File ImageMagick-CVE-2020-27772.patch of Package ImageMagick.30356
Index: ImageMagick-7.0.7-34/coders/bmp.c
===================================================================
--- ImageMagick-7.0.7-34.orig/coders/bmp.c 2020-12-07 15:15:37.990680742 +0100
+++ ImageMagick-7.0.7-34/coders/bmp.c 2020-12-07 15:16:16.878941021 +0100
@@ -2233,6 +2233,45 @@ static MagickBooleanType WriteBMPImage(c
(void) WriteBlobLSBLong(image,bmp_info.blue_mask);
(void) WriteBlobLSBLong(image,bmp_info.alpha_mask);
(void) WriteBlobLSBLong(image,0x73524742U); /* sRGB */
+
+ // bounds check, assign .0 if invalid value
+ if( isgreater(image->chromaticity.red_primary.x, 1.0) ||
+ !isgreater(image->chromaticity.red_primary.x, 0.0)) {
+ image->chromaticity.red_primary.x = 0.0;
+ }
+ if( isgreater(image->chromaticity.red_primary.y, 1.0) ||
+ !isgreater(image->chromaticity.red_primary.y, 0.0)) {
+ image->chromaticity.red_primary.y = 0.0;
+ }
+ if( isgreater(image->chromaticity.green_primary.x, 1.0) ||
+ !isgreater(image->chromaticity.green_primary.x, 0.0)) {
+ image->chromaticity.green_primary.x = 0.0;
+ }
+ if( isgreater(image->chromaticity.green_primary.y, 1.0) ||
+ !isgreater(image->chromaticity.green_primary.y, 0.0)) {
+ image->chromaticity.green_primary.y = 0.0;
+ }
+ if( isgreater(image->chromaticity.blue_primary.x, 1.0) ||
+ !isgreater(image->chromaticity.blue_primary.x, 0.0)) {
+ image->chromaticity.blue_primary.x = 0.0;
+ }
+ if( isgreater(image->chromaticity.blue_primary.y, 1.0) ||
+ !isgreater(image->chromaticity.blue_primary.y, 0.0)) {
+ image->chromaticity.blue_primary.y = 0.0;
+ }
+ if( isgreater(bmp_info.gamma_scale.x, 1.0) ||
+ !isgreater(bmp_info.gamma_scale.x, 0.0)) {
+ bmp_info.gamma_scale.x = 0.0;
+ }
+ if( isgreater(bmp_info.gamma_scale.y, 1.0) ||
+ !isgreater(bmp_info.gamma_scale.y, 0.0)) {
+ bmp_info.gamma_scale.y = 0.0;
+ }
+ if( isgreater(bmp_info.gamma_scale.z, 1.0) ||
+ !isgreater(bmp_info.gamma_scale.z, 0.0)) {
+ bmp_info.gamma_scale.z = 0.0;
+ }
+
(void) WriteBlobLSBLong(image,(unsigned int)
(image->chromaticity.red_primary.x*0x40000000));
(void) WriteBlobLSBLong(image,(unsigned int)