Overview

File ImageMagick-CVE-2020-25675.patch of Package ImageMagick.28258

Index: ImageMagick-7.0.7-34/MagickCore/transform.c
===================================================================
--- ImageMagick-7.0.7-34.orig/MagickCore/transform.c	2018-05-20 17:55:43.000000000 +0200
+++ ImageMagick-7.0.7-34/MagickCore/transform.c	2020-12-09 16:59:43.350314051 +0100
@@ -762,14 +762,23 @@ MagickExport Image *CropImage(const Imag
 %
 */
 
-static inline double MagickRound(double x)
+static inline double ConstrainPixelOffset(double x)
+{
+  if (x < (double) -(SSIZE_MAX-512))
+    return((double) -(SSIZE_MAX-512));
+  if (x > (double) (SSIZE_MAX-512))
+    return((double) (SSIZE_MAX-512));
+  return(x);
+}
+
+static inline ssize_t PixelRoundOffset(double x)
 {
   /*
     Round the fraction to nearest integer.
   */
   if ((x-floor(x)) < (ceil(x)-x))
-    return(floor(x));
-  return(ceil(x));
+    return((ssize_t) floor(ConstrainPixelOffset(x)));
+  return((ssize_t) ceil(ConstrainPixelOffset(x)));
 }
 
 MagickExport Image *CropImageToTiles(const Image *image,
@@ -834,18 +843,18 @@ MagickExport Image *CropImageToTiles(con
       {
         if ((flags & AspectValue) == 0)
           {
-            crop.y=(ssize_t) MagickRound((double) (offset.y-
+            crop.y=PixelRoundOffset((double) (offset.y-
               (geometry.y > 0 ? 0 : geometry.y)));
             offset.y+=delta.y;   /* increment now to find width */
-            crop.height=(size_t) MagickRound((double) (offset.y+
+            crop.height=(size_t) PixelRoundOffset((double) (offset.y+
               (geometry.y < 0 ? 0 : geometry.y)));
           }
         else
           {
-            crop.y=(ssize_t) MagickRound((double) (offset.y-
+            crop.y=PixelRoundOffset((double) (offset.y-
               (geometry.y > 0 ? geometry.y : 0)));
             offset.y+=delta.y;  /* increment now to find width */
-            crop.height=(size_t) MagickRound((double)
+            crop.height=(size_t) PixelRoundOffset((double)
               (offset.y+(geometry.y < -1 ? geometry.y : 0)));
           }
         crop.height-=crop.y;
@@ -854,18 +863,18 @@ MagickExport Image *CropImageToTiles(con
         {
           if ((flags & AspectValue) == 0)
             {
-              crop.x=(ssize_t) MagickRound((double) (offset.x-
+              crop.x=PixelRoundOffset((double) (offset.x-
                 (geometry.x > 0 ? 0 : geometry.x)));
               offset.x+=delta.x;  /* increment now to find height */
-              crop.width=(size_t) MagickRound((double) (offset.x+
+              crop.width=(size_t) PixelRoundOffset((double) (offset.x+
                 (geometry.x < 0 ? 0 : geometry.x)));
             }
           else
             {
-              crop.x=(ssize_t) MagickRound((double) (offset.x-
+              crop.x=PixelRoundOffset((double) (offset.x-
                 (geometry.x > 0 ? geometry.x : 0)));
               offset.x+=delta.x;  /* increment now to find height */
-              crop.width=(size_t) MagickRound((double) (offset.x+
+              crop.width=(size_t) PixelRoundOffset((double) (offset.x+
                 (geometry.x < 0 ? geometry.x : 0)));
             }
           crop.width-=crop.x;
openSUSE Build Service is sponsored by
Places