File ImageMagick-6.2.8-CVE-2007-1797.patch of Package ImageMagick

Overview Repositories Revisions Requests Users Attributes Meta

File ImageMagick-6.2.8-CVE-2007-1797.patch of Package ImageMagick

Fix for CVE-2007-1797 (possible heap overflows in ImageMagick
DCM and XWD coders) backported from SVN. -- lkundrak@redhat.com

Applies against:
	FC6 (6.2.8.0-3.fc6.1)
	FC5 (6.2.5.4-4.2.1.fc5.7)
	RHEL5 (6.2.8.0-3.el5.4)
	RHEL4 (6.0.7.1-17)

--- coders/dcm.c.orig	2007-04-03 18:27:57.000000000 +0200
+++ coders/dcm.c	2007-04-03 18:31:16.000000000 +0200
@@ -2902,6 +2902,8 @@ static Image *ReadDCMImage(const ImageIn
             {
               data=(unsigned char *)
                 AcquireMagickMemory((size_t) quantum*(length+1));
+              if (length > ((~0UL)/quantum))
+                ThrowReaderException(CorruptImageError,"ImproperImageHeader");
               if (data == (unsigned char *) NULL)
                 ThrowReaderException(ResourceLimitError,
                   "MemoryAllocationFailed");
--- coders/xwd.c.orig	2007-04-03 19:21:18.000000000 +0200
+++ coders/xwd.c	2007-04-03 19:24:36.000000000 +0200
@@ -236,6 +236,9 @@ static Image *ReadXWDImage(const ImageIn
     ThrowReaderException(CorruptImageError,"CorruptImage");
   length=(size_t) header.header_size-sz_XWDheader;
   comment=(char *) AcquireMagickMemory(length+MaxTextExtent);
+  if (length > ((~0UL)/sizeof(*comment)))
+    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+  comment=(char *) AcquireMagickMemory((length+1)*sizeof(*comment));
   if (comment == (char *) NULL)
     ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
   count=ReadBlob(image,length,(unsigned char *) comment);
@@ -278,8 +281,10 @@ static Image *ReadXWDImage(const ImageIn
       XWDColor
         color;
 
-      colors=(XColor *)
-        AcquireMagickMemory((size_t) header.ncolors*sizeof(*colors));
+      length=(size_t) header.ncolors;
+      if (length > ((~0UL)/sizeof(*colors)))
+        ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+      colors=(XColor *) AcquireMagickMemory(length*sizeof(*colors));
       if (colors == (XColor *) NULL)
         ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
       for (i=0; i < (long) header.ncolors; i++)

Places

File ImageMagick-6.2.8-CVE-2007-1797.patch of Package ImageMagick

Places