File ImageMagick-CVE-2015-8958,CVE-2016-7518.patch of Package ImageMagick.3560
From a09637681647e141a130b8a4e24100ebe81646ab Mon Sep 17 00:00:00 2001
From: cristy <urban-warrior@git.imagemagick.org>
Date: Sat, 10 Jan 2015 14:09:41 +0000
Subject: [PATCH]
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26857
---
coders/sun.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: ImageMagick-6.8.9-8/coders/sun.c
===================================================================
--- ImageMagick-6.8.9-8.orig/coders/sun.c 2016-10-04 11:57:59.758548080 +0200
+++ ImageMagick-6.8.9-8/coders/sun.c 2016-10-04 11:58:56.655560810 +0200
@@ -17,7 +17,7 @@
% July 1992 %
% %
% %
-% Copyright 1999-2014 ImageMagick Studio LLC, a non-profit organization %
+% Copyright 1999-2016 ImageMagick Studio LLC, a non-profit organization %
% dedicated to making software imaging solutions freely available. %
% %
% You may not use this file except in compliance with the License. You may %
@@ -47,6 +47,7 @@
#include "magick/color.h"
#include "magick/color-private.h"
#include "magick/colormap.h"
+#include "magick/colormap-private.h"
#include "magick/colorspace.h"
#include "magick/colorspace-private.h"
#include "magick/exception.h"
@@ -56,6 +57,7 @@
#include "magick/list.h"
#include "magick/magick.h"
#include "magick/memory_.h"
+#include "magick/memory-private.h"
#include "magick/monitor.h"
#include "magick/monitor-private.h"
#include "magick/pixel-accessor.h"
@@ -76,6 +78,24 @@ static inline ssize_t MagickMax(const ss
static MagickBooleanType
WriteSUNImage(const ImageInfo *,Image *);
+
+static MagickBooleanType HeapOverflowSanityCheck(const size_t count,
+ const size_t quantum)
+{
+ size_t
+ size;
+
+ size=count*quantum;
+ if ((count == 0) || (quantum != (size/count)))
+ {
+ errno=ENOMEM;
+ return(MagickTrue);
+ }
+ return(MagickFalse);
+}
+
+static MagickBooleanType
+ WriteSUNImage(const ImageInfo *,Image *);
/*
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
@@ -145,10 +165,9 @@ static MagickBooleanType IsSUN(const uns
%
*/
static MagickBooleanType DecodeImage(const unsigned char *compressed_pixels,
- const size_t length,unsigned char *pixels,size_t maxpixels)
+ const size_t length,unsigned char *pixels,size_t extent)
{
register const unsigned char
- *l,
*p;
register unsigned char
@@ -165,8 +184,8 @@ static MagickBooleanType DecodeImage(con
assert(pixels != (unsigned char *) NULL);
p=compressed_pixels;
q=pixels;
- l=q+maxpixels;
- while (((size_t) (p-compressed_pixels) < length) && (q < l))
+ while (((size_t) (p-compressed_pixels) < length) &&
+ ((size_t) (q-pixels) < extent))
{
byte=(*p++);
if (byte != 128U)
@@ -174,19 +193,25 @@ static MagickBooleanType DecodeImage(con
else
{
/*
- Runlength-encoded packet: <count><byte>
+ Runlength-encoded packet: <count><byte>.
*/
- count=(ssize_t) (*p++);
+ if (((size_t) (p-compressed_pixels) >= length))
+ break;
+ count=(*p++);
if (count > 0)
- byte=(*p++);
- while ((count >= 0) && (q < l))
+ {
+ if (((size_t) (p-compressed_pixels) >= length))
+ break;
+ byte=(*p++);
+ }
+ while ((count >= 0) && ((size_t) (q-pixels) < extent))
{
*q++=byte;
count--;
}
}
}
- return(MagickTrue);
+ return(((size_t) (q-pixels) == extent) ? MagickTrue : MagickFalse);
}
/*
@@ -263,8 +288,10 @@ static Image *ReadSUNImage(const ImageIn
*p;
size_t
+ bytes_per_line,
extent,
- length;
+ height,
+ pixels_length;
ssize_t
count,
@@ -277,9 +304,6 @@ static Image *ReadSUNImage(const ImageIn
*sun_data,
*sun_pixels;
- unsigned int
- bytes_per_line;
-
/*
Open image file.
*/
@@ -319,13 +343,14 @@ static Image *ReadSUNImage(const ImageIn
extent=sun_info.height*sun_info.width;
if ((sun_info.height != 0) && (sun_info.width != extent/sun_info.height))
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
- if ((sun_info.depth == 0) || (sun_info.depth > 32))
- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
if ((sun_info.type != RT_STANDARD) && (sun_info.type != RT_ENCODED) &&
(sun_info.type != RT_FORMAT_RGB))
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
if ((sun_info.maptype == RMT_NONE) && (sun_info.maplength != 0))
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ if ((sun_info.depth != 1) && (sun_info.depth != 8) &&
+ (sun_info.depth != 24) && (sun_info.depth != 32))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
if ((sun_info.maptype != RMT_NONE) && (sun_info.maptype != RMT_EQUAL_RGB) &&
(sun_info.maptype != RMT_RAW))
ThrowReaderException(CoderError,"ColormapTypeNotSupported");
@@ -338,7 +363,6 @@ static Image *ReadSUNImage(const ImageIn
size_t
one;
- image->storage_class=PseudoClass;
image->colors=sun_info.maplength;
one=1;
if (sun_info.maptype == RMT_NONE)
@@ -411,48 +435,77 @@ static Image *ReadSUNImage(const ImageIn
(void) CloseBlob(image);
return(GetFirstImageInList(image));
}
- if ((sun_info.length*sizeof(*sun_data))/sizeof(*sun_data) !=
- sun_info.length || !sun_info.length)
- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
- number_pixels=(MagickSizeType) image->columns*image->rows;
- if ((sun_info.type != RT_ENCODED) && (sun_info.depth >= 8) &&
- ((number_pixels*((sun_info.depth+7)/8)) > sun_info.length))
+ status=SetImageExtent(image,image->columns,image->rows);
+ if (status == MagickFalse)
+ {
+ InheritException(exception,&image->exception);
+ return(DestroyImageList(image));
+ }
+ if (sun_info.length == 0)
+ ThrowReaderException(ResourceLimitError,"ImproperImageHeader");
+ number_pixels=(MagickSizeType) (image->columns*image->rows);
+ if ((sun_info.type != RT_ENCODED) &&
+ ((number_pixels*sun_info.depth) > (8UL*sun_info.length)))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ if (HeapOverflowSanityCheck(sun_info.width,sun_info.depth) != MagickFalse)
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
bytes_per_line=sun_info.width*sun_info.depth;
- sun_data=(unsigned char *) AcquireQuantumMemory((size_t) MagickMax(
- sun_info.length,bytes_per_line*sun_info.width),sizeof(*sun_data));
+ sun_data=(unsigned char *) AcquireQuantumMemory(sun_info.length,
+ sizeof(*sun_data));
if (sun_data == (unsigned char *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
count=(ssize_t) ReadBlob(image,sun_info.length,sun_data);
if (count != (ssize_t) sun_info.length)
- ThrowReaderException(CorruptImageError,"UnableToReadImageData");
- sun_pixels=sun_data;
- bytes_per_line=0;
- if (sun_info.type == RT_ENCODED)
{
- size_t
- height;
-
- /*
- Read run-length encoded raster pixels.
