File ImageMagick-CVE-2018-16644.patch of Package ImageMagick.29976
Index: ImageMagick-7.0.7-34/coders/pict.c
===================================================================
--- ImageMagick-7.0.7-34.orig/coders/pict.c 2018-05-20 17:55:43.000000000 +0200
+++ ImageMagick-7.0.7-34/coders/pict.c 2018-09-10 14:06:04.953317800 +0200
@@ -982,6 +982,9 @@ static Image *ReadPICTImage(const ImageI
Clipping rectangle.
*/
length=ReadBlobMSBShort(image);
+ if (length > GetBlobSize(image))
+ ThrowPICTException(CorruptImageError,
+ "InsufficientImageDataInFile");
if (length != 0x000a)
{
for (i=0; i < (ssize_t) (length-2); i++)
@@ -1030,6 +1033,9 @@ static Image *ReadPICTImage(const ImageI
if (pattern != 1)
ThrowPICTException(CorruptImageError,"UnknownPatternType");
length=ReadBlobMSBShort(image);
+ if (length > GetBlobSize(image))
+ ThrowPICTException(CorruptImageError,
+ "InsufficientImageDataInFile");
if (ReadRectangle(image,&frame) == MagickFalse)
ThrowPICTException(CorruptImageError,"ImproperImageHeader");
if (ReadPixmap(image,&pixmap) == MagickFalse)
@@ -1041,6 +1047,9 @@ static Image *ReadPICTImage(const ImageI
(void) ReadBlobMSBLong(image);
flags=(ssize_t) ReadBlobMSBShort(image);
length=ReadBlobMSBShort(image);
+ if (length > GetBlobSize(image))
+ ThrowPICTException(CorruptImageError,
+ "InsufficientImageDataInFile");
for (i=0; i <= (ssize_t) length; i++)
(void) ReadBlobMSBLong(image);
width=(size_t) (frame.bottom-frame.top);
@@ -1101,6 +1110,9 @@ static Image *ReadPICTImage(const ImageI
Skip polygon or region.
*/
length=ReadBlobMSBShort(image);
+ if (length > GetBlobSize(image))
+ ThrowPICTException(CorruptImageError,
+ "InsufficientImageDataInFile");
for (i=0; i < (ssize_t) (length-2); i++)
if (ReadBlobByte(image) == EOF)
break;
@@ -1223,6 +1235,9 @@ static Image *ReadPICTImage(const ImageI
Skip region.
*/
length=ReadBlobMSBShort(image);
+ if (length > GetBlobSize(image))
+ ThrowPICTException(CorruptImageError,
+ "InsufficientImageDataInFile");
for (i=0; i < (ssize_t) (length-2); i++)
if (ReadBlobByte(image) == EOF)
break;
@@ -1345,6 +1360,9 @@ static Image *ReadPICTImage(const ImageI
*/
type=ReadBlobMSBShort(image);
length=ReadBlobMSBShort(image);
+ if (length > GetBlobSize(image))
+ ThrowPICTException(CorruptImageError,
+ "InsufficientImageDataInFile");
if (length == 0)
break;
(void) ReadBlobMSBLong(image);
@@ -1454,6 +1472,9 @@ static Image *ReadPICTImage(const ImageI
ThrowPICTException(FileOpenError,"UnableToCreateTemporaryFile");
}
length=ReadBlobMSBLong(image);
+ if (length > GetBlobSize(image))
+ ThrowPICTException(CorruptImageError,
+ "InsufficientImageDataInFile");
if (length > 154)
{
for (i=0; i < 6; i++)
@@ -1504,6 +1525,9 @@ static Image *ReadPICTImage(const ImageI
Skip reserved.
*/
length=ReadBlobMSBShort(image);
+ if (length > GetBlobSize(image))
+ ThrowPICTException(CorruptImageError,
+ "InsufficientImageDataInFile");
for (i=0; i < (ssize_t) length; i++)
if (ReadBlobByte(image) == EOF)
break;
@@ -1515,6 +1539,9 @@ static Image *ReadPICTImage(const ImageI
Skip reserved.
*/
length=(size_t) ((code >> 7) & 0xff);
+ if (length > GetBlobSize(image))
+ ThrowPICTException(CorruptImageError,
+ "InsufficientImageDataInFile");
for (i=0; i < (ssize_t) length; i++)
if (ReadBlobByte(image) == EOF)
break;
Index: ImageMagick-7.0.7-34/coders/dcm.c
===================================================================
--- ImageMagick-7.0.7-34.orig/coders/dcm.c 2018-09-10 14:06:04.953317800 +0200
+++ ImageMagick-7.0.7-34/coders/dcm.c 2018-09-10 14:07:33.981774672 +0200
@@ -3834,6 +3834,8 @@ static Image *ReadDCMImage(const ImageIn
tag=((unsigned int) ReadBlobLSBShort(image) << 16) |
ReadBlobLSBShort(image);
length=(size_t) ReadBlobLSBLong(image);
+ if (length > (size_t) GetBlobSize(image))
+ ThrowDCMException(CorruptImageError,"InsufficientImageDataInFile");
if (tag == 0xFFFEE0DD)
break; /* sequence delimiter tag */
if (tag != 0xFFFEE000)
