File ImageMagick-6.2.5-CVE-2007-4986.patch of Package ImageMagick
--- ImageMagick-6.2.5/coders/dcm.c
+++ ImageMagick-6.2.5/coders/dcm.c
@@ -3042,8 +3042,7 @@
break;
colors=(unsigned long) (length/bytes_per_pixel);
datum=(long) colors;
- graymap=(unsigned short *)
- AcquireMagickMemory((size_t) colors*sizeof(*graymap));
+ graymap=(unsigned short *) AcquireQuantumMemory((size_t) colors,sizeof(*graymap));
if (graymap == (unsigned short *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
for (i=0; i < (long) colors; i++)
@@ -3211,8 +3210,7 @@
/*
Compute pixel scaling table.
*/
- scale=(Quantum *)
- AcquireMagickMemory((size_t) (max_value+1)*sizeof(*scale));
+ scale=(Quantum *) AcquireQuantumMemory(length,sizeof(*scale));
if (scale == (Quantum *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
for (i=0; i <= (long) max_value; i++)
--- ImageMagick-6.2.5/coders/dib.c
+++ ImageMagick-6.2.5/coders/dib.c
@@ -572,7 +572,9 @@
*/
if (AllocateImageColormap(image,image->colors) == MagickFalse)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
- dib_colormap=(unsigned char *) AcquireMagickMemory(4*image->colors);
+ length=(size_t) image->colors;
+ dib_colormap=(unsigned char *) AcquireQuantumMemory(length,
+ 4*sizeof(*dib_colormap));
if (dib_colormap == (unsigned char *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
packet_size=4;
@@ -597,8 +599,8 @@
dib_info.bits_per_pixel<<=1;
bytes_per_line=4*((image->columns*dib_info.bits_per_pixel+31)/32);
length=bytes_per_line*image->rows;
- pixels=(unsigned char *) AcquireMagickMemory((size_t)
- Max(bytes_per_line,image->columns+256)*image->rows*sizeof(*pixels));
+ pixels=(unsigned char *) AcquireQuantumMemory((size_t) image->rows,
+ Max(bytes_per_line,image->columns+256)*sizeof(*pixels));
if (pixels == (unsigned char *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
if ((dib_info.compression == 0) || (dib_info.compression == 3))
@@ -1049,7 +1051,8 @@
/*
Convert MIFF to DIB raster pixels.
*/
- pixels=(unsigned char *) AcquireMagickMemory(dib_info.image_size);
+ pixels=(unsigned char *) AcquireQuantumMemory(dib_info.image_size,
+ sizeof(*pixels));
if (pixels == (unsigned char *) NULL)
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
(void) ResetMagickMemory(pixels,0,dib_info.image_size);
@@ -1180,7 +1183,8 @@
Convert run-length encoded raster pixels.
*/
length=2*(bytes_per_line+2)*(image->rows+2)+2;
- dib_data=(unsigned char *) AcquireMagickMemory(length);
+ dib_data=(unsigned char *) AcquireQuantumMemory(length,
+ sizeof(*dib_data));
if (pixels == (unsigned char *) NULL)
{
pixels=(unsigned char *) RelinquishMagickMemory(pixels);
@@ -1213,8 +1217,8 @@
/*
Dump colormap to file.
*/
- dib_colormap=(unsigned char *)
- AcquireMagickMemory((size_t) (4*(1 << dib_info.bits_per_pixel)));
+ dib_colormap=(unsigned char *) AcquireQuantumMemory((size_t)
+ (1UL << dib_info.bits_per_pixel),4*sizeof(dib_colormap));
if (dib_colormap == (unsigned char *) NULL)
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
q=dib_colormap;
--- ImageMagick-6.2.5/coders/xbm.c
+++ ImageMagick-6.2.5/coders/xbm.c
@@ -188,6 +188,8 @@
short int
hex_digits[256];
+ size_t length;
+
unsigned char
*data;
@@ -264,15 +266,6 @@
*/
if (AllocateImageColormap(image,image->colors) == MagickFalse)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
- padding=0;
- if (((image->columns % 16) != 0) &&
- ((image->columns % 16) < 9) && (version == 10))
- padding=1;
- bytes_per_line=(image->columns+7)/8+padding;
- data=(unsigned char *)
- AcquireMagickMemory((size_t) bytes_per_line*image->rows);
- if (data == (unsigned char *) NULL)
- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
/*
Initialize colormap.
*/
@@ -321,6 +314,16 @@
/*
Read hex image data.
*/
+ padding=0;
+ if (((image->columns % 16) != 0) &&
+ ((image->columns % 16) < 9) && (version == 10))
+ padding=1;
+ bytes_per_line=(image->columns+7)/8+padding;
+ length=(size_t) image->rows;
+ data=(unsigned char *) AcquireQuantumMemory(length,bytes_per_line*
+ sizeof(*data));
+ if (data == (unsigned char *) NULL)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
p=data;
if (version == 10)
for (i=0; i < (long) (bytes_per_line*image->rows); (i+=2))
--- ImageMagick-6.2.5/coders/xcf.c
+++ ImageMagick-6.2.5/coders/xcf.c
@@ -306,7 +306,8 @@
XCFPixelPacket *xcfdata, *xcfodata;
unsigned char *graydata;
- xcfdata = xcfodata = (XCFPixelPacket *) AcquireMagickMemory(data_length);
+ xcfdata = xcfodata = (XCFPixelPacket *) AcquireQuantumMemory(data_length,
+ sizeof(*xcfdata));
graydata = (unsigned char *)xcfdata; /* used by gray and indexed */
nmemb_read_successfully = ReadBlob(image, data_length, (unsigned char *) xcfdata);
@@ -353,8 +354,8 @@
bpp = (int) inDocInfo->bpp;
- xcfdata = xcfodata = (unsigned char *)
- AcquireMagickMemory((size_t) data_length);
+ xcfdata = xcfodata = (unsigned char *) AcquireQuantumMemory((size_t)
+ data_length,sizeof(*xcfdata));
nmemb_read_successfully = ReadBlob(image, (size_t) data_length, xcfdata);
@@ -1132,6 +1133,7 @@
if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) {
; /* do nothing, we were just pinging! */
} else {
+ size_t length;
XCFLayerInfo* layer_info;
int number_layers = 0,
current_layer = 0,
@@ -1155,8 +1157,9 @@
/* allocate our array of layer info blocks */
- layer_info=(XCFLayerInfo *)
- AcquireMagickMemory(number_layers*sizeof(XCFLayerInfo));
+ length=(size_t) number_layers;
+ layer_info=(XCFLayerInfo *) AcquireQuantumMemory(length,
+ sizeof(*layer_info));
if (layer_info == (XCFLayerInfo *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
(void) ResetMagickMemory(layer_info,0,number_layers*sizeof(XCFLayerInfo));
--- ImageMagick-6.2.5/coders/xwd.c
+++ ImageMagick-6.2.5/coders/xwd.c
@@ -144,6 +144,9 @@
*/
static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
{
+#define CheckOverflowException(length,width,height) \
+ (((height) != 0) && ((length)/((size_t) height) != ((size_t) width)))
+
char
*comment;
@@ -239,7 +242,7 @@
if (length > ((~0UL)/sizeof(*comment)))
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
- comment=(char *) AcquireMagickMemory(length+MaxTextExtent);
+ comment=(char *) AcquireQuantumMemory(length+1,sizeof(*comment));
if (comment == (char *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
count=ReadBlob(image,length,(unsigned char *) comment);
@@ -290,11 +293,11 @@
color;
/* new check for CVE-2007-1797 */
+ length = (size_t) header.ncolors;
if (length > ((~0UL)/sizeof(*colors)))
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
- colors=(XColor *)
- AcquireMagickMemory((size_t) header.ncolors*sizeof(*colors));
+ colors=(XColor *) AcquireQuantumMemory(length,sizeof(*colors));
if (colors == (XColor *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
for (i=0; i < (long) header.ncolors; i++)
@@ -338,7 +341,7 @@
if (overflow) {
ximage->data = (char *) NULL;
} else {
- ximage->data=(char *) AcquireMagickMemory(length);
+ ximage->data=(char *) AcquireQuantumMemory(length,sizeof(*ximage->data));
}
#undef OVERFLOW
}
@@ -357,6 +360,11 @@
image->storage_class=DirectClass;
else
image->storage_class=PseudoClass;
+ if (SetImageExtent(image,0,0) == MagickFalse)
+ {
+ InheritException(exception,&image->exception);
+ return(DestroyImageList(image));
+ }
image->colors=header.ncolors;
if (image_info->ping == MagickFalse)
switch (image->storage_class)
@@ -729,8 +737,8 @@
/*
Dump colormap to file.
*/
- colors=(XColor *)
- AcquireMagickMemory((size_t) image->colors*sizeof(*colors));
+ colors=(XColor *) AcquireQuantumMemory((size_t) image->colors,
+ sizeof(*colors));
if (colors == (XColor *) NULL)
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
for (i=0; i < (long) image->colors; i++)
@@ -766,7 +774,7 @@
length=3*bytes_per_line;
if (image->storage_class == PseudoClass)
length=bytes_per_line;
- pixels=(unsigned char *) AcquireMagickMemory(length);
+ pixels=(unsigned char *) AcquireQuantumMemory(length,sizeof(*pixels));
if (pixels == (unsigned char *) NULL)
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
(void) ResetMagickMemory(pixels,0,length);
