Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:13.2:Update
ImageMagick
ImageMagick-CVE-2014-9806.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File ImageMagick-CVE-2014-9806.patch of Package ImageMagick
From 9fdb9bf2832a1aa2c79002ae5c2ba1e8018e4ff1 Mon Sep 17 00:00:00 2001 From: dirk <dirk@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74> Date: Thu, 6 Nov 2014 21:09:54 +0000 Subject: Added missing calls to RelinquishUniqueFileResource. Avoid to leak fd in case of error. git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@16971 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74 origin: http://trac.imagemagick.org/changeset/16971 --- coders/dcm.c | 28 +++++++++++++--------------- coders/dot.c | 5 ++++- coders/exr.c | 10 +++++++++- coders/pict.c | 2 ++ coders/pwp.c | 6 +++++- 5 files changed, 33 insertions(+), 18 deletions(-) diff --git a/coders/dcm.c b/coders/dcm.c index 88892ee..b8fe681 100644 --- a/coders/dcm.c +++ b/coders/dcm.c @@ -3563,34 +3563,32 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception) unsigned int tag; + tag=(ReadBlobLSBShort(image) << 16) | ReadBlobLSBShort(image); + length=(size_t) ReadBlobLSBLong(image); + if (tag == 0xFFFEE0DD) + break; /* sequence delimiter tag */ + if (tag != 0xFFFEE000) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); file=(FILE *) NULL; unique_file=AcquireUniqueFileResource(filename); if (unique_file != -1) file=fdopen(unique_file,"wb"); - if ((unique_file == -1) || (file == (FILE *) NULL)) + if (file == (FILE *) NULL) { + (void) RelinquishUniqueFileResource(filename); ThrowFileException(exception,FileOpenError, "UnableToCreateTemporaryFile",filename); break; } - tag=(ReadBlobLSBShort(image) << 16) | ReadBlobLSBShort(image); - length=(size_t) ReadBlobLSBLong(image); - if (tag == 0xFFFEE0DD) - { - (void) fclose(file); - break; /* sequence delimiter tag */ - } - if (tag != 0xFFFEE000) - { - (void) fclose(file); - ThrowReaderException(CorruptImageError,"ImproperImageHeader"); - } for ( ; length != 0; length--) { c=ReadBlobByte(image); if (c == EOF) - ThrowFileException(exception,CorruptImageError, - "UnexpectedEndOfFile",image->filename); + { + ThrowFileException(exception,CorruptImageError, + "UnexpectedEndOfFile",image->filename); + break; + } (void) fputc(c,file); } (void) fclose(file); diff --git a/coders/dot.c b/coders/dot.c index e60be46..32acb9e 100644 --- a/coders/dot.c +++ b/coders/dot.c @@ -142,7 +142,10 @@ static Image *ReadDOTImage(const ImageInfo *image_info,ExceptionInfo *exception) graph=agread(GetBlobFileHandle(image),(Agdisc_t *) NULL); #endif if (graph == (graph_t *) NULL) - return ((Image *) NULL); + { + (void) RelinquishUniqueFileResource(read_info->filename); + return ((Image *) NULL); + } option=GetImageOption(image_info,"dot:layout-engine"); if (option == (const char *) NULL) gvLayout(graphic_context,graph,(char *) "dot"); diff --git a/coders/exr.c b/coders/exr.c index 11407f2..b12f956 100644 --- a/coders/exr.c +++ b/coders/exr.c @@ -192,6 +192,8 @@ static Image *ReadEXRImage(const ImageInfo *image_info,ExceptionInfo *exception) { ThrowFileException(exception,BlobError,"UnableToOpenBlob", ImfErrorMessage()); + if (LocaleCompare(image_info->filename,read_info->filename) != 0) + (void) RelinquishUniqueFileResource(read_info->filename); read_info=DestroyImageInfo(read_info); return((Image *) NULL); } @@ -214,6 +216,9 @@ static Image *ReadEXRImage(const ImageInfo *image_info,ExceptionInfo *exception) if (scanline == (ImfRgba *) NULL) { (void) ImfCloseInputFile(file); + if (LocaleCompare(image_info->filename,read_info->filename) != 0) + (void) RelinquishUniqueFileResource(read_info->filename); + read_info=DestroyImageInfo(read_info); ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); } for (y=0; y < (ssize_t) image->rows; y++) @@ -417,15 +422,18 @@ static MagickBooleanType WriteEXRImage(const ImageInfo *image_info,Image *image) ImfDeleteHeader(hdr_info); if (file == (ImfOutputFile *) NULL) { + (void) RelinquishUniqueFileResource(write_info->filename); + write_info=DestroyImageInfo(write_info); ThrowFileException(&image->exception,BlobError,"UnableToOpenBlob", ImfErrorMessage()); - write_info=DestroyImageInfo(write_info); return(MagickFalse); } scanline=(ImfRgba *) AcquireQuantumMemory(image->columns,sizeof(*scanline)); if (scanline == (ImfRgba *) NULL) { (void) ImfCloseOutputFile(file); + (void) RelinquishUniqueFileResource(write_info->filename); + write_info=DestroyImageInfo(write_info); ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed"); } ResetMagickMemory(scanline,0,image->columns*sizeof(*scanline)); diff --git a/coders/pict.c b/coders/pict.c index f47e06c..35fb56e 100644 --- a/coders/pict.c +++ b/coders/pict.c @@ -1388,6 +1388,7 @@ static Image *ReadPICTImage(const ImageInfo *image_info, { if (file != (FILE *) NULL) (void) fclose(file); + (void) RelinquishUniqueFileResource(read_info->filename); (void) CopyMagickString(image->filename,read_info->filename, MaxTextExtent); ThrowFileException(exception,FileOpenError, @@ -1401,6 +1402,7 @@ static Image *ReadPICTImage(const ImageInfo *image_info, if (ReadRectangle(image,&frame) == MagickFalse) { (void) fclose(file); + (void) RelinquishUniqueFileResource(read_info->filename); ThrowReaderException(CorruptImageError,"ImproperImageHeader"); } for (i=0; i < 122; i++) diff --git a/coders/pwp.c b/coders/pwp.c index a7dd842..991d4bb 100644 --- a/coders/pwp.c +++ b/coders/pwp.c @@ -192,7 +192,10 @@ static Image *ReadPWPImage(const ImageInfo *image_info,ExceptionInfo *exception) if (c == EOF) break; if (LocaleNCompare((char *) (magick+12),"SFW94A",6) != 0) - ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + { + (void) RelinquishUniqueFileResource(read_info->filename); + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + } /* Dump SFW image to a temporary file. */ @@ -201,6 +204,7 @@ static Image *ReadPWPImage(const ImageInfo *image_info,ExceptionInfo *exception) file=fdopen(unique_file,"wb"); if ((unique_file == -1) || (file == (FILE *) NULL)) { + (void) RelinquishUniqueFileResource(read_info->filename); ThrowFileException(exception,FileOpenError,"UnableToWriteFile", image->filename); image=DestroyImageList(image); -- cgit v0.12
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor