File ImageMagick-CVE-2014-9806.patch of Package ImageMagick.16891
From 9fdb9bf2832a1aa2c79002ae5c2ba1e8018e4ff1 Mon Sep 17 00:00:00 2001
From: dirk <dirk@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
Date: Thu, 6 Nov 2014 21:09:54 +0000
Subject: Added missing calls to RelinquishUniqueFileResource.
Avoid to leak fd in case of error.
git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@16971 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
origin: http://trac.imagemagick.org/changeset/16971
---
coders/dcm.c | 28 +++++++++++++---------------
coders/dot.c | 5 ++++-
coders/exr.c | 10 +++++++++-
coders/pict.c | 2 ++
coders/pwp.c | 6 +++++-
5 files changed, 33 insertions(+), 18 deletions(-)
Index: ImageMagick-6.8.8-1/coders/dcm.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/dcm.c 2016-06-09 13:59:37.321065529 +0200
+++ ImageMagick-6.8.8-1/coders/dcm.c 2016-06-09 14:20:34.742326992 +0200
@@ -3561,28 +3561,32 @@ static Image *ReadDCMImage(const ImageIn
unsigned int
tag;
+ tag=(ReadBlobLSBShort(image) << 16) | ReadBlobLSBShort(image);
+ length=(size_t) ReadBlobLSBLong(image);
+ if (tag == 0xFFFEE0DD)
+ break; /* sequence delimiter tag */
+ if (tag != 0xFFFEE000)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
file=(FILE *) NULL;
unique_file=AcquireUniqueFileResource(filename);
if (unique_file != -1)
file=fdopen(unique_file,"wb");
- if ((unique_file == -1) || (file == (FILE *) NULL))
+ if (file == (FILE *) NULL)
{
+ (void) RelinquishUniqueFileResource(filename);
ThrowFileException(exception,FileOpenError,
"UnableToCreateTemporaryFile",filename);
break;
}
- tag=(ReadBlobLSBShort(image) << 16) | ReadBlobLSBShort(image);
- length=(size_t) ReadBlobLSBLong(image);
- if (tag == 0xFFFEE0DD)
- break; /* sequence delimiter tag */
- if (tag != 0xFFFEE000)
- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
for ( ; length != 0; length--)
{
c=ReadBlobByte(image);
if (c == EOF)
- ThrowFileException(exception,CorruptImageError,
- "UnexpectedEndOfFile",image->filename);
+ {
+ ThrowFileException(exception,CorruptImageError,
+ "UnexpectedEndOfFile",image->filename);
+ break;
+ }
(void) fputc(c,file);
}
(void) fclose(file);
Index: ImageMagick-6.8.8-1/coders/dot.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/dot.c 2013-12-01 15:47:50.000000000 +0100
+++ ImageMagick-6.8.8-1/coders/dot.c 2016-06-09 13:59:37.321065529 +0200
@@ -142,7 +142,10 @@ static Image *ReadDOTImage(const ImageIn
graph=agread(GetBlobFileHandle(image),(Agdisc_t *) NULL);
#endif
if (graph == (graph_t *) NULL)
- return ((Image *) NULL);
+ {
+ (void) RelinquishUniqueFileResource(read_info->filename);
+ return ((Image *) NULL);
+ }
option=GetImageOption(image_info,"dot:layout-engine");
if (option == (const char *) NULL)
gvLayout(graphic_context,graph,(char *) "dot");
Index: ImageMagick-6.8.8-1/coders/exr.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/exr.c 2013-12-01 15:47:50.000000000 +0100
+++ ImageMagick-6.8.8-1/coders/exr.c 2016-06-09 13:59:37.321065529 +0200
@@ -192,6 +192,8 @@ static Image *ReadEXRImage(const ImageIn
{
ThrowFileException(exception,BlobError,"UnableToOpenBlob",
ImfErrorMessage());
+ if (LocaleCompare(image_info->filename,read_info->filename) != 0)
+ (void) RelinquishUniqueFileResource(read_info->filename);
read_info=DestroyImageInfo(read_info);
return((Image *) NULL);
}
@@ -214,6 +216,9 @@ static Image *ReadEXRImage(const ImageIn
if (scanline == (ImfRgba *) NULL)
{
(void) ImfCloseInputFile(file);
+ if (LocaleCompare(image_info->filename,read_info->filename) != 0)
+ (void) RelinquishUniqueFileResource(read_info->filename);
+ read_info=DestroyImageInfo(read_info);
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
}
for (y=0; y < (ssize_t) image->rows; y++)
@@ -417,15 +422,18 @@ static MagickBooleanType WriteEXRImage(c
ImfDeleteHeader(hdr_info);
if (file == (ImfOutputFile *) NULL)
{
+ (void) RelinquishUniqueFileResource(write_info->filename);
+ write_info=DestroyImageInfo(write_info);
ThrowFileException(&image->exception,BlobError,"UnableToOpenBlob",
ImfErrorMessage());
- write_info=DestroyImageInfo(write_info);
return(MagickFalse);
}
scanline=(ImfRgba *) AcquireQuantumMemory(image->columns,sizeof(*scanline));
if (scanline == (ImfRgba *) NULL)
{
(void) ImfCloseOutputFile(file);
+ (void) RelinquishUniqueFileResource(write_info->filename);
+ write_info=DestroyImageInfo(write_info);
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
}
ResetMagickMemory(scanline,0,image->columns*sizeof(*scanline));
Index: ImageMagick-6.8.8-1/coders/pict.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/pict.c 2016-06-09 13:59:37.321065529 +0200
+++ ImageMagick-6.8.8-1/coders/pict.c 2016-06-09 14:09:47.899350313 +0200
@@ -1377,6 +1377,7 @@ static Image *ReadPICTImage(const ImageI
{
(void) CopyMagickString(image->filename,read_info->filename,
MaxTextExtent);
+ (void) RelinquishUniqueFileResource(read_info->filename);
ThrowFileException(exception,FileOpenError,
"UnableToCreateTemporaryFile",image->filename);
image=DestroyImageList(image);
Index: ImageMagick-6.8.8-1/coders/pwp.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/pwp.c 2013-12-01 15:47:50.000000000 +0100
+++ ImageMagick-6.8.8-1/coders/pwp.c 2016-06-09 13:59:37.321065529 +0200
@@ -192,7 +192,10 @@ static Image *ReadPWPImage(const ImageIn
if (c == EOF)
break;
if (LocaleNCompare((char *) (magick+12),"SFW94A",6) != 0)
- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ {
+ (void) RelinquishUniqueFileResource(read_info->filename);
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ }
/*
Dump SFW image to a temporary file.
*/
@@ -201,6 +204,7 @@ static Image *ReadPWPImage(const ImageIn
file=fdopen(unique_file,"wb");
if ((unique_file == -1) || (file == (FILE *) NULL))
{
+ (void) RelinquishUniqueFileResource(read_info->filename);
ThrowFileException(exception,FileOpenError,"UnableToWriteFile",
image->filename);
image=DestroyImageList(image);
