File GraphicsMagick-CVE-2017-16669.patch of Package GraphicsMagick.8039

Overview Repositories Revisions Requests Users Attributes Meta

File GraphicsMagick-CVE-2017-16669.patch of Package GraphicsMagick.8039

Index: GraphicsMagick-1.3.25/coders/wpg.c
===================================================================
--- GraphicsMagick-1.3.25.orig/coders/wpg.c	2017-11-23 13:09:02.632624453 +0100
+++ GraphicsMagick-1.3.25/coders/wpg.c	2017-11-23 13:14:39.814341071 +0100
@@ -280,6 +280,9 @@ static MagickPassFail InsertRow(unsigned
     case 2:  /* Convert PseudoColor scanline. */
       {
         indexes=AccessMutableIndexes(image);
+        if ((image->storage_class != PseudoClass) ||
+            (indexes == (IndexPacket *) NULL))
+          return MagickFail;
         x = 0;
         while(x < (long)image->columns-3)
           {
@@ -337,14 +340,17 @@ static MagickPassFail InsertRow(unsigned
 
 
   if(RetVal==MagickFail)
-    (void) LogMagickEvent(CoderEvent,GetMagickModule(),"ImportImagePixelArea failed for row: %ld, bpp: %d", y, bpp); 
+  {
+    (void) LogMagickEvent(CoderEvent,GetMagickModule(),"ImportImagePixelArea failed for row: %ld, bpp: %d", y, bpp);
+    return MagickFail;
+  }
 
-  if (!SyncImagePixels(image))
+  if(!SyncImagePixels(image))
   {
-    (void) LogMagickEvent(CoderEvent,GetMagickModule(),"SyncImagePixels failed for row: %ld, bpp: %d", y, bpp); 
-    RetVal = MagickFail;
+    (void) LogMagickEvent(CoderEvent,GetMagickModule(),"SyncImagePixels failed for row: %ld, bpp: %d", y, bpp);
+    return MagickFail;
   }
-          
+
 return RetVal;
 }
 
@@ -356,19 +362,22 @@ return RetVal;
   x++; \
   if((long) x>=ldblk) \
   { \
-    (void)InsertRow(BImgBuff,(long) y,image,bpp); \
+    if(InsertRow(BImgBuff,(long) y,image,bpp)==MagickFail) RetVal=-6; \
     x=0; \
     y++; \
     } \
 }
 
-/* WPG1 raster reader. */
+/* WPG1 raster reader.
+ * @return      0 - OK; -2 - alocation failure; -3 unaligned column; -4 - image row overflowl
+                -5 - blob read error; -6 - row insert problem  */
 static int UnpackWPGRaster(Image *image,int bpp)
 {
   int
     x,
     y,
     i;
+  int RetVal = 0;
 
   unsigned char
     bbuf,
@@ -385,15 +394,15 @@ static int UnpackWPGRaster(Image *image,
   (void) LogMagickEvent(CoderEvent,GetMagickModule(),
                         "Raster allocation size: %ld byte%s",
                         ldblk, (ldblk > 1 ? "s" : ""));
-  BImgBuff=MagickAllocateMemory(unsigned char *,(size_t) 8*ldblk);
+  BImgBuff=MagickAllocateMemory(unsigned char *,(size_t) ldblk);
   if(BImgBuff==NULL) return(-2);
   (void) memset(BImgBuff,0,(size_t) ldblk);
 
   while(y<(long) image->rows)
     {
       i = ReadBlobByte(image);
-	  if(i==EOF)
-	    {
+	  if(i==EOF)
+	    {
           MagickFreeMemory(BImgBuff);
           return(-5);
         }
@@ -438,13 +447,18 @@ static int UnpackWPGRaster(Image *image,
                   MagickFreeMemory(BImgBuff);
                   return(-4);
                 }
-              (void) InsertRow(BImgBuff,y-1,image,bpp);
+              if(InsertRow(BImgBuff,y-1,image,bpp)==MagickFail)
+                {
+                  MagickFreeMemory(BImgBuff);
+                  return(-6);
+                }
+
             }
         }
       }
     }
   MagickFreeMemory(BImgBuff);
-  return(0);
+  return(RetVal);
 }
 
 
@@ -458,7 +472,7 @@ static int UnpackWPGRaster(Image *image,
   x++; \
   if((long) x >= ldblk) \
   { \
-    (void)InsertRow(BImgBuff,(long) y,image,bpp); \
+    if(InsertRow(BImgBuff,(long) y,image,bpp)==MagickFail) RetVal=-6; \
     x=0; \
     y++; \
     XorMe = 0; \
@@ -501,6 +515,7 @@ static int UnpackWPG2Raster(Image *image
 
   int XorMe = 0;
   int c;
+  int RetVal = 0;
 
   x=0;
   y=0;
@@ -587,15 +602,18 @@ static int UnpackWPG2Raster(Image *image
           {
             /* duplicate the previous row RunCount x */
             for(i=0;i<=RunCount;i++)
-              {      
-                (void) InsertRow(UpImgBuff,(long) (image->rows >= y ? y : image->rows-1),
-                                 image,bpp);
+              {
+                if(InsertRow(UpImgBuff,(long)((image->rows>y) ? y : image->rows-1),image,bpp) == MagickFail)
+                  {
+                    FreeUnpackWPG2RasterAllocs(BImgBuff,UpImgBuff);
+                    return(-4);
+                  }
                 y++;
-              }    
+              }
           }
           break;
         case 0xFF:
-          if ((c = ReadBlobByte(image)) == EOF)	 /* WHT */
+          if ((c = ReadBlobByte(image)) == EOF)	 /* WHT */
             {
               FreeUnpackWPG2RasterAllocs(BImgBuff,UpImgBuff);
               return(-4);
@@ -632,7 +650,7 @@ static int UnpackWPG2Raster(Image *image
         }
     }
   FreeUnpackWPG2RasterAllocs(BImgBuff,UpImgBuff);
-  return(0);
+  return(RetVal);
 }
 
 
@@ -993,7 +1011,7 @@ static Image *ReadWPGImage(const ImageIn
           if(i==EOF)
             break;
           Rd_WP_DWORD(image,&Rec.RecordLength);
-          if (Rec.RecordLength > GetBlobSize(image))
+          if ((magick_off_t) Rec.RecordLength > GetBlobSize(image))
             ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
           if(EOFBlob(image))
             break;
@@ -1234,10 +1249,18 @@ static Image *ReadWPGImage(const ImageIn
               WPG_Palette.StartIndex=ReadBlobLSBShort(image);
               WPG_Palette.NumOfEntries=ReadBlobLSBShort(image);
 
-			/* Sanity check for amount of palette entries. */
-              if( (WPG_Palette.NumOfEntries-WPG_Palette.StartIndex) > (Rec2.RecordLength-2-2) / 3)
-                 ThrowReaderException(CorruptImageError,InvalidColormapIndex,image);                 
- 
+              /* Sanity check for amount of palette entries. */
+              if (WPG_Palette.NumOfEntries == 0)
+                ThrowReaderException(CorruptImageError,UnrecognizedNumberOfColors,image);
+
+              if (WPG_Palette.NumOfEntries > MaxMap+1)
+                ThrowReaderException(CorruptImageError,ColormapExceedsColorsLimit,image);
+
+              if ( (WPG_Palette.StartIndex > WPG_Palette.NumOfEntries) ||
+                   (((WPG_Palette.NumOfEntries-WPG_Palette.StartIndex) >
+                     ((Rec2.RecordLength-2-2) / 3))) )
+                 ThrowReaderException(CorruptImageError,InvalidColormapIndex,image);
+
               image->colors=WPG_Palette.NumOfEntries;
               if (!AllocateImageColormap(image,image->colors))
                 ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
@@ -1277,9 +1300,9 @@ static Image *ReadWPGImage(const ImageIn
                   continue;  /*Ignore raster with unknown depth*/
                 }
               image->columns=Bitmap2Header1.Width;
-              image->rows=Bitmap2Header1.Heigth;  
+              image->rows=Bitmap2Header1.Heigth;
 
-              if ((image->colors == 0) && (bpp <= 16))
+              if ((image->colors == 0) && (bpp != 24))
                 {
                   image->colors=1 << bpp;
                   if (!AllocateImageColormap(image,image->colors))
@@ -1300,18 +1323,21 @@ static Image *ReadWPGImage(const ImageIn
                 case 0:    /*Uncompressed raster*/
                   {
                     ldblk=(long) ((bpp*image->columns+7)/8);
-                    BImgBuff=MagickAllocateMemory(unsigned char *,(size_t) ldblk+1);
+                    BImgBuff=MagickAllocateMemory(unsigned char *,(size_t) ldblk);
                     if (BImgBuff == (unsigned char *) NULL)
                       goto NoMemory;
 
                     for(i=0; i< (long) image->rows; i++)
                       {
                         (void) ReadBlob(image,ldblk,(char *) BImgBuff);
-                        (void) InsertRow(BImgBuff,i,image,bpp);
+                        if(InsertRow(BImgBuff,i,image,bpp) == MagickFail)
+                        {
+                          if(BImgBuff) MagickFreeMemory(BImgBuff);
+                          goto DecompressionFailed;
+                        }
                       }
 
-                    if(BImgBuff)
-                      MagickFreeMemory(BImgBuff);
+                    if(BImgBuff) MagickFreeMemory(BImgBuff);
                     break;
                   }
                 case 1:    /*RLE for WPG2 */

Places

File GraphicsMagick-CVE-2017-16669.patch of Package GraphicsMagick.8039

Places