File ImageMagick-CVE-2017-14042.patch of Package ImageMagick.9182

Overview Repositories Revisions Requests Users Attributes Meta

File ImageMagick-CVE-2017-14042.patch of Package ImageMagick.9182

Index: ImageMagick-6.8.8-1/coders/pnm.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/pnm.c	2017-12-13 14:25:46.190970191 +0100
+++ ImageMagick-6.8.8-1/coders/pnm.c	2017-12-13 14:40:00.339091156 +0100
@@ -149,87 +149,90 @@ static inline ssize_t ConstrainPixel(Ima
   return(offset);
 }
 
-static void PNMComment(Image *image)
-{
+static int PNMComment(Image *image)
+{ 
   int
     c;
-
+  
   char
     *comment;
-
+  
   register char
     *p;
-
+  
   size_t
     extent;
-
+  
   /*
     Read comment.
   */
   comment=AcquireString(GetImageProperty(image,"comment"));
-  extent=MaxTextExtent;
   p=comment+strlen(comment);
-  for (c='#'; (c != EOF) && (c != (int) '\n'); p++)
-  {
+  extent=strlen(comment)+MaxTextExtent;
+  for (c='#'; (c != EOF) && (c != (int) '\n') && (c != (int) '\r'); p++)
+  { 
     if ((size_t) (p-comment+1) >= extent)
-      {
+      { 
         extent<<=1;
-        comment=(char *) ResizeQuantumMemory(comment,extent+MaxTextExtent,
-          sizeof(*comment));
+        comment=(char *) ResizeQuantumMemory(comment,extent+MaxTextExtent,
+          sizeof(*comment)); 
         if (comment == (char *) NULL)
           break;
         p=comment+strlen(comment);
       }
     c=ReadBlobByte(image);
     if (c != EOF)
-      {
+      { 
         *p=(char) c;
         *(p+1)='\0';
       }
   }
   if (comment == (char *) NULL)
-    return;
+    return(c);
   (void) SetImageProperty(image,"comment",comment);
   comment=DestroyString(comment);
+  return(c);
 }
 
 static unsigned int PNMInteger(Image *image,const unsigned int base)
-{
+{ 
   int
     c;
-
+  
   unsigned int
     value;
-
+  
   /*
     Skip any leading whitespace.
   */
   do
-  {
+  { 
     c=ReadBlobByte(image);
     if (c == EOF)
       return(0);
     if (c == (int) '#')
-      PNMComment(image);
-  } while (isdigit(c) == MagickFalse);
+      c=PNMComment(image); 
+  } while ((c == ' ') || (c == '\t') || (c == '\n') || (c == '\r'));
   if (base == 2)
     return((unsigned int) (c-(int) '0'));
   /*
     Evaluate number.
   */
   value=0;
-  do
-  {
-    if (value > (unsigned int) (INT_MAX/10))
-      break;
-    value*=10;
-    if (value > (INT_MAX-c))
-      break;
-    value+=c-(int) '0';
+  while (isdigit(c) != 0)
+  { 
+    if (value <= (unsigned int) (INT_MAX/10))
+      { 
+        value*=10;
+        if (value <= (unsigned int) (INT_MAX-(c-(int) '0')))
+          value+=c-(int) '0';
+      }
     c=ReadBlobByte(image);
     if (c == EOF)
-      return(value);
-  } while (isdigit(c) != MagickFalse);
+      return(0);
+  }
+  if (c == (int) '#')
+    c=PNMComment(image);
   return(value);
 }
 
@@ -345,7 +348,7 @@ static Image *ReadPNMImage(const ImageIn
               /*
                 Comment.
               */
-              PNMComment(image);
+              (void) PNMComment(image);
               c=ReadBlobByte(image);
               while (isspace((int) ((unsigned char) c)) != 0)
                 c=ReadBlobByte(image);

Places

File ImageMagick-CVE-2017-14042.patch of Package ImageMagick.9182

Places