIFFScanlineSize(tiff),(size_t) (image->columns*samples_per_pixel*
       pow(2.0,ceil(log(bits_per_sample)/log(2.0)))*sizeof(uint32))));
     if (pixels == (unsigned char *) NULL)
-    {
-      TIFFClose(tiff);
-      ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-    }
+      ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
     switch (method)
     {
       case ReadSingleSampleMethod:
@@ -1425,10 +1426,7 @@ RestoreMSCWarning
         status=SetQuantumPad(image,quantum_info,pad*pow(2,ceil(log(
           bits_per_sample)/log(2))));
         if (status == MagickFalse)
-          {
-            TIFFClose(tiff);
-            ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-          }
+           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
         for (y=0; y < (ssize_t) image->rows; y++)
         {
           int
@@ -1482,10 +1480,7 @@ RestoreMSCWarning
           }
         status=SetQuantumPad(image,quantum_info,pad*((bits_per_sample+7) >> 3));
         if (status == MagickFalse)
-          {
-            TIFFClose(tiff);
-            ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-          }
+          ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
         for (y=0; y < (ssize_t) image->rows; y++)
         {
           int
@@ -1641,24 +1636,19 @@ RestoreMSCWarning
         */
         if ((TIFFGetField(tiff,TIFFTAG_TILEWIDTH,&columns) == 0) ||
             (TIFFGetField(tiff,TIFFTAG_TILELENGTH,&rows) == 0))
-          {
-            TIFFClose(tiff);
-            ThrowReaderException(CoderError,"ImageIsNotTiled");
-          }
+          ThrowTIFFException(CoderError,"ImageIsNotTiled");
         (void) SetImageStorageClass(image,DirectClass);
+        if (CheckMemoryOverflow(columns,rows) != MagickFalse)
+          ThrowTIFFException(ImageError,"WidthOrHeightExceedsLimit");
         number_pixels=(MagickSizeType) columns*rows;
+        if (columns*rows > GetBlobSize(image))
+          ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed")
         if (CheckMemoryOverflow(rows,sizeof(*tile_pixels)) != MagickFalse)
-          {
-            TIFFClose(tiff);
-            ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-          }
+          ThrowTIFFException(ImageError,"WidthOrHeightExceedsLimit");
         tile_pixels=(uint32 *) AcquireQuantumMemory(columns,
           rows*sizeof(*tile_pixels));
         if (tile_pixels == (uint32 *) NULL)
-          {
-            TIFFClose(tiff);
-            ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-          }
+          ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
         for (y=0; y < (ssize_t) image->rows; y+=rows)
         {
           PixelPacket
@@ -1756,17 +1746,11 @@ RestoreMSCWarning
         */
         number_pixels=(MagickSizeType) image->columns*image->rows;
         if (CheckMemoryOverflow(image->rows,sizeof(*pixels)) != MagickFalse)
-          {
-            TIFFClose(tiff);
-            ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-          }
+          ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
         pixel_info=AcquireVirtualMemory(image->columns,image->rows*
           sizeof(*pixels));
         if (pixel_info == (MemoryInfo *) NULL)
-          {
-            TIFFClose(tiff);
-            ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-          }
+          ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
         pixels=(uint32 *) GetVirtualMemoryBlob(pixel_info);
         (void) TIFFReadRGBAImage(tiff,(uint32) image->columns,(uint32)
           image->rows,(uint32 *) pixels,0);
openSUSE Build Service is sponsored by
Places