File ImageMagick-CVE-2017-8345,8350.patch of Package ImageMagick.16891
From 8919f333923ad144068fd028d274ca640750e9e6 Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@git.imagemagick.org>
Date: Thu, 27 Apr 2017 11:29:45 +0200
Subject: [PATCH] Refactored MngInfoFreeStruct.
---
coders/png.c | 81 ++++++++++++++++++++++--------------------------------------
1 file changed, 30 insertions(+), 51 deletions(-)
Index: ImageMagick-6.8.8-1/coders/png.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/png.c 2017-05-03 13:55:52.702560619 +0200
+++ ImageMagick-6.8.8-1/coders/png.c 2017-05-03 14:31:17.646030137 +0200
@@ -1701,24 +1701,22 @@ static void MngInfoDiscardObject(MngInfo
}
}
-static void MngInfoFreeStruct(MngInfo *mng_info,
- MagickBooleanType *have_mng_structure)
+static MngInfo *MngInfoFreeStruct(MngInfo *mng_info)
{
- if (*have_mng_structure != MagickFalse && (mng_info != (MngInfo *) NULL))
- {
- register ssize_t
- i;
+ register ssize_t
+ i;
+
+ if (mng_info == (MngInfo *) NULL)
+ return((MngInfo *) NULL);
- for (i=1; i < MNG_MAX_OBJECTS; i++)
- MngInfoDiscardObject(mng_info,i);
+ for (i=1; i < MNG_MAX_OBJECTS; i++)
+ MngInfoDiscardObject(mng_info,i);
- if (mng_info->global_plte != (png_colorp) NULL)
- mng_info->global_plte=(png_colorp)
- RelinquishMagickMemory(mng_info->global_plte);
+ if (mng_info->global_plte != (png_colorp) NULL)
+ mng_info->global_plte=(png_colorp)
+ RelinquishMagickMemory(mng_info->global_plte);
- mng_info=(MngInfo *) RelinquishMagickMemory(mng_info);
- *have_mng_structure=MagickFalse;
- }
+ return((MngInfo *) RelinquishMagickMemory(mng_info));
}
static MngBox mng_minimum_box(MngBox box1,MngBox box2)
@@ -3961,7 +3959,6 @@ static Image *ReadPNGImage(const ImageIn
*previous;
MagickBooleanType
- have_mng_structure,
logging,
status;
@@ -4005,7 +4002,6 @@ static Image *ReadPNGImage(const ImageIn
/*
Allocate a MngInfo structure.
*/
- have_mng_structure=MagickFalse;
mng_info=(MngInfo *) AcquireMagickMemory(sizeof(MngInfo));
if (mng_info == (MngInfo *) NULL)
@@ -4016,11 +4012,10 @@ static Image *ReadPNGImage(const ImageIn
*/
(void) ResetMagickMemory(mng_info,0,sizeof(MngInfo));
mng_info->image=image;
- have_mng_structure=MagickTrue;
previous=image;
image=ReadOnePNGImage(mng_info,image_info,exception);
- MngInfoFreeStruct(mng_info,&have_mng_structure);
+ mng_info=MngInfoFreeStruct(mng_info);
if (image == (Image *) NULL)
{
@@ -4206,7 +4201,7 @@ static Image *ReadOneJNGImage(MngInfo *m
AcquireNextImage(image_info,image);
if (GetNextImageInList(image) == (Image *) NULL)
- return((Image *) NULL);
+ return(DestroyImageList(image));
image=SyncNextImageInList(image);
}
@@ -4379,7 +4374,7 @@ static Image *ReadOneJNGImage(MngInfo *m
exception);
if (status == MagickFalse)
- return((Image *) NULL);
+ return(DestroyImageList(image));
if ((image_info->ping == MagickFalse) && (jng_color_type >= 12))
{
@@ -4409,7 +4404,7 @@ static Image *ReadOneJNGImage(MngInfo *m
exception);
if (status == MagickFalse)
- return((Image *) NULL);
+ return(DestroyImageList(image));
if (jng_alpha_compression_method == 0)
{
@@ -4684,7 +4679,7 @@ static Image *ReadOneJNGImage(MngInfo *m
color_image_info=DestroyImageInfo(color_image_info);
if (jng_image == (Image *) NULL)
- return((Image *) NULL);
+ return(DestroyImageList(image));
if (logging != MagickFalse)
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
@@ -4838,7 +4833,6 @@ static Image *ReadJNGImage(const ImageIn
*previous;
MagickBooleanType
- have_mng_structure,
logging,
status;
@@ -4865,7 +4859,7 @@ static Image *ReadJNGImage(const ImageIn
status=OpenBlob(image_info,image,ReadBinaryBlobMode,exception);
if (status == MagickFalse)
- return((Image *) NULL);
+ return(DestroyImageList(image));
if (LocaleCompare(image_info->magick,"JNG") != 0)
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
@@ -4879,7 +4873,6 @@ static Image *ReadJNGImage(const ImageIn
/* Allocate a MngInfo structure. */
- have_mng_structure=MagickFalse;
mng_info=(MngInfo *) AcquireMagickMemory(sizeof(*mng_info));
if (mng_info == (MngInfo *) NULL)
@@ -4888,11 +4881,10 @@ static Image *ReadJNGImage(const ImageIn
/* Initialize members of the MngInfo structure. */
(void) ResetMagickMemory(mng_info,0,sizeof(MngInfo));
- have_mng_structure=MagickTrue;
mng_info->image=image;
image=ReadOneJNGImage(mng_info,image_info,exception);
- MngInfoFreeStruct(mng_info,&have_mng_structure);
+ mng_info=MngInfoFreeStruct(mng_info);
if (image == (Image *) NULL)
{
@@ -4920,7 +4912,8 @@ static Image *ReadJNGImage(const ImageIn
}
#endif
-static Image *ReadMNGImage(const ImageInfo *image_info,ExceptionInfo *exception)
+static Image *ReadOneMNGImage(MngInfo* mng_info, const ImageInfo *image_info,
+ ExceptionInfo *exception)
{
char
page_geometry[MaxTextExtent];
@@ -4930,8 +4923,7 @@ static Image *ReadMNGImage(const ImageIn
*previous;
MagickBooleanType
- logging,
- have_mng_structure;
+ logging;
volatile int
first_mng_object,
@@ -4948,9 +4940,6 @@ static Image *ReadMNGImage(const ImageIn
MagickOffsetType
offset;
- MngInfo
- *mng_info;
-
MngBox
default_fb,
fb,
@@ -5021,37 +5010,10 @@ static Image *ReadMNGImage(const ImageIn
default_fb.left=0;
default_fb.right=0;
- /* Open image file. */
-
- assert(image_info != (const ImageInfo *) NULL);
- assert(image_info->signature == MagickSignature);
- (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image_info->filename);
- assert(exception != (ExceptionInfo *) NULL);
- assert(exception->signature == MagickSignature);
- logging=LogMagickEvent(CoderEvent,GetMagickModule(),"Enter ReadMNGImage()");
- image=AcquireImage(image_info);
- mng_info=(MngInfo *) NULL;
- status=OpenBlob(image_info,image,ReadBinaryBlobMode,exception);
-
- if (status == MagickFalse)
- return((Image *) NULL);
-
- first_mng_object=MagickFalse;
- skipping_loop=(-1);
- have_mng_structure=MagickFalse;
-
- /* Allocate a MngInfo structure. */
-
- mng_info=(MngInfo *) AcquireMagickMemory(sizeof(MngInfo));
-
- if (mng_info == (MngInfo *) NULL)
- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-
- /* Initialize members of the MngInfo structure. */
+ logging=LogMagickEvent(CoderEvent,GetMagickModule(),
+ " Enter ReadOneMNGImage()");
- (void) ResetMagickMemory(mng_info,0,sizeof(MngInfo));
- mng_info->image=image;
- have_mng_structure=MagickTrue;
+ image=mng_info->image;
if (LocaleCompare(image_info->magick,"MNG") == 0)
{
@@ -5072,6 +5034,7 @@ static Image *ReadMNGImage(const ImageIn
mng_info->exists[0]=MagickTrue;
}
+ skipping_loop=(-1);
first_mng_object=MagickTrue;
mng_type=0;
#if defined(MNG_INSERT_LAYERS)
@@ -5234,7 +5197,7 @@ static Image *ReadMNGImage(const ImageIn
AcquireNextImage(image_info,image);
if (GetNextImageInList(image) == (Image *) NULL)
- return((Image *) NULL);
+ return(DestroyImageList(image));
image=SyncNextImageInList(image);
mng_info->image=image;
@@ -5685,11 +5648,7 @@ static Image *ReadMNGImage(const ImageIn
AcquireNextImage(image_info,image);
if (GetNextImageInList(image) == (Image *) NULL)
- {
- image=DestroyImageList(image);
- MngInfoFreeStruct(mng_info,&have_mng_structure);
- return((Image *) NULL);
- }
+ return(DestroyImageList(image));
image=SyncNextImageInList(image);
}
@@ -5895,8 +5854,12 @@ static Image *ReadMNGImage(const ImageIn
SEEK_SET);
if (offset < 0)
- ThrowReaderException(CorruptImageError,
- "ImproperImageHeader");
+ {
+ chunk=(unsigned char *) RelinquishMagickMemory(
+ chunk);
+ ThrowReaderException(CorruptImageError,
+ "ImproperImageHeader");
+ }
}
else
@@ -6211,7 +6174,10 @@ static Image *ReadMNGImage(const ImageIn
}
#if defined(MNG_INSERT_LAYERS)
if (length < 8)
- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ {
+ chunk=(unsigned char *) RelinquishMagickMemory(chunk);
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ }
image_width=(size_t) mng_get_long(p);
image_height=(size_t) mng_get_long(&p[4]);
@@ -6239,11 +6205,7 @@ static Image *ReadMNGImage(const ImageIn
AcquireNextImage(image_info,image);
if (GetNextImageInList(image) == (Image *) NULL)
- {
- image=DestroyImageList(image);
- MngInfoFreeStruct(mng_info,&have_mng_structure);
- return((Image *) NULL);
- }
+ return(DestroyImageList(image));
image=SyncNextImageInList(image);
}
@@ -6292,11 +6254,7 @@ static Image *ReadMNGImage(const ImageIn
AcquireNextImage(image_info,image);
if (GetNextImageInList(image) == (Image *) NULL)
- {
- image=DestroyImageList(image);
- MngInfoFreeStruct(mng_info,&have_mng_structure);
- return((Image *) NULL);
- }
+ return(DestroyImageList(image));
image=SyncNextImageInList(image);
}
@@ -6341,11 +6299,7 @@ static Image *ReadMNGImage(const ImageIn
AcquireNextImage(image_info,image);
if (GetNextImageInList(image) == (Image *) NULL)
- {
- image=DestroyImageList(image);
- MngInfoFreeStruct(mng_info,&have_mng_structure);
- return((Image *) NULL);
- }
+ return(DestroyImageList(image));
image=SyncNextImageInList(image);
}
@@ -6416,16 +6370,13 @@ static Image *ReadMNGImage(const ImageIn
(void) CloseBlob(previous);
}
- MngInfoFreeStruct(mng_info,&have_mng_structure);
return((Image *) NULL);
}
if (image->columns == 0 || image->rows == 0)
{
(void) CloseBlob(image);
- image=DestroyImageList(image);
- MngInfoFreeStruct(mng_info,&have_mng_structure);
- return((Image *) NULL);
+ return(DestroyImageList(image));
}
mng_info->image=image;
@@ -6536,11 +6487,7 @@ static Image *ReadMNGImage(const ImageIn
AcquireNextImage(image_info,image);
if (GetNextImageInList(image) == (Image *) NULL)
- {
- image=DestroyImageList(image);
- MngInfoFreeStruct(mng_info,&have_mng_structure);
- return((Image *) NULL);
- }
+ return(DestroyImageList(image));
large_image=SyncNextImageInList(image);
@@ -6620,7 +6567,6 @@ static Image *ReadMNGImage(const ImageIn
(next == (PixelPacket *) NULL))
{
image=DestroyImageList(image);
- MngInfoFreeStruct(mng_info,&have_mng_structure);
ThrowReaderException(ResourceLimitError,
"MemoryAllocationFailed");
}
@@ -7085,14 +7031,11 @@ static Image *ReadMNGImage(const ImageIn
AcquireNextImage(image_info,image);
if (GetNextImageInList(image) == (Image *) NULL)
{
- image=DestroyImageList(image);
- MngInfoFreeStruct(mng_info,&have_mng_structure);
-
if (logging != MagickFalse)
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
" Allocation failed, returning NULL.");
- return((Image *) NULL);
+ return(DestroyImageList(image));
}
image=SyncNextImageInList(image);
}
@@ -7128,7 +7071,7 @@ static Image *ReadMNGImage(const ImageIn
CoderError,"Linked list is corrupted, beginning of list not found",
"`%s'",image_info->filename);
- return((Image *) NULL);
+ return(DestroyImageList(image));
}
image=GetPreviousImageInList(image);
@@ -7166,11 +7109,7 @@ static Image *ReadMNGImage(const ImageIn
(void) ThrowMagickException(&image->exception,GetMagickModule(),
CoderError,"No visible images in file","`%s'",image_info->filename);
- if (image != (Image *) NULL)
- image=DestroyImageList(image);
-
- MngInfoFreeStruct(mng_info,&have_mng_structure);
- return((Image *) NULL);
+ return(DestroyImageList(image));
}
if (mng_info->ticks_per_second)
@@ -7302,9 +7241,63 @@ static Image *ReadMNGImage(const ImageIn
}
}
- image=GetFirstImageInList(image);
- MngInfoFreeStruct(mng_info,&have_mng_structure);
- have_mng_structure=MagickFalse;
+ if (logging != MagickFalse)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " exit ReadOneJNGImage();");
+
+ return(image);
+}
+
+static Image *ReadMNGImage(const ImageInfo *image_info,ExceptionInfo *exception)
+{
+ Image
+ *image;
+
+ MagickBooleanType
+ logging,
+ status;
+
+ MngInfo
+ *mng_info;
+
+ /* Open image file. */
+
+ assert(image_info != (const ImageInfo *) NULL);
+ assert(image_info->signature == MagickSignature);
+ (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image_info->filename);
+ assert(exception != (ExceptionInfo *) NULL);
+ assert(exception->signature == MagickSignature);
+ logging=LogMagickEvent(CoderEvent,GetMagickModule(),"Enter ReadMNGImage()");
+ image=AcquireImage(image_info);
+ mng_info=(MngInfo *) NULL;
+ status=OpenBlob(image_info,image,ReadBinaryBlobMode,exception);
+
+ if (status == MagickFalse)
+ return((Image *) NULL);
+
+ /* Allocate a MngInfo structure. */
+
+ mng_info=(MngInfo *) AcquireMagickMemory(sizeof(MngInfo));
+
+ if (mng_info == (MngInfo *) NULL)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
+ /* Initialize members of the MngInfo structure. */
+
+ (void) ResetMagickMemory(mng_info,0,sizeof(MngInfo));
+ mng_info->image=image;
+ image=ReadOneMNGImage(mng_info,image_info,exception);
+ mng_info=MngInfoFreeStruct(mng_info);
+
+ if (image == (Image *) NULL)
+ {
+ if (logging != MagickFalse)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "exit ReadMNGImage() with error");
+
+ return((Image *) NULL);
+ }
+ (void) CloseBlob(image);
if (logging != MagickFalse)
(void) LogMagickEvent(CoderEvent,GetMagickModule(),"exit ReadMNGImage()");
@@ -11500,7 +11493,6 @@ static MagickBooleanType WritePNGImage(c
MagickBooleanType
excluding,
logging,
- have_mng_structure,
status;
MngInfo
@@ -11525,7 +11517,6 @@ static MagickBooleanType WritePNGImage(c
/*
Allocate a MngInfo structure.
