File ImageMagick-CVE-2014-9813.patch of Package ImageMagick.5842
Index: ImageMagick-6.8.8-1/coders/viff.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/viff.c 2013-12-01 15:47:50.000000000 +0100
+++ ImageMagick-6.8.8-1/coders/viff.c 2016-06-14 10:32:14.558879370 +0200
@@ -64,6 +64,7 @@
#include "magick/static.h"
#include "magick/string_.h"
#include "magick/module.h"
+#include "magick/colormap-private.h"
/*
Forward declarations.
@@ -248,7 +249,6 @@ static Image *ReadVIFFImage(const ImageI
y;
unsigned char
- buffer[7],
*pixels;
ViffInfo
@@ -285,64 +285,42 @@ static Image *ReadVIFFImage(const ImageI
/*
Initialize VIFF image.
*/
- count=ReadBlob(image,7,buffer);
- viff_info.file_type=buffer[0];
- viff_info.release=buffer[1];
- viff_info.version=buffer[2];
- viff_info.machine_dependency=buffer[3];
+ (void) ReadBlob(image,sizeof(viff_info.file_type),&viff_info.file_type);
+ (void) ReadBlob(image,sizeof(viff_info.release),&viff_info.release);
+ (void) ReadBlob(image,sizeof(viff_info.version),&viff_info.version);
+ (void) ReadBlob(image,sizeof(viff_info.machine_dependency),
+ &viff_info.machine_dependency);
+ (void) ReadBlob(image,sizeof(viff_info.reserve),viff_info.reserve);
count=ReadBlob(image,512,(unsigned char *) viff_info.comment);
viff_info.comment[511]='\0';
if (strlen(viff_info.comment) > 4)
(void) SetImageProperty(image,"comment",viff_info.comment);
if ((viff_info.machine_dependency == VFF_DEP_DECORDER) ||
(viff_info.machine_dependency == VFF_DEP_NSORDER))
- {
- viff_info.rows=ReadBlobLSBLong(image);
- viff_info.columns=ReadBlobLSBLong(image);
- viff_info.subrows=ReadBlobLSBLong(image);
- viff_info.x_offset=(int) ReadBlobLSBLong(image);
- viff_info.y_offset=(int) ReadBlobLSBLong(image);
- viff_info.x_bits_per_pixel=(float) ReadBlobLSBLong(image);
- viff_info.y_bits_per_pixel=(float) ReadBlobLSBLong(image);
- viff_info.location_type=ReadBlobLSBLong(image);
- viff_info.location_dimension=ReadBlobLSBLong(image);
- viff_info.number_of_images=ReadBlobLSBLong(image);
- viff_info.number_data_bands=ReadBlobLSBLong(image);
- viff_info.data_storage_type=ReadBlobLSBLong(image);
- viff_info.data_encode_scheme=ReadBlobLSBLong(image);
- viff_info.map_scheme=ReadBlobLSBLong(image);
- viff_info.map_storage_type=ReadBlobLSBLong(image);
- viff_info.map_rows=ReadBlobLSBLong(image);
- viff_info.map_columns=ReadBlobLSBLong(image);
- viff_info.map_subrows=ReadBlobLSBLong(image);
- viff_info.map_enable=ReadBlobLSBLong(image);
- viff_info.maps_per_cycle=ReadBlobLSBLong(image);
- viff_info.color_space_model=ReadBlobLSBLong(image);
- }
+ image->endian=LSBEndian;
else
- {
- viff_info.rows=ReadBlobMSBLong(image);
- viff_info.columns=ReadBlobMSBLong(image);
- viff_info.subrows=ReadBlobMSBLong(image);
- viff_info.x_offset=(int) ReadBlobMSBLong(image);
- viff_info.y_offset=(int) ReadBlobMSBLong(image);
- viff_info.x_bits_per_pixel=(float) ReadBlobMSBLong(image);
- viff_info.y_bits_per_pixel=(float) ReadBlobMSBLong(image);
- viff_info.location_type=ReadBlobMSBLong(image);
- viff_info.location_dimension=ReadBlobMSBLong(image);
- viff_info.number_of_images=ReadBlobMSBLong(image);
- viff_info.number_data_bands=ReadBlobMSBLong(image);
- viff_info.data_storage_type=ReadBlobMSBLong(image);
- viff_info.data_encode_scheme=ReadBlobMSBLong(image);
- viff_info.map_scheme=ReadBlobMSBLong(image);
- viff_info.map_storage_type=ReadBlobMSBLong(image);
- viff_info.map_rows=ReadBlobMSBLong(image);
- viff_info.map_columns=ReadBlobMSBLong(image);
- viff_info.map_subrows=ReadBlobMSBLong(image);
- viff_info.map_enable=ReadBlobMSBLong(image);
- viff_info.maps_per_cycle=ReadBlobMSBLong(image);
- viff_info.color_space_model=ReadBlobMSBLong(image);
- }
+ image->endian=MSBEndian;
+ viff_info.rows=ReadBlobLong(image);
+ viff_info.columns=ReadBlobLong(image);
+ viff_info.subrows=ReadBlobLong(image);
+ viff_info.x_offset=(int) ReadBlobLong(image);
+ viff_info.y_offset=(int) ReadBlobLong(image);
+ viff_info.x_bits_per_pixel=(float) ReadBlobLong(image);
+ viff_info.y_bits_per_pixel=(float) ReadBlobLong(image);
+ viff_info.location_type=ReadBlobLong(image);
+ viff_info.location_dimension=ReadBlobLong(image);
+ viff_info.number_of_images=ReadBlobLong(image);
+ viff_info.number_data_bands=ReadBlobLong(image);
+ viff_info.data_storage_type=ReadBlobLong(image);
+ viff_info.data_encode_scheme=ReadBlobLong(image);
+ viff_info.map_scheme=ReadBlobLong(image);
+ viff_info.map_storage_type=ReadBlobLong(image);
+ viff_info.map_rows=ReadBlobLong(image);
+ viff_info.map_columns=ReadBlobLong(image);
+ viff_info.map_subrows=ReadBlobLong(image);
+ viff_info.map_enable=ReadBlobLong(image);
+ viff_info.maps_per_cycle=ReadBlobLong(image);
+ viff_info.color_space_model=ReadBlobLong(image);
for (i=0; i < 420; i++)
(void) ReadBlobByte(image);
image->columns=viff_info.rows;
@@ -642,7 +620,7 @@ static Image *ReadVIFFImage(const ImageI
}
if ((image->columns % 8) != 0)
{
- for (bit=0; bit < (ssize_t) (image->columns % 8); bit++)
+ for (bit=0; bit < (int) (image->columns % 8); bit++)
if (GetPixelLuma(image,q) < (QuantumRange/2.0))
{
quantum=(size_t) GetPixelIndex(indexes+x+bit);
@@ -953,7 +937,6 @@ static MagickBooleanType WriteVIFFImage(
y;
unsigned char
- buffer[8],
*pixels;
ViffInfo
@@ -1016,7 +999,7 @@ RestoreMSCWarning
/*
Full color VIFF raster.
*/
- viff_info.number_data_bands=image->matte ? 4UL : 3UL;
+ viff_info.number_data_bands=image->matte ? 4U : 3U;
viff_info.color_space_model=VFF_CM_genericRGB;
viff_info.data_storage_type=VFF_TYP_1_BYTE;
packets=viff_info.number_data_bands*number_pixels;
@@ -1050,24 +1033,27 @@ RestoreMSCWarning
/*
Write VIFF image header (pad to 1024 bytes).
*/
- buffer[0]=(unsigned char) viff_info.identifier;
- buffer[1]=(unsigned char) viff_info.file_type;
- buffer[2]=(unsigned char) viff_info.release;
- buffer[3]=(unsigned char) viff_info.version;
- buffer[4]=(unsigned char) viff_info.machine_dependency;
- buffer[5]=(unsigned char) viff_info.reserve[0];
- buffer[6]=(unsigned char) viff_info.reserve[1];
- buffer[7]=(unsigned char) viff_info.reserve[2];
- (void) WriteBlob(image,8,buffer);
+ (void) WriteBlob(image,sizeof(viff_info.identifier),(unsigned char *)
+ &viff_info.identifier);
+ (void) WriteBlob(image,sizeof(viff_info.file_type),(unsigned char *)
+ &viff_info.file_type);
+ (void) WriteBlob(image,sizeof(viff_info.release),(unsigned char *)
+ &viff_info.release);
+ (void) WriteBlob(image,sizeof(viff_info.version),(unsigned char *)
+ &viff_info.version);
+ (void) WriteBlob(image,sizeof(viff_info.machine_dependency),
+ (unsigned char *) &viff_info.machine_dependency);
+ (void) WriteBlob(image,sizeof(viff_info.reserve),(unsigned char *)
+ viff_info.reserve);
(void) WriteBlob(image,512,(unsigned char *) viff_info.comment);
(void) WriteBlobMSBLong(image,(unsigned int) viff_info.rows);
(void) WriteBlobMSBLong(image,(unsigned int) viff_info.columns);
(void) WriteBlobMSBLong(image,(unsigned int) viff_info.subrows);
(void) WriteBlobMSBLong(image,(unsigned int) viff_info.x_offset);
(void) WriteBlobMSBLong(image,(unsigned int) viff_info.y_offset);
- viff_info.x_bits_per_pixel=1U*(63 << 24) | (128 << 16);
+ viff_info.x_bits_per_pixel=(unsigned int) ((63 << 24) | (128 << 16));
(void) WriteBlobMSBLong(image,(unsigned int) viff_info.x_bits_per_pixel);
- viff_info.y_bits_per_pixel=1U*(63 << 24) | (128 << 16);
+ viff_info.y_bits_per_pixel=(unsigned int) ((63 << 24) | (128 << 16));
(void) WriteBlobMSBLong(image,(unsigned int) viff_info.y_bits_per_pixel);
(void) WriteBlobMSBLong(image,viff_info.location_type);
(void) WriteBlobMSBLong(image,viff_info.location_dimension);
