File GraphicsMagick-CVE-2017-16669.patch of Package GraphicsMagick.7782
Index: GraphicsMagick-1.3.25/coders/wpg.c
===================================================================
--- GraphicsMagick-1.3.25.orig/coders/wpg.c 2017-11-23 13:09:02.632624453 +0100
+++ GraphicsMagick-1.3.25/coders/wpg.c 2017-11-23 13:14:39.814341071 +0100
@@ -280,6 +280,9 @@ static MagickPassFail InsertRow(unsigned
case 2: /* Convert PseudoColor scanline. */
{
indexes=AccessMutableIndexes(image);
+ if ((image->storage_class != PseudoClass) ||
+ (indexes == (IndexPacket *) NULL))
+ return MagickFail;
x = 0;
while(x < (long)image->columns-3)
{
@@ -337,14 +340,17 @@ static MagickPassFail InsertRow(unsigned
if(RetVal==MagickFail)
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),"ImportImagePixelArea failed for row: %ld, bpp: %d", y, bpp);
+ {
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),"ImportImagePixelArea failed for row: %ld, bpp: %d", y, bpp);
+ return MagickFail;
+ }
- if (!SyncImagePixels(image))
+ if(!SyncImagePixels(image))
{
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),"SyncImagePixels failed for row: %ld, bpp: %d", y, bpp);
- RetVal = MagickFail;
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),"SyncImagePixels failed for row: %ld, bpp: %d", y, bpp);
+ return MagickFail;
}
-
+
return RetVal;
}
@@ -356,19 +362,22 @@ return RetVal;
x++; \
if((long) x>=ldblk) \
{ \
- (void)InsertRow(BImgBuff,(long) y,image,bpp); \
+ if(InsertRow(BImgBuff,(long) y,image,bpp)==MagickFail) RetVal=-6; \
x=0; \
y++; \
} \
}
-/* WPG1 raster reader. */
+/* WPG1 raster reader.
+ * @return 0 - OK; -2 - alocation failure; -3 unaligned column; -4 - image row overflowl
+ -5 - blob read error; -6 - row insert problem */
static int UnpackWPGRaster(Image *image,int bpp)
{
int
x,
y,
i;
+ int RetVal = 0;
unsigned char
bbuf,
@@ -385,15 +394,15 @@ static int UnpackWPGRaster(Image *image,
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
"Raster allocation size: %ld byte%s",
ldblk, (ldblk > 1 ? "s" : ""));
- BImgBuff=MagickAllocateMemory(unsigned char *,(size_t) 8*ldblk);
+ BImgBuff=MagickAllocateMemory(unsigned char *,(size_t) ldblk);
if(BImgBuff==NULL) return(-2);
(void) memset(BImgBuff,0,(size_t) ldblk);
while(y<(long) image->rows)
{
i = ReadBlobByte(image);
- if(i==EOF)
- {
+ if(i==EOF)
+ {
MagickFreeMemory(BImgBuff);
return(-5);
}
@@ -438,13 +447,18 @@ static int UnpackWPGRaster(Image *image,
MagickFreeMemory(BImgBuff);
return(-4);
}
- (void) InsertRow(BImgBuff,y-1,image,bpp);
+ if(InsertRow(BImgBuff,y-1,image,bpp)==MagickFail)
+ {
+ MagickFreeMemory(BImgBuff);
+ return(-6);
+ }
+
}
}
}
}
MagickFreeMemory(BImgBuff);
- return(0);
+ return(RetVal);
}
@@ -458,7 +472,7 @@ static int UnpackWPGRaster(Image *image,
x++; \
if((long) x >= ldblk) \
{ \
- (void)InsertRow(BImgBuff,(long) y,image,bpp); \
+ if(InsertRow(BImgBuff,(long) y,image,bpp)==MagickFail) RetVal=-6; \
x=0; \
y++; \
XorMe = 0; \
@@ -501,6 +515,7 @@ static int UnpackWPG2Raster(Image *image
int XorMe = 0;
int c;
+ int RetVal = 0;
x=0;
y=0;
@@ -587,15 +602,18 @@ static int UnpackWPG2Raster(Image *image
{
/* duplicate the previous row RunCount x */
for(i=0;i<=RunCount;i++)
- {
- (void) InsertRow(UpImgBuff,(long) (image->rows >= y ? y : image->rows-1),
- image,bpp);
+ {
+ if(InsertRow(UpImgBuff,(long)((image->rows>y) ? y : image->rows-1),image,bpp) == MagickFail)
+ {
+ FreeUnpackWPG2RasterAllocs(BImgBuff,UpImgBuff);
+ return(-4);
+ }
y++;
- }
+ }
}
break;
case 0xFF:
- if ((c = ReadBlobByte(image)) == EOF) /* WHT */
+ if ((c = ReadBlobByte(image)) == EOF) /* WHT */
{
FreeUnpackWPG2RasterAllocs(BImgBuff,UpImgBuff);
return(-4);
@@ -632,7 +650,7 @@ static int UnpackWPG2Raster(Image *image
}
}
FreeUnpackWPG2RasterAllocs(BImgBuff,UpImgBuff);
- return(0);
+ return(RetVal);
}
@@ -993,7 +1011,7 @@ static Image *ReadWPGImage(const ImageIn
if(i==EOF)
break;
Rd_WP_DWORD(image,&Rec.RecordLength);
- if (Rec.RecordLength > GetBlobSize(image))
+ if ((magick_off_t) Rec.RecordLength > GetBlobSize(image))
ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
if(EOFBlob(image))
break;
@@ -1234,10 +1249,18 @@ static Image *ReadWPGImage(const ImageIn
WPG_Palette.StartIndex=ReadBlobLSBShort(image);
WPG_Palette.NumOfEntries=ReadBlobLSBShort(image);
- /* Sanity check for amount of palette entries. */
- if( (WPG_Palette.NumOfEntries-WPG_Palette.StartIndex) > (Rec2.RecordLength-2-2) / 3)
- ThrowReaderException(CorruptImageError,InvalidColormapIndex,image);
-
+ /* Sanity check for amount of palette entries. */
+ if (WPG_Palette.NumOfEntries == 0)
+ ThrowReaderException(CorruptImageError,UnrecognizedNumberOfColors,image);
+
+ if (WPG_Palette.NumOfEntries > MaxMap+1)
+ ThrowReaderException(CorruptImageError,ColormapExceedsColorsLimit,image);
+
+ if ( (WPG_Palette.StartIndex > WPG_Palette.NumOfEntries) ||
+ (((WPG_Palette.NumOfEntries-WPG_Palette.StartIndex) >
+ ((Rec2.RecordLength-2-2) / 3))) )
+ ThrowReaderException(CorruptImageError,InvalidColormapIndex,image);
+
image->colors=WPG_Palette.NumOfEntries;
if (!AllocateImageColormap(image,image->colors))
ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
@@ -1277,9 +1300,9 @@ static Image *ReadWPGImage(const ImageIn
continue; /*Ignore raster with unknown depth*/
}
image->columns=Bitmap2Header1.Width;
- image->rows=Bitmap2Header1.Heigth;
+ image->rows=Bitmap2Header1.Heigth;
- if ((image->colors == 0) && (bpp <= 16))
+ if ((image->colors == 0) && (bpp != 24))
{
image->colors=1 << bpp;
if (!AllocateImageColormap(image,image->colors))
@@ -1300,18 +1323,21 @@ static Image *ReadWPGImage(const ImageIn
case 0: /*Uncompressed raster*/
{
ldblk=(long) ((bpp*image->columns+7)/8);
- BImgBuff=MagickAllocateMemory(unsigned char *,(size_t) ldblk+1);
+ BImgBuff=MagickAllocateMemory(unsigned char *,(size_t) ldblk);
if (BImgBuff == (unsigned char *) NULL)
goto NoMemory;
for(i=0; i< (long) image->rows; i++)
{
(void) ReadBlob(image,ldblk,(char *) BImgBuff);
- (void) InsertRow(BImgBuff,i,image,bpp);
+ if(InsertRow(BImgBuff,i,image,bpp) == MagickFail)
+ {
+ if(BImgBuff) MagickFreeMemory(BImgBuff);
+ goto DecompressionFailed;
+ }
}
- if(BImgBuff)
- MagickFreeMemory(BImgBuff);
+ if(BImgBuff) MagickFreeMemory(BImgBuff);
break;
}
case 1: /*RLE for WPG2 */