*/
- have_mng_structure=MagickFalse;
mng_info=(MngInfo *) AcquireMagickMemory(sizeof(MngInfo));
if (mng_info == (MngInfo *) NULL)
@@ -11537,7 +11528,6 @@ static MagickBooleanType WritePNGImage(c
(void) ResetMagickMemory(mng_info,0,sizeof(MngInfo));
mng_info->image=image;
mng_info->equal_backgrounds=MagickTrue;
- have_mng_structure=MagickTrue;
/* See if user has requested a specific PNG subformat */
@@ -12276,7 +12266,7 @@ static MagickBooleanType WritePNGImage(c
(void) CloseBlob(image);
- MngInfoFreeStruct(mng_info,&have_mng_structure);
+ mng_info=MngInfoFreeStruct(mng_info);
if (logging != MagickFalse)
(void) LogMagickEvent(CoderEvent,GetMagickModule(),"exit WritePNGImage()");
@@ -12877,7 +12867,6 @@ static MagickBooleanType WriteOneJNGImag
static MagickBooleanType WriteJNGImage(const ImageInfo *image_info,Image *image)
{
MagickBooleanType
- have_mng_structure,
logging,
status;
@@ -12900,7 +12889,6 @@ static MagickBooleanType WriteJNGImage(c
/*
Allocate a MngInfo structure.
*/
- have_mng_structure=MagickFalse;
mng_info=(MngInfo *) AcquireMagickMemory(sizeof(MngInfo));
if (mng_info == (MngInfo *) NULL)
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
@@ -12909,15 +12897,14 @@ static MagickBooleanType WriteJNGImage(c
*/
(void) ResetMagickMemory(mng_info,0,sizeof(MngInfo));
mng_info->image=image;
- have_mng_structure=MagickTrue;
(void) WriteBlob(image,8,(const unsigned char *) "\213JNG\r\n\032\n");
status=WriteOneJNGImage(mng_info,image_info,image);
+ mng_info=MngInfoFreeStruct(mng_info);
(void) CloseBlob(image);
(void) CatchImageException(image);
- MngInfoFreeStruct(mng_info,&have_mng_structure);
if (logging != MagickFalse)
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
" exit WriteJNGImage()");
@@ -12936,7 +12923,6 @@ static MagickBooleanType WriteMNGImage(c
*next_image;
MagickBooleanType
- have_mng_structure,
status;
volatile MagickBooleanType
@@ -12998,7 +12984,6 @@ static MagickBooleanType WriteMNGImage(c
/*
Allocate a MngInfo structure.
*/
- have_mng_structure=MagickFalse;
mng_info=(MngInfo *) AcquireMagickMemory(sizeof(MngInfo));
if (mng_info == (MngInfo *) NULL)
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
@@ -13007,7 +12992,6 @@ static MagickBooleanType WriteMNGImage(c
*/
(void) ResetMagickMemory(mng_info,0,sizeof(MngInfo));
mng_info->image=image;
- have_mng_structure=MagickTrue;
write_mng=LocaleCompare(image_info->magick,"MNG") == 0;
/*
@@ -13765,7 +13749,7 @@ static MagickBooleanType WriteMNGImage(c
if (status == MagickFalse)
{
- MngInfoFreeStruct(mng_info,&have_mng_structure);
+ mng_info=MngInfoFreeStruct(mng_info);
(void) CloseBlob(image);
return(MagickFalse);
}
@@ -13798,7 +13782,7 @@ static MagickBooleanType WriteMNGImage(c
Relinquish resources.
*/
(void) CloseBlob(image);
- MngInfoFreeStruct(mng_info,&have_mng_structure);
+ mng_info=MngInfoFreeStruct(mng_info);
if (logging != MagickFalse)
(void) LogMagickEvent(CoderEvent,GetMagickModule(),"exit WriteMNGImage()");