File ImageMagick-security-exif.patch of Package ImageMagick
http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20629
Index: ImageMagick-6.6.5-8/coders/jpeg.c
===================================================================
--- ImageMagick-6.6.5-8.orig/coders/jpeg.c
+++ ImageMagick-6.6.5-8/coders/jpeg.c
@@ -207,9 +207,12 @@ static MagickBooleanType IsJPEG(const un
% o exception: return any errors or warnings in this structure.
%
*/
+static void JPEGErrorHandler(j_common_ptr jpeg_info);
static MagickBooleanType EmitMessage(j_common_ptr jpeg_info,int level)
{
+#define JPEGExcessiveWarnings 1000
+
char
message[JMSG_LENGTH_MAX];
@@ -224,11 +227,12 @@ static MagickBooleanType EmitMessage(j_c
image=error_manager->image;
if (level < 0)
{
+ if (jpeg_info->err->num_warnings++ > JPEGExcessiveWarnings)
+ JPEGErrorHandler(jpeg_info);
if ((jpeg_info->err->num_warnings == 0) ||
(jpeg_info->err->trace_level >= 3))
ThrowBinaryException(CorruptImageWarning,(char *) message,
image->filename);
- jpeg_info->err->num_warnings++;
}
else
if (jpeg_info->err->trace_level >= level)
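Review bot: With the increment moved into the new threshold test, the `num_warnings == 0` condition that follows it can no longer be true, so ThrowBinaryException is now reached only when `trace_level >= 3`; before this change the first warning of a file was always reported. If first-warning reporting is meant to survive, test the post-increment value instead, `if ((jpeg_info->err->num_warnings == 1) ||`. Losing the corrupt-image warning also removes a signal that callers and logs can use to notice malformed input. A one-line comment on `JPEGExcessiveWarnings` stating that it bounds the work done on a file that keeps generating warnings would document the intent. EmitMessage begins in the previous hunk and continues past this one.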
Index: ImageMagick-6.6.5-8/coders/tiff.c
===================================================================
--- ImageMagick-6.6.5-8.orig/coders/tiff.c
+++ ImageMagick-6.6.5-8/coders/tiff.c
@@ -593,7 +593,7 @@ static void TIFFGetEXIFProperties(TIFF *
*ascii;
if (TIFFGetField(tiff,exif_info[i].tag,&ascii) != 0)
- (void) CopyMagickMemory(value,ascii,MaxTextExtent);
+ (void) CopyMagickString(value,ascii,MaxTextExtent);
break;
}
case TIFF_SHORT:
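Review bot: The replaced call deserves a comment, because the reason for using a string copy is not visible at the line: the old code always read MaxTextExtent bytes from `ascii`, regardless of how long the tag value returned by TIFFGetField was. Something like `/* ascii is a NUL-terminated tag value of unknown length; do not read past its terminator */` would keep a later cleanup from reverting to a fixed-length memory copy. This relies on libtiff handing back a terminated string for ASCII fields, which is worth confirming for the libtiff versions the package builds against. The enclosing case and function start outside the hunk.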
Index: ImageMagick-6.6.5-8/magick/property.c
===================================================================
--- ImageMagick-6.6.5-8.orig/magick/property.c
+++ ImageMagick-6.6.5-8/magick/property.c
@@ -1304,6 +1304,8 @@ static MagickBooleanType GetEXIFProperty
break;
components=(int) ReadPropertyLong(endian,q+4);
number_bytes=(size_t) components*tag_bytes[format];
+ if (number_bytes < components)
+ break; /* prevent overflow */
if (number_bytes <= 4)
p=q+8;
else
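Review bot: The added `number_bytes < components` test does not reject every bad count. `components` is read from the file through an `(int)` cast and can be negative; in the comparison it is converted to an unsigned type, so with a one-byte element size a negative count yields a huge `number_bytes` that passes, and where size_t is 32 bits a product can wrap and still be larger than `components`. Rejecting the sign before the multiplication, `if (components < 0) break; /* corrupt EXIF */`, closes the first case; checking the count against the remaining profile length closes the second. The same two lines are added in the magick/profile.c hunk and need the same change. The declaration of `components` and the later use of `p` lie outside the hunk.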
@@ -1327,6 +1329,8 @@ static MagickBooleanType GetEXIFProperty
buffer[MaxTextExtent],
*value;
+ value=(char *) NULL;
+ *buffer='\0';
switch (format)
{
case EXIF_FMT_BYTE:
Index: ImageMagick-6.6.5-8/magick/profile.c
===================================================================
--- ImageMagick-6.6.5-8.orig/magick/profile.c
+++ ImageMagick-6.6.5-8/magick/profile.c
@@ -1738,8 +1738,10 @@
format=(long) ReadProfileShort(endian,q+2);
if ((format-1) >= EXIF_NUM_FORMATS)
break;
- components=(long) ReadProfileLong(endian,q+4);
+ components=(ssize_t) ((int) ReadProfileLong(endian,q+4));
number_bytes=(size_t) components*format_bytes[format];
+ if (number_bytes < components)
+ break; /* prevent overflow */
if (number_bytes <= 4)
p=q+8;
else