File ImageMagick-CVE-2018-16644.patch of Package ImageMagick.9105
Index: ImageMagick-6.8.8-1/coders/pict.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/pict.c 2018-09-10 14:27:47.235975919 +0200
+++ ImageMagick-6.8.8-1/coders/pict.c 2018-09-10 14:27:48.047980070 +0200
@@ -946,6 +946,9 @@ static Image *ReadPICTImage(const ImageI
Clipping rectangle.
*/
length=ReadBlobMSBShort(image);
+ if (length > GetBlobSize(image))
+ ThrowPICTException(CorruptImageError,
+ "InsufficientImageDataInFile");
if (length != 0x000a)
{
for (i=0; i < (ssize_t) (length-2); i++)
@@ -987,6 +990,9 @@ static Image *ReadPICTImage(const ImageI
if (pattern != 1)
ThrowReaderException(CorruptImageError,"UnknownPatternType");
length=ReadBlobMSBShort(image);
+ if (length > GetBlobSize(image))
+ ThrowPICTException(CorruptImageError,
+ "InsufficientImageDataInFile");
if (ReadRectangle(image,&frame) == MagickFalse)
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
if (ReadPixmap(image,&pixmap) == MagickFalse)
@@ -998,6 +1004,9 @@ static Image *ReadPICTImage(const ImageI
(void) ReadBlobMSBLong(image);
flags=1L*ReadBlobMSBShort(image);
length=ReadBlobMSBShort(image);
+ if (length > GetBlobSize(image))
+ ThrowPICTException(CorruptImageError,
+ "InsufficientImageDataInFile");
for (i=0; i <= (ssize_t) length; i++)
(void) ReadBlobMSBLong(image);
width=1UL*(frame.bottom-frame.top);
@@ -1049,6 +1058,9 @@ static Image *ReadPICTImage(const ImageI
Skip polygon or region.
*/
length=ReadBlobMSBShort(image);
+ if (length > GetBlobSize(image))
+ ThrowPICTException(CorruptImageError,
+ "InsufficientImageDataInFile");
for (i=0; i < (ssize_t) (length-2); i++)
(void) ReadBlobByte(image);
break;
@@ -1182,6 +1194,9 @@ static Image *ReadPICTImage(const ImageI
Skip region.
*/
length=ReadBlobMSBShort(image);
+ if (length > GetBlobSize(image))
+ ThrowPICTException(CorruptImageError,
+ "InsufficientImageDataInFile");
for (i=0; i < (ssize_t) (length-2); i++)
(void) ReadBlobByte(image);
}
@@ -1310,6 +1325,9 @@ static Image *ReadPICTImage(const ImageI
*/
type=ReadBlobMSBShort(image);
length=ReadBlobMSBShort(image);
+ if (length > GetBlobSize(image))
+ ThrowPICTException(CorruptImageError,
+ "InsufficientImageDataInFile");
if (length == 0)
break;
(void) ReadBlobMSBLong(image);
@@ -1421,6 +1439,9 @@ static Image *ReadPICTImage(const ImageI
return((Image *) NULL);
}
length=ReadBlobMSBLong(image);
+ if (length > GetBlobSize(image))
+ ThrowPICTException(CorruptImageError,
+ "InsufficientImageDataInFile");
for (i=0; i < 6; i++)
(void) ReadBlobMSBLong(image);
if (ReadRectangle(image,&frame) == MagickFalse)
@@ -1464,6 +1485,9 @@ static Image *ReadPICTImage(const ImageI
Skip reserved.
*/
length=ReadBlobMSBShort(image);
+ if (length > GetBlobSize(image))
+ ThrowPICTException(CorruptImageError,
+ "InsufficientImageDataInFile");
for (i=0; i < (ssize_t) length; i++)
(void) ReadBlobByte(image);
continue;
@@ -1474,6 +1498,9 @@ static Image *ReadPICTImage(const ImageI
Skip reserved.
*/
length=(size_t) ((code >> 7) & 0xff);
+ if (length > GetBlobSize(image))
+ ThrowPICTException(CorruptImageError,
+ "InsufficientImageDataInFile");
for (i=0; i < (ssize_t) length; i++)
(void) ReadBlobByte(image);
continue;
Index: ImageMagick-6.8.8-1/coders/dcm.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/dcm.c 2018-09-10 14:27:47.379976656 +0200
+++ ImageMagick-6.8.8-1/coders/dcm.c 2018-09-10 14:28:16.372124858 +0200
@@ -3599,6 +3599,8 @@ static Image *ReadDCMImage(const ImageIn
tag=(ReadBlobLSBShort(image) << 16) | ReadBlobLSBShort(image);
length=(size_t) ReadBlobLSBLong(image);
+ if (length > (size_t) GetBlobSize(image))
+ ThrowDCMException(CorruptImageError,"InsufficientImageDataInFile");
if (tag == 0xFFFEE0DD)
break; /* sequence delimiter tag */
if (tag != 0xFFFEE000)
