File ImageMagick-CVE-2017-8353.patch of Package ImageMagick.16891
From db773def23bb75c8731dbe5a8565664f5da0fb4d Mon Sep 17 00:00:00 2001
From: cristy <urban-warrior@git.imagemagick.org>
Date: Mon, 12 May 2014 00:15:53 +0000
Subject: [PATCH]
---
coders/pict.c | 47 +++++++++++++++++++++++++++++------------------
1 file changed, 29 insertions(+), 18 deletions(-)
Index: ImageMagick-6.8.8-1/coders/pict.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/pict.c 2017-05-15 12:12:52.520405830 +0200
+++ ImageMagick-6.8.8-1/coders/pict.c 2017-05-15 12:14:18.397899881 +0200
@@ -95,17 +95,6 @@
ThrowReaderException(CorruptImageError,"ImproperImageHeader"); \
}
-#define ReadRectangle(image,rectangle) \
-{ \
- rectangle.top=(short) ReadBlobMSBShort(image); \
- rectangle.left=(short) ReadBlobMSBShort(image); \
- rectangle.bottom=(short) ReadBlobMSBShort(image); \
- rectangle.right=(short) ReadBlobMSBShort(image); \
- if ((rectangle.left > rectangle.right) || \
- (rectangle.top > rectangle.bottom)) \
- ThrowReaderException(CorruptImageError,"ImproperImageHeader"); \
-}
-
typedef struct _PICTCode
{
const char
@@ -796,6 +785,18 @@ static inline size_t MagickMax(const siz
return(y);
}
+static MagickBooleanType ReadRectangle(Image *image,PICTRectangle *rectangle)
+{
+ rectangle->top=(short) ReadBlobMSBShort(image);
+ rectangle->left=(short) ReadBlobMSBShort(image);
+ rectangle->bottom=(short) ReadBlobMSBShort(image);
+ rectangle->right=(short) ReadBlobMSBShort(image);
+ if ((rectangle->left > rectangle->right) ||
+ (rectangle->top > rectangle->bottom))
+ return(MagickFalse);
+ return(MagickTrue);
+}
+
static Image *ReadPICTImage(const ImageInfo *image_info,
ExceptionInfo *exception)
{
@@ -883,7 +884,8 @@ static Image *ReadPICTImage(const ImageI
for (i=0; i < 508; i++)
(void) ReadBlobByte(image);
(void) ReadBlobMSBShort(image); /* skip picture size */
- ReadRectangle(image,frame);
+ if (ReadRectangle(image,&frame) == MagickFalse)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
while ((c=ReadBlobByte(image)) == 0) ;
if (c != 0x11)
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
@@ -948,7 +950,8 @@ static Image *ReadPICTImage(const ImageI
(void) ReadBlobByte(image);
break;
}
- ReadRectangle(image,frame);
+ if (ReadRectangle(image,&frame) == MagickFalse)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
if (((frame.left & 0x8000) != 0) || ((frame.top & 0x8000) != 0))
break;
image->columns=1UL*(frame.right-frame.left);
@@ -982,7 +985,8 @@ static Image *ReadPICTImage(const ImageI
if (pattern != 1)
ThrowReaderException(CorruptImageError,"UnknownPatternType");
length=ReadBlobMSBShort(image);
- ReadRectangle(image,frame);
+ if (ReadRectangle(image,&frame) == MagickFalse)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
ReadPixmap(pixmap);
image->depth=1UL*pixmap.component_size;
image->x_resolution=1.0*pixmap.horizontal_resolution;
@@ -1084,7 +1088,8 @@ static Image *ReadPICTImage(const ImageI
(void) ReadBlobMSBShort(image);
(void) ReadBlobMSBShort(image);
}
- ReadRectangle(image,frame);
+ if (ReadRectangle(image,&frame) == MagickFalse)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
/*
Initialize tile image.
*/
@@ -1152,8 +1157,16 @@ static Image *ReadPICTImage(const ImageI
}
}
}
- ReadRectangle(image,source);
- ReadRectangle(image,destination);
+ if (ReadRectangle(image,&source) == MagickFalse)
+ {
+ tile_image=DestroyImage(tile_image);
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ }
+ if (ReadRectangle(image,&destination) == MagickFalse)
+ {
+ tile_image=DestroyImage(tile_image);
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ }
(void) ReadBlobMSBShort(image);
if ((code == 0x91) || (code == 0x99) || (code == 0x9b))
{
@@ -1183,7 +1196,10 @@ static Image *ReadPICTImage(const ImageI
for (y=0; y < (ssize_t) tile_image->rows; y++)
{
if (p > (pixels+extent+image->columns))
- ThrowReaderException(CorruptImageError,"NotEnoughPixelData");
+ {
+ tile_image=DestroyImage(tile_image);
+ ThrowReaderException(CorruptImageError,"NotEnoughPixelData");
+ }
q=QueueAuthenticPixels(tile_image,0,y,tile_image->columns,1,
exception);
if (q == (PixelPacket *) NULL)
@@ -1220,8 +1236,11 @@ static Image *ReadPICTImage(const ImageI
if (tile_image->matte == MagickFalse)
{
if (p > (pixels+extent+2*image->columns))
- ThrowReaderException(CorruptImageError,
- "NotEnoughPixelData");
+ {
+ tile_image=DestroyImage(tile_image);
+ ThrowReaderException(CorruptImageError,
+ "NotEnoughPixelData");
+ }
SetPixelRed(q,ScaleCharToQuantum(*p));
SetPixelGreen(q,ScaleCharToQuantum(
*(p+tile_image->columns)));
@@ -1231,8 +1250,11 @@ static Image *ReadPICTImage(const ImageI
else
{
if (p > (pixels+extent+3*image->columns))
- ThrowReaderException(CorruptImageError,
- "NotEnoughPixelData");
+ {
+ tile_image=DestroyImage(tile_image);
+ ThrowReaderException(CorruptImageError,
+ "NotEnoughPixelData");
+ }
SetPixelAlpha(q,ScaleCharToQuantum(*p));
SetPixelRed(q,ScaleCharToQuantum(
*(p+tile_image->columns)));
@@ -1302,8 +1324,11 @@ static Image *ReadPICTImage(const ImageI
status=SetImageProfile(image,"icc",profile);
profile=DestroyStringInfo(profile);
if (status == MagickFalse)
- ThrowReaderException(ResourceLimitError,
- "MemoryAllocationFailed");
+ {
+ info=(unsigned char *) RelinquishMagickMemory(info);
+ ThrowReaderException(ResourceLimitError,
+ "MemoryAllocationFailed");
+ }
break;
}
case 0x1f2:
@@ -1314,8 +1339,11 @@ static Image *ReadPICTImage(const ImageI
SetStringInfoDatum(profile,info);
status=SetImageProfile(image,"iptc",profile);
if (status == MagickFalse)
- ThrowReaderException(ResourceLimitError,
- "MemoryAllocationFailed");
+ {
+ info=(unsigned char *) RelinquishMagickMemory(info);
+ ThrowReaderException(ResourceLimitError,
+ "MemoryAllocationFailed");
+ }
profile=DestroyStringInfo(profile);
break;
}
@@ -1387,7 +1415,11 @@ static Image *ReadPICTImage(const ImageI
length=ReadBlobMSBLong(image);
for (i=0; i < 6; i++)
(void) ReadBlobMSBLong(image);
- ReadRectangle(image,frame);
+ if (ReadRectangle(image,&frame) == MagickFalse)
+ {
+ (void) fclose(file);
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ }
for (i=0; i < 122; i++)
(void) ReadBlobByte(image);
for (i=0; i < (ssize_t) (length-154); i++)