Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Evergreen:11.4
ImageMagick.474
ImageMagick-security-dos.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File ImageMagick-security-dos.patch of Package ImageMagick.474
http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20286 (note the date of announcement in contrast with date of patch) Index: ImageMagick-6.6.5-8/magick/profile.c =================================================================== --- ImageMagick-6.6.5-8.orig/magick/profile.c +++ ImageMagick-6.6.5-8/magick/profile.c @@ -1827,12 +1827,13 @@ MagickExport MagickBooleanType SyncImage EndianType endian; - int - offset; + SplayTreeInfo + *exif_resources; ssize_t id, - level; + level, + offset; size_t entry, @@ -1889,12 +1890,14 @@ MagickExport MagickBooleanType SyncImage /* This the offset to the first IFD. */ - offset=(int) ReadProfileLong(endian,exif+4); - if ((size_t) offset >= length) + offset=(ssize_t) ((int) ReadProfileLong(endian,exif+4)); + if ((offset < 0) || ((size_t) offset >= length)) return(MagickFalse); directory=exif+offset; level=0; entry=0; + exif_resources=NewSplayTree((int (*)(const void *,const void *)) NULL, + (void *(*)(void *)) NULL,(void *(*)(void *)) NULL); do { if (level > 0) @@ -1924,6 +1927,9 @@ MagickExport MagickBooleanType SyncImage number_bytes; q=(unsigned char *) (directory+2+(12*entry)); + if (GetValueFromSplayTree(exif_resources,q) == q) + break; + (void) AddValueToSplayTree(exif_resources,q,q); tag_value=(ssize_t) ReadProfileShort(endian,q); format=(ssize_t) ReadProfileShort(endian,q+2); if ((format-1) >= EXIF_NUM_FORMATS) @@ -1934,13 +1940,15 @@ MagickExport MagickBooleanType SyncImage p=q+8; else { - int + ssize_t offset; /* The directory entry contains an offset. */ - offset=(int) ReadProfileLong(endian,q+8); + offset=(ssize_t) ((int) ReadProfileLong(endian,q+8)); + if ((offset+number_bytes) < offset) + continue; /* prevent overflow */ if ((size_t) (offset+number_bytes) > length) continue; p=(unsigned char *) (exif+offset); @@ -1949,28 +1957,25 @@ MagickExport MagickBooleanType SyncImage { case 0x011a: { - (void) WriteProfileLong(endian,(size_t) - (image->x_resolution+0.5),p); + (void) WriteProfileLong(endian,(size_t) (image->x_resolution+0.5),p); (void) WriteProfileLong(endian,1UL,p+4); break; } case 0x011b: { - (void) WriteProfileLong(endian,(size_t) - (image->y_resolution+0.5),p); + (void) WriteProfileLong(endian,(size_t) (image->y_resolution+0.5),p); (void) WriteProfileLong(endian,1UL,p+4); break; } case 0x0112: { - (void) WriteProfileShort(endian,(unsigned short) - image->orientation,p); + (void) WriteProfileShort(endian,(unsigned short) image->orientation, + p); break; } case 0x0128: { - (void) WriteProfileShort(endian,(unsigned short) - (image->units+1),p); + (void) WriteProfileShort(endian,(unsigned short) (image->units+1),p); break; } default: @@ -1978,11 +1983,11 @@ MagickExport MagickBooleanType SyncImage } if ((tag_value == TAG_EXIF_OFFSET) || (tag_value == TAG_INTEROP_OFFSET)) { - size_t + ssize_t offset; - offset=(size_t) ReadProfileLong(endian,p); - if ((offset < length) && (level < (MaxDirectoryStack-2))) + offset=(ssize_t) ((int) ReadProfileLong(endian,p)); + if (((size_t) offset < length) && (level < (MaxDirectoryStack-2))) { directory_stack[level].directory=directory; entry++; @@ -1993,9 +1998,9 @@ MagickExport MagickBooleanType SyncImage level++; if ((directory+2+(12*number_entries)) > (exif+length)) break; - offset=(size_t) ReadProfileLong(endian,directory+2+(12* - number_entries)); - if ((offset != 0) && (offset < length) && + offset=(ssize_t) ((int) ReadProfileLong(endian,directory+2+(12* + number_entries))); + if ((offset != 0) && ((size_t) offset < length) && (level < (MaxDirectoryStack-2))) { directory_stack[level].directory=exif+offset; @@ -2007,5 +2012,6 @@ MagickExport MagickBooleanType SyncImage } } } while (level > 0); + exif_resources=DestroySplayTree(exif_resources); return(MagickTrue); } Index: ImageMagick-6.6.5-8/magick/property.c =================================================================== --- ImageMagick-6.6.5-8.orig/magick/property.c +++ ImageMagick-6.6.5-8/magick/property.c @@ -459,6 +459,13 @@ static inline ssize_t MagickMax(const ss return(y); } +static inline ssize_t MagickMin(const ssize_t x,const ssize_t y) +{ + if (x < y) + return(x); + return(y); +} + static inline int ReadPropertyByte(const unsigned char **p,size_t *length) { int @@ -593,7 +600,7 @@ static MagickBooleanType Get8BIMProperty continue; if (ReadPropertyByte(&info,&length) != (unsigned char) 'M') continue; - id=(ssize_t) ReadPropertyMSBShort(&info,&length); + id=(ssize_t) ((int) ReadPropertyMSBShort(&info,&length)); if (id < (ssize_t) start) continue; if (id > (ssize_t) stop) @@ -624,7 +631,7 @@ static MagickBooleanType Get8BIMProperty No name match, scroll forward and try next. */ info+=count; - length-=count; + length-=MagickMin(count,(ssize_t) length); continue; } if ((*name == '#') && (sub_number != 1)) @@ -634,7 +641,7 @@ static MagickBooleanType Get8BIMProperty */ sub_number--; info+=count; - length-=count; + length-=MagickMin(count,(ssize_t) length); continue; } /* @@ -649,7 +656,7 @@ static MagickBooleanType Get8BIMProperty (void) CopyMagickMemory(attribute,(char *) info,(size_t) count); attribute[count]='\0'; info+=count; - length-=count; + length-=MagickMin(count,(ssize_t) length); if ((id <= 1999) || (id >= 2999)) (void) SetImageProperty((Image *) image,key,(const char *) attribute); @@ -789,7 +796,9 @@ static MagickBooleanType GetEXIFProperty *directory; size_t - entry, + entry; + + ssize_t offset; } DirectoryInfo; @@ -1095,6 +1104,7 @@ static MagickBooleanType GetEXIFProperty all, id, level, + tag_offset, tag_value; register ssize_t @@ -1112,9 +1122,11 @@ static MagickBooleanType GetEXIFProperty size_t entry, number_entries, - tag_offset, tag; + SplayTreeInfo + *exif_resources; + /* If EXIF data exists, then try to parse the request for a tag. */ @@ -1225,7 +1237,7 @@ static MagickBooleanType GetEXIFProperty } if (length < 16) return(MagickFalse); - id=(ssize_t) ReadPropertyShort(LSBEndian,exif); + id=(ssize_t) ((int) ReadPropertyShort(LSBEndian,exif)); endian=LSBEndian; if (id == 0x4949) endian=LSBEndian; @@ -1240,7 +1252,7 @@ static MagickBooleanType GetEXIFProperty This the offset to the first IFD. */ offset=(int) ReadPropertyLong(endian,exif+4); - if ((size_t) offset >= length) + if ((offset < 0) || (size_t) offset >= length) return(MagickFalse); /* Set the pointer to the first IFD and follow it were it leads. @@ -1249,6 +1261,8 @@ static MagickBooleanType GetEXIFProperty level=0; entry=0; tag_offset=0; + exif_resources=NewSplayTree((int (*)(const void *,const void *)) NULL, + (void *(*)(void *)) NULL,(void *(*)(void *)) NULL); do { /* @@ -1264,7 +1278,7 @@ static MagickBooleanType GetEXIFProperty /* Determine how many entries there are in the current IFD. */ - number_entries=ReadPropertyShort(endian,directory); + number_entries=(size_t) ((int) ReadPropertyShort(endian,directory)); for ( ; entry < number_entries; entry++) { ssize_t @@ -1280,9 +1294,12 @@ static MagickBooleanType GetEXIFProperty size_t format; - q=(unsigned char *) (directory+2+(12*entry)); - tag_value=(ssize_t) (ReadPropertyShort(endian,q)+tag_offset); - format=(size_t) ReadPropertyShort(endian,q+2); + q=(unsigned char *) (directory+(12*entry)+2); + if (GetValueFromSplayTree(exif_resources,q) == q) + break; + (void) AddValueToSplayTree(exif_resources,q,q); + tag_value=(ssize_t) ((int) ReadPropertyShort(endian,q)+tag_offset); + format=(size_t) ((int) ReadPropertyShort(endian,q+2)); if (format >= (sizeof(tag_bytes)/sizeof(*tag_bytes))) break; components=(int) ReadPropertyLong(endian,q+4); @@ -1298,6 +1315,8 @@ static MagickBooleanType GetEXIFProperty The directory entry contains an offset. */ offset=(int) ReadPropertyLong(endian,q+8); + if ((offset+number_bytes) < offset) + continue; /* prevent overflow */ if ((size_t) (offset+number_bytes) > length) continue; p=(unsigned char *) (exif+offset); @@ -1335,7 +1354,7 @@ static MagickBooleanType GetEXIFProperty case EXIF_FMT_ULONG: { EXIFMultipleValues(4,"%.20g",(double) - ReadPropertyLong(endian,p1)); + ((int) ReadPropertyLong(endian,p1))); break; } case EXIF_FMT_SLONG: @@ -1347,8 +1366,8 @@ static MagickBooleanType GetEXIFProperty case EXIF_FMT_URATIONAL: { EXIFMultipleFractions(8,"%.20g/%.20g",(double) - ReadPropertyLong(endian,p1),(double) - ReadPropertyLong(endian,p1+4)); + ((int) ReadPropertyLong(endian,p1)),(double) + ((int) ReadPropertyLong(endian,p1+4))); break; } case EXIF_FMT_SRATIONAL: @@ -1449,19 +1468,19 @@ static MagickBooleanType GetEXIFProperty } } if ((tag_value == TAG_EXIF_OFFSET) || - (tag_value == TAG_INTEROP_OFFSET) || - (tag_value == TAG_GPS_OFFSET)) + (tag_value == TAG_INTEROP_OFFSET) || (tag_value == TAG_GPS_OFFSET)) { - size_t + ssize_t offset; - offset=(size_t) ReadPropertyLong(endian,p); - if ((offset < length) && (level < (MaxDirectoryStack-2))) + offset=(ssize_t) ((int) ReadPropertyLong(endian,p)); + if (((size_t) offset < length) && (level < (MaxDirectoryStack-2))) { - size_t + ssize_t tag_offset1; - tag_offset1=(tag_value == TAG_GPS_OFFSET) ? 0x10000UL : 0UL; + tag_offset1=(ssize_t) ((tag_value == TAG_GPS_OFFSET) ? 0x10000 : + 0); directory_stack[level].directory=directory; entry++; directory_stack[level].entry=entry; @@ -1473,9 +1492,9 @@ static MagickBooleanType GetEXIFProperty level++; if ((directory+2+(12*number_entries)) > (exif+length)) break; - offset=(size_t) ReadPropertyLong(endian,directory+2+(12* - number_entries)); - if ((offset != 0) && (offset < length) && + offset=(ssize_t) ((int) ReadPropertyLong(endian,directory+2+(12* + number_entries))); + if ((offset != 0) && ((size_t) offset < length) && (level < (MaxDirectoryStack-2))) { directory_stack[level].directory=exif+offset; @@ -1488,6 +1507,7 @@ static MagickBooleanType GetEXIFProperty } } } while (level > 0); + exif_resources=DestroySplayTree(exif_resources); return(MagickTrue); } @@ -1629,7 +1649,7 @@ static char *TracePSClippath(const unsig in_subpath=MagickFalse; while (length > 0) { - selector=(ssize_t) ReadPropertyMSBShort(&blob,&length); + selector=(ssize_t) ((int) ReadPropertyMSBShort(&blob,&length)); switch (selector) { case 0: @@ -1638,15 +1658,15 @@ static char *TracePSClippath(const unsig if (knot_count != 0) { blob+=24; - length-=24; + length-=MagickMin(24,(ssize_t) length); break; } /* Expected subpath length record. */ - knot_count=(ssize_t) ReadPropertyMSBShort(&blob,&length); + knot_count=(ssize_t) ((int) ReadPropertyMSBShort(&blob,&length)); blob+=22; - length-=22; + length-=MagickMin(22,(ssize_t) length); break; } case 1: @@ -1660,7 +1680,7 @@ static char *TracePSClippath(const unsig Unexpected subpath knot */ blob+=24; - length-=24; + length-=MagickMin(24,(ssize_t) length); break; } /* @@ -1672,8 +1692,8 @@ static char *TracePSClippath(const unsig xx, yy; - yy=ReadPropertyMSBLong(&blob,&length); - xx=ReadPropertyMSBLong(&blob,&length); + yy=(size_t) ((int) ReadPropertyMSBLong(&blob,&length)); + xx=(size_t) ((int) ReadPropertyMSBLong(&blob,&length)); x=(ssize_t) xx; if (xx > 2147483647) x=(ssize_t) xx-4294967295-1; @@ -1761,7 +1781,7 @@ static char *TracePSClippath(const unsig default: { blob+=24; - length-=24; + length-=MagickMin(24,(ssize_t) length); break; } } @@ -1826,7 +1846,7 @@ static char *TraceSVGClippath(const unsi in_subpath=MagickFalse; while (length != 0) { - selector=(ssize_t) ReadPropertyMSBShort(&blob,&length); + selector=(ssize_t) ((int) ReadPropertyMSBShort(&blob,&length)); switch (selector) { case 0: @@ -1835,15 +1855,15 @@ static char *TraceSVGClippath(const unsi if (knot_count != 0) { blob+=24; - length-=24; + length-=MagickMin(24,(ssize_t) length); break; } /* Expected subpath length record. */ - knot_count=(ssize_t) ReadPropertyMSBShort(&blob,&length); + knot_count=(ssize_t) ((int) ReadPropertyMSBShort(&blob,&length)); blob+=22; - length-=22; + length-=MagickMin(22,(ssize_t) length); break; } case 1: @@ -1857,7 +1877,7 @@ static char *TraceSVGClippath(const unsi Unexpected subpath knot. */ blob+=24; - length-=24; + length-=MagickMin(24,(ssize_t) length); break; } /* @@ -1932,7 +1952,7 @@ static char *TraceSVGClippath(const unsi default: { blob+=24; - length-=24; + length-=MagickMin(24,(ssize_t) length); break; } }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor