File ImageMagick-CVE-2020-25675.patch of Package ImageMagick.30356
Index: ImageMagick-7.0.7-34/MagickCore/transform.c
===================================================================
--- ImageMagick-7.0.7-34.orig/MagickCore/transform.c 2018-05-20 17:55:43.000000000 +0200
+++ ImageMagick-7.0.7-34/MagickCore/transform.c 2020-12-09 16:59:43.350314051 +0100
@@ -762,14 +762,23 @@ MagickExport Image *CropImage(const Imag
%
*/
-static inline double MagickRound(double x)
+static inline double ConstrainPixelOffset(double x)
+{
+ if (x < (double) -(SSIZE_MAX-512))
+ return((double) -(SSIZE_MAX-512));
+ if (x > (double) (SSIZE_MAX-512))
+ return((double) (SSIZE_MAX-512));
+ return(x);
+}
+
+static inline ssize_t PixelRoundOffset(double x)
{
/*
Round the fraction to nearest integer.
*/
if ((x-floor(x)) < (ceil(x)-x))
- return(floor(x));
- return(ceil(x));
+ return((ssize_t) floor(ConstrainPixelOffset(x)));
+ return((ssize_t) ceil(ConstrainPixelOffset(x)));
}
MagickExport Image *CropImageToTiles(const Image *image,
@@ -834,18 +843,18 @@ MagickExport Image *CropImageToTiles(con
{
if ((flags & AspectValue) == 0)
{
- crop.y=(ssize_t) MagickRound((double) (offset.y-
+ crop.y=PixelRoundOffset((double) (offset.y-
(geometry.y > 0 ? 0 : geometry.y)));
offset.y+=delta.y; /* increment now to find width */
- crop.height=(size_t) MagickRound((double) (offset.y+
+ crop.height=(size_t) PixelRoundOffset((double) (offset.y+
(geometry.y < 0 ? 0 : geometry.y)));
}
else
{
- crop.y=(ssize_t) MagickRound((double) (offset.y-
+ crop.y=PixelRoundOffset((double) (offset.y-
(geometry.y > 0 ? geometry.y : 0)));
offset.y+=delta.y; /* increment now to find width */
- crop.height=(size_t) MagickRound((double)
+ crop.height=(size_t) PixelRoundOffset((double)
(offset.y+(geometry.y < -1 ? geometry.y : 0)));
}
crop.height-=crop.y;
@@ -854,18 +863,18 @@ MagickExport Image *CropImageToTiles(con
{
if ((flags & AspectValue) == 0)
{
- crop.x=(ssize_t) MagickRound((double) (offset.x-
+ crop.x=PixelRoundOffset((double) (offset.x-
(geometry.x > 0 ? 0 : geometry.x)));
offset.x+=delta.x; /* increment now to find height */
- crop.width=(size_t) MagickRound((double) (offset.x+
+ crop.width=(size_t) PixelRoundOffset((double) (offset.x+
(geometry.x < 0 ? 0 : geometry.x)));
}
else
{
- crop.x=(ssize_t) MagickRound((double) (offset.x-
+ crop.x=PixelRoundOffset((double) (offset.x-
(geometry.x > 0 ? geometry.x : 0)));
offset.x+=delta.x; /* increment now to find height */
- crop.width=(size_t) MagickRound((double) (offset.x+
+ crop.width=(size_t) PixelRoundOffset((double) (offset.x+
(geometry.x < 0 ? geometry.x : 0)));
}
crop.width-=crop.x;