File ImageMagick-6.2.3-CVE-2007-4986.patch of Package ImageMagick
diff -r 0b40602aff9a coders/dcm.c
--- a/coders/dcm.c Fri Sep 28 04:42:08 2007 -0800
+++ b/coders/dcm.c Fri Sep 28 04:54:16 2007 -0800
@@ -3041,8 +3041,7 @@ static Image *ReadDCMImage(const ImageIn
break;
colors=(unsigned long) (length/bytes_per_pixel);
datum=(long) colors;
- graymap=(unsigned short *)
- AcquireMagickMemory((size_t) colors*sizeof(*graymap));
+ graymap=(unsigned short *) AcquireQuantumMemory((size_t) colors,sizeof(*graymap));
if (graymap == (unsigned short *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
for (i=0; i < (long) colors; i++)
@@ -3202,8 +3201,7 @@ static Image *ReadDCMImage(const ImageIn
/*
Compute pixel scaling table.
*/
- scale=(Quantum *)
- AcquireMagickMemory((size_t) (max_value+1)*sizeof(*scale));
+ scale=(Quantum *) AcquireQuantumMemory(length,sizeof(*scale));
if (scale == (Quantum *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
for (i=0; i <= (long) max_value; i++)
diff -r 0b40602aff9a coders/dib.c
--- a/coders/dib.c Fri Sep 28 04:42:08 2007 -0800
+++ b/coders/dib.c Fri Sep 28 04:54:16 2007 -0800
@@ -607,8 +608,9 @@ static Image *ReadDIBImage(const ImageIn
dib_info.bits_per_pixel<<=1;
bytes_per_line=4*((image->columns*dib_info.bits_per_pixel+31)/32);
length=bytes_per_line*image->rows;
- pixels=(unsigned char *) AcquireMagickMemory((size_t)
- Max(bytes_per_line,image->columns+256)*image->rows*sizeof(*pixels));
+#define MagickMax(x,y) (((x) > (y)) ? (x) : (y))
+ pixels=(unsigned char *) AcquireQuantumMemory((size_t) image->rows,
+ MagickMax(bytes_per_line,image->columns+256)*sizeof(*pixels));
if (pixels == (unsigned char *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
if ((dib_info.compression == 0) || (dib_info.compression == 3))
@@ -1059,7 +1060,8 @@ static MagickBooleanType WriteDIBImage(c
/*
Convert MIFF to DIB raster pixels.
*/
- pixels=(unsigned char *) AcquireMagickMemory(dib_info.image_size);
+ pixels=(unsigned char *) AcquireQuantumMemory(dib_info.image_size,
+ sizeof(*pixels));
if (pixels == (unsigned char *) NULL)
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
(void) ResetMagickMemory(pixels,0,dib_info.image_size);
@@ -1190,7 +1192,8 @@ static MagickBooleanType WriteDIBImage(c
Convert run-length encoded raster pixels.
*/
length=2*(bytes_per_line+2)*(image->rows+2)+2;
- dib_data=(unsigned char *) AcquireMagickMemory(length);
+ dib_data=(unsigned char *) AcquireQuantumMemory(length,
+ sizeof(*dib_data));
if (pixels == (unsigned char *) NULL)
{
pixels=(unsigned char *) RelinquishMagickMemory(pixels);
diff -r 0b40602aff9a coders/xbm.c
--- a/coders/xbm.c Fri Sep 28 04:42:08 2007 -0800
+++ b/coders/xbm.c Fri Sep 28 04:54:16 2007 -0800
@@ -185,6 +185,8 @@ static Image *ReadXBMImage(const ImageIn
short int
hex_digits[256];
+
+ size_t length;
unsigned char
*data;
@@ -261,15 +263,6 @@ static Image *ReadXBMImage(const ImageIn
Initialize image structure.
*/
if (AllocateImageColormap(image,image->colors) == MagickFalse)
- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
- padding=0;
- if (((image->columns % 16) != 0) &&
- ((image->columns % 16) < 9) && (version == 10))
- padding=1;
- bytes_per_line=(image->columns+7)/8+padding;
- data=(unsigned char *)
- AcquireMagickMemory((size_t) bytes_per_line*image->rows);
- if (data == (unsigned char *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
/*
Initialize colormap.
@@ -319,6 +312,16 @@ static Image *ReadXBMImage(const ImageIn
/*
Read hex image data.
*/
+ padding=0;
+ if (((image->columns % 16) != 0) &&
+ ((image->columns % 16) < 9) && (version == 10))
+ padding=1;
+ bytes_per_line=(image->columns+7)/8+padding;
+ length=(size_t) image->rows;
+ data=(unsigned char *) AcquireQuantumMemory(length,bytes_per_line*
+ sizeof(*data));
+ if (data == (unsigned char *) NULL)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
p=data;
if (version == 10)
for (i=0; i < (long) (bytes_per_line*image->rows); (i+=2))
diff -r 0b40602aff9a coders/xcf.c
--- a/coders/xcf.c Fri Sep 28 04:42:08 2007 -0800
+++ b/coders/xcf.c Fri Sep 28 04:54:16 2007 -0800
@@ -305,7 +305,8 @@ static int load_tile (Image* image, Imag
XCFPixelPacket *xcfdata, *xcfodata;
unsigned char *graydata;
- xcfdata = xcfodata = (XCFPixelPacket *) AcquireMagickMemory(data_length);
+ xcfdata = xcfodata = (XCFPixelPacket *) AcquireQuantumMemory(data_length,
+ sizeof(*xcfdata));
graydata = (unsigned char *)xcfdata; /* used by gray and indexed */
nmemb_read_successfully = ReadBlob(image, data_length, (unsigned char *) xcfdata);
@@ -352,8 +353,8 @@ static int load_tile_rle (Image* image,
bpp = (int) inDocInfo->bpp;
- xcfdata = xcfodata = (unsigned char *)
- AcquireMagickMemory((size_t) data_length);
+ xcfdata = xcfodata = (unsigned char *) AcquireQuantumMemory((size_t)
+ data_length,sizeof(*xcfdata));
nmemb_read_successfully = ReadBlob(image, (size_t) data_length, xcfdata);
@@ -1154,8 +1155,9 @@ static Image *ReadXCFImage(const ImageIn
/* allocate our array of layer info blocks */
- layer_info=(XCFLayerInfo *)
- AcquireMagickMemory(number_layers*sizeof(XCFLayerInfo));
+ size_t length=(size_t) number_layers;
+ layer_info=(XCFLayerInfo *) AcquireQuantumMemory(length,
+ sizeof(*layer_info));
if (layer_info == (XCFLayerInfo *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
(void) ResetMagickMemory(layer_info,0,number_layers*sizeof(XCFLayerInfo));
diff -r 0b40602aff9a coders/xwd.c
--- a/coders/xwd.c Fri Sep 28 04:42:08 2007 -0800
+++ b/coders/xwd.c Fri Sep 28 04:54:16 2007 -0800
@@ -143,6 +143,9 @@ static MagickBooleanType IsXWD(const uns
*/
static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
{
+#define CheckOverflowException(length,width,height) \
+ (((height) != 0) && ((length)/((size_t) height) != ((size_t) width)))
+
char
*comment;
@@ -325,7 +327,7 @@ static Image *ReadXWDImage(const ImageIn
length=(size_t) ximage->bytes_per_line*ximage->height;
else
length=(size_t) ximage->bytes_per_line*ximage->height*ximage->depth;
- ximage->data=(char *) AcquireMagickMemory(length);
+ ximage->data=(char *) AcquireQuantumMemory(length,sizeof(*ximage->data));
if (ximage->data == (char *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
count=ReadBlob(image,length,(unsigned char *) ximage->data);
@@ -341,6 +343,11 @@ static Image *ReadXWDImage(const ImageIn
image->storage_class=DirectClass;
else
image->storage_class=PseudoClass;
+ if (SetImageExtent(image,0,0) == MagickFalse)
+ {
+ InheritException(exception,&image->exception);
+ return(DestroyImageList(image));
+ }
image->colors=header.ncolors;
if (image_info->ping == MagickFalse)
switch (image->storage_class)
@@ -710,8 +717,8 @@ static MagickBooleanType WriteXWDImage(c
/*
Dump colormap to file.
*/
- colors=(XColor *)
- AcquireMagickMemory((size_t) image->colors*sizeof(*colors));
+ colors=(XColor *) AcquireQuantumMemory((size_t) image->colors,
+ sizeof(*colors));
if (colors == (XColor *) NULL)
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
for (i=0; i < (long) image->colors; i++)
@@ -747,7 +754,7 @@ static MagickBooleanType WriteXWDImage(c
length=3*bytes_per_line;
if (image->storage_class == PseudoClass)
length=bytes_per_line;
- pixels=(unsigned char *) AcquireMagickMemory(length);
+ pixels=(unsigned char *) AcquireQuantumMemory(length,sizeof(*pixels));
if (pixels == (unsigned char *) NULL)
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
/*
diff -urp ImageMagick-6.2.8.orig/coders/dib.c ImageMagick-6.2.8/coders/dib.c
--- ImageMagick-6.2.8.orig/coders/dib.c 2007-12-06 20:36:05.000000000 +0000
+++ ImageMagick-6.2.8/coders/dib.c 2007-12-06 20:37:20.000000000 +0000
@@ -1272,8 +1272,8 @@ static MagickBooleanType WriteDIBImage(c
/*
Dump colormap to file.
*/
- dib_colormap=(unsigned char *) AcquireMagickMemory((size_t)
- (4*(1 << dib_info.bits_per_pixel)));
+ dib_colormap=(unsigned char *) AcquireQuantumMemory((size_t)
+ (1UL << dib_info.bits_per_pixel),4*sizeof(dib_colormap));
if (dib_colormap == (unsigned char *) NULL)
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
q=dib_colormap;
diff -urp ImageMagick-6.2.8.orig/coders/xwd.c ImageMagick-6.2.8/coders/xwd.c
--- ImageMagick-6.2.8.orig/coders/xwd.c 2007-12-06 20:36:05.000000000 +0000
+++ ImageMagick-6.2.8/coders/xwd.c 2007-12-06 20:39:01.000000000 +0000
@@ -241,7 +241,7 @@ static Image *ReadXWDImage(const ImageIn
comment=(char *) AcquireMagickMemory(length+MaxTextExtent);
if (length > ((~0UL)/sizeof(*comment)))
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
- comment=(char *) AcquireMagickMemory((length+1)*sizeof(*comment));
+ comment=(char *) AcquireQuantumMemory(length+1,sizeof(*comment));
if (comment == (char *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
count=ReadBlob(image,length,(unsigned char *) comment);
@@ -287,7 +287,7 @@ static Image *ReadXWDImage(const ImageIn
length=(size_t) header.ncolors;
if (length > ((~0UL)/sizeof(*colors)))
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
- colors=(XColor *) AcquireMagickMemory(length*sizeof(*colors));
+ colors=(XColor *) AcquireQuantumMemory(length,sizeof(*colors));
if (colors == (XColor *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
for (i=0; i < (long) header.ncolors; i++)
