File ImageMagick-security-exif.patch of Package ImageMagick.1463
http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20629
Index: ImageMagick-6.7.2-7/coders/jpeg.c
===================================================================
--- ImageMagick-6.7.2-7.orig/coders/jpeg.c
+++ ImageMagick-6.7.2-7/coders/jpeg.c
@@ -301,6 +301,8 @@ static MagickBooleanType JPEGErrorHandle
static MagickBooleanType JPEGWarningHandler(j_common_ptr jpeg_info,int level)
{
+#define JPEGExcessiveWarnings 1000
+
char
message[JMSG_LENGTH_MAX];
@@ -319,11 +321,12 @@ static MagickBooleanType JPEGWarningHand
Process warning message.
*/
(jpeg_info->err->format_message)(jpeg_info,message);
+ if (jpeg_info->err->num_warnings++ > JPEGExcessiveWarnings)
+ JPEGErrorHandler(jpeg_info);
if ((jpeg_info->err->num_warnings == 0) ||
(jpeg_info->err->trace_level >= 3))
ThrowBinaryException(CorruptImageWarning,(char *) message,
image->filename);
- jpeg_info->err->num_warnings++;
}
else
if ((image->debug != MagickFalse) &&
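Review bot: Moving `num_warnings++` ahead of the `num_warnings == 0` test means that test can no longer be true on a normal call, because the counter is already at least 1 when it is read. As written, `ThrowBinaryException(CorruptImageWarning,...)` is reached only when `trace_level >= 3`, so the corrupt-image warning that was raised for the first warning before this change now appears to be dropped at default trace levels. If the first warning should still be surfaced, test the post-increment value instead, e.g. `if ((jpeg_info->err->num_warnings == 1) ||`. The `#define JPEGExcessiveWarnings 1000` in the previous hunk would also read better with a comment such as `/* stop decoding once one file has produced this many libjpeg warnings */`. JPEGWarningHandler's body continues outside the hunk.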
Index: ImageMagick-6.7.2-7/coders/tiff.c
===================================================================
--- ImageMagick-6.7.2-7.orig/coders/tiff.c
+++ ImageMagick-6.7.2-7/coders/tiff.c
@@ -604,7 +604,7 @@ static void TIFFGetEXIFProperties(TIFF *
ascii=(char *) NULL;
if ((TIFFGetField(tiff,exif_info[i].tag,&ascii,&sans) != 0) &&
(ascii != (char *) NULL) && (*ascii != '\0'))
- (void) CopyMagickMemory(value,ascii,MaxTextExtent);
+ (void) CopyMagickString(value,ascii,MaxTextExtent);
break;
}
case TIFF_SHORT:
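Review bot: The switch from a block copy to a string copy should carry a comment explaining why, since the old call read a fixed `MaxTextExtent` bytes from `ascii` regardless of how long the string returned by `TIFFGetField` actually is. A line such as `/* ascii may be shorter than MaxTextExtent: copy it as a string, never as a fixed-size block */` above the call would stop it from being changed back later. Longer values are presumably truncated to the destination size now, which is worth stating in the same comment. The enclosing switch starts and ends outside the hunk.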
Index: ImageMagick-6.7.2-7/magick/property.c
===================================================================
--- ImageMagick-6.7.2-7.orig/magick/property.c
+++ ImageMagick-6.7.2-7/magick/property.c
@@ -1269,6 +1269,8 @@ static MagickBooleanType GetEXIFProperty
break;
components=(ssize_t) ((int) ReadPropertyLong(endian,q+4));
number_bytes=(size_t) components*tag_bytes[format];
+ if (number_bytes < components)
+ break; /* prevent overflow */
if (number_bytes <= 4)
p=q+8;
else
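Review bot: The added `number_bytes < components` test is not a complete overflow check, because `components` is a signed `ssize_t` taken from the file and is compared against a `size_t` after the multiplication has already happened. A negative count is converted to a very large unsigned value on both sides, so with a one-byte format the two sides are equal and the entry is not rejected; where `size_t` is 32 bits, some wrapped products also land above `components` and pass. Rejecting the bad count before multiplying is more robust: add `if (components < 0) break;` directly after the assignment, and bound the product by dividing the maximum `size_t` value by `tag_bytes[format]` rather than comparing after the fact. The magick/profile.c hunk adds the same pattern with `format_bytes[format]` and needs the same change. The enclosing loop body starts and ends outside the hunk.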
@@ -1290,6 +1292,8 @@ static MagickBooleanType GetEXIFProperty
buffer[MaxTextExtent],
*value;
+ value=(char *) NULL;
+ *buffer='\0';
switch (format)
{
case EXIF_FMT_BYTE:
Index: ImageMagick-6.7.2-7/magick/profile.c
===================================================================
--- ImageMagick-6.7.2-7.orig/magick/profile.c
+++ ImageMagick-6.7.2-7/magick/profile.c
@@ -1927,8 +1927,10 @@ MagickExport MagickBooleanType SyncImage
format=(ssize_t) ReadProfileShort(endian,q+2);
if ((format-1) >= EXIF_NUM_FORMATS)
break;
- components=(int) ReadProfileLong(endian,q+4);
+ components=(ssize_t) ((int) ReadProfileLong(endian,q+4));
number_bytes=(size_t) components*format_bytes[format];
+ if (number_bytes < components)
+ break; /* prevent overflow */
if (number_bytes <= 4)
p=q+8;
else