File ImageMagick-CVE-2016-7514.patch of Package ImageMagick.9293
From 4b1fba0af7c54b9da3681b57087e370839e4ac7f Mon Sep 17 00:00:00 2001
From: dirk <dirk@git.imagemagick.org>
Date: Fri, 15 Jan 2016 01:13:30 +0100
Subject: [PATCH] Fixed overflow.
---
coders/psd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Index: ImageMagick-6.8.8-1/coders/psd.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/psd.c 2016-09-30 13:52:03.833761216 +0200
+++ ImageMagick-6.8.8-1/coders/psd.c 2016-09-30 13:56:38.342270544 +0200
@@ -630,6 +630,75 @@ static CompositeOperator PSDBlendModeToC
return(OverCompositeOp);
}
+static inline void SetPSDPixel(Image *image,const size_t channels,
+ const ssize_t type,const size_t packet_size,const Quantum pixel,
+ PixelPacket *q,IndexPacket *indexes,ssize_t x,ExceptionInfo *exception)
+{
+ if (image->storage_class == PseudoClass)
+ {
+ if (packet_size == 1)
+ SetPixelIndex(indexes+x,ScaleQuantumToChar(pixel));
+ else
+ SetPixelIndex(indexes+x,ScaleQuantumToShort(pixel));
+ SetPixelRGBO(q,image->colormap+(ssize_t)
+ ConstrainColormapIndex(image,GetPixelIndex(indexes+x)));
+ return;
+ }
+ switch (type)
+ {
+ case -1:
+ {
+ SetPixelAlpha(q,pixel);
+ break;
+ }
+ case -2:
+ case 0:
+ {
+ SetPixelRed(q,pixel);
+ if (channels == 1 || type == -2)
+ {
+ SetPixelGreen(q,GetPixelRed(q));
+ SetPixelBlue(q,GetPixelRed(q));
+ }
+ break;
+ }
+ case 1:
+ {
+ if (image->storage_class == PseudoClass)
+ SetPixelAlpha(q,pixel);
+ else
+ SetPixelGreen(q,pixel);
+ break;
+ }
+ case 2:
+ {
+ if (image->storage_class == PseudoClass)
+ SetPixelAlpha(q,pixel);
+ else
+ SetPixelBlue(q,pixel);
+ break;
+ }
+ case 3:
+ {
+ if (image->colorspace == CMYKColorspace)
+ SetPixelIndex(indexes+x,pixel);
+ else
+ if (image->matte != MagickFalse)
+ SetPixelAlpha(q,pixel);
+ break;
+ }
+ case 4:
+ {
+ if ((IssRGBCompatibleColorspace(image->colorspace) != MagickFalse) &&
+ (channels > 3))
+ break;
+ if (image->matte != MagickFalse)
+ SetPixelAlpha(q,pixel);
+ break;
+ }
+ }
+}
+
static MagickStatusType ReadPSDChannelPixels(Image *image,
const size_t channels,const size_t row,const ssize_t type,
const unsigned char *pixels,ExceptionInfo *exception)
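Review bot: The PseudoClass early return at the top of SetPSDPixel ignores `type`, so for a colormapped image every channel, including alpha (`type == -1`), is written as a colormap index, where the removed code did this only under `case 0`. It also makes the `image->storage_class == PseudoClass` tests in `case 1` and `case 2` unreachable, and the `exception` parameter is never used. If per-channel handling is still intended, gate the branch as `if ((image->storage_class == PseudoClass) && (type == 0))`; otherwise drop the dead tests and restore the `default: break;` the old switch had. Keep the ConstrainColormapIndex() call either way, since it is what bounds the colormap lookup.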
@@ -670,89 +739,28 @@ static MagickStatusType ReadPSDChannelPi
p=PushShortPixel(MSBEndian,p,&nibble);
pixel=ScaleShortToQuantum(nibble);
}
- switch (type)
- {
- case -1:
- {
- SetPixelAlpha(q,pixel);
- break;
- }
- case 0:
- {
- SetPixelRed(q,pixel);
- if (channels == 1)
- {
- SetPixelGreen(q,GetPixelRed(q));
- SetPixelBlue(q,GetPixelRed(q));
- }
- if (image->storage_class == PseudoClass)
- {
- if (packet_size == 1)
- SetPixelIndex(indexes+x,ScaleQuantumToChar(pixel));
- else
- SetPixelIndex(indexes+x,ScaleQuantumToShort(pixel));
- SetPixelRGBO(q,image->colormap+(ssize_t)
- ConstrainColormapIndex(image,GetPixelIndex(indexes+x)));
- if (image->depth == 1)
- {
- ssize_t
- bit,
- number_bits;
-
- number_bits=image->columns-x;
- if (number_bits > 8)
- number_bits=8;
- for (bit=0; bit < number_bits; bit++)
- {
- SetPixelIndex(indexes+x,(((unsigned char) pixel) &
- (0x01 << (7-bit))) != 0 ? 0 : 255);
- SetPixelRGBO(q,image->colormap+(ssize_t)
- GetPixelIndex(indexes+x));
- q++;
- x++;
- }
- }
- }
- break;
- }
- case 1:
+ if (image->depth > 1)
{
- if (image->storage_class == PseudoClass)
- SetPixelAlpha(q,pixel);
- else
- SetPixelGreen(q,pixel);
- break;
+ SetPSDPixel(image,channels,type,packet_size,pixel,q++,indexes,x,exception);
}
- case 2:
- {
- if (image->storage_class == PseudoClass)
- SetPixelAlpha(q,pixel);
- else
- SetPixelBlue(q,pixel);
- break;
- }
- case 3:
- {
- if (image->colorspace == CMYKColorspace)
- SetPixelIndex(indexes+x,pixel);
- else
- if (image->matte != MagickFalse)
- SetPixelAlpha(q,pixel);
- break;
- }
- case 4:
+ else
{
- if ((IssRGBCompatibleColorspace(image->colorspace) != MagickFalse) &&
- (channels > 3))
- break;
- if (image->matte != MagickFalse)
- SetPixelAlpha(q,pixel);
- break;
+ ssize_t
+ bit,
+ number_bits;
+
+ number_bits=image->columns-x;
+ if (number_bits > 8)
+ number_bits=8;
+ for (bit=0; bit < number_bits; bit++)
+ {
+ SetPSDPixel(image,channels,type,packet_size,pixel,q++,indexes,x++,
+ exception);
+ }
+ if (x != image->columns)
+ x--;
+ continue;
}
- default:
- break;
- }
- q++;
}
return(SyncAuthenticPixels(image,exception));
}
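Review bot: The new 1-bit loop passes the whole `pixel` byte to SetPSDPixel on each of its up to eight iterations, so the per-bit mask from the removed loop is gone and all eight output pixels receive the same value. Unless that is deliberate, pass the masked value as the fifth argument: `SetPSDPixel(image,channels,type,packet_size,(((unsigned char) pixel) & (0x01 << (7-bit))) != 0 ? 0 : 255,q++,indexes,x++,exception);`. Separately, `if (x != image->columns)` compares what appears to be a signed `x` with the unsigned `columns`; writing `(ssize_t) image->columns` makes the intent explicit. The function and its loop header start outside the hunk, so how `x` advances after the `continue` could not be checked here.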
@@ -1725,6 +1733,8 @@ static Image *ReadPSDImage(const ImageIn
image->matte=MagickFalse;
}
}
+ if ((image->depth == 1) && (image->storage_class != PseudoClass))
+ ThrowReaderException(CorruptImageError, "ImproperImageHeader");
length=ReadBlobMSBLong(image);
if (length != 0)
{
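Review bot: This guard has no comment saying which invariant it protects, and it needs one because the code that depends on it lives in a different function. From the other hunks it looks like ReadPSDChannelPixels now expands `depth == 1` data eight pixels at a time on the assumption that the image is colormapped. A comment such as `/* 1-bit data is only decoded through the colormap path in ReadPSDChannelPixels */` would keep the two in step. The space after the comma in `CorruptImageError, "ImproperImageHeader"` also departs from the call style used in the other hunks. ReadPSDImage continues outside the hunk.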
@@ -2153,8 +2163,8 @@ static MagickBooleanType WriteImageChann
compact_pixels=(unsigned char *) NULL;
if (next_image->compression == RLECompression)
{
- compact_pixels=(unsigned char *) AcquireQuantumMemory(2*channels*
- next_image->columns,packet_size*sizeof(*compact_pixels));
+ compact_pixels=(unsigned char *) AcquireQuantumMemory((2*channels*
+ next_image->columns)+1,packet_size*sizeof(*compact_pixels));
if (compact_pixels == (unsigned char *) NULL)
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
}
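Review bot: The `+1` is unexplained slack: nothing in the hunk says which worst-case RLE output size it is meant to cover. Because it is added to the element count, it grows the buffer by `packet_size` bytes rather than one. A comment stating the maximum number of bytes the RLE writer can emit per row would let a reviewer check the bound instead of trusting it. The product `2*channels*next_image->columns` is also evaluated before AcquireQuantumMemory sees it, so any overflow check inside the allocator would not cover that multiplication; an explicit check on it would close the gap. WriteImageChannels continues outside the hunk.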