- */
- height=sun_info.height;
- if ((height == 0) || (sun_info.width == 0) || (sun_info.depth == 0) ||
- ((bytes_per_line/sun_info.depth) != sun_info.width))
- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
- bytes_per_line+=15;
- bytes_per_line<<=1;
- if ((bytes_per_line >> 1) != (sun_info.width*sun_info.depth+15))
- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
- bytes_per_line>>=4;
- sun_pixels=(unsigned char *) AcquireQuantumMemory(height,
- bytes_per_line*sizeof(*sun_pixels));
- if (sun_pixels == (unsigned char *) NULL)
- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
- (void) DecodeImage(sun_data,sun_info.length,sun_pixels,bytes_per_line*
- height);
sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
+ ThrowReaderException(CorruptImageError,"UnableToReadImageData");
+ }
+ height=sun_info.height;
+ if ((height == 0) || (sun_info.width == 0) || (sun_info.depth == 0) ||
+ ((bytes_per_line/sun_info.depth) != sun_info.width))
+ {
+ sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
+ ThrowReaderException(ResourceLimitError,"ImproperImageHeader");
+ }
+ bytes_per_line+=15;
+ bytes_per_line<<=1;
+ if ((bytes_per_line >> 1) != (sun_info.width*sun_info.depth+15))
+ {
+ sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
+ ThrowReaderException(ResourceLimitError,"ImproperImageHeader");
+ }
+ bytes_per_line>>=4;
+ if (HeapOverflowSanityCheck(height,bytes_per_line) != MagickFalse)
+ {
+ sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
+ ThrowReaderException(ResourceLimitError,"ImproperImageHeader");
}
+ pixels_length=height*(MagickMax(image->columns,bytes_per_line)+1);
+ sun_pixels=(unsigned char *) AcquireQuantumMemory(pixels_length,
+ sizeof(*sun_pixels));
+ if (sun_pixels == (unsigned char *) NULL)
+ {
+ sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ }
+ ResetMagickMemory(sun_pixels,0,pixels_length*sizeof(*sun_pixels));
+ if (sun_info.type == RT_ENCODED)
+ {
+ status=DecodeImage(sun_data,sun_info.length,sun_pixels,pixels_length);
+ if (status == MagickFalse)
+ ThrowReaderException(CorruptImageError,"UnableToReadImageData");
+ }
+ else
+ {
+ if (sun_info.length > pixels_length)
+ {
+ sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
+ sun_pixels=(unsigned char *) RelinquishMagickMemory(sun_pixels);
+ ThrowReaderException(ResourceLimitError,"ImproperImageHeader");
+ }
+ (void) CopyMagickMemory(sun_pixels,sun_data,sun_info.length);
+ }
+ sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
/*
Convert SUN raster image to pixel packets.
*/
@@ -491,11 +544,6 @@ static Image *ReadSUNImage(const ImageIn
else
if (image->storage_class == PseudoClass)
{
- length=image->rows*(image->columns+image->columns % 2);
- if (((sun_info.type == RT_ENCODED) &&
- (length > (bytes_per_line*image->rows))) ||
- ((sun_info.type != RT_ENCODED) && (length > sun_info.length)))
- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
for (y=0; y < (ssize_t) image->rows; y++)
{
q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
@@ -503,7 +551,10 @@ static Image *ReadSUNImage(const ImageIn
break;
indexes=GetAuthenticIndexQueue(image);
for (x=0; x < (ssize_t) image->columns; x++)
- SetPixelIndex(indexes+x,*p++);
+ {
+ SetPixelIndex(indexes+x,ConstrainColormapIndex(image,*p));
+ p++;
+ }
if ((image->columns % 2) != 0)
p++;
if (SyncAuthenticPixels(image,exception) == MagickFalse)
@@ -525,12 +576,6 @@ static Image *ReadSUNImage(const ImageIn
bytes_per_pixel=3;
if (image->matte != MagickFalse)
bytes_per_pixel++;
- length=image->rows*((bytes_per_line*image->columns)+
- image->columns % 2);
- if (((sun_info.type == RT_ENCODED) &&
- (length > (bytes_per_line*image->rows))) ||
- ((sun_info.type != RT_ENCODED) && (length > sun_info.length)))
- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
for (y=0; y < (ssize_t) image->rows; y++)
{
q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
