Overview

File ImageMagick-CVE-2016-10064.patch of Package ImageMagick.7150

From f8877abac8e568b2f339cca70c2c3c1b6eaec288 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Wed, 6 Jul 2016 08:15:57 -0400
Subject: [PATCH] Improve buffer flow sanity check

---
 coders/tiff.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

Index: ImageMagick-6.8.8-1/coders/tiff.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/tiff.c	2017-01-25 11:29:58.133899384 +0100
+++ ImageMagick-6.8.8-1/coders/tiff.c	2017-01-25 11:32:11.787754923 +0100
@@ -204,6 +205,23 @@ static MagickBooleanType
   WriteTIFFImage(const ImageInfo *,Image *);
 #endif
 
+
+static MagickBooleanType CheckMemoryOverflow(const size_t count,
+  const size_t quantum)
+{
+  size_t
+    size;
+
+  size=count*quantum;
+  if ((count == 0) || (quantum != (size/count)))
+    {
+      errno=ENOMEM;
+      return(MagickTrue);
+    }
+  return(MagickFalse);
+}
+
+
 /*
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %                                                                             %
@@ -1630,14 +1648,13 @@ RestoreMSCWarning
           }
         (void) SetImageStorageClass(image,DirectClass);
         number_pixels=(MagickSizeType) columns*rows;
-        if ((number_pixels*sizeof(uint32)) != (MagickSizeType) ((size_t)
-            (number_pixels*sizeof(uint32))))
+        if (CheckMemoryOverflow(rows,sizeof(*tile_pixels)) != MagickFalse)
           {
             TIFFClose(tiff);
             ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
           }
-        tile_pixels=(uint32 *) AcquireQuantumMemory(number_pixels,
-          sizeof(*tile_pixels));
+        tile_pixels=(uint32 *) AcquireQuantumMemory(columns,
+          rows*sizeof(*tile_pixels));
         if (tile_pixels == (uint32 *) NULL)
           {
             TIFFClose(tiff);
@@ -1739,14 +1756,13 @@ RestoreMSCWarning
           Convert TIFF image to DirectClass MIFF image.
         */
         number_pixels=(MagickSizeType) image->columns*image->rows;
-        if ((number_pixels*sizeof(uint32)) != (MagickSizeType) ((size_t)
-            (number_pixels*sizeof(uint32))))
+        if (CheckMemoryOverflow(image->rows,sizeof(*pixels)) != MagickFalse)
           {
             TIFFClose(tiff);
             ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
           }
         pixel_info=AcquireVirtualMemory(image->columns,image->rows*
-          sizeof(uint32));
+          sizeof(*pixels));
         if (pixel_info == (MemoryInfo *) NULL)
           {
             TIFFClose(tiff);
openSUSE Build Service is sponsored by
Places