File GraphicsMagick-CVE-2019-11010.patch of Package GraphicsMagick

Overview Repositories Revisions Requests Users Attributes Meta

File GraphicsMagick-CVE-2019-11010.patch of Package GraphicsMagick

diff -r 4188ef30df01 -r a348d9661019 coders/mpc.c
--- a/coders/mpc.c	Sun Mar 31 15:52:56 2019 -0500
+++ b/coders/mpc.c	Sun Mar 31 16:53:39 2019 -0500
@@ -823,15 +823,34 @@
       {
         for (i=0; i < (long) number_of_profiles; i++)
         {
-          if (profiles[i].length == 0)
-            continue;
-          profiles[i].info=MagickAllocateMemory(unsigned char *,profiles[i].length);
-          if (profiles[i].info == (unsigned char *) NULL)
-            ThrowMPCReaderException(CorruptImageError,UnableToReadGenericProfile,
-              image);
-          (void) ReadBlob(image,profiles[i].length,profiles[i].info);
-          (void) SetImageProfile(image,profiles[i].name,profiles[i].info,
-                                 profiles[i].length);
+          if (profiles[i].length > 0)
+            {
+              if ((profiles[i].length - ((magick_off_t) profiles[i].length) == 0) &&
+                  ((BlobIsSeekable(image)
+                    && (GetBlobSize(image) - TellBlob(image)) >
+                    (magick_off_t) profiles[i].length) ||
+                   (profiles[i].length < 15*1024*1024)))
+                {
+                  profiles[i].info=MagickAllocateMemory(unsigned char *,profiles[i].length);
+                  if (profiles[i].info == (unsigned char *) NULL)
+                    ThrowMPCReaderException(CorruptImageError,UnableToReadGenericProfile,
+                                             image);
+                  if (ReadBlob(image,profiles[i].length,profiles[i].info)
+                      != profiles[i].length)
+                    ThrowMPCReaderException(CorruptImageError,
+                                             UnexpectedEndOfFile,
+                                             image);
+                  (void) SetImageProfile(image,profiles[i].name,profiles[i].info,profiles[i].length);
+                }
+              else
+                {
+                  (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                                        "Profile size %" MAGICK_SIZE_T_F "u is excessively large",
+                                        (MAGICK_SIZE_T ) profiles[i].length);
+                  ThrowMPCReaderException(CorruptImageError,ImproperImageHeader,
+                                           image);
+                }
+            }
           MagickFreeMemory(profiles[i].name);
           MagickFreeMemory(profiles[i].info);
         }

Places

File GraphicsMagick-CVE-2019-11010.patch of Package GraphicsMagick

Places