Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:netmax:distribution:CentOS_5
ImageMagick
ImageMagick-6.2.8-CVE-2007-1797.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File ImageMagick-6.2.8-CVE-2007-1797.patch of Package ImageMagick
Fix for CVE-2007-1797 (possible heap overflows in ImageMagick DCM and XWD coders) backported from SVN. -- lkundrak@redhat.com Applies against: FC6 (6.2.8.0-3.fc6.1) FC5 (6.2.5.4-4.2.1.fc5.7) RHEL5 (6.2.8.0-3.el5.4) RHEL4 (6.0.7.1-17) --- coders/dcm.c.orig 2007-04-03 18:27:57.000000000 +0200 +++ coders/dcm.c 2007-04-03 18:31:16.000000000 +0200 @@ -2902,6 +2902,8 @@ static Image *ReadDCMImage(const ImageIn { data=(unsigned char *) AcquireMagickMemory((size_t) quantum*(length+1)); + if (length > ((~0UL)/quantum)) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); if (data == (unsigned char *) NULL) ThrowReaderException(ResourceLimitError, "MemoryAllocationFailed"); --- coders/xwd.c.orig 2007-04-03 19:21:18.000000000 +0200 +++ coders/xwd.c 2007-04-03 19:24:36.000000000 +0200 @@ -236,6 +236,9 @@ static Image *ReadXWDImage(const ImageIn ThrowReaderException(CorruptImageError,"CorruptImage"); length=(size_t) header.header_size-sz_XWDheader; comment=(char *) AcquireMagickMemory(length+MaxTextExtent); + if (length > ((~0UL)/sizeof(*comment))) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + comment=(char *) AcquireMagickMemory((length+1)*sizeof(*comment)); if (comment == (char *) NULL) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); count=ReadBlob(image,length,(unsigned char *) comment); @@ -278,8 +281,10 @@ static Image *ReadXWDImage(const ImageIn XWDColor color; - colors=(XColor *) - AcquireMagickMemory((size_t) header.ncolors*sizeof(*colors)); + length=(size_t) header.ncolors; + if (length > ((~0UL)/sizeof(*colors))) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + colors=(XColor *) AcquireMagickMemory(length*sizeof(*colors)); if (colors == (XColor *) NULL) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); for (i=0; i < (long) header.ncolors; i++)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor