Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE
GraphicsMagick.8039
GraphicsMagick-CVE-2017-15930.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File GraphicsMagick-CVE-2017-15930.patch of Package GraphicsMagick.8039
Index: GraphicsMagick-1.3.25/coders/png.c =================================================================== --- GraphicsMagick-1.3.25.orig/coders/png.c 2017-11-06 13:01:24.251142530 +0100 +++ GraphicsMagick-1.3.25/coders/png.c 2017-11-06 13:02:15.284022071 +0100 @@ -2837,7 +2837,7 @@ static Image *ReadOneJNGImage(MngInfo *m reading_idat, status; - unsigned long + size_t length; jng_alpha_compression_method=0; @@ -2901,7 +2901,7 @@ static Image *ReadOneJNGImage(MngInfo *m type[0]='\0'; (void) strcat(type,"errr"); - length=ReadBlobMSBLong(image); + length=(size_t) ReadBlobMSBLong(image); count=(unsigned int) ReadBlob(image,4,type); if (logging) @@ -3012,6 +3012,30 @@ static Image *ReadOneJNGImage(MngInfo *m ThrowReaderException(CorruptImageError,ImproperImageHeader,image); } + /* Rationalize dimensions with blob size if it is available */ + if (BlobIsSeekable(image)) + { + magick_off_t + blob_size; + + blob_size = GetBlobSize(image); + if ((blob_size == 0) || + ((((double) jng_width*jng_height)/blob_size) > 512.0)) + { + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " Unreasonable dimensions: " + "geometry = %lux%lu, " + "blob size = %" MAGICK_OFF_F "d", + jng_width, jng_height, blob_size); + + ThrowException(exception,CorruptImageError, + InsufficientImageDataInFile,image->filename); + MagickFreeMemory(chunk); + DestroyJNGInfo(color_image_info,alpha_image_info); + return ((Image *)NULL); + } + } + continue; } @@ -3363,17 +3387,37 @@ static Image *ReadOneJNGImage(MngInfo *m " Copying jng_image pixels to main image."); image->rows=jng_height; image->columns=jng_width; - length=image->columns*sizeof(PixelPacket); + length=MagickArraySize(image->columns,sizeof(PixelPacket)); + if (jng_height == 0 || jng_width == 0 || length == 0) + { + if (logging) + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " jng_width=%lu jng_height=%lu", + (unsigned long)jng_width,(unsigned long)jng_height); + DestroyJNGInfo(color_image_info, &alpha_image_info); + DestroyImage(jng_image); + return ((Image *)NULL); + } for (y=0; y < (long) image->rows; y++) { s=AcquireImagePixels(jng_image,0,y,image->columns,1,&image->exception); q=SetImagePixels(image,0,y,image->columns,1); + if ((s == (const PixelPacket *) NULL) || (q == (PixelPacket *) NULL)) + break; (void) memcpy(q,s,length); if (!SyncImagePixels(image)) break; } DestroyImage(jng_image); jng_image = (Image *)NULL; + if ((unsigned long) y != image->rows) + { + if (logging) + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + "Failed to transfer JPEG scanlines"); + DestroyJNGInfo(&color_image_info, &alpha_image_info); + return ((Image *)NULL); + } if (alpha_image != (Image *)NULL && !image_info->ping) { if (jng_color_type >= 12) @@ -3405,12 +3449,16 @@ static Image *ReadOneJNGImage(MngInfo *m if (image->matte) { q=SetImagePixels(image,0,y,image->columns,1); + if (q == (PixelPacket *) NULL) + break; for (x=(long) image->columns; x > 0; x--,q++,s++) q->opacity=(Quantum) MaxRGB-s->red; } else { q=SetImagePixels(image,0,y,image->columns,1); + if (q == (PixelPacket *) NULL) + break; for (x=(long) image->columns; x > 0; x--,q++,s++) { q->opacity=(Quantum) MaxRGB-s->red;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor